The goal of the GDPR wasn’t to stop cold emailing in the EU. Outbound sales are essential to many businesses and will continue to be. But improving the privacy of consumers means adding new rules that we need to understand and follow. Here’s our opinion on what is changing with cold emailing and how it affects companies doing it.
Before we dive in, keep in mind that I’m only talking about B2B sales. I would also recommend you talk to your own DPO or legal council ensure the compliance of your outbound sales strategy.
Can you send an email to someone you’ve never met?
A recurring idea of the GDPR is that you need the consent of the data subject to process any data. If you’re reaching out to someone who doesn’t know you, you obviously don’t have any consent. So should you stop all cold emailing
? Thankfully, consent isn’t the only case where processing is considered lawful. In particular when the « processing is necessary for the purposes of the legitimate interests pursued by the controller » (Article 6
). The controller is the company sending the email, i.e., you.
Of course, the controller’s legitimate interests don’t apply « where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data ».
provides some additional clarification on the idea of legitimate interests. In particular, it states that:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
” At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. “
This last quote is particularly interesting. Will it be a surprise for the recipient to get your email? It shouldn’t be. For example, if you want to sell a technical service and reach out to one of our developers, it’s not a surprise.
Should I include an unsubscribe link?
of the GDPR describes the « Right to object » of data subjects. Because you are processing their data to send emails and potentially store the status in your CRM
, the recipient has the right to object to the processing. He or she could ask at any point that you stop or even destroy the data. In particular, the article states «
“At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
It couldn’t be more clear: you need a dedicated paragraph in your email letting the user know that he/she can ask for the processing to stop. Whether it is done by asking for in a reply or clicking on a link is up to you.
What should I include in our first communication?
describes the « Information to be provided where personal data have not been obtained from the data subject ». In particular, you should share:
“the identity and the contact details of the controller and, where applicable, of the controller’s representative & the contact details of the data protection officer, where applicable”
You should make it clear who you and your company are. But having in every sales email information regarding your DPO and/or representative might be a lot. A « know more » link could be enough to redirect to a page where everything would be. « the purposes of the processing for which the personal data are intended as well as the legal basis for the processing »: It might be obvious but be clear on the fact this is a sales email. B2B sales fall into the “legitimate interest” category, so there’s no reason to hide it.
« from which source the personal data originate, and if applicable, whether it came from publicly accessible sources » They are other requirements described in Article 14 that you need to meet. I invite you to take a look at the article as not to miss any.
Also, note that « it is not necessary to impose the obligation to provide information where the data subject already possesses the information » (Recital 62
) . For example, if you find someone’s email on their company’s website, and contact them regarding a relevant subject (as you always should, obviously), then most of those points become irrelevant as the recipient already has the information.