If you’re running a business in the UK and using email for B2B outreach, you may be unsure what the law actually says about using business email addresses for marketing.
Many business owners get tangled in the web of GDPR, PECR, and data protection jargon. So here’s a clear, no-nonsense guide to what’s allowed, what’s not, and where the grey areas lie – written in plain English.
The two main laws you need to know
1. UK GDPR (as incorporated into UK law) & the Data Protection Act 2018 (DPA)
These laws govern how you collect, store, and use personal data. Yes, business email addresses (like joe.bloggs@company.com) often count as personal data because they can identify a living individual. If the address includes a name or other identifier, GDPR applies.
2. PECR (Privacy and Electronic Communications Regulations)
PECR sits alongside GDPR and specifically covers direct marketing by electronic means including email. This is the regulation that determines whether you need consent before sending cold emails.
What the law allows for B2B cold emails
The good news is that PECR treats B2B marketing differently from B2C.
You can send unsolicited marketing emails to:
- Corporate subscribers (this includes limited companies, LLPs, government bodies, and some other types of incorporated organisations),
- Without prior consent,
- As long as the email is relevant to their job and you provide a clear opt-out.
This is based on Regulation 22 of PECR and guidance from the Information Commissioner’s Office (ICO). The key here is that you’re targeting someone in a work capacity, not a private individual.
When PECR says “No”
You cannot send marketing emails to:
- Sole traders or partnerships (unincorporated entities),
- Without prior consent.
In these cases, they are treated similarly to consumers under PECR, and you must have consent before sending marketing emails.
What counts as a “marketing” email?
Even if you dress it up as a “connection request” or a “free consultation”, if your message promotes your business, services, or products – it’s marketing. The ICO is clear: intent matters more than language.
What about GDPR? You still need a lawful basis
Even if PECR allows you to send the email, GDPR still applies. You must have a lawful basis for processing the person’s data (i.e. their name and email address). In most cold B2B outreach cases, this is “legitimate interests.”
But you must:
- Conduct a Legitimate Interest Assessment (LIA),
- Be sure your interest (marketing your business) doesn’t override the recipient’s right to privacy,
- Inform them who you are, why you’re contacting them, how you got their data, and how they can opt out or complain.
What counts as First-, Second- and Third-party data?
Understanding these terms helps with compliance:
- First-party data: Info you’ve collected yourself (e.g. someone filled in a form on your site).
- Second-party data: Someone else’s first-party data shared with you via partnership.
- Third-party data: Bought or rented data from a list broker or similar.
Be especially cautious with third-party data. You must ensure it was collected legally, with appropriate privacy information, and the individuals would reasonably expect you to contact them.
Sourcing email addresses: What’s legal?
You can lawfully source B2B emails from:
- Company websites (public domain),
- LinkedIn (though LinkedIn’s terms of service prohibit scraping),
- Business directories—as long as you meet GDPR and PECR requirements.
But remember: just because the data is publicly available doesn’t mean it’s free to use for marketing without rules.
Top tips for lawful B2B cold outreach
- Know your audience: Is it a limited company (OK) or a sole trader (needs consent)?
- Use legitimate interest carefully: Do a written assessment balancing your need to market against the person’s privacy rights.
- Always include an opt-out: Every marketing email must have a simple way to unsubscribe.
- Be clear and transparent: Tell recipients who you are, why you’re emailing, and how you got their details.
- Avoid dodgy data: If you’re buying email lists, do due diligence – bad data equals big risk.
- Document everything: Keep records of your LIA, your sources, and your outreach processes.
- Train your team: Anyone sending emails needs to understand the basics or your business is exposed.
Final thought
Cold B2B email outreach is not illegal. In fact, it’s lawful and effective – when done properly. But the rules are clear: you must respect individuals’ privacy and always be able to justify your approach under both PECR and GDPR. If in doubt, seek legal advice – we’re always happy to help, or consult ICO guidance directly.
