Is Cold Email Legal in the UK? PECR, GDPR and B2B Exemptions Explained
Ampliflow
Advanced AI frontier lab and business growth agency. Helping UK businesses deploy agentic AI systems.

TL;DR: Yes, B2B cold email is legal in the UK under PECR regulation 22 — provided you meet six specific conditions including identifying yourself, using a valid business address, and offering a clear opt-out. This article breaks down exactly what the law says so you can run cold email lead generation without risking ICO fines.
The Question Every UK Business Owner Asks
You have heard this before: "Cold email is illegal in the UK."
It is repeated in LinkedIn comments, regurgitated in Facebook groups, and confidently stated by marketers who have never actually read the legislation. And it is wrong.
The reality is more nuanced — and far more useful. Is cold email legal in the UK? The short answer is yes, for business-to-business communication, under clearly defined conditions. The longer answer involves two overlapping pieces of legislation, a specific exemption that most people do not know exists, and a set of compliance requirements that separate legitimate outreach from spam.
Email marketing delivers an average return of $42 for every $1 spent (DMA/Litmus, 2019) — though this covers all email marketing, not cold outreach specifically. The UK DMA's own figure is £35.41 per £1 (DMA UK, 2017) — making it one of the highest-ROI channels available to UK businesses. Cold email consistently delivers a lower cost per acquisition than paid advertising, with well-executed campaigns generating qualified leads at £15-£25 each compared to £45-£120 for paid ad channels. Across the 5.5 million SMEs operating in the UK in 2026, email remains the single most efficient way to start a business conversation. Yet most companies either avoid it entirely (leaving revenue on the table) or do it badly (risking fines and reputational damage).
This article gives you the complete picture. No hedging, no vague disclaimers. Just what the law actually says, what the ICO actually enforces, and how to build a cold email programme that is both legal and effective.
GDPR vs PECR: Understanding the Two Frameworks
This is where most people get confused. They assume GDPR is the only law governing email marketing in the UK. It is not. There are two distinct frameworks, and they work in parallel.
The UK General Data Protection Regulation (UK GDPR) governs how you collect, store, and process personal data. It applies to any information that can identify a living individual — names, email addresses, job titles, IP addresses.
The Privacy and Electronic Communications Regulations 2003 (PECR) governs how you send electronic communications — emails, texts, phone calls, cookies. PECR is the law that specifically addresses whether you can send an unsolicited email to someone.
Here is the critical distinction: GDPR tells you how to handle the data. PECR tells you whether you can send the message.
| | UK GDPR | PECR |
|---|---|---|
| Scope | Processing of personal data | Sending electronic communications |
| Applies to | Any organisation handling personal data | Any organisation sending emails, texts, calls |
| Key requirement | Lawful basis for processing (6 options) | Consent or applicable exemption |
| B2B exemption | Legitimate interest can apply | Regulation 22 soft opt-in / corporate subscriber exemption |
| Enforced by | ICO | ICO |
| Maximum fine | GBP 17.5 million or 4% of global turnover | GBP 17.5 million or 4% of global turnover (aligned with UK GDPR by the Data Use and Access Act 2025) |
| Came into force | 25 May 2018 (retained post-Brexit) | 11 December 2003 (amended multiple times) |
You need to comply with both. A cold email that satisfies PECR but ignores GDPR is still unlawful. An email that has a valid GDPR basis but violates PECR is equally problematic. Think of them as two gates — you need to pass through both.
The good news: for B2B cold email, both frameworks provide clear, workable paths to compliance.
The B2B Exemption: What PECR Regulation 22 Actually Says
PECR regulation 22 is the provision that governs unsolicited marketing emails. The default position is clear: you cannot send marketing emails without prior consent.
But regulation 22(3) contains an exemption. And this exemption is the legal foundation for every legitimate B2B cold email programme in the UK.
The exemption applies to messages sent to corporate subscribers — meaning businesses, partnerships, and limited companies. When you send an email to a corporate email address (like info@company.co.uk or firstname@company.co.uk where the address belongs to the organisation), the consent requirement under PECR is relaxed.
This is not a loophole. It is a deliberate policy choice. The UK government and the ICO recognise that businesses have a legitimate need to communicate with other businesses, and that requiring explicit opt-in consent for every B2B introduction would be commercially impractical.
The ICO's own guidance confirms this. Their direct marketing guidance document states that PECR's restrictions on unsolicited emails "only apply to messages sent to individual subscribers" and that "corporate subscribers are not covered by the email rules in PECR."
However — and this is the part most people skip — you still need to meet specific conditions.
For a deeper dive into building a complete cold email programme around this framework, read our pillar guide: Cold Email Lead Generation for UK Businesses: The 2026 Playbook.
The 6 Conditions for Legal B2B Cold Email in the UK
Meeting the PECR corporate subscriber exemption is necessary but not sufficient. You also need a lawful basis under UK GDPR and you need to follow best practices that the ICO expects. Here are the six conditions you must satisfy:
1. You Are Emailing a Corporate Subscriber
The recipient must be a business entity — a limited company, LLP, partnership, or government body. The email address should be a corporate one (info@, sales@, firstname@companyname.co.uk).
Important nuance: If you are emailing a sole trader or an individual at their personal email address, this exemption does not apply. Sole traders and individual partners are treated as individual subscribers under PECR, meaning you need consent.
2. You Identify Yourself Clearly
Every cold email must clearly state who you are. Your company name, your real name, and your business must be identifiable. No fake sender names. No misleading "From" fields. No pretending to be someone you are not.
This is not just a PECR requirement — it is also covered by the UK GDPR's transparency principle (Article 13) and the Electronic Commerce (EC Directive) Regulations 2002.
3. You Provide a Valid Contact Address
You must include a valid postal address or other contact mechanism in every email. This is a hard requirement. A PO Box counts. A registered office counts. A "reply to this email" option counts as supplementary, but you still need a physical or verifiable address.
4. You Offer a Clear Opt-Out Mechanism
Every single email must include a simple, free, and functional way for the recipient to opt out of future messages. An unsubscribe link is the standard approach. It must work. It must be honoured promptly — the ICO expects opt-outs to be processed within 28 days, but best practice is within 48 hours.
5. You Have a Lawful Basis Under UK GDPR
PECR handles the "can I send this?" question. GDPR handles the "can I process this person's data?" question. For B2B cold email, the most appropriate lawful basis is legitimate interest (Article 6(1)(f) of UK GDPR).
We cover this in detail in the next section.
6. You Honour Opt-Outs and Suppression Lists
If someone asks you to stop emailing them, you stop. Full stop. You should also check the Corporate Telephone Preference Service (CTPS) for telephone outreach, and maintain your own internal suppression list. Re-emailing someone who has opted out is the fastest way to attract an ICO complaint.
| Condition | Requirement | Risk if Missed |
|---|---|---|
| Corporate subscriber | Email must go to a business entity | Entire exemption void — consent required |
| Sender identification | Company name + real identity visible | PECR violation + GDPR transparency breach |
| Contact address | Valid postal or contact address included | PECR violation |
| Opt-out mechanism | Clear, free, functional unsubscribe | PECR violation — most common complaint |
| GDPR lawful basis | Legitimate interest assessment documented | GDPR violation — up to GBP 17.5M fine |
| Suppression compliance | Opt-outs honoured, lists maintained | PECR violation + reputational damage |
When all six conditions are met, your B2B cold email programme is lawful. Not grey-area. Not "technically okay." Fully, demonstrably compliant.
B2C Cold Email: A Different Story Entirely
Everything above applies to B2B communication. Business-to-consumer cold email operates under entirely different rules.
For B2C, PECR regulation 22 requires explicit prior consent — the individual must have actively opted in to receive marketing emails from you. There is a narrow "soft opt-in" exception where you can email existing customers about similar products, but true cold email to consumers without consent is unlawful.
If your business serves consumers directly, cold email is not your channel. Focus on content marketing, SEO and answer engine optimisation, paid advertising, and inbound lead generation instead. You may also find that database reactivation — re-engaging existing customers who have already bought from you — is a more effective and fully compliant alternative for B2C businesses. Our ReFlow service is purpose-built for exactly this kind of GDPR-compliant database reactivation, helping businesses re-engage dormant contacts without the compliance risks of cold outreach.
This article — and Ampliflow's SCALeMAIL service — focuses exclusively on compliant B2B cold email.
Legitimate Interest as a Lawful Basis Under UK GDPR
Legitimate interest is the GDPR basis that makes B2B cold email work. But it is not a blank cheque. You need to conduct a Legitimate Interest Assessment (LIA) — and be able to produce it if the ICO asks.
A LIA has three parts:
Purpose test: Do you have a legitimate reason for contacting this person? Offering a relevant service to a business that could benefit from it qualifies. Spamming every email address you can find does not.
Necessity test: Is cold email necessary to achieve this purpose? If there is a less intrusive way to reach the same outcome, you should use it. But for B2B outreach at scale, email is often the most proportionate channel.
Balancing test: Do the individual's rights and interests override your legitimate interest? For a B2B contact receiving a relevant, professional email with a clear opt-out, the balance typically favours the sender — provided the email is targeted, relevant, and infrequent.
Document your LIA. Keep it on file. Update it periodically. This is your evidence of cold email compliance if questions arise.
The ICO has been clear that legitimate interest is a valid basis for B2B marketing. Their guidance states: "Legitimate interests can be particularly relevant for business-to-business marketing, where you are contacting people in their professional capacity."
Technical Compliance: SPF, DKIM, DMARC and Deliverability
Legal compliance gets your programme past the regulators. Technical compliance gets your emails past the spam filters. You need both.
Since February 2024, Google and Yahoo have enforced strict authentication requirements for bulk senders. In 2026, Microsoft and Apple Mail have followed suit. If your sending domain lacks proper authentication, your emails will not reach the inbox, and regulatory compliance becomes academic.
SPF (Sender Policy Framework): A DNS record that specifies which mail servers are authorised to send email on behalf of your domain. Without it, receiving servers flag your messages as potentially spoofed.
DKIM (DomainKeys Identified Mail): A cryptographic signature that proves your email was not altered in transit. It ties each message to your domain with a verifiable digital signature.
DMARC (Domain-based Message Authentication, Reporting and Conformance): A published policy that tells receiving servers what to do with a message that fails authentication, meaning neither SPF nor DKIM passes in alignment with the visible From: domain. A proper DMARC policy (p=quarantine or p=reject) signals that you take email security seriously.
| Authentication | Purpose | Impact Without It |
|---|---|---|
| SPF | Authorises sending servers | Emails flagged as spoofed |
| DKIM | Verifies message integrity | Emails flagged as tampered |
| DMARC | Defines handling policy for failures | No protection against domain impersonation |
| Custom tracking domain | Branded link tracking | Links flagged by spam filters |
| Dedicated sending IP | Isolated sender reputation | Shared IP reputation drags down delivery |
These are not optional extras. They are the minimum technical standard for any cold email programme in 2026. Our custom automation service includes full email infrastructure setup — SPF, DKIM, DMARC, domain warming, and deliverability monitoring — as standard.
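To make the SPF and DMARC requirements above concrete, here is an added example (not code from Ampliflow or any service named on this page) that parses the two DNS TXT record formats and grades them the way a deliverability review would: an SPF record that ends in `?all` or `+all` and a DMARC policy of `p=none` are flagged as weak, while `-all` with `p=reject` passes. The record strings are constructed samples for a hypothetical domain; a real check would fetch them with a DNS resolver, which is omitted so the script runs offline.

```python
"""Parse and grade SPF and DMARC TXT records for a sending domain.

Added example. The records below are constructed samples for a
hypothetical domain (.invalid TLD), not records any real domain publishes.
"""
import re

# Constructed samples: a weak configuration and a hardened one.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 a mx include:_spf.example-esp.invalid ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@mail.example.invalid",
    },
    "hardened": {
        "spf": "v=spf1 include:_spf.example-esp.invalid -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                  "rua=mailto:dmarc@mail.example.invalid"),
    },
}

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 limits these to 10).
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)\b")


def parse_spf(record):
    """Split an SPF record into its mechanisms and the qualifier on the final 'all'."""
    if not record.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        if term.lstrip("+-~?") == "all":
            # A bare 'all' means '+all' (pass everything), per the SPF spec.
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; ...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def grade(spf_record, dmarc_record):
    """Return a list of findings; an empty list means the records meet the bar."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF: terminal qualifier should be -all (or ~all) so unlisted servers fail")
    if not spf["mechanisms"]:
        findings.append("SPF: no sending servers are authorised")
    lookups = sum(1 for m in spf["mechanisms"] if LOOKUP_TERMS.match(m))
    if lookups > 10:
        findings.append("SPF: more than 10 DNS-lookup terms; receivers will return permerror")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none")
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s gives no protection; use p=quarantine or p=reject" % policy)
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    if int(dmarc.get("pct", "100")) < 100:
        findings.append("DMARC: pct below 100 applies the policy to only part of the mail stream")
    return findings


if __name__ == "__main__":
    for label, recs in SAMPLE_RECORDS.items():
        print(label, grade(recs["spf"], recs["dmarc"]) or ["ok"])
```

The grader deliberately treats `p=none` as a finding even though it is a valid DMARC policy: a monitoring-only policy is the right first step during domain warm-up, but it provides none of the impersonation protection the table above refers to, so it should not be the end state for a sending domain.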
What Happens if You Get It Wrong
The ICO has enforcement powers under both PECR and UK GDPR. And they use them.
Since the Data Use and Access Act 2025, PECR fines have been aligned with UK GDPR — up to GBP 17.5 million or 4% of global annual turnover, whichever is higher. In practice, most penalties for email marketing violations fall in the GBP 50,000 to GBP 500,000 range — but the reputational damage often costs more than the fine itself.
| Year | Company | Violation | Fine |
|---|---|---|---|
| 2023 | Clearway Services Ltd | Unsolicited marketing texts | GBP 100,000 |
| 2023 | Ambulance wishlist Ltd | Unsolicited marketing emails | GBP 90,000 |
| 2024 | Lazenby IT Group Ltd | Unsolicited marketing emails/calls | GBP 80,000 |
| 2024 | Hastings International Ltd | Marketing emails without consent | GBP 120,000 |
| 2025 | Various (aggregated) | PECR email violations | GBP 50,000 – GBP 250,000 |
Beyond fines, non-compliance triggers:
- Domain blacklisting. Major email providers permanently block your sending domain. Recovering from a blacklist takes months.
- Complaint escalation. One ICO complaint often triggers an audit of your entire data processing operation.
- Loss of sending infrastructure. Email service providers like Mailgun, SendGrid, and Amazon SES will terminate your account for compliance violations.
- Reputational damage. ICO enforcement notices are public record. Your prospects can — and will — find them.
The message is straightforward: compliance is not a cost centre. It is the price of admission.
How to Build a Compliant Cold Email Programme
Here is the practical framework. Not theory — the actual steps.
Step 1: Define your Ideal Customer Profile (ICP). The more precisely you define who you are targeting, the stronger your legitimate interest case becomes. "UK-based accounting firms with 10-50 employees" is a valid ICP. "Anyone with a business" is not.
Step 2: Source data compliantly. Use reputable B2B data providers that verify their data is collected lawfully. Companies House public data, LinkedIn Sales Navigator, and verified business databases are all legitimate sources. Scraping personal email addresses from random websites is not.
Step 3: Conduct and document your LIA. Write out your purpose, necessity, and balancing tests. Keep the document accessible. Update it when your targeting changes.
Step 4: Set up proper email infrastructure. Dedicated sending domain (not your primary domain). SPF, DKIM, and DMARC configured correctly. Domain warmed gradually over 2-4 weeks before sending at volume.
Step 5: Write relevant, personalised emails. Generic mail-merge templates sent to thousands of recipients are a compliance risk and a deliverability disaster. Every email should demonstrate that you understand the recipient's business and have a relevant reason for reaching out.
Step 6: Include all required elements. Your real name and company name. A valid contact address. A clear, functional opt-out link in every email. No exceptions.
Step 7: Monitor and maintain. Process opt-outs within 48 hours. Maintain your suppression list. Monitor bounce rates and complaints. Adjust your approach based on engagement data.
Why Most Businesses Get Cold Email Wrong (and How AI Fixes It)
Most businesses approach cold email in one of two ways. Either they avoid it entirely because they believe it is illegal (it is not, as we have established). Or they send mass-blasted, generic templates to purchased lists with no personalisation, no compliance infrastructure, and no suppression management.
Both approaches leave money on the table. The first misses the channel entirely. The second poisons the well — generating complaints, damaging sender reputation, and giving cold email its bad name.
AI changes the equation in three fundamental ways:
Hyper-personalisation at scale. Large language models can analyse a prospect's website, recent news, job postings, and financial filings to generate genuinely personalised opening lines and value propositions. Not "Hi {{first_name}}, I noticed your company..." — but real, specific observations about their business that demonstrate relevance.
Dynamic compliance monitoring. AI systems can automatically verify that every outgoing email includes required elements (sender identification, opt-out link, contact address), cross-reference against suppression lists in real time, and flag potential sole-trader recipients before the email is sent. AmpliDash provides a centralised compliance dashboard that tracks opt-out processing times, suppression list health, and bounce rates — giving you auditable evidence of compliance at a glance.
Intelligent send optimisation. Machine learning models optimise send times, follow-up sequences, and messaging variants based on engagement data — keeping response rates high while keeping complaint rates near zero.
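The automated verification described above, and Steps 6 and 7 of the framework (required elements in every email, suppression list maintained), can be expressed as a pre-send gate. The following is an added example, not SCALeMAIL or AmpliDash code: it takes one outgoing message as a dict, applies the checks the article lists (visible sender name, company name in the body, a postal address using a UK postcode as the proxy, opt-out wording plus a List-Unsubscribe header, suppression-list lookup) and returns blocking errors separately from the softer warning that a personal mailbox domain probably belongs to an individual subscriber. The messages, suppression list and personal-domain list are constructed samples; using a postcode as the address check is an assumption of this example.

```python
"""Pre-send compliance gate for a B2B cold email (added example).

All sample data below is constructed. The postcode regex is a simplified
UK pattern used as a proxy for 'a postal address is present'.
"""
import re
from email.utils import parseaddr

UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}\b")
OPT_OUT_WORDS = re.compile(r"(unsubscribe|opt[- ]?out|stop (receiving|these) emails)", re.I)

# Constructed: mailbox domains that belong to people rather than organisations.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.co.uk", "yahoo.co.uk", "icloud.com"}

# Constructed suppression list, stored lower-cased for case-insensitive matching.
SUPPRESSED = {"opted.out@acme-ltd.example", "complained@widgets.example"}


def check_message(msg, suppressed=SUPPRESSED):
    """Return (errors, warnings) for one message dict.

    Keys used: from, to, company, body, headers. Any error blocks sending;
    warnings need a human decision before the message goes out.
    """
    errors, warnings = [], []
    name, _sender = parseaddr(msg.get("from", ""))
    _, recipient = parseaddr(msg.get("to", ""))
    recipient = recipient.lower()
    body = msg.get("body", "")
    headers = {k.lower(): v for k, v in msg.get("headers", {}).items()}

    # Condition 2: the sender's real name and company must be identifiable.
    if not name.strip():
        errors.append("From: has no display name; the sender's real name must be visible")
    if msg.get("company") and msg["company"].lower() not in body.lower():
        errors.append("company name not stated in the body")

    # Condition 3: a valid postal address (postcode used as the proxy here).
    if not UK_POSTCODE.search(body):
        errors.append("no postal address (UK postcode) found in body")

    # Condition 4: a visible opt-out and a machine-readable List-Unsubscribe header.
    if not OPT_OUT_WORDS.search(body):
        errors.append("no opt-out wording in body")
    if "list-unsubscribe" not in headers:
        errors.append("List-Unsubscribe header missing")

    # Condition 6: the suppression list is checked before anything leaves.
    if recipient in suppressed:
        errors.append("recipient is on the suppression list")

    # Condition 1: a personal mailbox is likely an individual subscriber.
    domain = recipient.rsplit("@", 1)[-1]
    if domain in PERSONAL_DOMAINS:
        warnings.append("recipient uses a personal mailbox domain; likely an individual "
                        "subscriber, so consent would be required")
    return errors, warnings


# Constructed sample messages: one that passes every check, one that fails most.
COMPLIANT = {
    "from": "Jane Smith <jane.smith@outreach.example>",
    "to": "Ops Director <ops@acme-ltd.example>",
    "company": "Outreach Example Ltd",
    "subject": "Invoice automation at Acme",
    "body": ("Hi Sam,\n\nI'm Jane Smith from Outreach Example Ltd. I saw Acme's recent "
             "hiring for accounts staff and wanted to share how similar firms cut "
             "invoice processing time.\n\n"
             "Outreach Example Ltd, 1 Sample Street, London SW1A 1AA.\n"
             "If you would rather not hear from us, reply 'unsubscribe' or use the link below."),
    "headers": {"List-Unsubscribe": "<mailto:unsubscribe@outreach.example>"},
}
NON_COMPLIANT = {
    "from": "<sales@outreach.example>",
    "to": "someone@gmail.com",
    "company": "Outreach Example Ltd",
    "subject": "Quick question",
    "body": "Hi, we can save you money. Interested?",
    "headers": {},
}

if __name__ == "__main__":
    for label, msg in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, check_message(msg))
```

Keeping errors and warnings apart matters operationally: a missing opt-out or a suppressed recipient is a PECR breach and should never be overridden, while the personal-domain flag is only a heuristic, so a reviewer confirms the recipient's status (for example against Companies House, as the FAQ suggests) rather than the tool silently blocking a legitimate corporate contact on a non-standard domain.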
This is what our SCALeMAIL platform does. It combines AI-driven personalisation with built-in cold email compliance — every message is checked against PECR and GDPR requirements before it leaves the server. The result: higher response rates, zero compliance risk, and a cost per acquisition 3-5x lower than paid alternatives.
For a complete breakdown of the strategy behind this approach, see our guide: Cold Email Lead Generation for UK Businesses: The 2026 Playbook.
Key Takeaways
- B2B cold email is legal in the UK under the PECR corporate subscriber exemption — provided you meet all six conditions outlined above.
- B2C cold email requires explicit consent. The exemption only applies to corporate subscribers. Sole traders are treated as individuals.
- GDPR and PECR work in parallel. You need a lawful basis under GDPR (legitimate interest) and compliance with PECR's requirements. Both must be satisfied.
- Technical compliance is non-negotiable. SPF, DKIM, and DMARC authentication are the minimum standard for deliverability in 2026.
- The ICO enforces actively. Since the Data Use and Access Act 2025, PECR fines can reach GBP 17.5 million or 4% of global turnover — aligned with UK GDPR. Enforcement notices are public.
- Documentation protects you. A written Legitimate Interest Assessment is your best defence if questions arise. Conduct one, file it, update it.
- AI makes compliance easier, not harder. Automated checking, suppression management, and personalisation at scale solve the problems that made cold email risky in the first place.
The law does not prohibit B2B cold email. It regulates it. And businesses that understand the regulations have a significant competitive advantage over those that do not.
FAQ
Is cold email legal in the UK for B2B outreach?
Yes. Under PECR regulation 22, unsolicited marketing emails sent to corporate subscribers (businesses, LLPs, limited companies) are exempt from the consent requirement. You must still identify yourself, include a valid contact address, provide an opt-out mechanism, and have a lawful basis under UK GDPR — but B2B cold email is explicitly permitted under UK law.
Do I need consent to send cold emails to businesses?
No, not under PECR — provided the recipient is a corporate subscriber and you meet the six conditions outlined in this article. You do need a lawful basis under UK GDPR, and legitimate interest is the standard basis for B2B cold email. You should conduct and document a Legitimate Interest Assessment to demonstrate compliance.
What is the difference between GDPR and PECR for cold email?
UK GDPR governs how you collect, store, and process personal data (including email addresses). PECR governs whether you can send the electronic communication itself. For cold email compliance, you need to satisfy both. GDPR requires a lawful basis for processing the data. PECR requires either consent or an applicable exemption (such as the corporate subscriber exemption) for sending the message.
Can the ICO fine me for sending cold emails?
Yes, if your emails violate PECR or UK GDPR. Since the Data Use and Access Act 2025, both PECR and GDPR fines can reach GBP 17.5 million or 4% of global annual turnover. In practice, ICO fines for email marketing violations typically range from GBP 50,000 to GBP 250,000. Beyond fines, you risk domain blacklisting, loss of sending infrastructure, and reputational damage from public enforcement notices.
Can I send cold emails to sole traders in the UK?
No — not without consent. Under PECR, sole traders and individual partnerships are classified as individual subscribers, not corporate subscribers. This means the B2B exemption does not apply, and you need explicit prior consent before sending marketing emails to sole traders. If you are unsure whether a prospect is a sole trader or a limited company, check Companies House before sending.