5 Simple Steps to Sending GDPR-Compliant B2B Cold Emails


Contrary to popular belief, it is still legal and effective to send businesses sales emails now that the GDPR is enforceable. This article dispels the myths around cold emailing under the new regulations and gives you some simple, actionable tips to ensure your campaigns stay compliant.

GDPR Compliance

First off, I am sure you have seen a few definitions of what the GDPR is and what it means, so I will keep this brief. The General Data Protection Regulation is an EU regulation adopted by the European Parliament and the Council of the European Union. Its main purpose is to protect the personal data of individuals in the EU (the regulation calls them "data subjects"; it covers residents, not only citizens). The GDPR is not about cold emailing. It is not about businesses. It is about personal data protection. However, a work email address that contains a person's name is personal data, so sending business emails does mean processing personal data, and there are some key things you need to keep in mind when emailing in a post-GDPR environment.

Here are the key points to be running through:

Step 1: Ensure Your Prospecting Is Targeted and Appropriate

Step 2: Explain Legitimate Interest in Your Email Copy

Step 3: Make It Quick and Easy To Unsubscribe or Opt-Out

Step 4: Regularly Cleanse and Maintain Your Database

Step 5: Prepare An Informative Reply For GDPR Complaints And Questions


Why is it OK to email businesses after GDPR?

First off, I am going to briefly deal with this question as I know that anyone who has experienced the onslaught of GDPR articles and emails from B2C companies will be confused about this point.

The GDPR protects individuals, NOT businesses.

The EU even declares: “The proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business.” The ePrivacy rules specifically leave it up to the individual countries within the EU to decide whether ‘unsolicited commercial communications’ sent to businesses (a.k.a. B2B cold email campaigns) should be opt-in or opt-out. In the UK the ePrivacy Directive is implemented by PECR (the Privacy and Electronic Communications Regulations 2003), under which marketing emails to corporate subscribers do not require opt-in consent. Two caveats are worth knowing. First, PECR's consent rule protects ‘individual subscribers’, and in England, Wales and Northern Ireland that includes sole traders and unincorporated partnerships, so treat those contacts as consumers. Second, the GDPR still applies to the named individual's data, so you need a lawful basis for the processing (see Step Two) even where PECR does not require consent for the email itself.


Step One: Ensure Your Prospecting Is Targeted and Appropriate

Lead generation and prospecting are essentially sourcing personal data to use in sales campaigns. The GDPR does not stop people prospecting or collecting leads; it simply demands a greater level of care and accuracy from lead generators. Under the GDPR's data minimisation principle, the personal data you collect must be adequate, relevant and limited to what is necessary for the purpose of its processing. That means you have to consider two key things: the adequacy of your data collection (how much data do you really need for what you are going to achieve) and the relevancy of your data collection (is the data you are collecting the right data for your purposes).
As professional lead generators, we routinely help set the target criteria for our clients' prospecting activities.


Here are a few simple qualifiers to work with:

Geographical location

where are the prospects you want to speak to? Where will your service or product be most relevant?

Target industries

who do you already work with? Which of your clients are most profitable/find your service most useful? Who have you spoken to who has a use for your service? What experts can you consult to evaluate industry need?

Company size

are the companies you are approaching large enough or small enough to require your service? How many employees do they have? What is their annual revenue?

Job title and seniority

are you contacting the right person from your chosen company? Are they senior enough to make a decision? Are they in a department with a use for your product or service?

A quick word about bought lists…

It is your responsibility to ensure any lists you buy are fully compliant under the new regulations, so ask the supplier how and where each record was sourced and keep their answer on file. As a supplier of email lists and leads for countries across Europe, Phlox Digital has taken steps to ensure total compliance.
How do we do this? We build and verify lists for ourselves and for our clients from scratch, according to very specific targeting criteria, from publicly available sources. Building the lists ourselves with target criteria in mind means we can ensure the adequacy and relevance of the data collected, and that we can keep detailed records of our lead generation process.


Step Two: Explain Your Legitimate Interest In Your Email Copy

With effective targeting your reasons for contacting a prospect should be self-evident, but always follow through in your email copy and explain exactly why your offering is relevant and why you are reaching out.
Cut immediately to why you think the recipient is a relevant person for you to be contacting and how you processed their data to make contact.


Using the Legitimate Interest basis correctly

Legitimate interest is one of the six lawful bases for processing data under the GDPR and covers business interests. The ICO describes it as likely to be the most appropriate basis when “the processing is not required by law but is of a clear benefit to you or others”.
However, the legitimate interest basis is NOT a catch-all excuse you can use to cover anything in the realm of business. A process needs to be followed to ensure you remain compliant with the GDPR. The ICO breaks this down into a three-part test that you should document in a Legitimate Interests Assessment (LIA) before you send: identify the interest you are pursuing (the purpose test), show that the processing is necessary to achieve it (the necessity test), and weigh it against the individual's interests, rights and freedoms (the balancing test). Legitimate interest only holds if your interest is not overridden by the individual's right to privacy.
As Article 6(1)(f) of the GDPR states, this basis applies only where “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Here are a few examples of reasons for Legitimate Interest THAT WE SUPPORT:

Look up the company’s LinkedIn profile or website and check to see if your offering would support their goals

Check for recent investment or funding if your offering supports growth

Check to see if any of your past clients are in a similar industry or have a similar offering

Look for referrals or inside information from your network

Check to see if the company is expanding into a relevant area for your service, or expanding generally if your offering supports growth

Check to see if the contact has asked for any information or has begun a search for a service or product you provide

Record which of these checks applied to each contact; they are the evidence for the balancing test if a prospect, or the ICO, asks why you believed the email was relevant.

How to include Legitimate Interest in your email copy

There are a few ways to do this. Woodpecker, in their excellent guide to GDPR preparation, suggest including a disclaimer that informs the recipient that their data has been processed. This should include three key pieces of information:

a statement informing the recipient how you keep their data confidential;

a short explanation of why you are contacting them;

instructions the recipient can follow to change the data you process or request removal of their data from your list.

This disclaimer also goes part of the way to meeting Article 14 of the GDPR, which requires you to tell people whose data you did not collect from them directly what you hold, why, on what lawful basis and for how long, at the latest when you first contact them. A link to a short privacy notice covering the rest is the usual way to complete it.


Step Three: Make It Quick and Easy To Unsubscribe or Opt-Out

As someone sending cold email campaigns, you need to tell your recipients how to exercise their rights, in particular the right to object to direct marketing under Article 21 of the GDPR, which is absolute: once someone objects you must stop, with no balancing test to argue. The right to erasure and the right to restriction come into play as well. In layman’s terms, you need to give people a clear way to opt out. An ‘unsubscribe link’ at the bottom of your email is the easiest way to automate that process and ensure compliance across your lists, and any outreach program or software today will have an automated unsubscribe feature as a basic part of the service. However, an unsubscribe link is only one of the suggested ways of opting out. The ICO's official Marketing and Advertising guidance says: “You must make it easy to opt-out — for example by sending a ‘STOP’ text to a short number, or using an ‘unsubscribe’ link.” Whichever mechanism you offer, keep a suppression list of opted-out addresses and check every new or rebuilt list against it before sending, so that a contact who has already objected is never resurrected by a fresh import.


Step Four: Regularly Cleanse and Maintain Your Database

Beyond simply removing people who have opted out or unsubscribed, the GDPR's storage limitation and accuracy principles mean you should not be holding onto leads for months on end, or keeping inaccurate contact information. Cleanse your CRM database regularly of inactive or unresponsive leads, check that your contact records are fully up to date, and appropriately label and tag your data to record how you collected and processed each person's data and under which lawful basis. Set a retention period for unresponsive cold leads and apply it consistently; if asked, you need to be able to say how long you keep data and why.

Step Five: Prepare an Informative Reply for GDPR Complaints and Questions

Finally, expect some pushback from your prospects. There is a lot of misinformation about the GDPR and what it means for sales and marketing strategies going forward, and some people are going to be angry that you emailed.
Of course, if your targeting is accurate and your copy is respectful and informative, your offer may carry you through. However, in a few cases prospects will lash out. Cold emails are still cold emails, regardless of how relevant they are. Here are a few questions you might get asked and what to cover in your answer. Any response can include a combination of these three main points.

“What right do you have to email me?”

This is completely within a prospect’s rights to ask, even if the email address in question is corporate: the fact that their name is written out within the email address makes it personal data. Your legitimate interest needs context. If your service does not specifically relate to the company’s stated line of business, explain the reasons you thought them a relevant person to contact. A new company project? Their website? Their LinkedIn profile? An article they have recently shared? By keeping detailed records of your lead generation process, you will be able to give a detailed answer about how and why you sourced a person’s data.

If you are emailing people at scale, take care in researching the companies you are contacting. Is there something on their website or in the press which gives you particular reason to email them? Have you been helpful to other companies in this industry? There are more general answers that do not require a deep dive into someone’s LinkedIn likes.

If you have used past customers to build out your target criteria (a typical customer profile), a response you can use across your campaign is:

“We have collected and processed your data on the basis of legitimate interest. Given how beneficial our [product/service] has been for [company profile/prospect profile] in the past, I believed our offering to be of benefit to you.”

Here is an example of an answer one of our reps might use: “I was researching [company name] as I thought our services might be of interest given success we have seen for FinTech solutions in the past and after finding your public profile on LinkedIn I believed you to be the most relevant person to contact regarding our services. I then guessed your email address and ran it through a verification tool we use to build lists for all our clients.”

“Where did you source my details from?”

Explain where you found their data, why you thought they were appropriate to contact and why you thought they’d be interested in your offering.
Again, if you keep detailed lead generation records, or ask for these from your suppliers, then you have a detailed response to this question.
If you are using Phlox Digital for list building, check with your account manager what sourcing process we are using. For example, if we are using LinkedIn to source your leads, a good response to the prospect would be:
“We are using a third party prospecting service and they found your profile on LinkedIn as you fit our typical customer profile. They then guessed your email using publicly available information and ran it through a verification tool.”

“What information do you have on me?”

The GDPR gives your prospects the right to be informed and the right of access (a subject access request), which means that if asked you must provide the information you hold on them and explain how it has been processed, normally within one month of the request and free of charge. At Phlox Digital, we collect minimal prospect information, all of which is exclusively B2B and publicly available. A good response for our process would be:

“Your name, email address, company name and job title are the only data that we hold. As per your rights, we will delete this from our database if you are not interested in our services or wish us to do so. Your data is not being held in any other database or being resold.”

CAN-SPAM Act of 2003: Email Marketing and SPAM – What you need to know

⦁ OVERVIEW FOR BUSINESSES: What the Act covers.
⦁ PRIMARY REQUIREMENTS OF THE LAW: The seven requirements, the penalties for non-compliance, and the international laws that apply alongside relevant professional practices.
⦁ CAN-SPAM ACT 2003: The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. In 2008 the Federal Trade Commission voted to approve a Federal Register Notice clarifying various elements of the original Act. CAN-SPAM addresses the U.S., not other countries.
⦁ TWO PRIMARY TYPES OF MESSAGES. Commercial content: advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose. Transactional or relationship content: facilitates an already agreed-upon transaction or updates a customer about an existing business relationship. The primary purpose of the message decides which category it falls into.
⦁ STRAIGHT FROM OUR DESK: Question: How do I know if what I’m sending is a transactional or relationship message? Answer: The primary purpose of an email is transactional or relationship if it consists only of content that:
• facilitates or confirms a commercial transaction that the recipient already has agreed to;
• gives warranty, recall, safety, or security information about a product or service;
• gives information about a change in terms or features or account balance information regarding a membership, subscription, account, loan or other ongoing commercial relationship;
• provides information about an employment relationship or employee benefits; or
• delivers goods or services as part of a transaction that the recipient already has agreed to.
Contact PHLOX DIGITAL for a copy of the OUR DESK document.
Determining the primary purpose of a mixed message: look at the subject line, look at the content, and note where the transactional portion sits. If a reasonable recipient would read the subject line as advertising, or if the transactional content does not appear at the beginning of the message body, the primary purpose is commercial and the full set of requirements below applies.
⦁ A COMMERCIAL EMAIL EXAMPLE: Subject line: “[First Name], it’s the LAST DAY for FREE SHIPPING & a FREE $20 Reward E-Card”.
⦁ PRIMARY REQUIREMENT #1: Do not use false or misleading header information. The From, To and Reply-To fields and the routing information (including the originating domain name) must be accurate and identify the person or business that initiated the message.
⦁ PRIMARY REQUIREMENT #2: Do not use deceptive subject lines. Examples of the kind to avoid: “Guilt free eating”, “Try it FREE”, “Here’s Money You Never Knew You Had”.
⦁ PRIMARY REQUIREMENT #3: Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement. Do not hide the fact that your message is commercial in nature, if it is.
⦁ PRIMARY REQUIREMENT #4: Tell your recipients where you are located. Include a valid physical postal address: a street address, a post office box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency established under Postal Service regulations.
⦁ PRIMARY REQUIREMENT #5: Tell recipients how to opt out of receiving future email from you. Give a clear and conspicuous explanation that an ordinary person can understand, using type size, colour and location for clarity. Provide a return email address or another easy Internet-based way to communicate the choice. An opt-out menu is allowed, but it must include an option to stop all commercial messages from you.
⦁ PRIMARY REQUIREMENT #6: Honour opt-out requests promptly. The opt-out mechanism must keep working for at least 30 days after you send your message, and you must honour a request within 10 business days. You can’t charge a fee, can’t require any personally identifying information beyond the email address, and can’t require any step other than sending a reply email or visiting a single web page as a condition of honouring the request. You can’t sell or transfer opted-out email addresses, except to a company you’ve hired to help you comply with CAN-SPAM.
⦁ PRIMARY REQUIREMENT #7: Monitor what others are doing on your behalf. Even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted and the company that sends the message may be held liable.
⦁ MESSAGES FROM MORE THAN ONE COMPANY: One company can be designated as the sender if it meets CAN-SPAM’s definition of “sender” (it initiates a commercial message advertising or promoting its own goods, services or website), is identified in the “From” line, and complies with the “initiator” provisions of the Act: non-deceptive transmission information, no deceptive subject heading, a valid postal address, a working opt-out mechanism, and proper identification of the message’s commercial or sexually explicit nature.
⦁ SEXUALLY EXPLICIT EMAIL: Messages with sexually oriented material must begin the subject line with the warning “SEXUALLY-EXPLICIT”, and the initially viewable content must be a “brown paper wrapper” with no images, unless the recipient has given affirmative consent to receive the sender’s sexually oriented messages.
⦁ PENALTIES: HOW MUCH? Each separate email in violation of the law is subject to penalties of up to $16,000 (the figure at the time of writing; the FTC adjusts the maximum for inflation), and more than one person may be held responsible for violations.
Aggravated: if the violation was wilful, or involved one or more aggravated practices such as address harvesting or dictionary attacks.
Reduced: if the defendant established and implemented, with due care, commercially reasonable practices and procedures designed to effectively prevent such violations, and the violation occurred despite commercially reasonable efforts to maintain compliance.
⦁ STATE LAWS COULD APPLY TOO: “This Act supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.” In practice this means state laws against falsity or deception in commercial email still apply on top of CAN-SPAM.
⦁ INTERNATIONAL LAWS: CANADA is an opt-in jurisdiction: “It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied”. “Implied” consent covers an existing business relationship, but with a 2-year limit. Unsubscribe requirements are similar to CAN-SPAM. No address harvesting and no dictionary attacks.
⦁ UNSOLICITED ADVERTISEMENT: Any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person’s prior express invitation or permission, in writing or otherwise.