What You Should Really Do About GDPR for Cold Email Outreach

GDPR. No doubt you are sick of hearing about it. We know we are. Prior to May 2018, when it was officially enacted, we read a thousand articles about it, and a thousand more since (one thing Pearl Lemon does better than almost anyone else: research). No doubt you have too, and you probably have the basic rules (almost) clear in your head.

You probably know that it is still OK to do cold email outreach on a B2B basis. You probably know that because the UK decided that B2B communications via email do not require an opt-in (that was one element of GDPR that the EU left up to its member states). And you may even wonder why you are getting all nervous about this stuff as we, as in the UK, are supposed to be leaving the EU soon anyway. But, as that is a political hot potato that politicians can’t even figure out yet, we’re not going to try, and we suggest that for now you do keep GDPR in mind.

And that’s where so many of the articles we read fell down. They explained the rules. But very few gave a clear, simple outline of how you should implement them yourself in a cold email campaign. So here is that very thing:

Know the 6 legal grounds for contacting someone

There are six legal grounds for storing someone’s information. It’s important to know all six in order to be clear about who you should email and why. For each email interaction you have with a cold lead, you should have at least one of these as a reason for contacting them in order to abide by GDPR rules.

Here they are:

  1. Opt-in consent: the prospect has opted in to your list or has given you permission to email them. 
  2. Contractual requirement: your business is required to process the customer’s personal data to fulfil a contract. 
  3. Legal compliance: your business is required to process the prospect’s data to be legally compliant. 
  4. Best interest: your business is required to process the data to protect the best interest of the data subject or the best interest of someone else. 
  5. Public interest: processing their data is essential to the interests of the public.
  6. Legitimate interest: there is some legitimate interest for you to email this prospect.

Be familiar with CPRA and other privacy laws

Before sending cold emails, you must familiarize yourself with the CPRA and other related privacy laws. The California Privacy Rights Act (CPRA) is a leading Act dedicated to protecting website visitors and ensuring that consumers are kept abreast of, and in charge of, how their data is used.

To be sure you’re not invading the privacy of your recipients or breaking any part of the CPRA, go through the document carefully and ensure you comply with the rules to avoid penalties. Any profit-making organization is expected to follow these guidelines for consumer privacy. If you collect people’s personal data in the course of your business, or you have it collected on your behalf, you are bound by this Act.

Target Your Ideal Client Accurately

Think about the geographic location you want to cover and the specific types of businesses that represent your best clients. If you do that, then most likely it is OK to make contact using a cold email introduction. Under GDPR you must have a good enough reason to be contacting the businesses with your email, be it a legitimate interest, necessity for initiating a contract or a legal obligation, but the good thing here is that this is a pretty broad definition.

Respect People’s Wishes

If someone asks you not to contact them again, honour the request. Make a note on their file not to contact them again, and ensure any other staff working with you understand what this means. The best way to do this is to use the email and domain blacklists, or equivalent functions, of whatever software and systems you are using. Many of them have added some very helpful GDPR protections, so make sure you take the time to review them (and then actually use them).

Don’t Harass People

If you regularly clear the list of sent emails so that everyone is contacted again, consider doing that less frequently. Depending on your particular industry and target market, it might be reasonable not to email cold prospects more often than once a quarter, for example. Don’t bombard people who haven’t subscribed with emails every few hours! (And actually, that’s always been a terrible idea, GDPR or not, so hopefully you’ve never done it anyway.)

Be Honest

Make sure that your email subject line is not a trick to get the email opened, as this can result in annoyance (to say the least). You know what it’s like when you see a video on YouTube or on Facebook with a headline that forces you to click it, and the content normally doesn’t live up to the promise. Instead, have a clear email subject line that conveys the key benefit the reader is likely to receive if they take action. Again, however, this is not something you should have needed GDPR to tell you; it’s basic common sense.

Make sure your targeting is appropriate

You should always make sure that the prospects that you are targeting are appropriate to your business and that your content is relevant to them. You should be doing this in general, but now with stricter rules and regulations, you should really tighten your lead generation techniques. Improve your quality control processes to make sure that no one marks you as spam. 

Verify every lead

Make sure to use an email verification tool to verify every single email address that you have on your list. This will decrease the chance that you might email someone else by mistake. 

Explain your legitimate interest in every email

Legitimate interest is one of the 6 lawful bases of processing data under GDPR rules. So if you have a legitimate interest in emailing someone and it’s relevant, then you can contact them. Don’t use this as a catchall excuse, however, because legitimate interest can be contested in court. So if you define this too broadly for yourself, you might get into legal trouble later. 

How do you include a legitimate basis in your emails? Very simply. Write one sentence about how you found the prospect’s email and why you think it’s relevant (and mutually beneficial) to have a conversation.

Here’s an example:

“Hi Bob, I found you on LinkedIn as I was looking to build my network of influencers in industry X and after researching your company I thought that our product/service might be of interest”.

Make it easy to unsubscribe

Always make it easy to unsubscribe or opt-out of your emails. You can do this in several ways. You can include an unsubscribe link or button on the bottom of each email. You can also write this as a short sentence like this: “simply reply ‘No Thanks’ if you aren’t interested in hearing from me again”. 

If someone asks you to unsubscribe put them on a suppression list and make sure that all of their data is removed from your database. 

Regularly cleanse your database

Beyond just putting a lead in a suppression list, you should also routinely check your database and delete inaccurate or outdated information. Cleaning old inaccurate data using a bulk email verifier is going to improve the deliverability of your emails.
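As an added example (not part of the original article), here is a small Python outreach gate that ties together the suppression list, domain blacklist and quarterly contact cap from the sections above, records a lawful basis and lead source for each prospect, and erases a lead's data on opt-out while keeping only a hash of the address so the request can still be honoured. The class and field names (OutreachGate, source, lawful_basis) are assumptions, as is the 90-day reading of "once a quarter".

```python
import hashlib
from datetime import date, timedelta

LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interest",
                "public_interest", "legitimate_interest"}
QUARTER = timedelta(days=90)  # assumed reading of "not more than once a quarter"

def _norm(email):
    return email.strip().lower()

def _fingerprint(email):
    # Suppression keeps only a hash: the opt-out is honoured after the record is
    # erased, though a hash of an address is still pseudonymised personal data.
    return hashlib.sha256(_norm(email).encode()).hexdigest()

class OutreachGate:
    def __init__(self):
        self.leads = {}           # email -> record with source + lawful basis
        self.last_contact = {}    # email -> date of the most recent email
        self.suppressed, self.blocked_domains = set(), set()  # opt-out hashes, domains

    def add_lead(self, email, record):
        if record.get("lawful_basis") not in LAWFUL_BASES or not record.get("source"):
            raise ValueError("lead needs a lawful basis and a recorded source")
        self.leads[_norm(email)] = record

    def can_contact(self, email, today):
        email, today = _norm(email), date.fromisoformat(today)
        if _fingerprint(email) in self.suppressed:
            return False, "opted out"
        if email.rsplit("@", 1)[-1] in self.blocked_domains:
            return False, "domain blacklisted"
        if email not in self.leads:
            return False, "no lead record, so no lawful basis or source on file"
        last = self.last_contact.get(email)
        if last is not None and today - last < QUARTER:
            return False, "contacted within the last quarter"
        return True, self.leads[email]["lawful_basis"]

    def record_contact(self, email, today):
        self.last_contact[_norm(email)] = date.fromisoformat(today)

    def opt_out(self, email):
        self.suppressed.add(_fingerprint(email))      # remember the wish...
        self.leads.pop(_norm(email), None)            # ...but erase the data
        self.last_contact.pop(_norm(email), None)

    def access_report(self, email):
        rec = self.leads.get(_norm(email))
        return None if rec is None else dict(rec, email=_norm(email))
```

The access_report result is what you would hand back to a "What data do you have of mine?" reply, and the source field is the lead generation note that answers "How did you find my email?".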

Personalize each email to make relevance clearer

This is a tip you should always be using, regardless of GDPR regulations. You should always customize and personalize every email. 

When we say personalize we aren’t just talking about adding the first name of your lead and spelling it correctly. You should also give them a compliment, referencing a blog post or project of theirs. 

Prepare an informative response to a GDPR complaint

Even if you do everything right, you might still get a complaint from one of the people you emailed. You have to make sure that you have a response prepared for every complaint. Here are some examples. 

“What right do you have to email me?”

This is a completely valid reply that you might encounter. The best response is an informative paragraph re-stating your legitimate interest and providing all of the context behind it. Explain the reasons that you thought that your product/service was relevant to the prospect.

“How did you find my email?”

Explain how you found their email and any relevant data on them. This is why it’s important to keep detailed lead generation notes to know where you sourced each lead list. 

“What data do you have of mine?”

The GDPR requires businesses to respond to every inquiry like this and disclose all of the data that they have on the prospect. Provide all the data that you have and how you obtained it. 

Here’s how you might respond to the prospect: 

“The only data that we hold is your first and last name, your job title and your email. As per your rights, we will delete all of your information immediately if you are not interested in our product or service. We will not sell your data to anyone.”


In order to be compliant with all the GDPR regulations, you should follow the basic tips that we outlined above. They are pretty easy to follow, and here they are again: 

  1. Know the 6 legal grounds for contacting the prospect
  2. Target your ideal client accurately
  3. Don’t harass people 
  4. Be honest
  5. Make sure that your targeting is appropriate
  6. Verify each lead
  7. Explain your legitimate interest
  8. Make it easy to unsubscribe
  9. Regularly cleanse your database
  10. Personalize each email 
  11. Prepare an informative response to a GDPR complaint

If you follow these rules, you will not only make your business more protected, but you will begin to improve the quality of your leads and your email marketing campaigns.