
GDPR-Compliant Cold Outreach: What UK Law Actually Says

What UK GDPR + PECR actually say about cold B2B outreach. Practical guide for founders, with ICO enforcement examples.

Marius Nicola · 12 min read

UK cold outreach law is less scary than LinkedIn posts claim. It is also not as permissive as some cold-email agencies sell it. The honest position is this: there is a legal way to do cold B2B outreach in the UK, it requires some thinking, and most of the horror stories come from people doing it wrong in ways that are easy to avoid.

This guide is for founders and operators. Not legal advice — where it matters, you want your own solicitor. But it is close enough to help you get the core decisions right.

Two laws, not one

UK cold outreach is governed by two laws, and confusing them is the first mistake:

  • UK GDPR (plus the Data Protection Act 2018) governs how you handle personal data — collection, storage, retention, sharing. It applies to both consumers and business contacts.
  • PECR (Privacy and Electronic Communications Regulations 2003, amended multiple times) governs electronic marketing — email, SMS, phone calls. This is what decides whether you can send a cold email to someone.

Most cold-email compliance discussion conflates the two. PECR is the one that matters for outreach; GDPR matters for what happens to the data afterwards. Both apply.

Lawful bases for B2B outreach

Under UK GDPR, every processing of personal data requires a lawful basis (Article 6). Six possible bases exist. For cold B2B outreach, two matter: legitimate interest and consent. Consent (Art 6(1)(a)) is only available where you actually hold a freely given, specific, recorded opt-in, which by definition you do not for a first-touch cold email. That leaves:

Legitimate interest (Art 6(1)(f)) — most relevant

You can process business contact data under legitimate interest if three conditions hold:

  1. Purpose test. You have a genuine business purpose (selling to businesses).
  2. Necessity test. Contacting this person is necessary to achieve that purpose (no less intrusive way).
  3. Balancing test. The individual’s rights and freedoms do not override your interest.

The balancing test is where cold-email agencies get lazy. It requires documenting that you considered the individual’s reasonable expectation. A senior executive whose work email is on their company website reasonably expects work-related inbound. A sole trader whose personal Gmail was scraped from a random forum does not.

Document the balancing test in writing, before sending. The ICO has flagged this repeatedly. No document = no defence.

Soft opt-in (PECR regulation 22(3)) is often listed alongside these, but it is a PECR rule about when you may send marketing email, not an Article 6 basis. It applies only where you obtained the contact details in the course of a sale or negotiations for a sale to that person, you are marketing your own “similar products or services”, and you offered a simple opt-out when you collected the details and in every message since. It does not apply to cold outreach by definition. Do not lean on it for first-touch emails.

PECR B2B exemption — and its trap

PECR has a widely-misunderstood “B2B exemption”. Strictly it is a scope limit rather than an exemption: regulation 22’s consent requirement for unsolicited marketing email applies to individual subscribers, so corporate subscribers (companies and other bodies with their own legal personality) fall outside it. The practical effect, as the ICO’s guidance explains, is that you may send unsolicited marketing email to corporate subscribers without prior consent, subject to regulation 23 (do not conceal your identity, provide a valid address for opt-out requests) and to UK GDPR.

The trap: sole traders are not corporate subscribers. Nor are partnerships without legal personality. PECR puts them in the same category as consumers (individual subscribers) for the purposes of electronic marketing. This means:

  • Limited companies (Ltd): corporate subscriber. Exemption applies. You can email without prior consent (but must identify yourself, honour opt-outs, and still comply with GDPR).
  • Sole traders: consumer (individual subscriber). Exemption does not apply. You need consent to send marketing email.
  • Partnerships (non-LLP): consumer, same as sole traders. The one exception is a Scottish partnership, which has separate legal personality and is treated in ICO guidance as a corporate subscriber.
  • LLPs: corporate subscriber. Exemption applies.

If you are selling to UK SMBs and do not know the legal structure of your target, assume conservative — treat as consumer unless you can verify Ltd/LLP.

LinkedIn: the messy middle

LinkedIn outreach is harder because three frameworks overlap:

  • UK GDPR applies to personal data in your CRM (name, title, employer).
  • PECR may well apply to LinkedIn DMs. The statutory definition of “electronic mail” is technology-neutral: any text, voice, sound or image message sent over a public electronic communications network that can be stored until the recipient collects it, with SMS expressly included. The ICO’s direct marketing guidance reads that as covering direct messages on social platforms, so do not treat in-platform messaging as a PECR-free zone; apply the same consent / corporate-subscriber analysis as for email.
  • LinkedIn’s own Terms of Service restrict automated messaging, scraping, and mass-connect.

The cleanest LinkedIn approach:

  1. Send connection requests with a personalised note. Do not automate this with tools that violate LinkedIn TOS.
  2. After connection, send a normal DM — not a mass-blast. LinkedIn’s rate limits and TOS apply.
  3. Do not scrape LinkedIn profile data into your CRM. LinkedIn itself has litigated against scrapers (hiQ Labs v. LinkedIn ran for years in the US courts); the legal risk is real.

Scraping LinkedIn is separately risky from cold outreach. The exposure is not only UK GDPR (profile data is personal data, and scraping it still needs a lawful basis and a balancing test of its own) but also contract law (TOS breach) and database right or copyright in the site’s content.

Email outreach: what to include to stay compliant

Every compliant UK cold B2B email should have:

  1. Clear sender identification — your company name, company number and registered address. For UK-registered companies, Companies Act 2006 s.82 and the Companies (Trading Disclosures) Regulations 2008 require the registered name on all business correspondence in any form, and the registered number, place of registration and registered office address on business letters, order forms and websites; a business email is business correspondence. PECR regulation 23 separately forbids concealing the sender’s identity and requires a valid address for opt-out requests.
  2. The legitimate interest basis made plain — e.g. “we are contacting UK Ltd companies whose leadership has posted about [topic]”. Explain why you thought this person was relevant.
  3. Opt-out mechanism — one-click unsubscribe. Honour it promptly. Under UK GDPR Article 21 an objection to direct marketing is absolute: processing for that purpose must stop, and the one-month deadline for responding to rights requests is the outer limit for acknowledging it, not a window in which you may keep sending. PECR regulation 23 requires a valid address at which opt-out requests can be made, and ICO practice expects them honoured in days.
  4. Proportionate frequency — one initial outreach and one follow-up is reasonable. Six follow-ups is not.
  5. Relevance — the content has to be plausibly relevant to the recipient’s role. Generic blasts fail the legitimate interest balancing test.

What to leave out: dark patterns (fake urgency, misleading subject lines), pre-ticked consent boxes anywhere in your funnel, impersonation of previous conversations.

The balancing test, written out

The most common gap in UK cold-outreach practice is the undocumented balancing test. Most operators think “well, it’s B2B, we’re fine”, send the emails, and never write anything down. When the ICO comes asking — and they do — there is nothing to produce. Fix this with a short, dated document you can reproduce on request.

A minimum-viable balancing test for a UK B2B cold-email campaign might read:

  1. Purpose. To introduce [product] to [named segment — e.g. Ltd-registered UK B2B SaaS companies, £1M–£10M turnover, with a sales-ops function].
  2. Necessity. Direct outreach to a named decision-maker is the most effective way to assess product-market fit at this stage. Less intrusive options (advertising, inbound content) either do not reach this segment or take materially longer to produce a meaningful signal.
  3. Impact on individual. The recipient is a senior employee at a Ltd company whose business email is publicly listed on their employer’s corporate website. They receive an estimated [x] unsolicited business emails per week in the normal course of their role. One additional relevant, clearly-identified, single-follow-up email is unlikely to cause material distress.
  4. Mitigations. We honour opt-out immediately. We cap frequency at two emails total. We include sender identification, registered address, and Companies House number. We do not use dark patterns. We limit retention to 18 months.
  5. Outcome. We conclude legitimate interest is engaged and is not overridden by the individual’s reasonable expectations.

Sign, date, file. Review quarterly. If your campaign materially changes — new segment, new message, new cadence — redo it. This takes an hour the first time and ten minutes thereafter. It is the single cheapest compliance habit in UK B2B.

Sole traders: the detail most guides miss

The sole-trader edge case deserves its own section because most US-origin cold-email guides simply skip it, and a lot of UK campaigns walk straight into the same pothole.

Under PECR regulation 22, unsolicited marketing by electronic mail to individual subscribers requires prior consent. PECR defines an “individual” as a living individual, including an unincorporated body of such individuals; the Information Commissioner’s guidance on direct marketing, updated as recently as 2024, applies that to sole traders and (outside Scotland) unincorporated partnerships. This is not folklore. The result is:

  • A London-based consultancy trading as a sole trader with a business email on a .co.uk domain is, for PECR, a consumer.
  • A two-person partnership trading without LLP registration is, for PECR, two consumers.
  • A Ltd company with one employee — the same person, but legally distinct — is a corporate subscriber.

The practical effect on your list-building: you need to filter by legal structure, not by the look of the email address. Companies House data gives you the legal structure for Ltd and LLP registrations. Sole traders do not appear in Companies House at all — they are invisible to that register. A business email on its own is not evidence of incorporation.

A workable rule: if you cannot confirm Ltd or LLP status via Companies House (or equivalent for other UK registers), exclude the contact from PECR-exempt campaigns. Route them through a consented channel or leave them out entirely.
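Here is that list-building gate, and the Ltd/LLP rule from the PECR section above, in code. This is an added example, not LeadKing’s pipeline: the register is constructed, the Companies House `company_type` values `ltd`, `plc` and `llp` are real company-profile values, and the bucket names and `Contact` fields are my own. It decides the PECR route from the registered legal form and status, never from the look of the email address, and falls back to the conservative route whenever it cannot verify.

```python
"""PECR route gate: which contacts may be emailed under the corporate-subscriber
rule, decided from the Companies House record rather than the email address.

Added example, not LeadKing code. The register below is constructed; the
company_type values "ltd", "plc" and "llp" are real Companies House profile
values, and anything else is treated conservatively as an individual subscriber.
"""
from dataclasses import dataclass
from typing import Optional

# Company types relied on as corporate subscribers. Deliberately short: the rule is
# "treat as consumer unless you can verify Ltd/LLP"; PLC is added as an obvious
# body corporate. Widen only with a documented reason filed alongside the LIA.
CORPORATE_TYPES = {"ltd", "plc", "llp"}


@dataclass
class Contact:
    email: str
    company_number: Optional[str]     # None when no registration could be found
    consent_on_file: bool = False     # PECR consent captured elsewhere, if any


@dataclass
class CompanyRecord:                  # the fields we need from a company profile
    company_number: str
    company_type: str
    company_status: str               # "active", "dissolved", "liquidation", ...


def normalise_number(num: str) -> str:
    """Company numbers are 8 characters; spreadsheets drop leading zeros from numeric ones."""
    num = num.strip().upper().replace(" ", "")
    return num.zfill(8) if num.isdigit() else num


def pecr_route(c: Contact, register: dict[str, CompanyRecord]) -> tuple[str, str]:
    """Return (route, reason); route is 'exempt', 'consent' or 'exclude'."""
    fallback = "consent" if c.consent_on_file else "exclude"
    if c.company_number is None:
        return fallback, "no Companies House registration found: treated as individual subscriber"
    rec = register.get(normalise_number(c.company_number))
    if rec is None:
        return fallback, f"company number {c.company_number!r} not on register"
    if rec.company_status != "active":
        return "exclude", f"{rec.company_number} is {rec.company_status}"
    if rec.company_type in CORPORATE_TYPES:
        return "exempt", f"{rec.company_number} is {rec.company_type}: corporate subscriber"
    return fallback, f"{rec.company_type} not on the verified corporate list: treated as individual"


def partition(contacts: list[Contact], register: dict[str, CompanyRecord]) -> dict[str, list[tuple[str, str]]]:
    """Split a list into sending buckets, keeping a per-contact reason you can file with the LIA."""
    buckets: dict[str, list[tuple[str, str]]] = {"exempt": [], "consent": [], "exclude": []}
    for c in contacts:
        route, reason = pecr_route(c, register)
        buckets[route].append((c.email, reason))
    return buckets


# Constructed register standing in for Companies House lookups.
REGISTER = {r.company_number: r for r in [
    CompanyRecord("01234567", "ltd", "active"),
    CompanyRecord("OC123456", "llp", "active"),
    CompanyRecord("08765432", "ltd", "dissolved"),
    CompanyRecord("LP000123", "limited-partnership", "active"),
]}

if __name__ == "__main__":
    demo = [Contact("cfo@example-ltd.example", "1234567"),
            Contact("hello@consultancy.example", None),
            Contact("md@gone.example", "08765432")]
    for route, rows in partition(demo, REGISTER).items():
        print(route, rows)
```

The reason strings are the point: they go into the campaign file next to the balancing test, so that when a complaint arrives you can show why a given address was treated as a corporate subscriber. A dissolved company is excluded outright because there is no longer a body corporate to be the subscriber, and a company type you have not positively verified drops to the conservative route even when the email domain looks corporate.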

ICO enforcement: what we’ve learned

ICO enforcement action over 2024–2026 clustered around these breaches:

  • Failure to honour opt-outs. Multiple fines for continuing to email after unsubscribe.
  • Scraping without lawful basis. Consumer-facing scrapers have been hit harder than B2B ones, but the principle is the same.
  • Marketing to sole traders as corporate subscribers. The PECR exemption gap is a repeated enforcement target.
  • Missing identification data in email footers — Companies Act 2006 s.82 and the Companies (Trading Disclosures) Regulations 2008 require UK-registered company details on business correspondence. Strictly this is a Companies House matter rather than something the ICO fines for, but it surfaces in the same complaints, and PECR regulation 23 separately requires that the sender is identifiable and gives a valid opt-out address. Easy fix, commonly forgotten.

Individual fines have run from £5,000 for small-scale breaches up to £200,000+ for systematic ones. The pattern: the ICO prefers documented guidance first, then warnings, then fines. But it does fine.

Data minimisation in practice

UK GDPR does not just govern sending; it governs what you keep. A lot of cold-outreach stacks hoard data they do not need: full scraped LinkedIn profiles, historical roles, personal details, photos. That is a data-minimisation failure, and it raises your risk profile for no upside.

A defensible data-minimisation posture for UK cold outreach looks like:

  • Fields kept: name, role, company, business email, lawful basis, opt-out status, last-contact date.
  • Fields not kept: personal email, personal phone, home address, social-media handle unless relevant to the interaction, scraped biographical data, profile photographs.
  • Retention: 18 months from last contact or opt-out, whichever is sooner. After that, purge.
  • Access: logged per-user. No “admin-can-see-everything” without an audit trail.
  • Transfers: documented in your privacy policy. No silent data-sharing with sub-processors.

This is boring. It is also how data-protection audits are passed.

Opt-out mechanics

Opt-outs are where otherwise-compliant campaigns often fall apart. PECR is specific: opt-out must be simple and honoured promptly. “Prompt” in ICO practice means days, not weeks. A workable standard:

  • One-click unsubscribe link in every marketing email. Not a form. Not a login. One click.
  • Machine-readable unsubscribe headers in all messages: List-Unsubscribe (RFC 2369) plus List-Unsubscribe-Post with a one-click HTTPS endpoint (RFC 8058), so mail clients can honour opt-outs without the recipient visiting a page. Gmail and Yahoo have required these from bulk senders since 2024.
  • A central suppression list that all sending systems check before dispatch. A single unsubscribe from any system removes the contact from all.
  • An acknowledgement response — optional but good practice — confirming the opt-out.
  • Audit logs retaining opt-out events forever, even after personal data is otherwise purged (evidence you honoured the request).

If you run campaigns across multiple tools, the suppression list is the hardest bit. A contact who unsubscribes from your nurture sequence must be suppressed from your outbound sequence too. Every ICO enforcement action we have read on “failure to honour opt-outs” traces to tooling that was not joined up.
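The mechanics above, plus the retention purge from the data-minimisation section, as one added example; this is not LeadKing’s code. Addresses, names, timestamps and the `https://outreach.example/u` endpoint are constructed, and every tool is assumed to send through `dispatch()` and to hand unsubscribe POSTs to `handle_one_click()`. What it shows that the list does not: how the one-click POST is bound to a recipient, how one suppression check sits in front of every sender, and what survives the purge.

```python
"""Opt-out plumbing shared by every sending tool: RFC 8058 one-click headers on
outbound mail, one suppression list checked before every send, and an
append-only opt-out log that survives the retention purge.

Added example, not LeadKing code. Addresses, names, timestamps and the
unsubscribe endpoint are constructed; every tool is assumed to send through
dispatch() and to route unsubscribe POSTs into handle_one_click().
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.message import EmailMessage
from urllib.parse import parse_qs
import secrets

RETENTION = timedelta(days=548)               # roughly 18 months from last contact
UNSUB_BASE = "https://outreach.example/u"     # hypothetical endpoint accepting RFC 8058 POSTs
FOOTER = "\n\nExample Ltd, 1 Example Street, London EC1A 1AA. Registered in England, no. 00000000."


def canonical(addr: str) -> str:
    """Trim and lower-case so one opt-out suppresses every spelling of the address."""
    return addr.strip().lower()


@dataclass
class Contact:
    email: str
    name: str
    role: str
    company: str
    lawful_basis: str                         # e.g. "legitimate interest, LIA 2026-Q1"
    last_contact: datetime


class Suppression:
    """Central suppression list plus an audit log that is never pruned."""

    def __init__(self) -> None:
        self._suppressed: set[str] = set()
        self._tokens: dict[str, str] = {}     # unsubscribe token -> canonical address
        self.audit: list[dict] = []           # append-only, retained after purge

    def is_suppressed(self, addr: str) -> bool:
        return canonical(addr) in self._suppressed

    def issue_token(self, addr: str) -> str:
        tok = secrets.token_urlsafe(16)       # per-message, unguessable
        self._tokens[tok] = canonical(addr)
        return tok

    def opt_out(self, addr: str, source: str, when: datetime) -> None:
        a = canonical(addr)
        self._suppressed.add(a)
        self.audit.append({"email": a, "source": source, "at": when.isoformat()})

    def handle_one_click(self, token: str, body: str, when: datetime) -> bool:
        """RFC 8058: the mail client POSTs 'List-Unsubscribe=One-Click' to the List-Unsubscribe URL."""
        if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
            return False
        addr = self._tokens.pop(token, None)  # single use; unknown token is rejected
        if addr is None:
            return False
        self.opt_out(addr, "one-click", when)
        return True


def build_message(c: Contact, token: str, subject: str, body: str) -> EmailMessage:
    """Outbound mail carrying both the human link and the machine-readable headers."""
    msg = EmailMessage()
    msg["From"] = "Jane Sender <jane@outreach.example>"
    msg["To"] = c.email
    msg["Subject"] = subject
    msg["List-Unsubscribe"] = f"<{UNSUB_BASE}/{token}>, <mailto:unsubscribe@outreach.example?subject={token}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\nUnsubscribe in one click: {UNSUB_BASE}/{token}{FOOTER}")
    return msg


def dispatch(contacts: list[Contact], sup: Suppression, send, now: datetime) -> list[str]:
    """Send to everyone not on the suppression list; return the addresses actually sent to."""
    sent = []
    for c in contacts:
        if sup.is_suppressed(c.email):        # the single check every tool shares
            continue
        send(build_message(c, sup.issue_token(c.email), "Quick question about sales ops", "Hello " + c.name))
        c.last_contact = now
        sent.append(c.email)
    return sent


def purge(contacts: list[Contact], sup: Suppression, now: datetime) -> list[Contact]:
    """Drop records past retention or opted out; the suppression set and audit log are untouched."""
    return [c for c in contacts if not sup.is_suppressed(c.email) and now - c.last_contact <= RETENTION]
```

The token is what binds an RFC 8058 POST to a recipient: the mail client sends it with no cookie or session, so it has to be per-message and unguessable, and it is consumed on first use. The canonical address stays on the suppression set after the contact record is purged, because that entry is what stops the same person being re-added from a fresh data source, and the audit entry is the evidence that the opt-out was honoured. Opted-out contacts are purged at the next run rather than after 18 months (a design choice here, not a rule from the page) since nothing but the suppression entry is needed to honour the request.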

Practical checklist

Before you send:

  • Lawful basis documented (legitimate interest balancing test in writing)
  • Recipient verified as Ltd / LLP (not sole trader) if using PECR B2B exemption
  • Sender identification: company name, registered address, company number in email footer
  • One-click unsubscribe working end-to-end
  • Frequency capped (1 initial + 1 follow-up max, per ICO “reasonable” guidance)
  • Content relevant to recipient’s role (not generic)

After you send:

  • Unsubscribes honoured immediately (under 24 hours) and recorded
  • Complaints logged with response plan (ICO response timeline: 1 month max)
  • Data retained only as long as reasonably necessary (12–24 months for B2B outreach data is typical)
  • Periodic review of the balancing test (quarterly for active campaigns)

Frequently asked questions

Do we need to register with the ICO? Almost certainly yes. Most UK businesses processing personal data must pay the ICO data-protection fee (£40–£2,900 a year depending on size) and register. There are narrow exemptions, but “we do B2B only” is not one. Register first; it is cheap and it is the first thing the ICO checks.

Is “I found your email on your website” a legitimate interest all by itself? It helps but it is not the whole story. Publicly listed business emails reduce the impact on the individual, which helps the balancing test. You still need a genuine purpose, a documented necessity, and mitigations. “Their email was public” is one factor, not five.

What about warm introductions? If a recipient has been personally introduced to you by a mutual contact and replies to your first email, you have consent by conduct. That is fine. Cold outreach based on “we were both at the same event three years ago” is not warm — it is cold with a justification.

Can we use AI to write the emails? Yes, provided the final content is still relevant, factually accurate, and passes the usual tests. AI-written emails are not themselves a compliance issue; AI-written emails with fabricated personalisation details (claiming a meeting that did not happen, misrepresenting a shared connection) are a different problem. That is straight-up misleading commercial communication, which for business recipients engages the Business Protection from Misleading Marketing Regulations 2008 (and, for consumers, the unfair commercial practices rules now in the Digital Markets, Competition and Consumers Act 2024) regardless of GDPR.

How does Brexit change things? Very little for UK-to-UK outreach. UK GDPR and PECR are substantially the same as pre-Brexit EU rules, administered by the ICO. The main change is in cross-border flows: UK-to-EEA transfers rest on the UK’s adequacy regulations for the EEA, EU-to-UK transfers on the European Commission’s adequacy decision for the UK (currently in force), and where neither applies the UK’s own transfer tools are the International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses, not the EU SCCs on their own. Keep your DPA and your privacy policy aligned with UK law specifically, not generic “GDPR” templates.

What is the single fastest way to lower our risk? Switch off any automation that cannot verify Ltd or LLP status before sending, and make sure your unsubscribe link genuinely works end-to-end. Those two moves close the majority of the enforcement-risk surface we see in practice.

What LeadKing does

LeadKing’s discovery uses only UK public data — Companies House filings, public job postings, public news, public social posts, SERP. No scraped LinkedIn profile data. No personal data beyond what the data subject has published on a corporate website.

We process business-contact data under legitimate interest with a documented balancing test, covering every UK company we ingest. Sub-processors are listed in /privacy. DPA is available on request.

What to do next

This post does not constitute legal advice. Consult a UK solicitor for your specific situation. ICO guidance at ico.org.uk is the canonical source.