GDPR & Outreach

B2B Email Opt-In: When You Need It, When You Don't

Most UK B2B founders overthink opt-in. Here's a practical rulebook based on legal-entity type and purpose.

Albert Rosu · 5 min read

Confusion about UK B2B email opt-in costs founders real time. The short answer: you need explicit opt-in far less often than you think, and more often than cold-email agencies pretend. Here’s the practical rulebook.

The decision tree

Ask these three questions about each email you send:

1. Is the recipient a Ltd company or LLP?

  • Yes → PECR B2B exemption may apply. You can proceed under legitimate interest (Art 6(1)(f) UK GDPR) with a documented balancing test.
  • No (sole trader, partnership, overseas individual) → treat as consumer. Opt-in required.

2. What’s the purpose?

  • Cold outreach about a product/service → Legitimate interest pathway (subject to balancing test)
  • Newsletter / content marketing → Soft opt-in only works for existing customers. Otherwise opt-in required.
  • Transactional (invoice, support response) → No opt-in needed. Contract basis.
  • Re-engagement of dormant contacts → Depends on original collection basis.

3. What’s the contact source?

  • Publicly available business contact (website “contact us” page) → Legitimate-interest often defensible
  • Bought email list → Almost never defensible. Multiple ICO cases against this.
  • Scraped from LinkedIn → Almost never defensible + TOS risk
  • Event attendee list where you paid to access → Check the event’s opt-in language; often not transferable
  • Previously-engaged prospect (responded, downloaded, etc.) → Depends on what you told them at that moment

When opt-in IS required

  • Sole traders and non-LLP partnerships
  • Any consumer-facing marketing (B2C)
  • Newsletters to non-customers
  • Multi-product up-sell to customers of one product (soft opt-in applies only to “similar products”)
  • Overseas recipients under stricter regimes (GDPR applies to EU citizens + UK)

When opt-in is NOT required

  • Cold first-touch to a Ltd/LLP under B2B exemption + documented legitimate interest
  • Transactional emails (order confirmations, invoices, support)
  • Legal notices (terms changes, policy updates)
  • Follow-ups to responses you already received

Common scenarios and the right answer

Edge cases that founders ask about repeatedly:

  • “They attended our webinar and gave us their email.” If the webinar signup clearly said “we will email you about our products”, that is opt-in and you can proceed. If it only said “we will email you about this webinar”, further marketing needs fresh consent.
  • “They downloaded our whitepaper.” Same rule. The opt-in must specifically cover marketing, not just the one-off download.
  • “They replied to our cold email.” A reply is engagement, not opt-in. You can continue the conversation on legitimate interest grounds, but if they stop replying you cannot drop them into a nurture sequence without a new opt-in.
  • “They connected with us on LinkedIn.” A LinkedIn connection is not consent for email marketing. DMs on the platform are governed separately.
  • “They gave us a business card at an event.” Ambiguous. Best practice is to follow up once specifically referencing the event, then ask whether they would like future emails.
  • “We are renewing an existing customer relationship.” Soft opt-in covers “similar products or services”. New-product cross-sell to existing customers often does not qualify and needs explicit consent.

When in doubt, the conservative answer is usually correct: fresh opt-in where the scope is unclear.

The hybrid: soft opt-in

Regulation 22(3) lets you email existing customers about similar products without explicit consent, as long as you gave them an opt-out at the original collection point and in every subsequent email. Narrow. Don’t lean on it for cold outreach.

The documentation bar

For legitimate-interest processing:

  1. Identify the purpose in writing (one paragraph)
  2. Identify why processing this data is necessary
  3. Run the balancing test — why your interest doesn’t override theirs
  4. Retain the documentation
  5. Review annually

The ICO has said repeatedly: no documentation = no defence.

What goes in the email

Required by PECR and Companies Act:

  • Clear sender identifier (company name, registered address, company number)
  • Working one-click unsubscribe
  • Subject line not misleading
  • No impersonation of prior conversation

Optional but strongly advised:

  • Reference to why you thought they’d be relevant (proves legitimate interest + reduces annoyance)
  • Frequency statement (“we’ll follow up once; that’s it”)

Running a compliant opt-in form

For the scenarios where opt-in is required, the form itself has to meet a clear bar:

  • Unambiguous action. A checkbox, clearly labelled. Pre-ticked does not count.
  • Specific purpose. “We will send you product updates and occasional marketing” beats “we may contact you”.
  • Identified sender. Your company name on the form. Not “get in touch”.
  • Linked privacy policy. One click away, with retention, sub-processors, and rights listed.
  • Single-purpose consent. Don’t bundle marketing consent with terms acceptance. The ICO treats bundled consent as no consent.
  • Timestamped storage. Capture when and where the opt-in was given, and what they were told at the time.

A well-designed opt-in form is unobtrusive but specific. The goal is informed consent, not maximising conversions at any cost.

Frequently asked questions

Is legitimate interest easier to defend than consent? Usually yes for UK B2B cold outreach. Consent is binary and revocable; legitimate interest survives with good documentation. For cold first-touch to Ltd contacts, legitimate interest is typically the right pathway.

What if a prospect says they never opted in? If you relied on consent, produce the opt-in record (timestamp, source, wording). If you relied on legitimate interest, produce the balancing-test document and the sender identification. Either way, apology plus immediate opt-out is always the right operational response regardless of who is technically right.

How long can we keep someone in our system after opt-out? Personal data should be deleted or fully anonymised on opt-out, except for the minimum record required to prove the opt-out was honoured. Most UK B2B operators retain a suppression list indefinitely for that single purpose.
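The record-keeping described in the form section (timestamped storage of when, where and what the person was told), the "produce the opt-in record" answer, and the suppression-list answer above are the same data-handling problem. Below is an added example, not LeadKing code or anything from the original post, of a minimal consent store: it refuses pre-ticked or bundled consent, keeps the evidence needed on challenge, only permits email for the purpose the wording covered (so a "this webinar" opt-in does not unlock marketing), and on opt-out deletes the personal data while retaining a keyed hash plus timestamp as the minimum proof the opt-out was honoured. The secret key, addresses and form URLs are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed for this example: a server-side secret so a leaked suppression
# list does not directly reveal who opted out. Load it from a secret store.
SUPPRESSION_KEY = b"example-only-secret-replace-in-production"


@dataclass
class ConsentRecord:
    """What you must be able to produce if a prospect says they never opted in."""
    email: str
    captured_at: datetime      # when the opt-in was given (timezone-aware)
    source: str                # where: form URL or page identifier
    wording: str               # exactly what the person was told
    purpose: str               # what the consent covers, e.g. "marketing"
    unbundled: bool            # True if not tied to terms acceptance
    pre_ticked: bool           # True if the box was pre-ticked (not consent)


@dataclass
class SuppressionEntry:
    """Minimum record kept after opt-out: no address, only a keyed hash and time."""
    email_hash: str
    opted_out_at: datetime


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building timezone-aware timestamps (assumed UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def normalise(email: str) -> str:
    return email.strip().lower()


def suppression_hash(email: str) -> str:
    # HMAC-SHA256 rather than plain SHA-256 so the list cannot be matched
    # against a dictionary of guessed addresses without the key.
    return hmac.new(SUPPRESSION_KEY, normalise(email).encode(), hashlib.sha256).hexdigest()


class ConsentStore:
    def __init__(self) -> None:
        self._consents: Dict[str, ConsentRecord] = {}
        self._suppressions: Dict[str, SuppressionEntry] = {}

    def record_consent(self, record: ConsentRecord) -> None:
        if record.pre_ticked:
            raise ValueError("pre-ticked checkbox is not consent")
        if not record.unbundled:
            raise ValueError("consent bundled with terms acceptance is not consent")
        if record.captured_at.tzinfo is None:
            raise ValueError("captured_at must be timezone-aware")
        key = normalise(record.email)
        # A fresh explicit opt-in after an earlier opt-out lifts the suppression.
        self._suppressions.pop(suppression_hash(key), None)
        self._consents[key] = record

    def opt_out(self, email: str, when: Optional[datetime] = None) -> None:
        key = normalise(email)
        when = when or datetime.now(timezone.utc)
        # Delete the personal data; keep only the keyed hash plus timestamp.
        self._consents.pop(key, None)
        h = suppression_hash(key)
        self._suppressions[h] = SuppressionEntry(h, when)

    def is_suppressed(self, email: str) -> bool:
        return suppression_hash(email) in self._suppressions

    def can_email(self, email: str, purpose: str) -> bool:
        # Suppression wins over any consent record; purpose must match the wording.
        if self.is_suppressed(email):
            return False
        rec = self._consents.get(normalise(email))
        return rec is not None and rec.purpose == purpose

    def evidence(self, email: str) -> Optional[dict]:
        """The record to produce on challenge: timestamp, source, wording, purpose."""
        rec = self._consents.get(normalise(email))
        if rec is None:
            return None
        return {
            "captured_at": rec.captured_at.isoformat(),
            "source": rec.source,
            "wording": rec.wording,
            "purpose": rec.purpose,
        }

    def opt_out_evidence(self, email: str) -> Optional[datetime]:
        """Proof that an opt-out was honoured, without retaining the address."""
        entry = self._suppressions.get(suppression_hash(email))
        return entry.opted_out_at if entry else None


if __name__ == "__main__":
    store = ConsentStore()
    store.record_consent(ConsentRecord(
        "Jane@Example.co.uk", utc(2024, 1, 1), "https://example.test/signup",
        "We will send you product updates and occasional marketing", "marketing", True, False))
    print(store.can_email("jane@example.co.uk", "marketing"))  # True
    store.opt_out("jane@example.co.uk")
    print(store.can_email("jane@example.co.uk", "marketing"))  # False
```

The purpose check is what makes the webinar and whitepaper scenarios mechanical: a record whose purpose is "webinar" never authorises a "marketing" send. Keying the suppression hash with a secret is a design choice beyond what the post states; it keeps the indefinitely retained list from becoming a reversible contact list if it leaks.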

Do we need double opt-in for B2B newsletters? Not legally required but strongly advised. Double opt-in reduces spam complaints, raises deliverability, and provides cleaner documentation if the ICO ever asks.

How LeadKing handles this

LeadKing discovery only surfaces business contacts from public UK business records. For outreach (post-launch), we plan a built-in compliance checklist that verifies legal-entity type before enabling cold email to sole traders.


Not legal advice.