GDPR + Cold Emails: What it Means for Your Outbound Strategy

Mac Hasley
May 21, 2020

There’s a lot of bad information out there on GDPR and cold emails.

Not just bad information. Scary information.

“Oh, you just have to make sure it’s relevant.”


“You just have to give them a chance to opt out.”


“Just stop buying from lists.”

No no no no no.

It’s true, not all cold emails are the same—and so GDPR may apply slightly differently, depending on who you’re contacting.

But none of those differences result in a clear green light. For some cold emails, upcoming regulations warn: “um…be careful.” And for some it screams the loudest possible “NO!”

We’ll break down what’s what in this article. But first, lightning fast…

Want to process, store, or even so much as glance at personal data? GDPR says you need consent

(…or something called “legitimate interest”—for which the requirements can be pretty strict).

Personal data means a lot of things. In short: anything that can identify a specific person—either on its own, or with the help of other data at your disposal.

In even shorter: yes, emails count.

And GDPR doesn’t care if this email is publicly available information. It doesn’t care how you came across it. It just cares that you have it and you are using it to send stuff to people who haven’t given the “okay.”

The standard for consent is also higher now. It needs to be explicit. It needs to be affirmative. It needs to be specific. There are a lot of rules. We listed them here.

So you know the basics.

Let’s see what they mean for different cold-emailing tactics.

1. Bought Lists

This is the: “but why are you still doing this?” type of cold emailing. And it usually refers to mass-messaging questionably collected, purchased lists.

Fun fact: for most countries, this is already against the law.

CAN-SPAM made this sort of emailing illegal in the US eons ago. Same with Canada’s CASL, Australia’s Spam Act, the UK’s Data Protection Act, Germany’s Federal Data Protection Act, etc. etc. etc.

The gist is, most countries already have their own legislation regarding emailing from a purchased list.

But if that hasn’t killed these sorts of cold emails stone dead—GDPR will.

Because no “legitimate-interest” clause, or any other series of loopholes, will help you to prove: “these people have consented to hear from me”—if you bought their names and contact info.

Beyond the illegality of it all—bought email lists are bad news. They have abysmal open rates. They bounce back. They anger your email provider. They frequently lead you to be reported as spam (because you are spam!).

If you’re still buying lists, we can’t recommend enough that you cut. it. out.

And if you’re getting lists thrown your way via partners, well….

2. Third Parties

You may have seen an opt-in checkbox that looks like this:

“I would like to receive updates from Company A and trusted third parties.”

And if your company was one of those vague, unidentified “third parties”—this is how emails might have come your way.

Once GDPR gets enacted, this goes to die. Because:

  1. GDPR states that if Company A is going to share data with third parties, it needs to get explicit, active, consent. It has to be an independent ask. It can’t just be bundled together with consent to get emails from Company A.
  2. Consent now has to be given to named companies. It has to be specific. If partners want to throw you an email list (or even, let you reach out after a joint-hosted webinar)—their list needs to opt-in to hear from your company specifically. And they need to agree to hear about promotions, or marketing offers, or information specifically.

Now, this doesn’t mean that your partners won’t give you lists without having properly obtained consent. But the burden of proving that the people you’re contacting have signed up to hear from you falls on you.

(In GDPR speak: You must maintain clear records of consent).

So any time you’re working with a list that wasn’t obtained by you, with documented, explicit consent: do your due diligence. If you can’t prove that you’re compliant—you’re not.

3. Personalized, direct, targeted.

And then there’s this category of contact called “unsolicited commercial information.”

Rules on this come down more to a provision outlined in GDPR’s sister law: the ePrivacy Directive.

So, ugh.

First off—these are rules that already apply. So ideally, none of this should be new.

Second—the ePrivacy Directive is being replaced within the coming year or two with the new ePrivacy Regulations.

Third—as it stands, ePrivacy lets each country within the EU make its own rules about whether cold B2B emails should be “opt-in” only, or simply require the “opt-out.”

Here’s Article 13 of the current directive:

“However, companies which have acquired an end-user’s contact details in the context of a sale of products or services can send direct marketing by email to advertise their own similar products or services, provided that the end-user is given the possibility to object (often referred to as “opt-out”)

The ePD leaves it up to Member States to decide whether to impose a prior consent requirement (i.e. opt-in) or a right to object (i.e. opt-out) for commercial communications sent by means not mentioned above (Article 13.3). For example, this is the case regarding person to person telephone communications.”

So if someone’s already bought something from you, you can probably reach out without consent—as long as you’re advertising something related.

But let’s focus on the “for commercial communications sent by means not mentioned above” segment.

The email addresses that fall into this category are not “I sent someone shady 20 bucks and they gave me your contact info” email addresses. This is still explicitly restricted just about everywhere.

They’re the “I saw you were part of this group on LinkedIn, and you made a comment on an article I wrote. So I added you, downloaded your email address, threw it on a list, and reached out with this targeted piece of information” email addresses.

This is only okay in “opt-out” countries.

And remember, even IF they are opt-out only, they still have rules you need to follow.

For example, in the UK, B2B cold emails to corporations have very different rules than B2B small business and B2C emails. Some countries require that your initial email contain a physical business address. Some require you to include access to recipient rights, or your privacy policy, when you make contact. Each EU nation has its own set of criteria that, if you don’t follow, can bury you in fines.

Moral of the story: if you’re sending these kinds of emails, you should already be doing your research on what they must include to be legal.

And you should only be contacting people who are hyper-relevant.

Our advice: if your marketing strategy relies on tactics like these, best to start diversifying your lead acquisition methods now.

It’s already easy to trip up on this sort of outreach. And odds are, when new ePrivacy regulation is passed, even this sort of cold email will be under threat.


Here’s a tactic we’ve seen suggested across the web:

“If you rely on cold email: send ‘non-promotional outreach email,’ first. Then use that email to get consent to send marketing materials.”

And here’s an example you may have seen floating around, from the folks at

Looks good right?


Here’s an article about how a similar tactic landed Honda and Flybe in £83,000 worth of fines.

And here’s a quote from Steve Eckersley, the ICO’s (UK’s Information Commissioner’s Office) Head of Enforcement:

“Both companies sent emails asking for consent to future marketing. In doing so they broke the law…Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law.”

Now both of these cases mentioned are in the UK. And the laws that are being broken are pre-GDPR laws.

So maybe your circumstances are different.

Maybe you wouldn’t contact someone who already opted out—like Flybe.

Or you wouldn’t re-ask for consent from folks who you didn’t have it for in the first place—like Honda.

But there does seem to be a clear trend here. Asking for consent to receive marketing materials is, in and of itself, sending marketing material.

So sending an email to get permission to send emails seems, at the very least, like an expensive gamble.

5. Generic Business Addresses

Plot twist! Something you can do!

The generic info@company, sales@company, marketing@company email addresses aren’t personal data.

…as long as you can’t tie it to a specific individual, with any other data you might have in your possession.

Now I know.

In terms of lead acquisition—nothing about sending an email to an “info@” excites me.

But if you’re just looking for a foot in the door, are reaching out to a well-targeted prospect, and have a solid, relevant offer—throwing an email to one of these accounts might be worthwhile.

A simple: “Would you like to hear more? Pass me along to the right person!” might go a long way.

You might just be able to start moving a totally cold prospect down a funnel—GDPR worry free.

To be brief and brutal:

Most common cold-emailing tactics are a GDPR nightmare.

They violate the new laws of consent. And they’ve already landed big companies with big fines.

And there’s more bad news.

GDPR doesn’t apply only to email addresses you’ve acquired after it’s instated. It applies to ALL the personal data that you have lying around.

So if you have email addresses on your lists that you never got consent to store, just keeping them around becomes noncompliant starting May 25th.

Now is the time to either run a re-permissioning campaign, or start gutting.

And now is the time to start evaluating your current marketing tactics—shifting them and improving them, to be more transparent and more effective.

Originally published May 21, 2020 - Updated March 06, 2023

Mac Hasley: Mac is a content strategist at Convert, a copywriter across the webz, and an advocate for marketing that is humble and kind.

Carmen Apostu: In her role as Head of Content at Convert, Carmen is dedicated to delivering top-notch content that people can’t help but read through.
