
Is Cold Email Legal in the UK? A Plain-English Guide to PECR and GDPR for B2B

Oliver Williamson · 7 min read

Published: July 1, 2026

Last update: July 1, 2026


Not legal advice: This is a plain-English explainer to help you understand the landscape, not legal advice. For decisions specific to your business or a particular campaign, take qualified counsel.

"Is cold email even legal?" is the question that stops a lot of founders from running outbound at all. The honest answer for the UK is yes, you can cold email businesses, but there is a specific carve-out, a catch most people miss, and two duties that always apply. Once you understand the shape of the rules, outbound stops feeling like a legal risk and starts looking like the predictable channel it is.

The B2B carve-out: who you are emailing decides everything

UK electronic marketing is governed by PECR (the Privacy and Electronic Communications Regulations), and the key fact is this: the PECR email-marketing consent rules do not apply to corporate subscribers. That means you may email a limited company, an LLP or a public body without their prior consent. This is the carve-out that makes B2B cold email lawful in the UK.

The catch is in the definition of "corporate". It turns on the legal entity, not on whether someone runs a business.

The UK B2B decision: who the recipient is determines whether you need consent.

Sole traders and unincorporated partnerships are treated as individuals, not corporate subscribers. So are private individuals at a personal address. Emailing them for marketing needs consent or a soft opt-in, exactly as it would for a consumer. In practice this means a quick check before you build a list: a limited company is fair game; a sole trader is not, at least not without consent.

The two duties that always apply

Whoever you email, two obligations never switch off.

  1. Never disguise your identity. The sender name, the company and the address must be truthful. No spoofing, no fake-reply or fake-forward subject lines, no pretending to be someone you are not.
  2. Give a valid way to opt out, and honour it. There must be a genuine route for someone to tell you to stop, and when they do, you suppress them immediately. Keep one master do-not-contact list and screen every new list against it.

UK GDPR, in plain English

PECR is only half the picture. UK GDPR still applies whenever you process personal data, and a named person’s work email, jane@company.com, is personal data. That does not make cold email unlawful; it means you need a lawful basis and you must respect people’s rights. For B2B outreach the usual basis is legitimate interests: you must be able to show that your interest in contacting them is balanced against their rights, document that reasoning, and honour any objection promptly. A generic address like info@company.com is lower risk because it is not tied to an individual.

Legitimate interests, in three questions

Legitimate interests is not a free pass; it is a balancing test you should be able to show you have done. In plain terms, three questions. Is there a genuine interest? Yes: you are a business marketing a relevant product to another business. Is emailing them necessary to pursue it? Cold outreach is a reasonable, proportionate way to reach a B2B buyer. And does your interest override their rights and reasonable expectations? A relevant, easy-to-opt-out-of email to a work address usually passes; a barrage to a personal address does not. Write that reasoning down once as a short legitimate-interests assessment, keep it on file, and you have both a lawful basis and a ready answer if anyone ever asks.

The UK versus the EU

The EU position is broadly similar in spirit but is generally stricter and varies by member state, with several countries leaning towards requiring consent even for B2B. If you are emailing into the EU, treat consent as the safer default, especially for smaller businesses and individuals, and check the rules for the specific country rather than assuming the UK carve-out travels.

Does this only apply to email?

The same instincts travel to other channels, with their own rules layered on top. LinkedIn messages and InMail fall under LinkedIn’s own terms as well as data-protection law, and cold calling to businesses is governed by separate PECR provisions, including the Telephone Preference Service (TPS) and its corporate equivalent (CTPS). The safe posture is identical across all of them: be honest about who you are, target relevantly, give an easy way to opt out, and honour it at once.

And remember that combining channels does not multiply your permission. If a contact is off-limits to email because they are a sole trader without consent, sending the same pitch by LinkedIn or phone does not make it cleaner. The question is always who the recipient is and whether you have a lawful, honest basis to contact them, never which inbox you happen to use.

The rules with teeth: provider requirements

Independent of the law, the mailbox providers set their own requirements, and these now carry real consequences, with Gmail tightening enforcement through late 2025. These apply to everyone, regardless of jurisdiction.

  • Authentication is mandatory: valid SPF, DKIM and DMARC, properly aligned to your sending domain.
  • Complaint rate is capped: stay below 0.3% as reported in provider tools, and realistically aim under 0.1%.
  • One-click unsubscribe is required for senders above roughly 5,000 messages a day to Gmail, and opt-outs must be honoured within two days.

A well-built, low-volume cold email system spread across many domains generally stays under that bulk threshold, which is why a reply-to-opt-out approach can be compliant for B2B sending. But authentication and the complaint-rate ceiling apply to everyone, always.
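The authentication and one-click-unsubscribe requirements above can be checked on an outbound message before it leaves. The script below is an added example, not code from the original post: it parses a constructed set of message headers, tests SPF and DKIM identifier alignment against the From domain under DMARC's relaxed or strict modes, and checks for the RFC 8058 one-click unsubscribe headers. The sample addresses and the tiny public-suffix list are assumptions made for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: headers of an outbound cold email (not from the page).
SAMPLE_MESSAGE = """From: Oliver <oliver@mail.example.co.uk>
Return-Path: <bounce-123@mail.example.co.uk>
DKIM-Signature: v=1; a=rsa-sha256; d=example.co.uk; s=sel1; h=from:to:subject; bh=...; b=...
List-Unsubscribe: <mailto:unsub@example.co.uk?subject=unsubscribe>, <https://example.co.uk/u/abc>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Subject: Quick question about your outbound

Hello, ...
"""

# Assumption: a tiny public-suffix list, enough to get organisational domains right here.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}

def org_domain(domain: str) -> str:
    """Organisational domain, as used by relaxed DMARC alignment."""
    labels = domain.lower().strip().split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def check_provider_requirements(raw: str, aspf: str = "r", adkim: str = "r") -> dict:
    """Report SPF/DKIM alignment against the From domain and RFC 8058 one-click headers."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # SPF alignment: Return-Path (RFC5321.MailFrom) domain versus the From domain.
    mailfrom_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    # DKIM alignment: the signing domain in the d= tag versus the From domain.
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1) if m else ""
    # One-click unsubscribe needs an https URI in List-Unsubscribe plus the -Post header.
    lu = msg.get("List-Unsubscribe", "")
    lup = msg.get("List-Unsubscribe-Post", "").strip().lower()
    return {
        "spf_aligned": aligned(from_domain, mailfrom_domain, aspf),
        "dkim_aligned": aligned(from_domain, dkim_domain, adkim),
        "one_click_unsubscribe": "<https://" in lu and lup == "list-unsubscribe=one-click",
    }
```

Run `check_provider_requirements(SAMPLE_MESSAGE, adkim="s")` to see why a subdomain sender fails strict DKIM alignment while passing relaxed.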

Three myths worth killing

Myth one: cold email is illegal. It is not; in the UK it is a regulated but lawful B2B channel. Myth two: you must include an unsubscribe link or you are breaking the law. You must offer a genuine, honoured way to opt out; for low-volume B2B that can be a simple "reply and I’ll remove you", though high-volume senders to Gmail do also need one-click unsubscribe. Myth three: GDPR means you need consent to email any business. It does not; for corporate subscribers you rely on legitimate interests, and consent is only the safer route for sole traders, individuals and most EU recipients. The through-line: the rules care far more about honesty and respecting opt-outs than about any single piece of boilerplate.

Compliant by default

Put it together and a safe operating posture is simple: email limited companies and public bodies, treat sole traders and individuals to a consent standard, always be identifiable, always offer and honour an opt-out, rely on legitimate interests for the personal data you hold, and keep your authentication perfect and complaints near zero. Do that and you are both compliant and deliverable.

Get the help: Want our pre-flight compliance checklist? Reply and we’ll send the one-pager you can run before any campaign.
