Can You Send Emails to Companies Without Their Consent? What the Law Says in 2026
Introduction: The Question Everyone Asks When They Want to Start Reaching Out to Companies
You want to send an email to a company you have never communicated with. You don’t have their consent. You don’t have an opt-in. You simply found their contact and want to offer your service.
Is it legal? Or are you risking a fine?
This question holds back thousands of freelancers, agencies, and small businesses across Europe. Fear of GDPR is one of the most common reasons people don’t start direct outreach to companies — even though it’s the most effective way for them to acquire clients.
The truth is, the situation is not as clear-cut as it seems. It’s not “all forbidden” and it’s not “all allowed.” This article will explain what the law actually says, what rights you have, and where the boundaries lie.
Note: This article is an informative overview, not legal advice. If you need legal certainty for a specific situation, consult a lawyer or a data protection specialist.
1. GDPR and B2B Email: The Basic Principle
GDPR (General Data Protection Regulation) protects personal data of individuals within the European Union and EEA. An email address is personal data — even if it’s a corporate one (jan.novak@firma.sk still identifies a specific person).
This means that to process this email address, you need a legal basis. GDPR defines six legal bases. For B2B cold emailing, two are relevant:
Consent: The individual has actively permitted you to send them emails. This is the basis on which newsletters operate — you signed up, you consented.
Legitimate interest: You have a legitimate business reason to contact the individual, and this interest outweighs their right to privacy. This is the basis on which B2B cold email can operate.
Key point: GDPR does not prohibit contacting companies without prior consent. It allows it based on legitimate interest — but with conditions.
2. Legitimate Interest: What It Means in Practice
Legitimate interest is not a blank check to send emails to anyone. It’s a legal basis that requires meeting three conditions (the so-called legitimate interest test):
You have a legitimate interest. You want to offer a relevant service to a company that could benefit from it. This is a standard business interest, and GDPR recognizes it.
The processing is necessary. You cannot achieve this goal in a less invasive way. If the only real way to contact the company is through an email to its publicly available address, this condition is met.
The recipient's interest is not unduly compromised. Your message is relevant and not misleading, your approach is not aggressive, and the recipient can easily unsubscribe or decline.
In practice, this means:
If you send a personalized email to a company in your target group with a relevant offer, identify yourself, state why you are contacting them, and provide an easy way to decline — you are operating within legitimate interest.
If you send the same generic email to thousands of companies without any relevance, without identification, and without an option to decline — that is not legitimate interest.
3. What Your Email Must Contain to Comply with GDPR
Even when sending an email based on legitimate interest, you must adhere to several rules:
Sender identification. The recipient must know who is writing to them — your name, company, contact details. Anonymous emails from “noreply” addresses are problematic.
Relevance of the message. The email should be relevant to the recipient — not a random offer, but something related to their industry, company, or situation.
Option to decline. The recipient must have an easy way to say “don’t send me more” — and you must immediately respect this request. You do not need to have a formal “unsubscribe” link like in a newsletter (you are not a newsletter). It is sufficient if it is clear that the recipient can respond and decline.
Transparent source of data. If the recipient asks where you got their contact, you must be able to answer. “From publicly available corporate sources” or “from a corporate database that draws from business registers and public sources” is an acceptable answer.
4. The Difference Between B2B and B2C (Why It Matters)
GDPR considers not only the personal data itself but also the context in which it is processed. In practice, this means that B2B communication has different rules than B2C.
When you send an email to jan.novak@firma.sk in the context of his professional role (he is a marketing manager and you are offering marketing services), the context is business. The legitimate interest is stronger here because:
You are contacting the individual in their professional capacity.
Your offer relates to their job role.
The expectation of privacy is lower in a professional context than in a personal one.
This does not mean that B2B emails are automatically fine. It means that the legitimate interest test is easier to meet in a B2B context.
B2C (sending emails to private individuals at personal addresses) is a completely different situation and usually requires explicit consent. This article focuses exclusively on B2B.
5. ePrivacy and National Legislation: Why GDPR Is Not the Only Law
GDPR is not the only law regulating emails. Each country in the EU has its own implementation of the ePrivacy directive, which relates to electronic communications. And the rules vary:
Some countries are stricter. For example, Germany (UWG — Act Against Unfair Competition) requires stricter conditions for B2B cold emails than GDPR itself. It is advisable to have very clear relevance and documented legitimate interest.
Some countries are more lenient. For example, the UK (which applies its own version of GDPR post-Brexit) has relatively favorable rules for B2B cold emailing.
Central European countries (Slovakia, Czech Republic, Austria, Poland, Hungary, Switzerland) have their own implementations but generally recognize legitimate interest as a basis for B2B communication, provided there is relevance and an option to decline.
Practical conclusion: If you are reaching out to companies in multiple countries, adhere to the strictest standard — personalization, relevance, identification, option to decline. If you follow this, you are in a safe zone in most European countries.
6. What to Do When Someone Requests Deletion
GDPR grants every individual the right to deletion (“right to be forgotten”). If the recipient responds, “I’m not interested, delete my data,” you must:
Immediately stop sending emails to that address.
Delete the contact from your database or mark it as “blacklist” — so you never contact them again.
Confirm the deletion (you don’t have to do it formally, but it’s good practice).
At DataSend.ai, this is handled automatically — when a response contains a request for deletion or refusal, AI classification marks it as “Blacklist” and the contact is automatically removed from all campaigns and future outreach. You don’t have to think about it — the system takes care of it for you.
7. Common Myths About GDPR and Cold Emailing
“Cold emailing is prohibited by GDPR.” It is not. GDPR allows B2B communication based on legitimate interest. It is not an automatic permission, but it is not a prohibition either.
“I need opt-in for every email.” Not for B2B cold emailing. Opt-in (consent) is required for newsletters and marketing emails to existing audiences. For personalized B2B outreach, legitimate interest serves this purpose.
“If I use a contact database, I am violating GDPR.” No, if the database draws from publicly available and legitimate sources and you process the data based on legitimate interest while adhering to all rules.
“I risk a fine of 20 million euros for one cold email.” Fines are imposed for systematic and serious violations, not for one relevant email. This does not mean you shouldn’t strive to be compliant — but the fear of a draconian fine for normal business communication is unfounded.
“It’s enough to put an ‘unsubscribe’ link at the end of the email.” Cold email is not a newsletter. A formal unsubscribe link is not mandatory. What’s important is that the recipient can easily decline — by replying to the email or through another simple method. And you must respect this refusal.
8. Checklist: Is Your B2B Cold Email Compliant?
Before launching a campaign, check:
Are you contacting companies (B2B), not private individuals?
Is your offer relevant to the industry and role of the recipient?
Do you identify yourself in the email (name, company, contact)?
Does the recipient have an easy way to decline?
Can you explain where you got the contact details?
Do you have documented legitimate interest?
Do you immediately respect deletion requests?
Are you avoiding sending the same generic email to thousands of people?
If you answer “yes” to all questions, you are operating within what GDPR and most European legislation allows.
Conclusion: Fear of GDPR Is Not a Reason to Avoid Reaching Out to Companies
GDPR is not the enemy of B2B communication — it is a framework that protects people from spam and data misuse. If you reach out to companies relevantly, transparently, and with respect for their right to decline, you are operating within the law.
The biggest risk is not a fine for a relevant cold email. The biggest risk is that due to fear of GDPR, you never start reaching out to companies — and never acquire the clients you need.
Want to reach out to companies in compliance with GDPR? DataSend.ai draws data from publicly available sources, automatically handles blacklisting, and provides you with tools for personalized, relevant communication. Database, campaigns, and pipeline all in one place.