Compliance Guide · 7 min read · 2026-06-06

Cold Email and GDPR: What B2B Companies Need to Know in 2026

Cold email is legal for B2B in the UK and most of Europe, but only if you understand the difference between PECR and GDPR, and document your basis correctly. Here is how it actually works.

Almost every founder we speak to believes one of two myths about cold email. Either they think GDPR made it illegal, or they think B2B email is a free-for-all with no rules at all. Both are wrong, and the gap between them is where most companies get into trouble. The reality in 2026 is that cold email to businesses remains a legitimate and widely used channel across the UK and Europe, but it sits on top of two separate pieces of law that do different jobs. Get the distinction right and you can run outbound with confidence. Get it wrong and you risk complaints, deliverability damage, and in the worst cases regulatory attention. This guide explains exactly what is permitted, what is required, and where the lines fall, with particular focus on the UK and the wider EU as the rules stand in 2026.

The two laws that govern cold email (and why people confuse them)

In the UK, B2B cold email is governed by two separate regimes that work together. The first is the Privacy and Electronic Communications Regulations, known as PECR, which sets the specific rules for electronic marketing such as email, SMS, and calls. The second is the UK GDPR, which governs how you process personal data more broadly. People confuse the two because they overlap, but they answer different questions. PECR asks whether you are allowed to send a marketing message at all. GDPR asks whether you are allowed to process the personal data behind that message.

The single most important fact for B2B senders is that PECR's consent rule for marketing email does not apply to corporate subscribers. As the ICO's business-to-business marketing guidance confirms, you can send marketing email to a corporate body without prior consent. That is the legal foundation that makes cold outbound possible in the first place.

But PECR being satisfied is only half the picture. If your message is addressed to a named individual at that company, you are still processing their personal data, and the UK GDPR requires you to have a lawful basis for doing so. This is the step most cold email guides skip, and it is the step that matters most.

Who counts as a corporate subscriber

The corporate subscriber exemption is generous, but it has clear boundaries. Corporate subscribers include limited companies, limited liability partnerships, government bodies, public authorities, and certain business partnerships in Scotland. Email anyone at these organisations in a business capacity and PECR does not require their consent.

The trap is everyone else. Sole traders and most ordinary partnerships are treated as individual subscribers under PECR, which means the consent rule does apply to them in the same way it applies to consumers. A freelance designer using firstname@theirname.com or a two-person partnership without LLP status is not a corporate subscriber. If your prospect list is built from scraped data, you almost certainly have a mix of both, so the safe approach is to assume that some contacts will fall outside the exemption and to keep your volumes, targeting, and opt-out handling tight enough that it does not matter.

Generic role addresses such as info@ or sales@ are also worth treating carefully. They are less likely to be personal data, but they are also far less likely to convert, so there is rarely a reason to email them in a serious outbound programme.

Legitimate interest: your lawful basis for the data

For the GDPR side of cold email, the lawful basis almost every B2B sender relies on is legitimate interests under Article 6(1)(f). This is not a loophole. Recital 47 of the GDPR explicitly names direct marketing as a purpose that may qualify as a legitimate interest, so the law anticipates exactly this use.

Relying on legitimate interests is not automatic, though. You are expected to complete and document a legitimate interests assessment, a three-part test set out in the ICO guidance. The purpose test asks whether you are pursuing a genuine, legitimate interest. The necessity test asks whether processing this personal data is actually necessary to achieve it. The balancing test asks whether the individual's rights and interests override your interest. For well-targeted B2B outreach to a relevant decision-maker about a product genuinely useful to their role, that balance usually tips in the sender's favour. For irrelevant blasts to thousands of unmatched contacts, it does not.

In practice, a strong legitimate interests assessment is also your best defence if a complaint ever arises. It shows you thought about proportionality before you pressed send, which is precisely what regulators want to see.

What the Data Use and Access Act 2025 changed

The biggest recent development is the Data (Use and Access) Act 2025, which is being phased in between June 2025 and June 2026. The Act introduces a statutory list of recognised legitimate interests, and importantly it confirms that processing for direct marketing purposes can sit within the legitimate interests basis. The ICO updated its legitimate interests guidance on 23 March 2026 to reflect these changes.

There is a nuance worth flagging. Some commentary has suggested the new recognised legitimate interests remove the need for a legitimate interests assessment entirely. As the ICO's own DUAA explainer makes clear, that simplification applies to a defined set of recognised interests, and direct marketing still benefits from a proper, documented assessment rather than being treated as a blanket pass. The DUAA also extended the soft opt-in to charities, but that change does not alter the corporate subscriber position for ordinary B2B senders.

The practical takeaway is that the legal footing for B2B cold email got slightly clearer in 2026, not looser. The discipline of documenting why your outreach is proportionate remains the right approach.

The non-negotiable requirements on every email

Whatever basis you rely on, certain obligations apply to every single message. You must identify yourself clearly so the recipient knows who is contacting them, and you must not disguise or conceal your identity as the sender. You must provide a valid way to opt out of further messages, and you must honour the right to object under Article 21 of the GDPR.

Opt-outs are where good senders separate themselves from bad ones. When someone asks to stop hearing from you, the legal backstop is removal within a reasonable period, and the regulations point to acting without undue delay. Best practice, and the approach we use for client campaigns, is to suppress the contact immediately so they are removed before your next send rather than weeks later. Maintain a permanent suppression list and check every new campaign against it.

Transparency about where you obtained the data is also expected under GDPR's information requirements. You do not need to recite a privacy policy in a cold email, but you should be able to tell someone, if they ask, how you came to contact them and point them to where they can exercise their rights.

The EU is not one rule: country differences that matter

GDPR is an EU-wide regulation, but the ePrivacy rules that govern electronic marketing are implemented country by country, so cold email legality varies significantly across Europe. Treating the EU as a single market for outbound is a common and costly mistake.

Germany sits at the strict end. Under its Act Against Unfair Competition, commercial email to businesses generally requires prior consent, which makes pure cold email to German prospects legally risky and pushes most senders towards LinkedIn or warm introductions instead. France is more permissive for B2B prospecting, broadly allowing cold email to professional contacts provided you disclose the source of the data, make the commercial nature of the message clear, and include a working unsubscribe. The Netherlands, the Nordics, and Ireland each sit at different points on that spectrum.

The lesson is to research the destination country before you scale, not after. A sequence that is perfectly compliant for UK and French prospects may need a different channel entirely for German ones. If you want a deeper view of how Europe's national markets differ for outbound, our guide to B2B lead generation in Germany covers the DACH region in detail.

A practical compliance checklist for 2026

Pulling this together, a compliant B2B cold email programme in 2026 looks like this. Target named decision-makers at corporate subscribers, not sole traders or consumer addresses. Make sure each contact is genuinely relevant to what you are offering, because relevance is what makes your legitimate interests assessment hold up. Document that assessment once per campaign type and keep it on file.

Identify yourself honestly in every message, include a clear opt-out, and suppress anyone who objects before your next send. Keep a permanent do-not-contact list and screen against it every time. Be ready to explain, on request, how you obtained someone's details. And before you enter a new European market, check that country's specific rules rather than assuming the UK position travels.

Done this way, cold email is not a legal grey area. It is a legitimate, well-established channel with clear guardrails. The companies that get into trouble are almost never the ones who followed these steps. They are the ones who treated a purchased list of fifty thousand unverified addresses as a licence to blast, and then wondered why the complaints arrived.
