Is Cold Email Legal in the EU? Yes, With Conditions (2026 Guide)
Key takeaways
- Cold email is legal in the EU for B2B. It is not banned, it is regulated, by two laws working together: the GDPR and the ePrivacy Directive (2002/58/EC).
- Your lawful basis for B2B cold outreach is usually “legitimate interest” under GDPR Article 6(1)(f), not consent. Recital 47 explicitly recognises direct marketing as a possible legitimate interest.
- The ePrivacy Directive governs the email itself, and national rules vary. Most countries allow B2B cold email with conditions. Germany is the strict exception; France is permissive for genuine B2B.
- To stay compliant you must target a real business fit, identify yourself, disclose how you got the data (GDPR Article 14), and offer a clear opt-out in every message (the Article 21 right to object is absolute).
- What gets senders in trouble: scraped data with no lawful basis, no opt-out, and storing EU contact data outside the EU without safeguards.
Cold email is legal in the EU for business-to-business outreach, but it is regulated, and “regulated” is the word that trips people up. There is no EU law that says “you may not send cold email.” There are two laws that say “you may, if you do it this way”: the General Data Protection Regulation (GDPR), which governs the personal data you process, and the ePrivacy Directive (2002/58/EC), which governs electronic marketing messages. For most B2B senders, the path is legitimate interest under GDPR plus an identifiable, opt-out-friendly email under ePrivacy. The catch is that ePrivacy is a directive, not a regulation, so each member state implements it slightly differently, and a few countries are notably stricter. This guide walks through the short answer, the two laws, the country differences, and the checklist that keeps a sender on the right side of the line.
This is general information, not legal advice. GDPR and ePrivacy are interpreted by national regulators, and your situation may differ. Check the rules in the country you are emailing into, and talk to a qualified advisor before you scale a program.
Is cold email legal under GDPR?
Yes. GDPR does not ban cold email; it requires a lawful basis for processing the recipient’s personal data, and for B2B outreach that basis is normally legitimate interest, set out in Article 6(1)(f). The regulation’s own text supports this. Recital 47 states that “the processing of personal data for direct marketing purposes may be regarded as a legitimate interest.” A work email address tied to a named person is personal data, so sending to it is processing, and legitimate interest is the basis that makes that processing lawful without asking permission first.
Legitimate interest is not a free pass. To rely on it you are expected to run and document a Legitimate Interest Assessment (LIA), which is a three-part test: a purpose test (is there a genuine, specific interest), a necessity test (is the outreach actually needed to achieve it), and a balancing test (do the recipient’s rights and reasonable expectations override your interest). “We want to sell something” fails the purpose test. “We sell a tool that solves a specific operational problem, and this contact’s role and company fit that problem” is the kind of reasoning that holds up. B2B sits on safer ground than B2C here, because a professional contacted at their work address about a relevant business matter has a weaker expectation of privacy than a private individual at home.
GDPR or ePrivacy: which law actually governs cold email?
Both, and they stack. GDPR governs the data; the ePrivacy Directive governs the message. Where ePrivacy has a specific rule for the same situation, it takes precedence over the general GDPR rule. So even when GDPR’s legitimate interest covers your data processing, the ePrivacy national implementation can still set the bar for whether and how you may email.
One thing changed recently and is worth knowing. The EU spent years drafting an ePrivacy Regulation to replace the 2002 Directive, but the European Commission formally withdrew that proposal in February 2025. The replacement never happened. As of 2026, the ePrivacy Directive (2002/58/EC) is still the law, and each member state still applies its own national version. (A separate November 2025 “Digital Omnibus” proposal would move cookie rules into the GDPR itself, but that is a draft about cookies, not cold email, and it is not in force.) The practical takeaway: there is no single EU-wide email rulebook coming soon. You comply country by country.
Do you need consent to cold email a business in the EU?
In most EU countries, no, you do not need prior consent to cold email a business, as long as you rely on legitimate interest and follow the conditions. The ePrivacy Directive’s default for unsolicited commercial email is prior consent (Article 13(1)), with a “soft opt-in” exception for existing customers (Article 13(2)). But most member states layered a B2B exemption on top: you may email a corporate address for direct marketing without prior consent, provided you identify yourself clearly and include a working opt-out.
That is the general rule. It is not universal, and the exceptions are where senders get burned. The safe mental model is: B2B legitimate interest works in most of the EU, consent is the safer route for B2C everywhere, and a couple of countries demand consent even for B2B.
Why do Germany and France have such different rules?
Because each country implemented the ePrivacy Directive in its own national law, and they made different choices about B2B. Germany and France are the two examples worth knowing because they sit at opposite ends.
Germany is the strictest major market. German courts interpret section 7 of the UWG (the unfair-competition act) narrowly, and the upshot is that unsolicited commercial email generally requires prior consent, often documented via double opt-in, even in B2B. The “soft opt-in” does not reliably work there. Cold emailing German contacts without consent is genuinely high-risk.
France is permissive for B2B. The French regulator, the CNIL, allows B2B prospecting email without prior opt-in when the message relates to the person’s profession (emailing someone about a product relevant to their job). France requires opt-in for B2C. So the same cold email can be lawful in France and unlawful in Germany, sent on the same day.
Here is the country picture for B2B cold email in 2026:
| Country | B2B cold email without prior consent? | Key rule | Strictness |
|---|---|---|---|
| Germany | No (effectively requires consent) | UWG section 7, read narrowly by courts | Strictest |
| France | Yes, if relevant to the person’s profession | CNIL B2B exemption; B2C needs opt-in | Permissive (B2B) |
| Netherlands | Yes, with conditions | B2B exemption; identify + opt-out | Moderate |
| Ireland | Yes, with conditions | B2B exemption under national ePrivacy rules | Moderate |
| Belgium | Yes, with conditions | B2B exemption; identify + opt-out | Moderate |
| Nordics (SE/DK/FI/NO) | Generally yes for B2B | National variations, B2B leans permissive | Moderate |
Always check the live national rule before you email into a country, because these are national implementations and they shift. The table is a starting map, not a legal sign-off.
What’s on the compliant-sender checklist?
If you are emailing EU B2B contacts under legitimate interest, these are the conditions that keep it lawful. They come straight from GDPR and ePrivacy, not from a vendor playbook.
- Target a genuine business fit. The recipient’s role and company should plausibly need what you sell. This is your purpose and balancing test in practice. Random blasts fail it.
- Identify yourself clearly. Real sender name, real company, real reply address. Hiding who you are breaches ePrivacy’s identification rule and torches the legitimate-interest balance.
- Disclose how you got their data. GDPR Article 14 requires that, when you did not collect the data from the person directly (you found it, bought it, or scraped it), you tell them where it came from and what you hold, no later than one month or at first contact. Put it in the email, not a footer nobody opens.
- Offer an easy opt-out in every message. The Article 21 right to object to direct marketing is absolute: no balancing test, no exceptions. A one-click unsubscribe satisfies it. When someone objects, you stop, permanently.
- Honour deletion and objection requests fast. Suppression has to be real and durable, not a list you re-import next quarter.
- Store the contact data securely, with disclosed residency. Where EU personal data physically lives, and who can reach it, is part of compliance, not an afterthought.
What makes a cold email illegal in the EU?
The same three failures show up in almost every enforcement story, and none of them is “you sent a cold email.”
The first is data with no lawful basis, usually scraped contacts where you cannot explain a genuine legitimate interest or where you ignored Article 14 and never disclosed the source. The second is no opt-out, or an opt-out you do not honour, which breaches the absolute Article 21 right and removes the safety valve regulators expect to see. The third is storing EU personal data outside the EU without safeguards, most often by piping it into a US-based tool whose provider can be compelled to hand it over under US law regardless of where the server sits. That last one is less about the email and more about the stack behind it, and it is the part most senders never check.
The honest summary: cold email is not the risk. Scraping without a basis, ignoring opt-outs, and careless data storage are the risk. Fix those three and a B2B program is on defensible ground in most of the EU.
Where your data lives is part of “legal”
People treat “is cold email legal” as a question about the message. Half of it is a question about the data. If your outreach tool stores EU contacts in the US, GDPR’s rules on international transfers and the reach of US law become your problem, not the vendor’s. This is why EU-targeting teams increasingly ask a second question alongside “can I send this”: where does this tool keep my prospects’ data, and who can access it. We cover that in detail in GDPR-compliant cold email and, for AI-driven outreach specifically, in GDPR-compliant AI outbound.
This is the part of the problem Pyng is built around. Pyng is an EU-native AI outbound platform that stores data in an EU region and isolates each customer’s data from every other’s. Pyng is early and pre-launch, so that is a description of how it is built, not a customer outcome, and the certifications that prove these claims are on the roadmap, not done. But the design choice is deliberate: for an EU-targeting sender, the tool’s data posture is part of whether the program is lawful, so it should be provable, not asserted. You can see how that is built on the security page.
The short version
Cold email is legal in the EU for B2B. You rely on legitimate interest under GDPR (Recital 47 backs it), you follow the ePrivacy Directive’s national rules (which vary, with Germany strict and France permissive), and you identify yourself, disclose your data source, and offer a real opt-out every time. The ePrivacy Regulation that was meant to standardise this was withdrawn in 2025, so the country-by-country patchwork is here for a while. Get the lawful basis, the opt-out, and the data storage right, and a B2B program holds up. Skip them and the problem was never that you sent a cold email.
FAQ
Is cold email legal in the EU? Yes, for B2B. Cold email is legal in the EU when you rely on legitimate interest as your lawful basis under GDPR (Article 6(1)(f), supported by Recital 47), follow the ePrivacy Directive’s national rules, identify yourself, disclose how you obtained the contact’s data, and include an easy opt-out in every message. It is regulated, not banned.
Do I need consent to cold email a business in the EU? Usually not. In most EU countries you can cold email a corporate address under legitimate interest without prior consent, provided you identify yourself and offer an opt-out. The Netherlands, Ireland, Belgium and the Nordics generally allow it. Germany is the main exception, where prior consent is effectively required even for B2B.
Is cold email legal in Germany or France? They are opposite cases. Germany is the strictest EU country: under section 7 of the UWG, unsolicited commercial email generally needs prior consent, and courts read the exceptions narrowly. France is permissive for B2B: the CNIL allows prospecting email without opt-in when it relates to the recipient’s profession, while requiring opt-in for B2C.
What is “legitimate interest” in plain terms? It is a lawful basis under GDPR that lets you process someone’s data without asking permission first, when you have a genuine, specific reason and the recipient’s rights do not override it. For cold email you should document a Legitimate Interest Assessment: a real purpose, the necessity of the outreach, and a balance that respects the recipient. “We want to sell” is not enough; a specific fit is.
Can I cold email EU contacts from the US? You can send from anywhere, but if you process or store EU residents’ personal data, GDPR applies to you regardless of where you sit, and the ePrivacy national rules of the destination country still govern the message. Many US-based tools also store EU data on US-controlled infrastructure, which raises separate transfer and access questions. Where the data lives, and who can reach it, matters as much as where you press send.
Pyng is an EU-native AI outbound platform, currently pre-launch. We build in the open and we will tell you exactly what is live and what is still being built. This article is general information, not legal advice.