Outbound marketing and GDPR: When is it legal to email a stranger? 

You’ve probably already received countless promotional emails from your local internet provider, favorite sportswear store, or even your bank offering new deposit rates. And that’s just your personal inbox. 

But think for a moment: how many cold emails land in your business inbox every day from companies you’ve never even heard of? Some of you might feel frustrated — after all, you never shared your contact details with them. So, is this kind of outreach even legal? 

Let’s take a closer look. 

Why you’re getting all these emails 

Whether we’re talking about personal promotions or business offers, the logic is the same: that is simply how marketing works. Companies promote their products and services through multiple channels, and email outreach remains one of the most powerful sales strategies. 

In many cases, when you receive offers in your personal inbox, it’s because you consented to it indirectly: maybe you made a purchase, signed up for a newsletter, or filled out an online form. 

But when it comes to unsolicited business emails, things get a bit more complicated. That’s where the GDPR comes into play. 

What is GDPR, and why does it matter? 

GDPR stands for General Data Protection Regulation — a comprehensive data protection law introduced by the European Union in 2018. Its main goal is to give individuals more control over their personal data and ensure that organizations handle this data responsibly, transparently, and with consent. 

Under GDPR, personal data includes any information that can identify a person — such as their name, email address, or even IP address. This means that even sending an email to someone’s business address can fall under GDPR, depending on the context. 

When outbound marketing emails cross the line 

Outbound marketing emails can become illegal under GDPR if they violate certain principles — especially those related to consent and legitimate interest. Here are a few examples: 

  • Sending emails to private individuals (B2C) without prior consent.
  • Collecting email addresses through scraping tools or third-party lists without verification or legitimate basis.
  • Failing to provide an unsubscribe option or details on how the data was obtained.
  • Continuing to contact someone who has requested removal from your mailing list. 

Such actions can be viewed as unauthorized processing of personal data, leading to warnings, fines, or even legal action from data protection authorities. 

However, not all cold emailing is illegal — especially in the B2B (business-to-business) context. 

Under GDPR and related EU ePrivacy rules, companies can send business-related emails without prior consent if the message is: 

  • Relevant to the recipient’s professional role or company activity;
  • Addressed to a corporate email (e.g., name@company.com);
  • Sent with a legitimate interest — for example, offering a service that could benefit their business; and
  • Accompanied by a clear opt-out option.

In many cases, professional email addresses are publicly available on company websites, business directories, or professional networks like LinkedIn. When used responsibly and transparently, this kind of outreach complies with GDPR. 

Let’s look at a few examples that illustrate both sides: 

  1. Violation example — €15,000 fine in Austria (2020): 
    A marketing firm was fined for sending unsolicited promotional emails to individuals who never consented to receive them. The emails were sent to personal addresses obtained from online directories — without any legitimate interest. 
  2. Legal case — Business-relevant outreach in Germany: 
    A consulting firm sent cold emails to company directors offering compliance audit services. Since the emails were related to the recipients’ professional activity, clearly identified the sender, and included an unsubscribe option, regulators ruled the practice GDPR-compliant. 
  3. Violation example — Spain’s Data Protection Authority (AEPD, 2022): 
    A company was penalized for failing to provide information on how it obtained the recipients’ contact details and for not including an unsubscribe link. Transparency is a key requirement under GDPR. 

Key takeaways for ethical B2B email marketing 

  • Use corporate, not personal, email addresses.
  • Ensure your message is professionally relevant to the recipient.
  • Always include an opt-out link or reply option.
  • Be transparent about who you are and why you’re contacting them. 

Outbound email marketing can be a powerful and legitimate business tool — as long as it’s done responsibly and in line with GDPR principles. 

Not all GDPR-related “complaints” are made in good faith. The uncertainty around cold outreach rules has created a grey zone that can be exploited—especially by actors who use legal language to pressure companies into quick payments. 

1) How the scheme typically works 

In the most common scenario, a recipient gets an unsolicited outreach email (often B2B). Shortly after, a third party (sometimes presenting itself as a claims enforcer, “legal service,” or debt-collection-style company) steps in and sends a formal-looking notice. The message usually claims: 

  • the email was unlawful marketing,
  • GDPR (and/or local unfair competition rules) were violated,
  • compensation is owed for “non-material damage,” “legal expenses,” or “moral harm.” 

The notice then pushes for a fast settlement, often framed as “pay now and we won’t take this further.” 

2) What makes it suspicious 

While legitimate legal complaints exist, several red flags should raise caution: 

  • Pre-set compensation amounts with little explanation of real harm or evidence.
  • Communication exclusively through a third party, not the recipient.
  • Pressure tactics (short deadlines, urgent tone, threats of court).
  • Payment demanded to the sender’s account, not to the alleged “injured” party.
  • No clear proof of how data was processed unlawfully, or which legal basis is allegedly missing.
  • “Cooperation” offers that resemble profit-sharing (e.g., an arrangement where the recipient is encouraged to participate in claims to split proceeds). 

In some cases, the business model appears to be less about protecting rights and more about monetizing fear and uncertainty. 

3) The key legal reality (and why it matters) 

A crucial point for readers: a GDPR violation does not automatically mean someone is entitled to compensation. In many jurisdictions, compensation requires showing actual damage (material or non-material) and a link between the infringement and that damage. This makes “invoice-like” compensation demands, without substantiation, especially questionable. 

4) Practical takeaway for companies 

If you receive a GDPR-based demand after outreach: 

  • Don’t panic and don’t pay immediately.
  • Check legitimacy (company registration, legal representation, formal authority).
  • Request specifics (what data, what legal basis is claimed missing, what harm occurred).
  • Document everything (email headers, consent/logs, opt-out handling).
  • Consult counsel if a real claim appears credible. 
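The two checklists above (the B2B conditions and takeaways for compliant outreach, and the advice to keep consent logs and opt-out handling as evidence) can be enforced before a message leaves your systems. The following Python sketch is an added example, not code from the original post: a pre-send gate that rejects personal (freemail) addresses, addresses that have opted out, messages without an opt-out option, and addresses with no documented source, plus an evidence log of the lawful basis claimed for each send. The class and function names, the freemail domain list and the sample messages are constructed for illustration; a real deployment would plug the gate into the actual sending pipeline.

```python
"""Added example: pre-send compliance gate and opt-out ledger for B2B outreach.
Not part of the original post. The freemail domain list, class names and
sample messages are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed list: addresses at these providers are treated as personal (B2C)
# inboxes, which, as the post explains, require prior consent.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# The message must offer a way out; we look for the usual wording.
OPT_OUT_PATTERN = re.compile(r"\b(unsubscribe|opt[- ]?out)\b", re.IGNORECASE)


@dataclass
class OutreachRecord:
    """One row of the evidence log: who was contacted, on what basis, when."""
    recipient: str
    lawful_basis: str   # e.g. "legitimate interest" or "consent"
    source: str         # where the address came from (company website, directory ...)
    sent_at: str        # ISO-8601 UTC timestamp
    opt_out_present: bool


@dataclass
class OutreachLog:
    # Addresses that asked to be removed; checked on every send.
    suppression: set = field(default_factory=set)
    # Evidence trail: OutreachRecord rows and ("opt-out", address, when) tuples.
    records: list = field(default_factory=list)

    def record_opt_out(self, address: str, when: datetime | None = None) -> None:
        """Honour a removal request: suppress the address and log when it asked."""
        when = when or datetime.now(timezone.utc)
        self.suppression.add(address.lower())
        self.records.append(("opt-out", address.lower(), when.isoformat()))

    def precheck(self, recipient: str, body: str, source: str) -> list[str]:
        """Return the reasons this message would cross the line; empty if clean."""
        problems: list[str] = []
        addr = recipient.lower().strip()
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if not domain:
            problems.append("recipient is not a valid email address")
        elif domain in FREEMAIL_DOMAINS:
            problems.append("personal (B2C) address: prior consent required")
        if addr in self.suppression:
            problems.append("recipient previously opted out")
        if not OPT_OUT_PATTERN.search(body):
            problems.append("message lacks an unsubscribe / opt-out option")
        if not source.strip():
            problems.append("no documented source for the address")
        return problems

    def send(self, recipient: str, body: str, source: str,
             lawful_basis: str = "legitimate interest") -> list[str]:
        """Log the send only when the precheck passes; otherwise return the problems.

        Hooking up a real mail transport is left out on purpose: the point is
        that nothing is sent, and nothing is logged as sent, unless the gate passes.
        """
        problems = self.precheck(recipient, body, source)
        if problems:
            return problems
        self.records.append(OutreachRecord(
            recipient=recipient.lower().strip(),
            lawful_basis=lawful_basis,
            source=source,
            sent_at=datetime.now(timezone.utc).isoformat(),
            opt_out_present=True,
        ))
        return []


if __name__ == "__main__":
    log = OutreachLog()
    # Constructed sample: personal inbox, rejected even though an opt-out is present.
    print(log.send("jane.doe@gmail.com", "Hi Jane, unsubscribe here", "directory"))
    # Constructed sample: corporate inbox, documented source, opt-out present.
    print(log.send("cfo@acme.example", "Reply STOP or click Unsubscribe", "company website"))
    log.record_opt_out("cfo@acme.example")
    print(log.precheck("CFO@acme.example", "unsubscribe", "company website"))
```

When a demand letter arrives later, the `records` list is the evidence the post recommends keeping: which address was contacted, on what stated basis, where the address came from, that an opt-out was offered, and when any removal request was honoured.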

Conclusion 

Cold emailing can be legal, especially in B2B, when it’s relevant, transparent, and respectful of opt-outs. But the same grey areas that confuse marketers can be exploited by bad-faith actors using legal threats as a revenue tool. The safest strategy is simple: run compliant outreach, keep evidence of your lawful basis, and treat aggressive “pay-to-avoid-court” demands with careful scrutiny. 
