GDPR-Compliant Email Outreach: What's Allowed and What Isn't (2026)
A common misconception about GDPR is that it prohibits cold B2B email outreach. It does not. What GDPR regulates is how you process personal data and on what legal basis. For B2B prospecting, the relevant basis is legitimate interest — which explicitly covers commercial outreach to professionals when done correctly.
This guide covers what GDPR actually says about cold email, how it interacts with CAN-SPAM and CASL, what you need to do in practice to stay compliant, and the specific points where most teams get it wrong.
Does GDPR prohibit cold email?
No. GDPR does not prohibit cold B2B email outreach. It regulates the processing of personal data, including email addresses. For outreach, the relevant legal basis is legitimate interest (Article 6(1)(f)), which permits processing personal data when you have a genuine business purpose that is not overridden by the individual's rights.
The key recital (Recital 47) explicitly mentions direct marketing as an example of legitimate interest. The European Data Protection Board and national regulators have confirmed that B2B cold outreach falls within legitimate interest provided certain conditions are met.
GDPR applies to individuals (natural persons), not companies. A generic, role-based mailbox like info@acme.com is not personal data. A professional email like jane.doe@acme.com is personal data because it identifies an individual.
The legitimate interest test
To rely on legitimate interest, you need to pass a three-part test: purpose (you have a genuine, specific business reason for the outreach), necessity (email is a necessary and proportionate way to pursue that purpose), and balancing (your interest is not overridden by the individual's rights, particularly their reasonable expectations).
In practice, this means: you have a real business reason to contact this specific person (not just 'we want to sell to anyone'), the outreach is relevant to their professional role, and the email is not intrusive or unexpected in the context of their work.
B2B cold outreach to a VP of Sales about a sales tool they might find useful typically passes this test. Cold emails to personal Gmail addresses about the same product typically do not.
What you must include in every outreach email
Under GDPR and most equivalent laws, every cold email must include: identification (who you are and who you represent), a clear description of why you are contacting them, information on how they can access or request deletion of their data, and a clear, simple way to opt out.
The opt-out does not have to be a formal unsubscribe link for single-touch outreach — a line like 'Reply to this email to be removed from further contact' satisfies the requirement. For automated sequences, a proper unsubscribe mechanism is stronger.
You must also honour opt-outs promptly. If someone requests removal, they should not receive further emails. Keep a suppression list.
CAN-SPAM (United States)
CAN-SPAM governs commercial email in the United States and has somewhat different requirements from GDPR. Key requirements: identify the message as an advertisement, include your physical postal address, use a subject line that accurately describes the content, and provide a clear opt-out mechanism that must be honoured within 10 business days.
CAN-SPAM does not require prior consent for commercial email — opt-out is sufficient. It applies to the sending domain, not the recipient's location, so if you are sending from a US-based entity, CAN-SPAM applies regardless of where the recipient is.
Note that GDPR's requirements are generally stricter than CAN-SPAM's. If you comply with GDPR's legitimate interest framework, you are likely also meeting CAN-SPAM requirements.
CASL (Canada)
Canada's Anti-Spam Legislation is among the strictest commercial email laws globally. Unlike GDPR and CAN-SPAM, CASL requires express or implied consent before sending most commercial electronic messages to Canadian recipients.
Implied consent exists in some B2B scenarios — if there is an existing business relationship, or if the recipient has published their contact details for professional use (on a company website, LinkedIn, etc.) and the message is relevant to their business role.
If you are emailing Canadian recipients with no prior relationship and no clear implied consent basis, CASL compliance requires particular care. The penalties for CASL violations are significant.
Where email finders fit in
Using an email finder to discover professional email addresses for B2B outreach is generally lawful under GDPR's legitimate interest framework. The email address itself is personal data, and your use of it is covered by legitimate interest provided you meet the conditions above.
Best practice when using an email finder: document your legitimate interest basis (who you are contacting, why, and how you determined it is proportionate), include the required transparency and opt-out information in every email, maintain a suppression list, and do not use the addresses for purposes beyond the stated outreach.
Practical checklist
Before sending: document your legitimate interest basis; segment your list to ensure relevance; verify all addresses to reduce bounce rate.
In every email: identify yourself and your company; explain why you are contacting this specific person; include an opt-out option; include your physical address for CAN-SPAM compliance.
After sending: process opt-out requests promptly and maintain a suppression list; do not re-contact people who have opted out; respect data subject requests (access, deletion) if received.
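As an added example (not code from the article or any named product), a small Python pre-send screen that implements the suppression-list and reply-based opt-out handling from the checklist, together with the role-mailbox versus named-individual distinction discussed earlier. The role-mailbox names, webmail domains and opt-out phrasings are assumptions for illustration.

```python
import re

# Assumed lists: the article names only info@ and "personal Gmail addresses".
ROLE_LOCAL_PARTS = {"info", "sales", "support", "admin", "contact", "hello"}
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Assumed phrasings that count as a "reply to be removed" opt-out.
OPT_OUT = re.compile(r"\b(remove me|unsubscribe|opt[- ]?out|stop (?:emailing|contacting) me)\b", re.I)

def normalize(address):
    """One canonical form so 'Jane.Doe@Acme.com ' and 'jane.doe@acme.com' share an entry."""
    return address.strip().lower()

def classify(address):
    """'role' (generic mailbox), 'personal' (consumer webmail) or 'professional' (named individual)."""
    local, _, domain = normalize(address).partition("@")
    if local in ROLE_LOCAL_PARTS:
        return "role"
    return "personal" if domain in WEBMAIL_DOMAINS else "professional"

class SuppressionList:
    """Normalized address -> date string the opt-out was received (kept for audit)."""
    def __init__(self):
        self.entries = {}

    def ingest_replies(self, replies):
        """replies: (sender, body, received_on) tuples; returns number of new opt-outs."""
        before = len(self.entries)
        for sender, body, received_on in replies:
            if OPT_OUT.search(body):
                self.entries.setdefault(normalize(sender), received_on)
        return len(self.entries) - before

    def contains(self, address):
        return normalize(address) in self.entries

def screen(prospects, suppression):
    """Split prospects into (send, skipped); skipped maps address -> reason."""
    send, skipped = [], {}
    for addr in prospects:
        if suppression.contains(addr):
            skipped[addr] = "opted out"
        elif classify(addr) == "personal":
            skipped[addr] = "personal webmail address"
        else:
            send.append(addr)
    return send, skipped

SAMPLE_REPLIES = [  # constructed sample data so the module runs stand-alone
    ("Jane.Doe@Acme.com", "Please remove me from further contact.", "2026-01-05"),
    ("bob@widgets.example", "Thanks, send the deck over.", "2026-01-06")]
SAMPLE_PROSPECTS = ["jane.doe@acme.com", "bob@widgets.example", "sam@gmail.com", "info@acme.com"]
```

Run `screen(SAMPLE_PROSPECTS, sl)` after `sl.ingest_replies(SAMPLE_REPLIES)` to see the opted-out and webmail addresses dropped with their reasons while the rest pass through.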