
Cold Calls and Cold Emails: What is Allowed under GDPR and ePrivacy?


Understanding the rules before you hit send or pick up the phone

Cold calls and cold emails have been around for decades. They are a classic way to find new customers, grow your business, or expand your network.

But what used to be standard practice is now heavily regulated in Europe.

Both the GDPR and the ePrivacy Directive set rules for when and how you can contact people. Getting it wrong can lead to big fines, loss of trust, or worse.

Let’s break down what is actually allowed today.


📬 What ePrivacy says about cold communications

The ePrivacy Directive governs electronic communications in Europe.

It says:

  • You generally need prior consent to send direct marketing messages to individuals.
  • "Direct marketing" includes emails, text messages, automated calls, and sometimes even messages sent through personal messaging apps.

However, there are exceptions, especially for business-to-business (B2B) communication.

It all depends on who you are contacting and how you are contacting them.


🧠 Cold Emails: When Are They Allowed?

Cold emails to businesses (B2B) are usually allowed if:

  • You are contacting a business email address (like jane.doe@company.com), not a private Gmail or Hotmail address.
  • The email is related to the person's professional role.
  • You give a clear and easy way to opt out of future communication.

Cold emails to individuals (B2C) usually require prior opt-in consent.

That means you cannot just email a private consumer without their permission.

In short: B2B cold emails are possible under certain conditions. B2C cold emails almost always require consent first.


📞 Cold Calling: When Is It Allowed?

Rules about cold calling depend on national laws, but generally:

Cold calls to businesses (B2B) are often allowed without prior consent, as long as:

  • The call is related to the person’s professional activities.
  • You respect any opt-out requests or national do-not-call lists.
  • You stop immediately if someone asks not to be contacted again.

Cold calls to consumers (B2C) are much more restricted and often require prior consent or are prohibited unless specific conditions are met.

Always check the specific rules in the country you are targeting.


📋 Practical Tips to Stay Compliant

  • Keep it professional: Only contact people for topics that relate to their business role.
  • Respect opt-outs: Make it easy for recipients to unsubscribe or say no.
  • Be transparent: Say who you are, why you are contacting them, and how they can reach you.
  • Keep a suppression list: Maintain a list of people who opted out and never contact them again.
  • Check local rules: Some countries (like Germany) have stricter requirements than others.

🔍 GDPR’s Role in All This

GDPR does not prohibit cold outreach, but it regulates how you must handle personal data:

  • You must have a lawful basis for processing data (like legitimate interest for B2B cold emails).
  • You must provide privacy information (for example, in the email footer).
  • You must honor data subject rights if someone asks what data you have or wants to be removed.

In practice, GDPR and ePrivacy work together. Both must be respected if you want to run compliant marketing campaigns.


🚀 Cold outreach is still possible if you do it right

Many companies think that GDPR and ePrivacy killed cold emails and calls. That is not true.

Cold outreach is still allowed, especially in B2B environments. You just have to be more respectful, transparent, and organized.

Good compliance is not just about avoiding fines. It is about building trust from the very first contact.

