Can I use legitimate interests as the lawful basis for cold B2B email?

Yes, under UK GDPR Article 6(1)(f), legitimate interests is a valid lawful basis for B2B cold email provided you complete a Legitimate Interests Assessment, the contact is relevant to the recipient's professional role, and you provide a clear opt-out in every message. PECR Regulation 6 also applies; the soft opt-in exemption under PECR covers existing customers, but for cold outreach to business email addresses at corporate domains, the ICO's current position is that legitimate interests under PECR can apply where the individual is contactable in a business capacity.

What is the difference between the right to object and the right to withdraw consent?

The right to object (Article 21 UK GDPR) applies when processing is based on legitimate interests. The individual can object at any time and you must stop unless you can demonstrate compelling legitimate grounds that override their interests. The right to withdraw consent (Article 7(3)) applies only where consent is the lawful basis; withdrawal must be as easy as giving consent, and you must stop processing once it is withdrawn. The practical difference: with consent, the individual holds a veto by default. With legitimate interests, you carry the burden of proving your interest overrides theirs.

Does PECR apply on top of UK GDPR for B2B email marketing?

Yes. The Privacy and Electronic Communications Regulations (PECR) apply to all direct electronic marketing, including B2B email. PECR is separate from UK GDPR and sets its own consent requirements. For email to corporate role addresses (e.g. sales@company.co.uk), PECR requires the organisation's consent, not an individual's. For named individual email addresses at a corporate domain (e.g. jane.smith@company.co.uk), the ICO treats these as personal data and the PECR rules around individual consent become more relevant, though the soft opt-in and existing relationship rules can apply.

When is consent actually the right lawful basis for B2B prospecting?

Consent is the correct basis when: you are marketing financial products regulated by the FCA where specific consent is a conduct requirement; you are marketing to sole traders or partnerships using personal-data email addresses; you have a consumer-facing brand that uses a single CRM for both B2C and B2B contacts; or when your data provider explicitly confirms records were obtained via a consent mechanism. If you cannot produce a consent record tied to a specific individual, legitimate interests with a documented LIA is almost always the more defensible route.

What should a Legitimate Interests Assessment cover for B2B cold outreach?

A Legitimate Interests Assessment for B2B cold outreach should cover three tests: (1) Purpose test: is there a genuine commercial interest, such as marketing relevant products or services to decision-makers in the target industry? (2) Necessity test: is processing personal data necessary to achieve that purpose, or could it be done without it? (3) Balancing test: do the individual's privacy interests, rights, and freedoms override your interest? Key factors in the balance include whether the contact would reasonably expect this type of outreach given their role, whether the data is minimal and role-appropriate, and whether opt-outs are easy to exercise.

Is B2B data from public sources automatically lawful to use for marketing?

No, public availability does not make processing lawful by itself. You still need a valid lawful basis under UK GDPR Article 6, and for electronic marketing you must also satisfy PECR. B2B data compiled from publicly available sources (Companies House, corporate websites, public directories) can support a legitimate interests claim, but you must still complete a Legitimate Interests Assessment, make the source transparent in your privacy notice, and honour opt-out requests promptly. The ICO's accountability principle means you need documentation of these steps, not just good intentions.

Consent vs legitimate interests for B2B prospecting

What are the six UK GDPR lawful bases?

Article 6 of UK GDPR lists six lawful bases for processing personal data. You must identify at least one before any processing begins, and you cannot swap between them retrospectively if your original choice turns out to be inconvenient.

The six bases are:

Consent (Article 6(1)(a)): The individual has given clear, specific, freely given, and informed agreement. Silence, pre-ticked boxes, and inactivity do not count.
Contract (Article 6(1)(b)): Processing is necessary to perform a contract with the individual, or to take pre-contractual steps they have requested.
Legal obligation (Article 6(1)(c)): Processing is required to comply with UK law, such as employment law or tax obligations.
Vital interests (Article 6(1)(d)): Processing is necessary to protect someone's life. Practically irrelevant to marketing.
Public task (Article 6(1)(e)): Processing is necessary for a task in the public interest, or to exercise official authority. Mainly applies to public bodies.
Legitimate interests (Article 6(1)(f)): Processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the individual's rights and freedoms.

For B2B marketing, the contest is almost always between consent and legitimate interests. The other four bases simply do not fit a prospecting scenario. Contract requires an existing agreement; legal obligation means statute compels you; vital interests is reserved for medical emergencies; public task applies to government bodies.

Why legitimate interests is almost always right for B2B cold outreach

A Manchester-based SaaS company wanting to contact Finance Directors at UK manufacturing firms with 100 to 500 employees is a textbook legitimate-interests scenario. The company has a genuine commercial interest, the contact is proportionate to the recipient's professional role, and the individual would reasonably expect to receive relevant B2B marketing.

Under UK GDPR Article 6(1)(f), legitimate interests is a valid lawful basis for B2B prospecting to corporate email addresses provided you complete a Legitimate Interests Assessment, the contact is relevant to the recipient's role, and you honour opt-out requests. The Information Commissioner's Office (ICO) has explicitly acknowledged that direct marketing can constitute a legitimate interest, citing Recital 47 of the UK GDPR.

The three tests in a Legitimate Interests Assessment (LIA) are:

Purpose test: Is there a genuine, identified commercial interest? Generic "we want to make sales" is weak; "we want to reach Operations Directors at UK logistics firms because our software solves a specific workflow problem they face" is strong.
Necessity test: Is processing personal data actually required to achieve that purpose? If you could realistically achieve the same result without processing the individual's data, legitimate interests may not satisfy necessity.
Balancing test: Do the individual's interests, rights, or fundamental freedoms override yours? Key factors include whether the person would reasonably expect this type of outreach, the sensitivity of the data, and how easy it is to opt out. Business contacts in professional roles generally have a lower reasonable privacy expectation regarding relevant commercial outreach than, say, private individuals receiving unsolicited consumer advertising.

Completing and documenting an LIA is not optional. The ICO's accountability principle means you need a written record of your reasoning. See our LIA template for UK B2B outreach for a practical starting point.

When is consent actually the right choice for B2B?

Consent is not always wrong; it is just rarely the right fit for cold B2B prospecting. There are specific scenarios where it is the correct or compulsory basis.

Existing customers and the soft opt-in

Under the Privacy and Electronic Communications Regulations (PECR), the "soft opt-in" exemption at Regulation 22(3) allows you to email existing customers about your own similar products or services without fresh consent, provided you gave them a clear chance to opt out at the point of data collection and in every subsequent message. This is not quite consent as a lawful basis; it is a PECR exemption that sits alongside UK GDPR. The customer relationship itself provides the foundation, and the soft opt-in removes the need for explicit PECR consent only.

Regulated financial products

The Financial Conduct Authority (FCA) imposes its own conduct requirements on the marketing of certain financial products. In practice, some FCA-regulated firms require explicit consent for direct marketing communications regardless of what UK GDPR alone would permit. If your product falls under FCA oversight, check your sector-specific obligations before relying on legitimate interests.

Sole traders and partnerships

Sole traders and most partnerships are not companies in the legal sense; their business data is their personal data. A sole trader plumber's mobile number is personal data under UK GDPR even if they use it exclusively for work. Treating these contacts under a legitimate-interests framework is still possible, but the balancing test shifts: the line between business and personal life is much thinner, and the ICO expects greater care. Where there is any doubt, consent is the safer choice.

Where you genuinely hold valid prior consent

If a data provider confirms that records were obtained via a consent mechanism (such as a trade event registration form where the individual opted in to third-party marketing from named sectors), and you can access the consent record, using consent as your basis is valid. The critical word is "traceable": you must be able to produce evidence of the consent if challenged. If you cannot, legitimate interests with an LIA is more defensible than claiming consent you cannot prove.

Consent vs legitimate interests: a comparison across seven dimensions

Dimension	Consent (Article 6(1)(a))	Legitimate interests (Article 6(1)(f))
When to use for B2B cold outreach	Only where traceable prior consent exists, or in regulated sectors requiring it	Default choice for cold outreach to decision-makers at limited companies and PLCs
Documentation required	Consent record: who consented, when, to what, via which mechanism	Completed Legitimate Interests Assessment (LIA) covering purpose, necessity, and balancing tests
Individual's right to stop processing	Right to withdraw consent at any time; withdrawal must be as easy as giving consent	Right to object (Article 21); you must stop unless you have compelling legitimate grounds that override their interests
Controller's burden if challenged	Must produce evidence the consent was valid (specific, freely given, informed, unambiguous)	Must demonstrate the LIA was genuinely completed and the balancing test was reasonable
Suitability for purchased B2B data	Problematic; you must be able to show consent was given specifically to you, or to the type of marketing you intend to send	Well-suited where data is compiled from publicly available sources and the LIA is documented
PECR interaction	Electronic marketing to named individuals generally requires PECR consent unless the soft opt-in applies	UK GDPR legitimate interests does not automatically satisfy PECR; separate PECR analysis required for electronic channels
Risk profile if basis is wrong	Processing is unlawful from the start; no retroactive fix available	Potentially defensible if LIA was genuine but court or ICO finds the balance tips differently; still unlawful but often less clear-cut

How PECR interacts with your lawful basis choice

This is where a significant number of marketers get caught out. UK GDPR and the Privacy and Electronic Communications Regulations (PECR) are separate legal instruments. Satisfying one does not satisfy the other.

PECR applies to all direct electronic marketing: email, SMS, automated calls, and fax. For B2B:

Corporate subscriber addresses (e.g. [email protected]): PECR requires the corporate subscriber's consent, not an individual's. The ICO's position is that this is easier to satisfy than individual consent, but you must still provide an opt-out and honour it.
Individual business email addresses (e.g. [email protected]): These are personal data. PECR treats the individual as the subscriber. You need either their direct consent or you must fall within the soft opt-in exemption.
Telephone (live calls): TPS (Telephone Preference Service) suppression is required. Calling a TPS-registered number without consent is a PECR breach regardless of your UK GDPR position.

See our detailed guide to PECR rules for marketers in the UK for channel-by-channel analysis.

The practical upshot: running your B2B data under a legitimate-interests basis for UK GDPR purposes does not automatically cover your PECR obligations for electronic channels. You need a separate PECR justification for each channel you use.

Right to object vs right to withdraw consent: the practical difference

This distinction matters operationally, not just legally.

When you rely on legitimate interests, every marketing communication must include a clear and easy mechanism to object. Once someone objects, you must stop. You can only continue processing if you can demonstrate compelling legitimate grounds that override their interests, rights, and freedoms. In a direct marketing context, that bar is almost impossibly high. Treat every opt-out as absolute.

When you rely on consent, the individual can withdraw it at any time. The withdrawal mechanism must be as easy as the method used to give consent; if someone ticked a box on a form, they must be able to untick it (or equivalent) just as easily. You also cannot charge for processing a withdrawal request, and the withdrawal must take effect promptly. Processing before withdrawal remains lawful; processing after it does not.

In both cases, the practical result for a B2B marketer is the same: honour opt-outs immediately, keep a suppression file, and do not re-add removed contacts without a fresh basis. The difference is in the documentation and the theoretical threshold for overriding the request. With consent, there is no override threshold: withdrawal is absolute. With legitimate interests, there is theoretically an override, but the ICO's guidance makes clear that in direct marketing contexts you should treat opt-outs as final.

Our article on legitimate interests for B2B data in the UK covers the full operational workflow, including suppression file management.

Common mistake: conflating "publicly available" with "no consent needed"

A contact's business email appearing on a corporate website or LinkedIn profile does not mean you have a free pass to market to them. It means the data is technically accessible. You still need a valid lawful basis under UK GDPR and a PECR justification for electronic channels. Public availability supports the "reasonable expectation" limb of the legitimate-interests balancing test; it does not replace it.

Which basis applies to B2B data compiled from public sources?

B2B data compiled from publicly available sources (Companies House filings, corporate websites, public business directories, professional registries) falls squarely into legitimate-interests territory for most outreach scenarios. The data relates to a person in their professional capacity, the source is transparent and unsurprising, and the processing is limited to what is necessary for relevant commercial contact.

The buyer's obligations when using such data are:

Complete and document an LIA before the campaign begins, not after a complaint arrives.
Disclose the data source in your privacy notice and, if required, in the first marketing communication (UK GDPR Article 14 applies when you obtain data from a source other than the individual).
Provide a clear opt-out in every marketing message and action it within a reasonable time (ICO guidance suggests 28 days as a reasonable outer limit; industry good practice is faster).
Maintain a suppression file and check new batches of data against it before sending.
Review the LIA periodically; if your targeting, messaging, or data processing activities change materially, the original LIA may no longer cover you.

In our experience, businesses that skip the LIA documentation step are the ones that struggle when the ICO asks questions. A two-page written LIA that genuinely engages with the balancing test is worth far more than a verbal "we thought it was fine".