13 min read · Compliance · GDPR

GDPR-compliant cold outreach: the 2026 guide for SMBs

A practical walkthrough of legitimate interest under Art. 6(1)(f), the LIA you actually have to write, country routing for the strict-jurisdiction long tail, and suppression hygiene that survives a Schrems-style audit — without a lawyer retainer.

By Bora Esen

Cold outreach to EU and UK B2B contacts is allowed under GDPR — but only via the “legitimate interest” legal basis (Art. 6(1)(f)), and only with documented diligence. Most teams get the legal basis right and the documentation wrong, which is why they fold the moment a Data Protection Authority asks for records. This guide walks the practical recipe end to end.

Why legitimate interest, not consent

Consent (Art. 6(1)(a)) sounds like the safer default, but for cold outreach it is essentially impossible to evidence. You did not get the prospect’s consent before mailing them; you cannot claim consent as the basis. Legitimate interest is the right basis because it accepts that the business has a real need (finding customers), that the contact is in a B2B context (commercial roles, work email), and that the impact on the contact is low (one well-targeted email).

The trade-off is that legitimate interest requires you to prove the balance. You have to be able to show a regulator that you considered the prospect’s rights, took steps to minimise the impact, and gave them an easy way out. That proof is called the Legitimate Interest Assessment.

1. The LIA you actually have to write

Every campaign needs its own Legitimate Interest Assessment. It does not have to be long — a single page is enough — but it has to answer three questions in writing.

  • Necessity. Why is this email the right tool? “Looking for design buyers at fintech scale-ups” is fine; “casting a wide net” is not.
  • Balance. What are the risks to the recipient and how have you mitigated them? Mitigations include a low frequency cap, ICP-only targeting, an unsubscribe link in every message, and no behavioural tracking.
  • Mitigation. What are you doing to give the recipient control? A one-click unsubscribe, a suppression list that survives forever, a privacy notice on your domain.

Sign and date it. Renew it every year. Keep it in a folder that you can pull up inside an hour if a regulator asks. Most teams write it once and never look at it again — that is fine until it is not.

2. Suppression hygiene

Suppression is the most important habit in the entire compliance chain. Three rules cover ninety percent of what matters.

  • Honour opt-outs forever. Once someone unsubscribes, the next campaign and the campaign after that have to honour it. Suppression has no expiry date.
  • Hash, do not store raw. When you store a suppression record, store the SHA-256 of the email address, not the email itself. You can still match outgoing sends against the hash, but your suppression file never becomes a readable list of addresses that a subject access request or a regulator could pull out of it.
  • Propagate across channels. If someone unsubscribes from email, do not contact them on LinkedIn the next day. The cross-channel propagation is the part most outbound tools get wrong.
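
The three rules above as a small hashed suppression store, added here as an example (not Leafer's code). It assumes addresses are normalised before hashing and that the channel names are those of your own outbound stack; one caveat the comments spell out is that a hash of an email address is pseudonymisation, not anonymisation.

```python
import hashlib
from datetime import datetime, timezone

# Added example, not Leafer's code. Addresses are normalised (trim + lower-case)
# before hashing so two spellings of one address cannot slip past the list.
# Channel names are assumed; use whatever your outbound stack actually has.
CHANNELS = ("email", "linkedin", "phone")


def normalise_email(address: str) -> str:
    return address.strip().lower()


def suppression_key(address: str) -> str:
    """SHA-256 of the normalised address. This is pseudonymisation, not
    anonymisation: anyone holding the address can recompute the key, which is
    exactly what lets us match an outgoing send against the list."""
    return hashlib.sha256(normalise_email(address).encode("utf-8")).hexdigest()


class SuppressionList:
    """Keyed by hash only; raw addresses never enter the store and nothing expires."""

    def __init__(self):
        self._entries = {}  # key -> {"channels": set, "via": str, "since": str}

    def opt_out(self, address: str, via_channel: str) -> None:
        """Record an unsubscribe received on one channel and propagate it to all."""
        entry = self._entries.setdefault(suppression_key(address), {
            "channels": set(), "via": via_channel,
            "since": datetime.now(timezone.utc).isoformat()})
        entry["channels"].update(CHANNELS)

    def is_suppressed(self, address: str, channel: str) -> bool:
        entry = self._entries.get(suppression_key(address))
        return entry is not None and channel in entry["channels"]

    def filter_batch(self, addresses, channel: str) -> tuple:
        """Split a queued batch into (allowed, blocked) for one channel."""
        blocked = [a for a in addresses if self.is_suppressed(a, channel)]
        allowed = [a for a in addresses if a not in blocked]
        return allowed, blocked

    def export(self) -> list:
        """What goes in the audit folder: hashes, source channel and timestamps only."""
        return [{"key": k, "via": v["via"], "since": v["since"]} for k, v in self._entries.items()]
```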

3. Per-country routing

Cold-outreach law is not GDPR-only. Each jurisdiction adds its own twist on top, and the twists matter.

  • Canada (CASL). The strictest regime in the world. Requires either prior express consent or a documented existing business relationship within the last 24 months. Fines up to $10M per violation. Default to blocking until you have explicit authorisation.
  • Germany. The UWG (against unfair competition) layers on top of GDPR. Generic cold B2B email is permissible only when there is a credible business interest the recipient would expect.
  • France. CNIL takes B2B unsolicited mail seriously when the recipient is at a personal-style email (jean.dupont@cabinet.fr). Stick to role-based addresses (contact@, ventes@) for first-touch.
  • UK. Post-Brexit the rules still mirror GDPR, but PECR adds the “corporate subscriber” carve-out — contacting a registered company at a corporate address is generally fine.

A country router sounds expensive. In practice it is one IP-to-country lookup at queue time and a small table of per-jurisdiction sending rules. Build it once and forget about it.

4. The audit log

Every send, every block, every opt-out has to be logged with a timestamp and the actor that triggered it. Retain for seven years (the GDPR statute of limitations period). Store it somewhere a regulator can read without having to dig through your application database.

The cheapest implementation is a JSONL file rotated daily, encrypted at rest, indexed monthly. The most expensive is a SIEM tied to a real-time anomaly detector. Both work. You do not need the expensive one until you are sending more than a thousand messages a day.
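
The country router from section 3 and the audit log from section 4 together, added as an example (not Leafer's code): a rules table for the four jurisdictions the post lists, a queue-time decision that also refuses to send when the campaign has no LIA reference, and one JSONL audit line per decision. The country code is assumed to come from your IP-to-country lookup; the role-based local parts, the reference date and the contact records are constructed.

```python
import hashlib
import json
from datetime import date, datetime, timezone

# Added example, not Leafer's code. The country code is assumed to come from the
# IP-to-country lookup at queue time; role local parts and dates are constructed.
ROLE_LOCAL_PARTS = {"contact", "info", "sales", "ventes", "hello"}
CASL_EBR_WINDOW_DAYS = 24 * 30  # "within the last 24 months", approximated in days
TODAY = date(2026, 3, 1)  # fixed reference date so the example is reproducible

def is_role_address(email: str) -> bool:
    return email.split("@", 1)[0].lower() in ROLE_LOCAL_PARTS

def route(contact: dict, campaign: dict, today: date = TODAY) -> tuple:
    """Return ("send", reason) or ("block", reason) for one queued contact.
    Dates in the contact record are ISO strings, e.g. "2025-09-01"."""
    if not campaign.get("lia_ref"):
        return ("block", "no signed LIA on file for this campaign")
    country = contact["country"]
    if country == "CA":  # CASL: block by default
        if contact.get("express_consent"):
            return ("send", "CASL: express consent on file")
        last = contact.get("last_business_contact")
        if last and (today - date.fromisoformat(last)).days <= CASL_EBR_WINDOW_DAYS:
            return ("send", "CASL: existing business relationship within 24 months")
        return ("block", "CASL: no consent and no recent business relationship")
    if country == "DE" and not contact.get("business_interest"):
        return ("block", "UWG: no documented business interest for this recipient")
    if country == "FR" and contact.get("first_touch") and not is_role_address(contact["email"]):
        return ("block", "CNIL: first touch must go to a role-based address")
    if country == "GB" and contact.get("corporate_subscriber"):
        return ("send", "PECR: corporate subscriber")
    return ("send", "Art. 6(1)(f) legitimate interest, LIA " + campaign["lia_ref"])

def audit_record(contact: dict, decision: tuple, actor: str, when: datetime = None) -> str:
    """One JSONL line per send/block; the subject is logged by hash, never raw address."""
    when = when or datetime.now(timezone.utc)
    key = hashlib.sha256(contact["email"].strip().lower().encode("utf-8")).hexdigest()
    return json.dumps({"ts": when.isoformat(), "actor": actor, "subject": key,
                       "country": contact["country"], "action": decision[0],
                       "reason": decision[1]}, sort_keys=True)

if __name__ == "__main__":
    campaign = {"lia_ref": "LIA-2026-Q1"}  # constructed reference to a signed LIA
    for c in [{"email": "buyer@example.ca", "country": "CA", "last_business_contact": "2024-01-15"},
              {"email": "jean.dupont@cabinet.fr", "country": "FR", "first_touch": True}]:
        print(audit_record(c, route(c, campaign), actor="scheduler"))
```

Each printed line is one record for the daily-rotated JSONL file; the contact is identified by the same SHA-256 key the suppression list uses, so the two can be cross-checked without either holding a raw address.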

What kills you

Sending to a CASL recipient without consent. One complaint to Canada’s Spam Reporting Centre and you are on the hook for up to $10M per violation. Sending the same prospect on three channels the day after they unsubscribed from one of them. Telling a Data Protection Authority “we forgot to write the LIA” when they ask for it. Each of those is a self-inflicted wound and each of them is preventable with a checklist.

Tools that do this for you

Leafer ships with country routing, an LIA wizard, a hashed suppression list, an audit log, and a DPA template built into the workspace. We did not build any of it because we wanted to — we built it because we got tired of doing it in spreadsheets every quarter. If you would rather not build it yourself, that is the shortest path. If you would, we have written every line above as the recipe to follow.
