Can I send cold emails under UK GDPR and PECR?

By SuLe · Updated 18 June 2026

Sometimes: you can cold email a named person at a limited company if you have a lawful basis under UK GDPR and give a clear opt-out, but cold-emailing consumers and most sole traders needs their prior consent. The dividing line is who the subscriber is — corporate or individual — because PECR treats the two completely differently.

Get expert legal advice before you sign.

Book a free 20-minute call

Key facts

  • PECR requires prior consent to email individual subscribers — consumers, sole traders and some partnerships.
  • Corporate subscribers (a named person at a limited company or public body) sit outside the consent rule, but UK GDPR still applies.
  • The soft opt-in lets you email your own existing customers about similar products without fresh consent.
  • Every marketing email must identify who you are and carry an easy opt-out.
  • PECR penalties historically capped at £500,000 are being aligned upward with UK GDPR by the Data (Use and Access) Act 2025 — check commencement.

Who can I legally cold email?

The lawful answer turns on the "subscriber" type. PECR — the Privacy and Electronic Communications Regulations — splits recipients into individual subscribers and corporate subscribers, and only the second group can normally be cold-emailed.

Individual subscribers are consumers, sole traders and most partnerships. To send them marketing email you generally need prior consent, so a cold blast to a bought consumer list is unlawful.

Corporate subscribers are named people at a limited company, an LLP or a public body — someone@company.com of a Ltd. PECR's consent rule does not bite there, so business-to-business cold email is generally permissible if you clear the UK GDPR hurdle below.


What does UK GDPR add on top of PECR?

PECR governs whether you may send the message; UK GDPR governs whether you may hold and use the person's data at all. Both apply, and clearing one does not clear the other.

A work email like jane.smith@company.com identifies an individual, so it is personal data. That means you need a lawful basis — for B2B prospecting this is usually legitimate interests — plus a record of your reasoning and a way to honour objections promptly.

You must also be transparent: people are entitled to know where you got their data and how to stop you using it. In practice, targeted, relevant B2B outreach with a genuine opt-out is defensible; scraped, irrelevant mass mail is not.


What is the soft opt-in, and when can I use it?

The soft opt-in is a narrow exception that lets you market to your own existing customers without collecting fresh consent. It exists so a business can tell buyers about similar products.

Three conditions must all hold. You obtained the contact details in the course of a sale or negotiation for a sale; you are marketing your own similar products or services; and you offered a simple opt-out when you collected the address and in every message since.

Crucially, it never reaches cold prospects. Someone who downloaded a free guide but never transacted, or a name from a purchased list, is not an existing customer — so the soft opt-in cannot rescue an otherwise unlawful send.

RecipientCold email allowed?Basis you rely on
Consumer (personal email)No, without consentPrior consent under PECR
Sole trader / most partnershipsNo, without consentPrior consent under PECR
Named person at a Ltd / LLPGenerally yesUK GDPR lawful basis + opt-out
Your own existing customerYes, for similar productsPECR soft opt-in
Generic inbox (info@, sales@)Not "marketing to an individual"Still identify yourself + allow opt-out

Worked example

Amara runs Deploybird, a B2B DevOps SaaS, and wants to prospect. She builds a list of named platform engineers at UK limited companies, each address in the someone@company.com format.

Because these are corporate subscribers, PECR's consent rule does not stop her. She documents legitimate interests as her UK GDPR basis, keeps the pitch relevant to their role, names Deploybird clearly, and puts a working unsubscribe in every email.

Her co-founder suggests also emailing 2,000 consumer addresses from a marketing-list vendor. Amara declines: those are individual subscribers with no consent and no prior relationship, so the send would breach PECR — exactly the pattern the ICO receives complaints about.


Where founders go wrong

  • Treating a sole trader like a company.

    Sole traders and many partnerships are individual subscribers, so they need consent even though they are "a business".
  • Assuming B2B means no rules.

    The work email is still personal data, so you always need a UK GDPR lawful basis and an honoured opt-out.
  • Stretching the soft opt-in to cold prospects.

    It only covers your own existing customers and only for similar products.
  • Buying a marketing list.

    Bought consumer lists almost never carry valid consent for you, and reliance on the seller's assurances rarely survives scrutiny.

Related questions

Is cold emailing illegal in the UK?

Not automatically. Cold emailing corporate subscribers — a named person at a limited company or public body — is generally allowed if you have a lawful basis under UK GDPR, offer an opt-out and identify yourself. Cold emailing individual subscribers, meaning consumers and most sole traders, needs prior consent, so untargeted consumer blasts usually break the rules.

What is the PECR soft opt-in?

The soft opt-in lets you email existing customers about your own similar products without fresh consent, provided you collected their details during a sale or negotiation, gave a simple opt-out then, and repeat that opt-out in every message. It only ever applies to people who already bought from or engaged with you — never to cold prospects.

Can I email business contacts I find on LinkedIn?

Emailing a corporate address of a limited company is generally permitted under PECR if you have a legitimate-interests basis, keep it relevant, identify yourself and honour opt-outs. But scraping personal data still engages UK GDPR, so you need a lawful basis, and messaging a person at their consumer email or a sole-trader address falls back under the consent rule.

What are the penalties for breaking PECR?

PECR penalties were historically capped at £500,000, but the Data (Use and Access) Act 2025 moves to align them with UK GDPR levels — check the commencement position before assuming a figure. The ICO also enforces through audits and enforcement notices, and unlawful marketing is a common source of complaints. [More: What are the rules for marketing to consumers vs businesses?]


The gap between lawful B2B outreach and an ICO complaint is often a single misjudged list or a missing opt-out — and the penalty regime is being pushed upward as the law changes. A SuLe solicitor can check your outreach playbook against PECR and UK GDPR before you hit send at scale. Book a free compliance check call and market with confidence.

Keep reading: What are the rules for marketing to consumers vs businesses? · What does UK GDPR require from an early-stage startup? · Does my startup need to register with the ICO? · Do I need a cookie banner on my website? · Do I need terms and conditions and a privacy policy for my startup? · Can I publicly advertise that my startup is raising money?

Primary sources: GOV.UK — Marketing and advertising: the law · ICO — For organisations

AI-generated content. General information, not legal advice.