What is enrichment transparency and how to disclose it?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine you receive a cold email from someone you've never heard of. They know your job title, the company you work for, and maybe even your industry segment. You didn't give them that information. So how did they get it?

That's the question enrichment transparency is designed to answer. Enrichment means someone took a basic contact record and layered on extra data from a third-party source (a data broker, a public database, a LinkedIn scrape). Under GDPR Article 14, if you collected data about someone from a source other than the person themselves, you have to tell them. It's not optional.

The disclosure has to cover a few specific things. You need to tell the person you have their data, where it originally came from, what extra information you added through enrichment, why you're contacting them and what your lawful basis is, and how they can access, correct, or delete their record. That last one matters more than people think. If someone can't easily find a way to ask you to remove them, that's a compliance gap.

When does the disclosure have to happen? At first contact with the person, or within one month of obtaining the data if you haven't contacted them yet. Whichever comes first.

How to actually do it in a cold email

And you don't need to write an essay. A short, honest paragraph in the email itself plus a link to your privacy policy is the standard approach. Something like this works well:

"Your contact information came from [source, e.g. a public company database]. We reached out because [specific reason]. You can see how we store and use your data, or request deletion, at [privacy policy link]."

That's it. Plain language, real source named, clear opt-out path. It doesn't need to be scary, and it doesn't need to be buried in a footer. Putting it in the body of the first email is both legally sound and, honestly, better for trust.

And one thing worth noting: the source you name has to be specific enough to be meaningful. "Publicly available sources" on its own is vague and courts have not looked kindly on it. If the data came from a broker like Cognism or Apollo, or from a scraped LinkedIn export, say that. Vague disclosures tend to read as evasion, and they invite complaints.

Your privacy policy should back up whatever you say in the email. It needs to describe enrichment as a data practice, name the categories of data involved, and explain the retention period. If your policy still only mentions data collected directly from users, it's time for an update before you run another enriched cold campaign.

If you're operating outside the EU, check your local rules. CCPA in California, PIPEDA in Canada, and PDPA in various Asian jurisdictions all have their own versions of these requirements. The specific disclosure format and timing can differ, so this answer focuses on the GDPR framework as a common baseline.

Not sure if your current outreach setup covers all of this? The SOS hotline is free and we're happy to take a look with you.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Draft my enrichment disclosure

I send cold outreach using enriched contact data. Based on the information below, draft a short disclosure paragraph I can include in my first email, and tell me if my privacy policy needs updating. Include the data source I used, my stated reason for contacting, and a link placeholder for my privacy policy.

Edit the yellow boxes, then send to the AI of your choice.