
How to run cold email outbound in Europe under GDPR + ePrivacy in 2026 — legitimate interest basis, opt-out language, the Irish DPC enforcement reality.
GDPR-compliant cold email in 2026 (Europe playbook)
B2B cold email in Europe sits in a legal grey zone. GDPR doesn't ban it outright, but ePrivacy adds member-state complications, and the legitimate interest test is fuzzy enough that founders often default to either over-cautious (don't send anything) or under-cautious (send like it's the US). Both are wrong.
This is the practical 2026 playbook for compliant B2B cold email targeting EU recipients — lawful basis, opt-out mechanics, and the country-specific gotchas.
Disclaimer: this is not legal advice. Talk to a qualified privacy lawyer before scaling outbound to EU prospects.
Key takeaways
B2B cold email in the EU is lawful under "legitimate interest" if you target work email addresses + offer a clear opt-out + don't process personal data beyond name/email/role.
The strictest member states for B2B cold email: Germany, France, Italy, Austria. Default to opt-in there.
Always include: identity, why you're emailing, where you got the contact, opt-out link. Missing any = non-compliant.
B2C is different — ePrivacy requires opt-in for personal addresses. Don't cold-email gmail.com personal accounts.
Pair with DKIM, SPF, DMARC setup — deliverability is separate from compliance.
Is B2B cold email legal in the EU?
For most member states + recipients with corporate email addresses (work@company.com), yes — under GDPR's "legitimate interest" lawful basis (Article 6(1)(f)). The legitimate interest test has 3 parts: (1) you have a clear legitimate purpose (selling B2B), (2) the processing is necessary to achieve it, (3) the impact on the recipient doesn't override your interest.
B2B cold email passes if you target the right people, offer easy opt-out, and don't enrich personal data beyond what's necessary. B2C cold email to personal addresses is a different game entirely — stricter, requires opt-in.
What does a compliant B2B cold email look like?
Four required elements:
Clear identity — your name + company + role visible.
Why you're emailing — reason tied to their business ("saw your post on X", "your company is hiring an SDR").
Where you got their contact — source disclosure ("found your email on LinkedIn" or "on your company website").
Easy opt-out — reply link, unsubscribe link, or both. Must be 1-click.
Missing any of these = non-compliant. The 4th (opt-out) is the most-skipped and the most enforced — a single "please remove me" you ignore can trigger a complaint to your DPA.
Which EU countries are strictest about B2B cold email?
Four to default to opt-in regardless of GDPR baseline:
| Country | Position | Default approach |
|---|---|---|
| Germany | UWG §7 prohibits unsolicited B2B email without prior consent | Opt-in only |
| France | LCEN requires opt-in for direct marketing | Opt-in only |
| Italy | Garante Privacy enforces strict marketing rules | Opt-in only |
| Austria | TKG requires opt-in similar to Germany | Opt-in only |
| Netherlands | B2B cold email permitted with legitimate interest | Legitimate interest OK |
| Spain | LSSI permits B2B cold email with opt-out | Legitimate interest OK |
| Poland | B2B cold email generally permitted | Legitimate interest OK |
| UK | Post-Brexit, PECR similar to GDPR for B2B | Legitimate interest OK |
For founders without country-by-country segmentation: send only to legitimate-interest-friendly countries OR build a separate opt-in-only sequence for the strict 4.
What's the practical opt-out mechanic?
Minimum: a working unsubscribe link in every cold email. Click → immediate removal from your list, no auth required, no "are you sure?" friction. The Irish DPC + French CNIL have both fined senders specifically for friction-laden unsubscribe flows.
Better: include both a 1-click unsubscribe link AND a "reply STOP" option. Honor either within 24 hours.
Best: maintain a centralized suppression list across all sending domains so an opt-out from one domain blocks future contact from any of your domains.
What about LinkedIn DMs and Reddit comments — are those GDPR-regulated?
Generally no, because LinkedIn DMs are sent through LinkedIn's platform (their privacy policy governs), and Reddit comments are public (no personal-data processing on your side). Where it gets fuzzy: if you scrape LinkedIn profiles to enrich a cold email database, that scraping is GDPR-regulated even if the resulting DM isn't.
repco's approach: monitor public posts only, never scrape profile databases. The intent-driven motion is structurally less GDPR-risky than fit-data-driven outbound.
What records do I need to keep for compliance?
Four items, retained for at least 3 years:
Suppression list — everyone who opted out, with timestamp.
Source records — where you got each contact (LinkedIn URL, public website, etc).
Legitimate interest assessment — a 1-page document showing you considered the 3-part test for your motion. One per major outbound campaign type.
Privacy notice — link in every cold email pointing to your privacy policy.
None of this is hard. Skipping it makes you 10x more vulnerable in a complaint scenario.
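The opt-out mechanic, the country segmentation and the suppression-list record above combine into one send gate. The following is an added example (not repco's code or any tool's API): a centralised suppression list keyed on the normalised recipient address so every sending domain consults the same entry, an overdue check against the 24-hour honour window, and a routing function that applies the opt-in-only list from the table. The webmail domain list, the country codes and the 24h SLA constant are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values from the playbook; the webmail domain list and the 24h SLA are assumptions.
OPT_IN_ONLY = {"DE", "FR", "IT", "AT"}            # UWG / LCEN / Garante / TKG: consent first
LEGIT_INTEREST_OK = {"NL", "ES", "PL", "GB"}      # legitimate interest with opt-out
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # constructed B2C list
OPT_OUT_SLA = timedelta(hours=24)

def normalise(email: str) -> str:
    """One canonical key per recipient so every sending domain consults the same entry."""
    return email.strip().lower()

@dataclass
class SuppressionList:
    """Centralised opt-out store shared by all sending domains (requested/honoured times)."""
    requested: dict = field(default_factory=dict)   # email -> when the opt-out arrived
    honoured: dict = field(default_factory=dict)    # email -> when removal was applied

    def opt_out(self, email: str, when: datetime) -> None:
        self.requested.setdefault(normalise(email), when)   # keep the earliest request

    def honour(self, email: str, when: datetime) -> None:
        self.honoured[normalise(email)] = when

    def is_suppressed(self, email: str) -> bool:
        return normalise(email) in self.requested

    def overdue(self, now: datetime) -> list:
        """Opt-outs not yet applied after the SLA window: the audit item to fix first."""
        return sorted(e for e, t in self.requested.items()
                      if e not in self.honoured and now - t > OPT_OUT_SLA)

def route(email: str, country: str, source: str, suppression: SuppressionList) -> str:
    """Pick the sequence a contact may enter, or the reason it is blocked. Opt-outs win.
    country is the recipient's ISO 3166-1 alpha-2 code; source is where the address came from."""
    email = normalise(email)
    if suppression.is_suppressed(email):
        return "blocked:opted_out"
    if email.partition("@")[2] in PERSONAL_DOMAINS:
        return "blocked:personal_address"    # B2C address: ePrivacy opt-in, not cold email
    if not source:
        return "blocked:no_source_record"    # cannot disclose where the contact came from
    if country in OPT_IN_ONLY:
        return "opt_in_sequence"             # strict four: ask for consent before pitching
    if country in LEGIT_INTEREST_OK:
        return "legitimate_interest"
    return "hold:country_not_assessed"       # no legitimate interest assessment on file
```

Run `overdue()` from a daily job and treat a non-empty result as an incident, since that is exactly the ignored "please remove me" the text warns about.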
Frequently asked questions
What about "info@" or "sales@" generic addresses?
Generally lower risk — these are role addresses, not individual personal data. Still apply opt-out + identity + reason. Avoid scraping these from the public web at scale (could trigger enforcement).
Can I use Apollo / ZoomInfo data for EU outbound?
Yes if Apollo/ZoomInfo have a lawful basis for the data (they claim public sources). You inherit the responsibility for using it lawfully — check the recipient's country, apply the right framework, honor opt-outs.
What's the worst case if I'm non-compliant?
GDPR fines can reach 4% of global revenue or €20M, whichever is higher. Realistically: solo founders get warning letters first. Repeated non-compliance escalates to fines. The Irish DPC is the most active enforcer for B2B cold email cases in 2024–2026.
Compliance is structural, not aspirational
Get the 4 elements right (identity, reason, source, opt-out) + maintain the 4 records (suppression, sources, LIA, privacy notice) + segment strict countries. That's the compliance floor. From there, focus on actually moving pipeline.
repco's intent-driven motion is structurally lower-risk for GDPR because it monitors public posts (not contact databases) and produces fewer but better outreach messages (less chance of complaint).
Further reading: DKIM, SPF, DMARC for cold email setup | Why cold email stopped working in 2026 | The 6-touch follow-up sequence for cold email