Is cold email legal?

Cold B2B email is legal. These are the conditions.

The short answer is yes - B2B cold email is legal under both GDPR and national ePrivacy rules in the Netherlands and the UK, provided you send to a business address, identify yourself, and include a working opt-out. Germany is the exception: the UWG sets a different bar. The confusion arises because the rules differ between jurisdictions, between B2B and B2C, and between company addresses and personal ones. This guide sets out the exact conditions per country, who qualifies as a business contact, and where the risks actually live.

You probably came here because

  • Someone on your team said cold email is illegal under GDPR and you're not sure if they're right.
  • A prospect replied asking on what legal basis you emailed them.
  • You're expanding outbound into Germany and want to know if the rules are different.
  • Your legal team asked whether you have an LIA and you're not sure what that is.

If any of that lands, the rest of this page is for you.


What the law actually says

Cold B2B email: what's required in NL, UK and DE.

Three jurisdictions, three slightly different answers under the same GDPR umbrella. ePrivacy rules sit on top of GDPR and vary by country.

1. Netherlands: legal under Telecommunicatiewet Art. 11.7, to a legal entity.

Dutch law permits unsolicited commercial email to a contact at a registered legal entity (BV, NV, stichting, association) at a business address, without prior consent. The conditions: you clearly identify yourself and your company in every message, you include a working opt-out mechanism, and you honour opt-outs immediately. The Autoriteit Persoonsgegevens enforces this under Art. 11.7 Tw alongside the AVG. Private individuals and ZZP'ers registered as a natural person (eenmanszaak) are outside this carve-out - the AP treats them as consumers.

2. UK: legal to a corporate subscriber under PECR Reg. 22.

UK PECR Regulation 22 permits unsolicited B2B email to a 'corporate subscriber' - a limited company, LLP, government body, or Scottish partnership. Sole traders, most ordinary partnerships, and one-person businesses are treated by the ICO as 'individual subscribers' and require prior consent or an existing customer relationship. Practically: check Companies House. If there's a company number, you're likely fine. If there isn't, treat the contact as B2C. UK GDPR Article 6(1)(f) legitimate interest applies in parallel for the data processing basis.

3. Germany: prior consent is the default bar under UWG §7.

Germany is the strict outlier. UWG §7(2) Nr. 3 prohibits unsolicited commercial email to a natural person - including a named employee at a company - without prior express consent, unless sender and recipient have an existing business relationship. The BGH has consistently upheld this even for B2B contacts. For outbound to German named contacts, assume you need consent or a prior commercial relationship. Running NL-posture outbound into Germany is a compliance problem.

4. GDPR Article 6(1)(f) runs underneath all three - you need the LIA.

The national ePrivacy rules govern whether you can send. GDPR governs whether you can process the data to do so. Across NL, UK and DE, the data processing basis for B2B direct marketing is legitimate interest under Article 6(1)(f). This requires a Legitimate Interest Assessment: a documented three-part test covering purpose, necessity, and a balancing test against the prospect's rights and interests. The LIA doesn't have to be long - one page covers a standard B2B campaign - but it has to exist before you send.

5. Opt-out is absolute and must survive re-imports.

GDPR Article 21 gives data subjects an absolute right to object to processing for direct marketing. Once exercised, the processing stops - no exceptions, no re-adding from a refreshed database. The suppression list must persist across senders, sequences, and quarterly data refreshes. The classic failure: someone opts out in Q1, the data provider re-syncs the row in Q3, and the same person lands in the next sequence. From the AP's view, that's the same violation as ignoring the original objection.

Where to actually look

The primary sources, in case you want to read them yourself rather than trust a vendor blog post:

Where senders go wrong

Four failure modes that show up in AP complaints.

Each of these is a real finding from AP or ICO investigations, not a theoretical concern.

1. Sending to personal email addresses rather than business ones.

The NL and UK ePrivacy carve-outs apply to business contacts at a business address. firstname@company.nl at a registered company is a business address. firstname.lastname@gmail.com is a personal address - regardless of whether that person runs a business. If your enrichment tool surfaces personal email addresses (gmail, hotmail, icloud) for professional contacts, those addresses fall outside the B2B carve-out and require individual consent. Filter them out before sending.

2. No working opt-out or delayed processing of unsubscribes.

A working opt-out is a legal requirement in both NL (Art. 11.7 Tw) and UK (PECR Reg. 22) - not a courtesy. The opt-out must be easy to use, must work, and must be acted on promptly. Promptly means within days, not at the next CRM sync or next sequence run. Delayed processing is one of the most common findings in complaints-led AP investigations.

3. Using contacts sourced from tools that scrape without a lawful basis.

The lawfulness of your sending depends partly on how the underlying data was collected. If your contact came from a tool that bulk-scraped LinkedIn profiles or bought lists without a traceable chain of legitimate interest from the original collector, you are processing data whose source cannot be defended. The AP's decisions on Clearview AI and OLVG both turned on whether the original collection was lawful - not just whether the subsequent use was proportionate.

4. Sending into Germany without adapting your approach.

Running NL or UK-posture outbound into Germany without adjusting for UWG §7 is a Wettbewerbsverstoß - an unfair competition violation, not just a data protection issue. German competitors can bring claims under UWG directly. If you're running cold sequences to German personal business email addresses with no prior relationship, you don't have a basis.

When this approach works (and when it doesn't)

Cold B2B email is defensible in NL and UK. The conditions are specific.

Works when

  • Sending to a named role at a registered legal entity (BV, Ltd, LLP) at a business email address.
  • Your LIA is documented, your source per contact is citable, and your suppression list persists.
  • The jurisdiction is NL or UK (corporate subscribers) and the message is materially relevant to the role.
  • Your opt-out mechanism is tested, working, and processed within days.

Doesn't work when

  • You're sending to personal email addresses, sole traders, or most ordinary partnerships.
  • You're sending into Germany to natural persons without prior consent or an existing commercial relationship.
  • Your opt-out handling is delayed or breaks on re-import from a data provider.
  • Your contact source cannot tell you when the data was collected and on what basis.

Honest steelman

The most honest answer on cold email legality is that for very small, consumer-adjacent B2B targets - a freelancer who happens to run a company, a sole trader, a ZZP'er - the legal position is genuinely uncomfortable. The rules were written for larger corporate entities. Hooklyne focuses on NL and UK SMEs with a company registration and a professional buying role. For consumer-adjacent contacts or DE-heavy outbound, the right answer is probably consent-based marketing, not legitimate interest cold email.

How Hooklyne is built for this

The legal basis is part of the product, not a separate document.

Every Hooklyne prospect package is built around the conditions that make B2B cold email defensible. Contacts are sourced from public registries - KVK for NL companies, Companies House for UK - and from verified professional data partners operating under their own Article 6 basis. Personal email addresses (gmail, hotmail, icloud) are filtered out before a package ships. What you receive is a business contact at a registered entity, with the source URL or registry citation that supplies the legal basis for the contact.

The LIA that covers a standard B2B direct marketing campaign is included as a template with each trial. It covers the three-part test - purpose (reaching a professional buyer with a relevant commercial offer), necessity (direct email is the proportionate way to do this), and balancing test (business contacts at registered entities have a reduced privacy expectation in their professional capacity). One page. Producible on demand. Updated when the campaign motion changes.

Suppression is durable across senders, sequences, and provider refreshes. The opt-out mechanism is tested before any sequence runs. We don't send to German contacts under a legitimate interest basis by default - if you're running DE outbound, we flag the jurisdiction and discuss the right approach before building. The compliance posture is built into the workflow, not bolted on after the fact.


FAQ

Cold email legality questions, answered.

Is cold email illegal under GDPR?

No. GDPR doesn't ban cold email. Article 6(1)(f) explicitly lists legitimate interest as a valid processing basis, and Recital 47 explicitly contemplates direct marketing as a possible legitimate interest. What GDPR requires is that you document the basis, balance it against the prospect's interests, and honour opt-outs absolutely. The confusion usually comes from conflating B2C rules with B2B rules, or from the German UWG position which does require consent in most B2B cold email cases.

What counts as a business email address for the NL and UK carve-outs?

An email address tied to a registered company domain - company.nl, company.co.uk - where the company is a legal entity (BV, NV, Ltd, LLP). Personal email addresses (gmail, hotmail, outlook personal) are always treated as individual subscriber addresses regardless of whether the person runs a business. Role addresses like info@company.com count as business addresses but are lower quality for personalised outreach.

Do I need consent to send B2B cold email in the Netherlands?

No, not under the Telecommunicatiewet carve-out for legal entities. You need a legitimate interest basis under the AVG (which requires an LIA), a business address, identification in every message, and a working opt-out. Consent is actually harder to use for prospecting - it must be freely given, specific, informed, and unambiguous, and can be withdrawn at any time.

What about emailing ZZP'ers?

ZZP'ers registered as a natural person (eenmanszaak) are treated as individual subscribers by the AP. The Telecommunicatiewet Art. 11.7 carve-out doesn't apply. Check the KVK registration: if the entity is a BV or NV, you're in the corporate carve-out. If it's an eenmanszaak, treat them as a consumer contact.

Is it enough to have an unsubscribe link?

Necessary but not sufficient. The unsubscribe mechanism must work, must be processed within days, and must persist across subsequent sends - including re-imports from your data provider. The AP has found violations where unsubscribe links were broken and where re-imported contacts received new sequences despite having opted out previously.

Does Hooklyne provide the legal documentation?

Hooklyne provides an LIA template covering a standard B2B direct marketing campaign for NL and UK. It's a starting point - your DPO or counsel should review it for your specific motion. The source citation per contact is included with every prospect package so you can answer a 'where did you get my details' question in under a minute.

Is this legal advice?

No. This is plain-language operator guidance based on the published text of the relevant legislation, the AP's and ICO's published guidance, and BGH case law. Your specific motion should be reviewed by a qualified DPO or specialist data protection counsel before you scale.

This page is plain-language guidance and not legal advice. Rules differ between jurisdictions and your specific motion should be reviewed by a qualified DPO or specialist counsel before scaling.
