What is the legal framework for cold B2B email in the UK?
Two pieces of legislation govern every cold B2B email sent from or into the UK. The Privacy and Electronic Communications Regulations (PECR) 2003 control whether you are allowed to send unsolicited direct marketing email at all. UK GDPR controls how you process the personal data involved in building, using, and maintaining the contact list. Both apply simultaneously, and satisfying one does not excuse a breach of the other.
PECR Regulation 22 sets the basic rule: you must not send unsolicited direct marketing email to an individual subscriber unless either (a) you have prior consent, or (b) the recipient is a corporate subscriber who has not opted out. UK GDPR Article 6(1)(f) provides the lawful basis for the data processing: legitimate interests. To rely on it, you must complete a Legitimate Interests Assessment (LIA) that weighs your commercial purpose against the recipient's reasonable expectations, and you must confirm that the individual's rights are not overridden by that purpose.
The Information Commissioner's Office (ICO) has consistently held that the two regimes must be read together. A useful way to think about it: PECR is the gatekeeper that decides whether the send is permissible, and UK GDPR is the ongoing obligation that governs everything you do with the data before, during, and after the campaign.
What does PECR Regulation 22 actually say about corporate contacts?
PECR distinguishes between individual subscribers and corporate subscribers. A corporate subscriber is a company or other corporate body, including a limited company, LLP, or public authority. Individual subscribers are natural persons, including sole traders and individual partners in unincorporated partnerships. The practical effect: you may send unsolicited marketing email to a generic corporate address (a shared departmental mailbox rather than a named person's inbox) without prior consent, provided you give the company a clear right to opt out. Named work addresses (an individual employee's own mailbox at the company domain) sit in a grey area that the ICO treats closer to the individual-subscriber end, making a well-documented legitimate interests basis the correct approach.
Who counts as a corporate contact, and who does not?
The corporate-versus-individual distinction matters enormously because the compliance obligations differ sharply. Here is a working table:
| Contact type | PECR classification | Cold email without prior consent? | Lawful basis for data processing |
|---|---|---|---|
| Named employee at Ltd/LLP/PLC (individual's own work mailbox) | Treated as individual subscriber by ICO | Yes, if legitimate interests assessment passes and opt-out is provided | UK GDPR Article 6(1)(f) legitimate interests |
| Generic corporate address (shared departmental mailbox) | Corporate subscriber | Yes, with opt-out mechanism | UK GDPR Article 6(1)(f) legitimate interests |
| Sole trader personal email | Individual subscriber (consumer-equivalent) | No, prior consent required unless soft opt-in applies | UK GDPR Article 6(1)(a) consent, or soft opt-in under PECR Reg 22(3) |
| General partnership (unincorporated) | Individual subscribers (each partner) | No, same treatment as sole trader | Consent or soft opt-in |
| LLP employee email | Treated as individual subscriber by ICO | Yes, with legitimate interests assessment and opt-out | UK GDPR Article 6(1)(f) legitimate interests |
Sole trader confusion trips up a surprising number of B2B email programmes. A plumber operating as "Bob Harris Plumbing" with a Gmail or personal-domain address is legally a consumer for PECR purposes, even if your campaign is positioned as a trade offer. The Companies House registered-company test is a practical proxy: if the entity has a company number, it is almost certainly in the corporate subscriber category.
What must every cold B2B email contain?
PECR Regulation 23 requires that every unsolicited direct marketing email clearly identifies the sender and provides a valid address at which the sender can be contacted. The ICO interprets this as meaning your trading name (or registered company name), a postal or registered address, and a mechanism for opting out that actually works. These are the bare minimum; there are additional requirements under UK GDPR that a first cold email must also address.
Required elements checklist
The following must appear in every cold B2B marketing email you send:
- Sender identification: the name under which you trade, not just a first name or team alias. "SortedIQ Ltd" or "SortedIQ Data", not just "the team at SortedIQ".
- Physical address: a registered office address or a trading address. A PO box is generally insufficient; the ICO expects a genuine postal address.
- Unsubscribe mechanism: a one-click or clearly explained opt-out process. It must be free to use and must not require the recipient to log in to an account they do not have.
- Article 14 privacy information (first email only): the source of the contact's data, the lawful basis, categories of data held, and the right to object. Many senders include a short paragraph in the footer: "We hold your details sourced from publicly available business information; our lawful basis is legitimate interests. You may object at any time by replying 'remove' or clicking the link above."
- Honest subject line: the subject must not disguise the commercial nature of the message or deceive the recipient about the sender's identity.
- Honest from-name: using a personal-sounding from-name to disguise that the message is commercial marketing is a PECR breach.
Subject line and from-name rules in more detail
PECR Regulation 23(a) prohibits concealment of the sender's identity, and Regulation 23(b) prohibits disguising or concealing the address to which replies can be sent. A noreply address in the "from" field is technically permissible provided a reply-to address is active, but using a misleading display name is not. Subject lines like "Following up on your enquiry" when there was no prior enquiry cross the line: they disguise the commercial purpose of the message and could also attract ICO scrutiny under its guidance on direct marketing.
In practice, the safest subject lines are accurate and concise. "Introduction: B2B data lists for your next campaign" is compliant. "Re: our conversation last week" (when there was no conversation) is not. Short, direct subject lines also tend to perform better, so compliance and commercial interest align here.
How does UK GDPR Article 14 fit in when using a bought list?
If you acquire B2B contacts from a third-party supplier, the contacts did not give you their data directly. Under UK GDPR Article 14, you must provide them with a privacy notice "at the latest at the time of the first communication". For a cold email programme, that means the first message you send must contain or link to information covering: the identity of the data controller (you), the categories of data you hold, the source of the data, the lawful basis for processing, the retention period, and the individual's rights including the right to object.
You do not need to send a standalone "we have your data" email before the campaign email. The Article 14 disclosure can live inside the campaign email itself, typically as a short footer paragraph with a link to a full privacy notice. For a detailed breakdown of the notice requirements and a sample footer, see our guide to Article 14 notices for bought B2B data.
One point that catches people out: the exemption in Article 14(5)(b) (where providing the notice would involve disproportionate effort) is not available to businesses conducting planned email campaigns. It exists for incidental data collection, not structured commercial outreach. Budget for Article 14 compliance from the start.
What is the soft opt-in, and does it apply to B2B cold email?
The soft opt-in under PECR Regulation 22(3) allows a sender to email an individual without prior consent where three conditions are all met: the contact details were collected during a sale or negotiations for a sale, the messages are about similar products or services, and the individual was given a clear chance to opt out at the point of collection and on every subsequent message. This is a relationship-marketing rule, not a cold-prospecting rule. It applies to your existing customers when you market to them by email on products they have already shown interest in.
Cold outreach to a list you have purchased or compiled from public sources cannot rely on the soft opt-in. You need legitimate interests under UK GDPR and compliance with the PECR corporate-subscriber provisions. For a detailed comparison of lawful bases, see our article on legitimate interests for B2B data in the UK.
Responding to objections and maintaining a suppression file
Every opt-out request received must be acted on. The ICO's position is that opt-outs should be honoured promptly, which in practice means within 28 days at most and ideally within a week. More importantly, you must not add the individual back to your mailing list later unless they have specifically re-opted in. A suppression file (a list of opted-out addresses that is checked before every send) is the standard mechanism. Deleting the record is not sufficient; the address needs to remain on a do-not-contact list so that if you acquire the same contact from a new supplier, the suppression is still applied.
Under the Privacy and Electronic Communications Regulations, failing to honour an opt-out request is an enforcement-level breach. The ICO can issue fines of up to £500,000 under PECR (separate from, and in addition to, UK GDPR fines). Running without a suppression file is therefore not a minor operational gap.
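As an added illustration of the suppression mechanism described above (example code written for this page, not part of the original article or any supplier's software), the following Python normalises addresses, checks a new supplier's batch against the do-not-contact list, and records fresh objections without ever deleting an entry. The file format, addresses and timestamps are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample suppression file (assumed format: address,opt-out time,
# one record per line). The addresses are placeholders.
SUPPRESSION_FILE = """\
Jane.Doe@Example.co.uk,2024-03-02T10:15:00+00:00
info@example.org,2024-04-11T09:00:00+00:00
"""

# Constructed batch from a new list supplier: one previously opted-out
# address (in different letter case) and one duplicate with stray spaces.
NEW_SUPPLIER_BATCH = [
    "jane.doe@example.co.uk",
    "sales@example.net",
    " SALES@example.net ",
    "bob@example.org",
]

def normalise(address: str) -> str:
    """Canonical form for matching: trimmed and lower-cased. The local part
    is folded too, so suppression errs on the side of not sending."""
    return address.strip().lower()

def load_suppression(text: str) -> dict:
    """Parse the suppression file into {normalised address: opt-out time}."""
    suppressed = {}
    for line in text.splitlines():
        if line.strip():
            address, when = line.split(",", 1)
            suppressed[normalise(address)] = when.strip()
    return suppressed

def record_opt_out(suppressed: dict, address: str, when=None) -> dict:
    """Record an objection. The entry is kept, never deleted, so the same
    contact stays blocked if it arrives again from another supplier."""
    when = when or datetime.now(timezone.utc)
    suppressed[normalise(address)] = when.isoformat()
    return suppressed

def filter_batch(batch: list, suppressed: dict) -> tuple:
    """Split a batch into (sendable, blocked), de-duplicated after
    normalisation; run this against every send, not just the first."""
    sendable, blocked, seen = [], [], set()
    for raw in batch:
        address = normalise(raw)
        if address in seen:
            continue
        seen.add(address)
        (blocked if address in suppressed else sendable).append(address)
    return sendable, blocked
```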
Sole traders: check before you send
If your B2B contact list includes sole traders or freelancers, those records require prior consent for electronic direct marketing, not just a legitimate interests basis. Many B2B list providers do not flag this distinction. Before you run a cold email campaign, confirm with your data supplier which records are at incorporated companies and which may be individual traders.
Authentication requirements: SPF, DKIM, and DMARC
Compliance with PECR and UK GDPR is a legal question. Whether your compliant emails actually reach inboxes is a technical one. Google and Microsoft both require B2B senders to have Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) records published for their sending domain before messages will be accepted from bulk senders. Without these DNS records in place, your messages will fail authentication checks and land in spam or be rejected outright.
These are not complex records to configure, but they do need to be done correctly. An SPF record that includes all your sending IP addresses, a DKIM key published in DNS and configured in your email platform, and a DMARC policy of at least p=none with reporting enabled form the minimum viable authentication setup. Most sending platforms (e.g. Mailchimp, Klaviyo, Mailjet) walk you through generating the correct DNS records on account setup.
For deeper guidance on authentication configuration, sending infrastructure, IP warm-up, and inbox placement, those topics are covered in full on messaging.sortediq.com. Authentication is a prerequisite, not a nice-to-have: a campaign that is legally compliant but technically misconfigured will simply not be read.
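The minimum setup in this section can be sanity-checked before launch. The following added Python example (not from the page or from any sending platform) parses constructed SPF and DMARC TXT record strings and flags the gaps named above, and also checks SPF's 10-DNS-lookup limit from RFC 7208, which goes beyond what the page mentions. The domain names and reporting address are placeholders.

```python
import re

# Constructed sample TXT records for a sending domain; domain names and the
# reporting address are placeholders, not real infrastructure.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.esp.example -all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
WEAK_DMARC = "v=DMARC1; p=none"  # policy published, but no reporting address

NO_RUA = "no rua= reporting address, so reporting is disabled"
NO_ALL = "record should end with an all mechanism or a redirect= modifier"
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> list:
    """Problems that keep a record below 'p=none with reporting enabled'."""
    tags, problems = parse_dmarc(record), []
    if tags.get("v") != "DMARC1":
        problems.append("missing or wrong v=DMARC1 tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append(NO_RUA)
    return problems

def mechanism_name(term: str) -> str:
    """'-all' -> 'all', 'include:x' -> 'include', 'ip4:1.2.3.4' -> 'ip4'."""
    return re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]

def check_spf(record: str) -> list:
    """Check version tag, terminating mechanism and the DNS-lookup budget."""
    terms, problems = record.split(), []
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    if not terms or mechanism_name(terms[-1]) not in ("all", "redirect"):
        problems.append(NO_ALL)
    lookups = sum(mechanism_name(t) in LOOKUP_MECHS for t in terms)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup mechanisms exceed the RFC 7208 limit of 10")
    return problems
```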
Cold B2B email compliance checklist
Use this table before you launch any cold B2B email campaign. Each row identifies the requirement, the source legislation, and what a passing state looks like.
| Requirement | Source | Passing state |
|---|---|---|
| Legitimate interests assessment completed | UK GDPR Article 6(1)(f) | Documented LIA on file, covering purpose, necessity, and balancing test |
| Contacts are corporate (Ltd, LLP, PLC, public body) | PECR Regulation 22 | List supplier confirms entity type; sole traders and general partnerships removed or handled separately |
| Source of contact data is lawful | UK GDPR Article 5(1)(a) | Data supplier can evidence lawful collection (Companies House, corporate web, public directories) |
| Sender name is honest and non-deceptive | PECR Regulation 23(a) | From-name matches trading name; no disguised personal names used to mislead |
| Reply address is functional | PECR Regulation 23(b) | Reply-to address is monitored; noreply-only configuration avoided |
| Physical address in every email | PECR Regulation 23 / ICO guidance | Registered or trading address in email footer |
| Unsubscribe mechanism present and working | PECR Regulation 22(3), ICO guidance | One-click unsubscribe link; opt-outs honoured within 28 days |
| Suppression file maintained | ICO enforcement guidance | Opted-out addresses retained on a do-not-contact list and checked before every send |
| Article 14 notice in first email | UK GDPR Article 14 | Footer paragraph or link covers data source, lawful basis, retention, and right to object |
| Subject line is not deceptive | PECR Regulation 23 | Subject accurately reflects commercial purpose; no false "Re:" or "Following up" pretexts |
| SPF, DKIM, and DMARC configured | Google/Microsoft sender requirements | DNS records validated; DMARC policy at minimum p=none with a reporting address set |
| Objections handled and recorded | UK GDPR Article 21 | Process exists to record objections, remove from list, and retain on suppression file |
A completed LIA, a clean and correctly segmented list, and a template email that meets the PECR content requirements get you the vast majority of the way there. The suppression file and Article 14 notice are the two areas most often overlooked by teams running their first purchased-list campaign.
For the full framework for running a legitimate interests assessment before a B2B email campaign, see our LIA template for B2B prospecting. For the PECR rules affecting other direct marketing channels alongside email, see our overview of PECR rules for UK marketers.
