GDPR and Cold Emails: The Practical Guide to Staying Compliant

Sujan Patel is the founder of Mailshake, a sales engagement software used by 38,000 sales and marketing professionals. He has over 15 years of marketing experience and has led the digital marketing strategy for companies like Salesforce, Mint, Intuit and many other Fortune 500 caliber companies.
March 24, 2024

Contrary to what you might have read, GDPR didn’t kill cold emails. You can still send them. You just have to be more careful about the way you collect, manage and store the data you use to send them.

The good news is, if you’re already following cold email best practices – that is, you aren’t “spraying and praying” or spamming people with irrelevant messages – you’re halfway there already.

You don’t need a data process administrator to do this (quite frankly, most companies don’t have the money to do this anyway). Instead, check out this practical, step-by-step guide to staying GDPR compliant as an individual or a small sales team.

As a note, this guide only focuses on sending cold emails. There are plenty of other requirements you’ll need to get comfortable with when it comes to sending marketing emails to those who opt-in to hearing from you or using cookies on your website.

And of course, we’re not lawyers. If you have any specific concerns about your GDPR status or its requirements, consult with a lawyer who’s familiar with the regulation.

A Quick GDPR Refresher

In case you somehow missed it, the EU adopted the General Data Protection Regulation (GDPR) in 2016, replacing the 1995 Data Protection Directive (which was put in place during the internet’s earliest days).

EU member states were given two years – until May 2018 – to become compliant with the new regulation, which, according to Digital Guardian’s Juliana De Groot, “mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.”

Basically, to comply with the GDPR, companies need to be more conscious of the way they handle and use personal data, which includes, among other things:

  • Names
  • Phone numbers
  • Email addresses
  • IP addresses
  • Mobile device IDs

Even encrypted data can fall under this category. Jory MacKay writes, “Basically, if the information you have can be used to identify a person in any way, it’s covered under GDPR.” Failing to protect information appropriately according to the regulation can lead to fines.

5 GDPR Best Practices for Cold Emails

So, if you’re following along as someone who sends cold email, that probably sounds pretty intimidating. Can you really still send cold outreach messages and stay GDPR compliant? Yes, but it may look different than what you’ve done in the past.

1. Only reach out to people who can benefit from your product

According to Dan Vanrenen, Managing Director of Taskeater, “Under the GDPR, the personal data you collect should be adequate and relevant to the purpose of its processing (Principle c: Data Minimisation). That means you have to consider two key things: the adequacy of your data collection (how much data do you really need for what you are going to achieve) and the relevancy of your data collection (is the data you are collecting the right data for your purposes).”

Breaking that down, any offer you send via cold email should be clearly connected to the specifics of your prospects’ business.

  • For example, reaching out to a company you’ve discovered is using your competitors’ SaaS product because they left a review of it on Product Hunt in order to pitch your solution as a replacement is related to their business activity.
  • Spamming every address you can find with your CRM sales pitch because “every company needs a CRM” is not.

To get to this level of specificity, you’re going to need to segment your lists and closely personalize your cold emails based on your prospects’ business needs. Email personalization tools like Mailshake can help.

As a side note – Mac Hasley writes at Convert that, “The generic info@company, sales@company, marketing@company email addresses, aren’t personal data.” Since GDPR applies to individuals, generic email addresses such as these may not be affected.

They aren’t ideal from a marketing standpoint, but may be an option if you aren’t able to meet the specificity of purpose guidelines described above.

2. Be able to explain exactly how you got someone’s email address

Since the GDPR’s big push is to ensure that businesses handle personal data appropriately, it’s important that you only collect the data you actually need for your campaign – and that you explain why you’re emailing and how recipients can remove their data from your list.

For example, use a message like this:

“I’m reaching out because I found your name and email address on LinkedIn, and it looks like your company might benefit from our [product/service]. If you’d rather not hear from me, just let me know and I’ll delete your information.”

As you can see, you don’t have to use a cold unsubscribe link. In fact, you need more than that to cover all your GDPR bases. Two things to keep in mind:

  1. You have to be clear about how you found their information (no lawyer-speak here)
  2. You have to actually delete their data immediately if they ask you to

Don’t just mark them as unsubscribed in your email management system. Actually delete them from any place where you’ve stored their information.

3. Understand the limits of data consent

Sending a valid, justified cold email is one thing. What you do after that is just as affected by GDPR.

Most marketers like to throw cold email contacts into a nurture sequence after the initial engagement. Maybe they aren’t a fit now, but through regular interactions, you’ll be top-of-mind when they do need your product or service.

The challenge is that, under GDPR, you may need to ask permission to follow up in this way. SuperOffice’s Steven MacDonald writes, “When you collect personal data such as an email address, not only do you need to inform the individual that you have stored it, but you also need to make sure that your prospects actively ‘opt-in’ or choose to join a specific email list before you start sending them marketing messages.”

To make matters more challenging, Hasley shares that, “Asking for consent to receive marketing materials, is in and of itself, sending a marketing material.”

So, what options remain? Follow-up emails may be OK as long as they follow the same criteria as initial cold outreach messages, in that you must:

  • Have a legal basis (aka, a specific, targeted reason) for sending the message
  • Clearly specify what personal information you’re using, why you’re using it and how you’re storing it
  • Not hold personal information longer than necessary

Under these restrictions, sending personalized follow-up messages that cover these three elements may be OK. Plunking every email you encounter into a generic nurture sequence may not (unless you’re able to incentivize recipients to clearly and explicitly opt into receiving marketing messages).

4. Practice good data security

Finally, be a good data steward. Do this whether or not you’re subject to GDPR by:

  • Only giving data access to people who need it
  • Making sure any data you’ve stored is secure while you process it
  • Only holding on to data for as long as you need it
  • Not sharing data with anyone else, without informing the prospect you’re doing so

You don’t necessarily need a dedicated data steward if you’re able to take these steps on your own. Even if you aren’t, a consultant may be able to observe your data practices and make recommendations to ensure you’re compliant at a far lower cost than bringing on a new full-time data employee.
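The data-handling duties from sections 2 through 4 (being able to say where an address came from, deleting it from every place it is stored rather than flagging it as unsubscribed, and not holding it longer than needed) as a small Python model. This is an added example, not Mailshake’s code; the three-store layout, the method names and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Prospect:
    email: str
    source: str        # where the address was found; quoted back to the recipient
    purpose: str       # the specific reason this person was selected
    collected_at: str  # ISO date, e.g. "2024-01-01"

class OutreachStore:
    """Prospect data lives in three places, as it usually does in practice: the send list,
    the send log and an exported CRM copy. All three must be cleared on erasure or expiry."""
    def __init__(self, retention_days=90):
        self.retention = timedelta(days=retention_days)
        self.prospects = {}   # email -> Prospect
        self.send_log = []    # (email, sent_at)
        self.crm_export = {}  # email -> dict, the copy that is easy to forget

    def add(self, p):
        self.prospects[p.email] = p
        self.crm_export[p.email] = {"source": p.source, "purpose": p.purpose}

    def record_send(self, email, sent_at):
        self.send_log.append((email, sent_at))

    def provenance_line(self, email):
        """Plain-language opener stating where the address came from and why."""
        p = self.prospects[email]
        return (f"I'm reaching out because I found your email address on {p.source}, "
                f"and {p.purpose}. If you'd rather not hear from me, just let me know "
                f"and I'll delete your information.")

    def erase(self, email):
        """Erasure request: delete from every store, not just flag as unsubscribed."""
        removed = {"prospects": int(self.prospects.pop(email, None) is not None),
                   "crm_export": int(self.crm_export.pop(email, None) is not None),
                   "send_log": sum(1 for e, _ in self.send_log if e == email)}
        self.send_log = [(e, t) for e, t in self.send_log if e != email]
        return removed

    def purge_expired(self, now):
        """Retention: erase anyone held longer than the window, from every store."""
        cutoff = datetime.fromisoformat(now) - self.retention
        expired = [e for e, p in self.prospects.items()
                   if datetime.fromisoformat(p.collected_at) < cutoff]
        for e in expired:
            self.erase(e)
        return expired
```

The counts returned by `erase` are what you would log as evidence that a deletion request was honoured in every store, not only in the mailing list.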

Does GDPR Apply to Me?

Having said all that, there’s one last thing we need to clear up. The GDPR is an EU regulation. So does that mean that if you’re U.S.-based, you don’t need to worry?

Yes and no. The GDPR covers the personal data of all EU citizens – no matter where they are in the world. If you’re 100% confident that your business only works with U.S. citizens, GDPR compliance may be less important. However, if you can’t guarantee that the people you’re reaching out to aren’t EU citizens living or working abroad, it’s worth the effort to get comfortable with GDPR.

Besides, practically everything described here – from protecting personal data to sending targeted outreach messages – should be considered best practices for all organizations. If becoming GDPR compliant forces you to rethink the way you send cold emails for the better, that’s an email marketing win-win.
