GDPR + Cold Emails: What it Means for Your Outbound Strategy

21st May 2020
So, ugh.
Moral of the story: if you’re sending these kinds of emails, you should already be doing your research on what they must include to be legal.
And you should only be contacting people who are hyper-relevant.
So maybe your circumstances are different.
It’s true, not all cold emails are the same—and so GDPR may apply slightly differently, depending on who you’re contacting.
Fun fact: for most countries, this is already against the law.
Third—as it stands, ePrivacy lets each country within the EU make its own rules about whether cold B2B emails should be “opt-in” only, or simply require the “opt-out.”
So if someone’s already bought something from you, you can probably reach out without consent—as long as you’re advertising something related.
If you’re still buying lists, we can’t recommend enough that you cut. it. out.

But there does seem to be a clear trend here. Asking for consent to receive marketing materials is, in and of itself, sending a marketing material.
We’ll break down what’s what in this article. But first, lightning fast…
So anytime you’re working with a list that wasn’t obtained by you, with documented, explicit consent: do your due diligence. If you can’t prove that you’re compliant—you’re not.
Now is the time to either run a re-permissioning campaign, or start gutting.
The standard for consent is also higher, now. It needs to be explicit. It needs to be affirmative. It needs to be specific. There are a lot of rules. We listed them here.  
The gist is, most countries have their own legislation regarding emailing from a purchased list.
Second—the ePrivacy Directive is being replaced within the coming year or two with the new ePrivacy Regulations.

1. Bought Lists

And there’s more bad news.  
And GDPR doesn’t care if this email is publicly available information. It doesn’t care how you came across it. It just cares that you have it and you are using it to send stuff to people who haven’t given the “okay.”
Looks good right?
“Just stop buying from lists.”
There’s a lot of bad information out there on GDPR and cold emails.
And remember, even IF they are opt-out only, they still have rules you need to follow.
And now is the time to start evaluating your current marketing tactics—shifting them and improving them, to be more transparent and more effective.
The email addresses that fall into this category are not “I sent someone shady 20 bucks and they gave me your contact info” email addresses. This is still explicitly restricted just about everywhere.
But let’s focus on the “for commercial communications sent by means not mentioned above” segment.

2. Third Parties

The ePD leaves it up to Member States to decide whether to impose a prior consent requirement (i.e. opt-in) or a right to object (i.e. opt-out) for commercial communications sent by means not mentioned above (Article 13.3). For example, this is the case regarding person to person telephone communications.”
Rules on this come down more to a provision outlined in GDPR’s sister law: the ePrivacy Directive.
The generic info@company, sales@company, marketing@company email addresses aren’t personal data.

  1. GDPR states that if Company A is going to share data with third parties, it needs to get explicit, active consent. It has to be an independent ask. It can’t just be bundled together with consent to get emails from Company A.
  2. Consent now has to be given to named companies. It has to be specific. If partners want to throw you an email list (or even, let you reach out after a joint-hosted webinar)—their list needs to opt-in to hear from your company specifically. And they need to agree to hear about promotions, or marketing offers, or information specifically.

Here’s a tactic we’ve seen suggested across the web:
Plot twist! Something you can do!
No no no no no.

3. Personalized, direct, targeted.

“Oh, you just have to make sure it’s relevant.”
They’re the “I saw you were part of this group on LinkedIn, and you made a comment on an article I wrote. So I added you, downloaded your email address, threw it on a list, and reached out with this targeted piece of information” email addresses.
Now, this doesn’t mean that your partners won’t give you lists without having properly obtained consent. But the burden of proving that the people you’re contacting have signed up to hear from you falls on you.
Now both of these cases mentioned are in the UK. And the laws that are being broken are pre-GDPR laws.
For example, in the UK, B2B cold emails for corporations have very different rules than B2B small business and B2C emails. Some countries require that your initial email contains a physical business address. Some require you include access to recipient rights, or your privacy policy, when you make contact. Each EU nation has its own set of criteria that, if you don’t follow them, can bury you in fines.

Now I know.
They violate the new laws of consent. And they’ve already landed big companies with big fines.

In even shorter: yes, emails count.
And here’s an example you may have seen floating around, from the folks at
Personal data means a lot of things. In short: anything that can identify a specific person—either on its own, or with the help of other data at your disposal.
This is the: “but why are you still doing this?” type of cold emailing. And it usually refers to mass-messaging questionably collected, purchased lists.
But if that hasn’t killed these sorts of cold emails stone dead—GDPR will.
“Both companies sent emails asking for consent to future marketing. In doing so they broke the law…Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law.”
“I would like to receive updates from Company A and trusted third parties.”
…as long as you can’t tie it to a specific individual, with any other data you might have in your possession.
So if you have email addresses on your lists, that you never got consent to store—just keeping them around becomes noncompliant starting May 25th.
And if your company was one of those vague, unidentified “third parties”—this is how emails might have come your way.
“You just have to give them a chance to opt out.”


But if you’re just looking for a foot-in-the-door, are reaching out to a well-targeted prospect, and have a solid, relevant offer—throwing an email to one of these accounts might be worthwhile.
Here’s Article 13 of the current directive:
Once GDPR gets enacted, this goes to die. Because:

Maybe you wouldn’t contact someone who already opted out—like Flybe.

(…or something called “legitimate interest”—for which the requirements can be pretty strict).
Let’s see what they mean for different cold-emailing tactics.
“However, companies which have acquired an end-user’s contact details in the context of a sale of products or services can send direct marketing by email to advertise their own similar products or services, provided that the end-user is given the possibility to object (often referred to as “opt-out”)
And then there’s this category of contact called “unsolicited commercial information.”
And here’s a quote from Steve Eckersley, the ICO’s (UK’s Information Commissioner’s Office) Head of Enforcement:
Beyond the illegality of it all—bought email lists are bad news. They have abysmal open rates. They bounce back. They anger your email provider. They frequently lead you to be reported as spam (because you are spam!).
Most common cold-emailing tactics are a GDPR nightmare.
GDPR applies not only to email addresses you’ve acquired after it’s instated. But instead, it applies to ALL the personal data that you have lying around.
You may have seen an opt-in checkbox that looks like this:
In terms of lead acquisition—nothing about sending an email to an “info@” excites me.
A simple: “Would you like to hear more? Pass me along to the right person!” might go a long way.

5. Generic Business Addresses

“If you rely on cold email: send ‘non-promotional outreach email,’ first. Then use that email to get consent to send marketing materials.”
CAN-SPAM made this sort of emailing illegal in the US eons ago. Same with Canada’s CASL, Australia’s Spam Act, the UK’s Data Protection Act, Germany’s Federal Data Protection Act, etc. etc. etc.
Because no “legitimate-interest” clause, or any other series of loopholes, will help you to prove: “these people have consented to hear from me”—if you bought their names and contact info.
Here’s an article about how a similar tactic landed Honda and Flybe in £83,000 worth of fines.
So you know the basics.
Our advice: if your marketing strategy relies on tactics like these, best to start diversifying your lead acquisition methods now.
You might just be able to start moving a totally cold prospect down a funnel—GDPR worry free.
But none of those differences result in a clear green light. For some cold emails, upcoming regulations warn: “um…be careful.” And for some it screams the loudest possible “NO!”

To be brief and brutal:

It’s already easy to trip up on this sort of outreach. And odds are, when new ePrivacy regulation is passed, even this sort of cold email will be under threat.
(In GDPR speak: You must maintain clear records of consent).
And if you’re getting lists thrown your way via partners, well….
Not just bad information. Scary information.
So sending an email, to get permission to send emails—seems, at the very least, like an expensive gamble.
Want to process, store, or even so much as glance at personal data? GDPR says you need consent
Or you wouldn’t re-ask for consent from folks who you didn’t have it for in the first place—like Honda.
