GDPR & Cold Email: UK Compliance Guide
A practical guide to sending B2B cold email in the UK while staying fully compliant with GDPR and PECR regulations.
Is cold email legal in the UK?
Yes, B2B cold email is legal in the UK. This is the first and most important thing to understand. Many businesses avoid cold email entirely because they assume GDPR prohibits it. It does not.
Under UK data protection law, you can send unsolicited emails to individuals at their business email addresses, provided you have a legitimate interest in contacting them, you are transparent about who you are and why you are writing, and you give them a clear way to opt out.
The key distinction is not strictly B2B versus B2C but between the two categories PECR uses: individual subscribers (consumers, and also sole traders and most partnerships) and corporate subscribers (companies, LLPs, public bodies). Marketing email to individual subscribers requires prior consent, apart from the narrow "soft opt-in" for your own existing customers. Email to named staff at a corporate subscriber does not need PECR consent, but UK GDPR still applies, because a person's work email address and name are personal data, so you still need a lawful basis, a privacy notice and a working opt-out.
GDPR basics for cold email
Two pieces of legislation govern cold email in the UK: the UK GDPR (the UK’s post-Brexit version of the EU GDPR) and PECR (the Privacy and Electronic Communications Regulations). Understanding how they interact is essential.
Lawful basis: legitimate interest
Under UK GDPR Article 6, you need a lawful basis to process someone's personal data. For B2B cold email, the relevant basis is legitimate interests (Article 6(1)(f)); Recital 47 explicitly recognises direct marketing as a possible legitimate interest. The ICO expects you to record a legitimate interests assessment covering three questions: is there a genuine business purpose, is the processing necessary for it, and do the recipient's rights and reasonable expectations override your interest?
In practice, this means you can email a marketing director at a SaaS company about your marketing analytics tool, because there is a clear and reasonable connection between your offer and their role. Emailing that same person at work about an unrelated consumer product fails the balancing test: they would not expect it in their professional capacity, and a consumer offer points to the individual rather than the business.
PECR and the B2B exemption
PECR is the regulation that specifically governs electronic marketing. For email, Regulation 22 says you may not send unsolicited marketing to an individual subscriber without prior consent (opt-in). The consent rule is written in terms of individual subscribers only, so it does not cover corporate subscribers.
A corporate subscriber is a company, limited liability partnership, Scottish partnership or public body. You can email staff at a corporate subscriber without PECR consent, but Regulation 23 still applies to every marketing email: you must not disguise or conceal your identity, and you must provide a valid address at which the recipient can ask you to stop. Relevance to the person's role is not a PECR condition, but it is what makes the legitimate interests balancing test under UK GDPR work, so treat it as a requirement in practice. Sole traders and partnerships that are not LLPs or Scottish partnerships are individual subscribers, so the consent rule applies to them.
The practical test
Ask yourself three questions before sending any cold email:
- Is this a business email address (not a personal one)?
- Is my offer relevant to this person’s professional role?
- Would a reasonable person in their position expect to receive this type of communication?
If the answer to all three is yes, you are likely on solid ground.
What you must include
Every cold email you send must include certain information. Omitting any of these can constitute a breach of UK GDPR, PECR or the Companies Act trading disclosure rules.
- Your identity: The recipient must know who is contacting them. Include your name, your company name, and your role. Do not use misleading sender names or disguise your identity; PECR Regulation 23 prohibits concealing the sender, and a From address that does not match a domain you control will also fail SPF/DKIM/DMARC checks at the receiving end.
- A clear opt-out mechanism: Every email must include a straightforward way for the recipient to stop receiving messages. This can be an unsubscribe link or a simple line like "Reply STOP to opt out." The mechanism must work immediately and be honoured without question. If you send at volume, also set the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058 one-click unsubscribe), which Gmail and Yahoo require from bulk senders and which lets recipients opt out without ever marking you as spam.
- A valid contact address: PECR requires a valid address at which the recipient can ask you to stop; an email address that is monitored satisfies this. Separately, if you are a UK company, the Companies Act 2006 trading disclosure rules require your registered name, registered number, place of registration and registered office address on business emails, so in practice most senders include a physical address in the footer as well.
- Data source disclosure: Because you did not collect the data from the recipient, UK GDPR Article 14 requires you to tell them where you got it, together with your identity, purpose, lawful basis and their right to object. This is proactive, not on request: the information must be provided at the latest at the time of the first communication, which in practice means linking to a privacy notice in the first cold email. If a recipient later makes a subject access request under Article 15, you have one month to respond.
What you must NOT do
Compliance is as much about what you avoid as what you include. These practices will put you on the wrong side of the regulations.
Prohibited practices
- Do not use purchased consumer email lists. Lists of personal email addresses sold by third-party data brokers almost certainly lack valid consent for your specific use. Using them exposes you to significant legal risk.
- Do not ignore opt-out requests. When someone asks to be removed, remove them immediately. There is no grace period. An objection to direct marketing is absolute under UK GDPR Article 21 and must be honoured for any recipient; for individual subscribers, continuing to email after an opt-out is also a breach of PECR.
- Do not hide your identity. Using misleading “from” names, fake domains, or pretending to be someone you are not violates multiple regulations and destroys trust.
- Do not email sole traders without consent. Sole traders, and partnerships other than LLPs and Scottish partnerships, are individual subscribers under PECR, so you need prior consent to email them. A custom domain is not proof of a corporate subscriber; if in doubt, treat the contact as an individual.
- Do not retain data indefinitely. You cannot keep prospect data forever “just in case.” You need a clear retention policy and a reason for continued processing.
Data handling best practices
How you manage prospect data is just as important as how you use it. GDPR requires you to handle personal data responsibly throughout its lifecycle.
Retention periods
Set a clear data retention policy and write down the justification for it. A common and defensible approach for cold email is to delete prospect data 30 days after the final email in a sequence if there is no response. If a prospect does respond and a business relationship develops, you have a legitimate reason to retain their data for as long as that relationship continues, and the lawful basis may shift from legitimate interests to contract.
Opt-out management
Maintain a suppression list of everyone who has opted out. Check it before every campaign, and match on a normalised form of the address (trimmed, lower-cased) so that a recipient who opted out as "A.Smith@Example.com" is not re-contacted as "a.smith@example.com". The suppression list itself should be retained indefinitely: it is a record that the person objected, not marketing data, so keep only the minimum needed to match (the address), not the rest of the prospect record.
Data minimisation
Only collect and store the data you actually need. For cold email, this typically means name, business email address, company name, job title, and the source of the data. Collecting additional personal information without a specific purpose violates the data minimisation principle.
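The three checks above (business address only, suppression list honoured, non-responders purged after the retention window) and the minimal prospect record are easy to get subtly wrong at scale, so here is a pre-send gate as an added example. This is illustrative code written for this guide, not PrawnMail's code; the freemail domain list, the field names, the 30-day window and the sample prospects are all constructed assumptions for the demonstration.

```python
"""Pre-send compliance gate for a B2B cold-email campaign (added example).

Applies the guide's rules to each prospect before a message is queued:
  1. skip anyone on the suppression list (normalised match),
  2. skip consumer/freemail addresses, which need consent,
  3. purge non-responders once the retention window has passed.
The domain list, record fields and sample data below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed consumer-provider list; a real deployment maintains a fuller one.
FREEMAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "yahoo.com", "yahoo.co.uk", "icloud.com", "protonmail.com",
}

RETENTION_DAYS = 30  # the guide's suggested window; document your own


def normalise_email(addr: str) -> str:
    """Trim and lower-case so suppression matching is case-insensitive."""
    return addr.strip().lower()


def is_business_address(addr: str) -> bool:
    """Heuristic: a domain not on the consumer list is treated as business.

    A custom domain can still belong to a sole trader (an individual
    subscriber under PECR), so this is a first filter, not proof.
    """
    if "@" not in addr:
        return False
    domain = normalise_email(addr).rsplit("@", 1)[1]
    return bool(domain) and domain not in FREEMAIL_DOMAINS


@dataclass
class Prospect:
    """Minimal record: only the fields the guide lists as necessary."""
    name: str
    email: str
    company: str
    job_title: str
    source: str                      # needed for Article 14 disclosure
    last_email_sent: Optional[date] = None
    replied: bool = False


def retention_expired(p: Prospect, today: date) -> bool:
    """True when a non-responder is past RETENTION_DAYS since the last send."""
    if p.replied or p.last_email_sent is None:
        return False
    return today - p.last_email_sent > timedelta(days=RETENTION_DAYS)


def gate(p: Prospect, suppression: set, today: date) -> tuple:
    """Return (decision, reason); decision is 'send', 'skip' or 'purge'.

    Suppression is checked first: an opted-out address must never be
    sent to, whatever else the record says.
    """
    email = normalise_email(p.email)
    if email in suppression:
        return ("skip", "on suppression list")
    if not is_business_address(email):
        return ("skip", "not a business address; consent required")
    if retention_expired(p, today):
        return ("purge", "retention period expired; delete record")
    return ("send", "ok")


def run_campaign(prospects, suppression, today: date) -> dict:
    """Gate every prospect; returns {raw email: (decision, reason)}."""
    normalised = {normalise_email(s) for s in suppression}
    return {p.email: gate(p, normalised, today) for p in prospects}


# Constructed sample data (not real people or addresses).
TODAY = date(2024, 6, 30)
SAMPLE_SUPPRESSION = {"A.Smith@Example.com"}
SAMPLE_PROSPECTS = [
    Prospect("Jo Doe", "jo@acme.co.uk", "Acme", "Marketing Director",
             "company website", last_email_sent=date(2024, 6, 20)),
    Prospect("A Smith", "a.smith@example.com", "Example", "CTO",
             "LinkedIn"),
    Prospect("Pat Lee", "pat.lee@gmail.com", "Unknown", "Founder",
             "conference list"),
    Prospect("Sam Roe", "sam@widgets.io", "Widgets", "Head of Growth",
             "company website", last_email_sent=date(2024, 5, 1)),
    Prospect("Kim Wu", "kim@widgets.io", "Widgets", "CMO",
             "company website", last_email_sent=date(2024, 4, 1),
             replied=True),
]

if __name__ == "__main__":
    for email, (decision, reason) in run_campaign(
            SAMPLE_PROSPECTS, SAMPLE_SUPPRESSION, TODAY).items():
        print(f"{email:28} {decision:6} {reason}")
```

Run it and the output shows one sendable contact, one blocked by the suppression list despite the case difference, one gmail address routed to the consent path, one stale non-responder marked for deletion, and one responder kept because the relationship is live. A production pipeline would additionally log each decision so that you can evidence to the ICO that the suppression list was checked.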
Security
Store prospect data securely with appropriate technical and organisational measures (UK GDPR Articles 5(1)(f) and 32). A spreadsheet emailed around a team, or shared from a personal drive with anyone-with-the-link access, does not meet that standard: there is no access control, no audit trail and no way to honour a deletion request reliably. Use a CRM or outreach tool with role-based access, encryption at rest and in transit, and a log of who exported what, and restrict exports, since an exported list is the usual way prospect data leaks.
PrawnMail’s approach to GDPR compliance
PrawnMail is designed with compliance built into the workflow, not bolted on as an afterthought.
- B2B only: PrawnMail is built for business-to-business outreach. The platform targets professional contacts at their corporate email addresses.
- Research-based targeting: Rather than relying on purchased lists, PrawnMail’s AI researches prospects individually to ensure relevance and legitimate interest.
- Human approval: Every email is reviewed and approved by you before sending. Nothing goes out automatically without your sign-off.
- Built-in opt-out: All emails include a clear unsubscribe mechanism. Opt-out requests are processed immediately and added to a permanent suppression list.
- Sender identity: Your business name, contact details, and physical address are included in every email, meeting PECR disclosure requirements.
- Data retention controls: Prospect data can be managed with clear retention periods. Non-responsive contacts are flagged for removal according to your data policy.
For businesses that want full peace of mind, the managed service handles compliance management as part of the campaign — including data handling, opt-out processing, and retention policy enforcement.
Penalties for non-compliance
The consequences of getting GDPR wrong are significant and growing.
The Information Commissioner's Office (ICO) can fine UK GDPR breaches up to 17.5 million pounds or 4 percent of annual global turnover, whichever is higher. PECR breaches have historically carried a lower cap of 500,000 pounds, and it is under PECR that most unsolicited-marketing enforcement has happened, with several organisations receiving six-figure fines in recent years. The Data (Use and Access) Act 2025 raises the PECR maximum to the UK GDPR level, so check the ICO's current guidance for the commencement position when assessing exposure.
Beyond financial penalties, non-compliance carries other risks:
- Reputational damage: ICO enforcement actions are public. Being named in an enforcement notice damages your brand and erodes trust with prospects and customers.
- Domain blocklisting: Spam complaints triggered by non-compliant email practices can get your sending domain or IP onto public blocklists and tank your reputation with Gmail and Microsoft, making it impossible to reach anyone's inbox. Correct SPF, DKIM and DMARC records and a working one-click unsubscribe reduce both complaints and the chance of being classified as spam in the first place.
- Loss of business relationships: Companies increasingly vet their partners’ data practices. Non-compliance can disqualify you from working with larger organisations that require GDPR compliance from their supply chain.
The bottom line
GDPR compliance is not a barrier to cold email — it is a framework for doing it properly. Businesses that follow the rules build trust, protect their domain reputation, and create sustainable outreach programmes. Those that cut corners risk fines, blacklisting, and permanent reputational damage.
Compliant outreach, done right
PrawnMail handles GDPR compliance so you can focus on connecting with the right prospects. Start with a free trial.