Will GDPR Affect Cold Emailing?

Simon Coulthard July 01, 2022

3-minute read

Cold emailing has been one of the more popular marketing methods for quite some time.

But things have changed, and GDPR has substantially impacted this activity. Many see this EU data privacy legislation as the final nail in the coffin for cold marketing tactics, with social media a far better channel for enticing unknown prospects.

However, cold emails do still have their uses, and can be done legally in Europe. This article will explain how GDPR has affected this marketing tactic, before looking at how to run these campaigns in a way that sidesteps data privacy issues.

What is Cold Emailing?

This is the practice of sending unsolicited emails to either customers or business prospects.
It’s a useful tool for contacting people who might not be aware of your business, creating awareness within a target audience that helps generate leads and drive sales.
Remember though that you don’t use cold emails to directly sell to unknown prospects. Instead, you use them to connect and engage with them.

Since thought is put into who they are sent to, cold emails are not spam, which is junk email sent out in bulk with no thought to the recipient.

However, if not done properly, cold emails will violate the terms of service for most email marketing platforms - and if they look like spam, they will hardly be effective.

To prevent this from happening, make sure that the topic of your cold emails is easy to identify, and that they are tailored to each recipient’s interests. It should also be clear who the email was sent by, and your company’s physical address should be visible somewhere.

Is Cold Emailing Possible Under GDPR?

Unlike other data privacy laws, GDPR does not specifically regulate unsolicited communication. Its focus is instead on protecting the personal data rights of EU residents.

As such, cold emailing remains entirely legal.

However, an email address is considered personal data under GDPR, meaning that the way you use this information needs to comply with EU data protection regulations.

As such, you can’t simply fire cold emails out to anyone: unsolicited emails can result in huge fines from data protection authorities, up to €20 million or 4% of your company’s annual revenue from the previous financial year.

By following a few procedures, you can still send out cold emails in a way that respects the GDPR regulatory framework:

1. Explain how you Obtained any Email Addresses

If data protection agents arrive at your office, you need to be able to explain how you found a prospect’s email address in the first place.

Gone are the days when you could simply use your website to collect email addresses automatically without an explicit say-so from data subjects, or buy them in bulk as some people used to.

GDPR pushes permission-based marketing, meaning that consent is now key.

2. Ensure your Legal Basis for Contact

GDPR requires that you have a legal justification for contacting people. 

Consent is one acceptable legal basis, but if you don’t have this - and you won’t for cold marketing - then you need to be sure that the person you contact will benefit from your company’s product or service.

As such, if you’re emailing people who are unlikely to buy anything from you - a common issue with unpersonalized email campaigns - then in all likelihood you’re breaking GDPR rules.

And if you’re emailing professionals, then you can’t just use any old company address - if you’re selling marketing software for instance, then the cold email needs to go to the organization’s marketing manager rather than the company’s info@ email account.

Crucially, this legal basis needs to be included somewhere in the cold email, which can be done by briefly explaining your justification for contacting them.

3. Inform Prospects About Your Personal Data Practices

GDPR demands that data subjects know everything related to their personal information.

As such, you’ll need to include a disclaimer in each cold email that tells prospects:

  • What personal data you’re collecting - and this phrase is broader than you think
  • How you will store their personal data
  • What you will do with their personal data
  • How the prospect can edit, transfer or delete their personal data

You’ll also want to keep a record of how and why you’ve collected personal data, and what you’ve done with it - remember, documentation is a crucial long-term GDPR commitment.

4. Respect Rules Limiting Data Storage

GDPR requires that you do not hold on to any personal data for any longer than is absolutely necessary.

When it comes to cold emails, best practice means deleting personal data (i.e. their email address) held by your company after a month if they have not replied to you - and not spamming them with any further emails in the future.

5. Allow Prospects to Unsubscribe Easily

GDPR demands that people can easily remove themselves from emailing lists, and this means that any cold email should include an automated unsubscribe link in the footer.

And once done, you need to ensure that any of their personal data is also deleted.

GDPR’s Effect on Cold Emailing Campaigns

As you can see, GDPR has had a real impact on unsolicited emailing campaigns, and it is now an offense to run these in a way that does not respect Europe’s data privacy legislation - even if you collected those email addresses before the law was enacted in May 2018.

It can still be done legally, but complying with GDPR means that your database of cold prospects will undoubtedly shrink substantially. This is no bad thing though, because you’ll be left with the grain and not the chaff - i.e. the prospects most likely to buy from you.

And, if these interested prospects do reply to your emails, you’ll then need to obtain opt-ins from them and record this consent in a secure database to sustain GDPR compliance.
