If you run B2B outbound in the Netherlands or the UK, you have almost certainly had the conversation: is this actually legal? Someone on your team read something about GDPR. A LinkedIn reply asked how you got their email. Now you are second-guessing every send.
The short answer is yes, B2B cold email is legal in both countries. The slightly longer answer is that it depends on what you are sending, to whom, and how you sourced the data.
This post covers what the law actually says, what the Dutch and UK regulators have published on enforcement, and what distinguishes a compliant cold email from one that creates real risk.
The legal basis: legitimate interest
GDPR does not require consent for every use of personal data. It requires a lawful basis. For B2B cold email, the basis most teams rely on is legitimate interest (Article 6(1)(f) GDPR, Article 6(1)(f) UK GDPR).
Legitimate interest has three parts:
- Purpose test - you have a genuine commercial reason for reaching out (your product is relevant to this person’s role)
- Necessity test - email is a reasonable way to pursue that purpose
- Balancing test - your interest does not override the individual’s privacy interests
For B2B outreach to a professional at their work email address, this test typically passes when your product is genuinely relevant to their job. The balancing test is harder for consumer messages where the recipient has no professional context for what you are selling.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and the UK’s ICO have both published guidance on this. Neither prohibits B2B cold email. Both require that it is targeted, clearly attributed, and easy to stop.
What the Dutch Telecommunicatiewet adds
The Netherlands implements the EU ePrivacy Directive through the Telecommunicatiewet (Article 11.7). This sits alongside, but is separate from, the GDPR.
For B2C email: opt-in consent is required. You cannot cold email a consumer without prior permission.
For B2B email to corporate addresses: opt-out is sufficient. You can send without prior consent, but you must:
- Clearly identify yourself as the sender
- Include a valid reply address
- Include an unsubscribe or opt-out mechanism
- Not use misleading subject lines or sender names
- Not email someone who has previously opted out
This is the same framework that applies in Germany, Belgium, and France under their equivalent national implementations. Practitioners sometimes call this the “B2B opt-out model.”
One nuance worth flagging: sole traders registered at the KvK under their personal name can sometimes be treated as individuals rather than business contacts, bringing them closer to the B2C rules. If your list includes self-employed people registered under their own name, treating them as consumers is the safer approach.
What the UK’s PECR adds
Post-Brexit, the UK runs its own version: the Privacy and Electronic Communications Regulations 2003 (PECR) alongside UK GDPR.
The rules for B2B cold email in the UK are similar to the Netherlands:
- Corporate subscribers (limited companies, LLPs, public bodies): opt-out is sufficient
- Individual subscribers (sole traders, some partnerships): opt-in is required, same as consumers
The ICO defines a “corporate subscriber” as a company, LLP, or other corporate body. Emailing a work address at a Ltd company sits comfortably in the opt-out category, provided the contact is relevant to your message.
The ICO has taken enforcement action under PECR, but that record is almost entirely focused on mass consumer spam, nuisance calls, and financial marketing. There is no meaningful enforcement history against targeted B2B outbound to corporate contacts.
What actually creates legal risk
Knowing the rules is useful. Knowing what trips teams up is more useful.
Buying scraped lists without provenance. If your data provider cannot tell you where the data came from, how it was collected, and what lawful basis applies, you are holding data with no demonstrable legal grounding. “Scraped from LinkedIn” is not a lawful basis. “Sourced from publicly available business directories under legitimate interest” is a start, but you still need to be able to demonstrate the balancing test if the regulator asks.
No opt-out mechanism. Every B2B cold email in the Netherlands and UK must include a clear and easy way to opt out. Not a buried footer. A plain instruction. “Reply to be removed” is sufficient. What is not sufficient is no mention at all.
Ignoring opt-out requests. If someone opts out, they must be off your send list before the next send. Not “we will update the CRM later.” Immediately. Both the Telecommunicatiewet and PECR treat this as a hard requirement.
Misleading subject lines or sender names. Disguising a commercial email as a personal message, using a sender name that is not accurate, or writing a subject line that misrepresents the content is prohibited under both frameworks. “Quick question” as a subject line for an unsolicited pitch is legally grey and increasingly triggers spam filters regardless.
Mass-sending to unvetted lists. Sending the same message to tens of thousands of people without segmentation or relevance checking is unlikely to pass the legitimate interest balancing test. The Dutch AP has been explicit that the relevance of the message to the recipient is part of what makes the basis hold.
What the regulators actually go after
The Dutch AP’s published enforcement record on email mostly covers:
- Consumer marketing without consent
- Health, financial services, and political messaging to individuals
- Data breaches caused by unsecured marketing lists
Targeted B2B outbound to corporate addresses, done with clear sender identity and an opt-out, does not appear in Dutch enforcement actions.
The ICO’s record is similar. The cases that make the news are spam operations sending millions of messages, not SDRs emailing relevant prospects.
This does not mean the rules do not apply. It means that a well-run B2B outbound operation sits well below the enforcement threshold, and the risks that are real - deliverability damage, domain reputation, irritating the right people in a small TAM - are practical risks, not primarily legal ones.
The compliance and conversion overlap
Here is what gets missed most often: the practices that keep you legally compliant are the same ones that improve your reply rates.
Relevance. The legitimate interest test requires that your message is relevant to the recipient’s role. A relevant email is also one that earns a reply. Spray-and-pray fails both tests.
Clear sender identity. The law requires you to identify yourself accurately. An email that clearly states who is sending it, from which company, and why, also outperforms vague or anonymous senders on deliverability and replies.
Easy opt-out. Giving someone a low-friction way to stop emails makes you compliant. It also means the only people who stay on your list are the ones who have not opted out, which keeps your engagement metrics clean and your domain reputation intact.
Specific reason to reach out. The balancing test is stronger when your email references a genuine signal - a funding round, a new hire, a contract announcement - because it demonstrates that the outreach is targeted and contextually relevant, not a bulk blast.
A cold email that passes the legitimate interest test looks like this: a specific person, at a specific company, contacted by a specific sender with a specific reason. That email also performs better than a generic sequence.
The practical compliance checklist
Before your next send:
- Can you name the lawful basis? For B2B cold email, usually legitimate interest. Be able to say why it applies.
- Is the contact corporate or individual? Sole traders in the UK and KvK-registered individuals in the Netherlands warrant more caution.
- Does the email identify you clearly? Name, company, valid reply address.
- Is there an opt-out? A plain instruction to reply or click if they want no further emails.
- Is the message relevant to their role? If you cannot explain why this specific person, the legitimate interest basis is weaker.
- Do you have a suppression list? Previous opt-outs must not receive the email.
- Where did the data come from? You should be able to answer this for every contact.
If you can answer all seven, you are running a compliant B2B cold email operation. The legal risk is low. The practical risks are the ones worth more of your attention.
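The checklist above, together with the earlier point that an opt-out must take effect before the very next send, can be enforced as a pre-send gate rather than left to memory. The following is an added example written for this post, not Hooklyne's code or any regulator's tooling; the contact fields (entity_type, source, lawful_basis, relevance, consent), the message fields, the sample addresses and the suppression list are all constructed for illustration.

```python
"""Pre-send compliance gate for B2B cold email (added example, constructed data).

Assumptions: a contact is a dict with email, entity_type, source, lawful_basis,
relevance and optional consent; a message is a dict with sender_name,
sender_company, reply_to and body; the suppression list is a set of
lower-cased addresses that is updated the moment someone opts out.
"""
import re
from dataclasses import dataclass, field

# Contact types the post says need opt-in (B2C rules): consumers, and sole
# traders / individual subscribers in the Netherlands and the UK.
OPT_IN_ENTITY_TYPES = {"consumer", "sole_trader", "individual_subscriber"}

# A plain opt-out instruction must be present in the body, e.g. "Reply to be removed".
OPT_OUT_PATTERN = re.compile(
    r"reply\b.*\bremov|unsubscribe|opt[- ]?out|no further emails", re.IGNORECASE
)


def normalise(addr: str) -> str:
    """Addresses are compared case-insensitively and without stray whitespace."""
    return addr.strip().lower()


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)


def check_send(contact: dict, message: dict, suppression: set) -> GateResult:
    """Return every checklist failure for this contact/message pair (empty = send)."""
    reasons = []
    email = normalise(contact.get("email", ""))
    if "@" not in email:
        reasons.append("invalid recipient address")
    if email in suppression:
        reasons.append("recipient previously opted out")
    if contact.get("entity_type") in OPT_IN_ENTITY_TYPES and not contact.get("consent"):
        reasons.append("individual or consumer contact without opt-in consent")
    if not contact.get("source"):
        reasons.append("no documented data source")
    if not contact.get("lawful_basis"):
        reasons.append("no lawful basis recorded")
    if not contact.get("relevance"):
        reasons.append("no stated reason this contact is relevant")
    if not (message.get("sender_name") and message.get("sender_company")):
        reasons.append("sender not clearly identified")
    if "@" not in message.get("reply_to", ""):
        reasons.append("no valid reply address")
    if not OPT_OUT_PATTERN.search(message.get("body", "")):
        reasons.append("no opt-out instruction in body")
    return GateResult(allowed=not reasons, reasons=reasons)


def record_opt_out(suppression: set, addr: str) -> None:
    """Suppress immediately, so the next check_send on this address is blocked."""
    suppression.add(normalise(addr))


def filter_batch(contacts: list, message: dict, suppression: set):
    """Split a batch into (send, blocked); each entry is (email, reasons)."""
    send, blocked = [], []
    for contact in contacts:
        result = check_send(contact, message, suppression)
        (send if result.allowed else blocked).append((contact["email"], result.reasons))
    return send, blocked


# Constructed sample data (not real people or companies).
SUPPRESSION = {"former.prospect@example.co.uk"}

MESSAGE = {
    "sender_name": "Sam Jones",
    "sender_company": "Example Outbound Ltd",
    "reply_to": "sam@example-outbound.com",
    "body": (
        "Hi Jan, I saw your team is hiring SDRs and thought our tooling might be "
        "relevant. Reply to be removed and I will take you off the list."
    ),
}

CONTACTS = [
    {"email": "j.devries@example.nl", "entity_type": "corporate",
     "source": "public business directory export (constructed)",
     "lawful_basis": "legitimate_interest", "relevance": "Head of Sales, hiring SDRs"},
    {"email": "former.prospect@example.co.uk", "entity_type": "corporate",
     "source": "public business directory export (constructed)",
     "lawful_basis": "legitimate_interest", "relevance": "VP Sales"},
    {"email": "solo@example.co.uk", "entity_type": "sole_trader",
     "source": "public business directory export (constructed)",
     "lawful_basis": "legitimate_interest", "relevance": "freelance consultant"},
    {"email": "anon@example.com", "entity_type": "corporate",
     "source": "", "lawful_basis": "", "relevance": "unknown"},
]

if __name__ == "__main__":
    ok, stopped = filter_batch(CONTACTS, MESSAGE, set(SUPPRESSION))
    print("send:", [e for e, _ in ok])
    for email, why in stopped:
        print("blocked:", email, "->", "; ".join(why))
```

The gate reports every failing item rather than stopping at the first, so a blocked record tells you which of the seven questions you could not answer for it. Calling record_opt_out as soon as a reply comes in is what makes "off the list before the next send" true in practice.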
A note on data sourcing
Where your data comes from matters for both compliance and deliverability. A contact sourced from a public business directory with a clear legitimate interest basis is different from one scraped from a social media profile with no documentation.
Hooklyne sources and verifies contacts across 21 providers and retains the source for each record. Every contact ships with a citable origin so you can answer “where did this data come from” without guessing. That is not just good compliance practice. It is also how you avoid the 20 to 40 percent bounce rates that damage domain reputation before a campaign gets going.