What are rules for B2B outreach in the EU (PECR)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You want to send a cold email to the procurement manager at a company in Germany. You've found their business address on LinkedIn. Is that legal under EU rules? Under PECR (the Privacy and Electronic Communications Regulations), the answer is: it depends, but you have more room than most people think.

PECR is a UK law that originally came from an EU directive (the ePrivacy Directive). The EU member states each implement their own version of this directive, so while the UK has PECR, Germany has its own rules, France has its own, and so on. The underlying principles are broadly similar across the bloc, though enforcement and interpretation vary by country.

Here's the key distinction. PECR and its EU equivalents treat business email addresses differently from personal ones. If you're emailing someone at their corporate address (think captain@acmeshipping.eu), and the message is relevant to their professional role, most EU frameworks allow this without prior consent, as long as you clearly identify yourself and make it simple to opt out. That concept is sometimes called a "corporate subscriber" or "business exemption." It's not a free pass to spam, but it does mean you don't need explicit opt-in the way you would for B2C outreach.

The rules you need to follow for compliant B2B outreach in the EU:

  • The email must be relevant to their role. Sending a cold pitch about logistics software to a logistics director is on-topic. Sending it to the company's HR team is not.
  • You must clearly identify who you are. No hiding behind a vague display name or a domain that doesn't match your actual company.
  • You must include an easy opt-out. A clear unsubscribe link or reply instruction is required every time. If someone opts out, you stop. Full stop.
  • You must keep records. If you're processing personal data (and a name plus work email counts), GDPR still applies to how you store and use that data, even if PECR gives you room to contact them.

That last point matters more than most cold email guides admit. PECR (and its EU equivalents) governs whether you can contact someone. GDPR governs whether you can hold and process their data. You need a lawful basis under GDPR for storing that contact's details, and "legitimate interest" is the most commonly used one for B2B prospecting. That means you need to be able to show the interest is real, proportionate, and not overriding the individual's rights.

A few things that will get you in trouble regardless of the business exemption:

  • Emailing individuals at generic addresses like info@company.com where there's no named person (some jurisdictions treat these as personal data anyway)
  • Ignoring opt-outs or re-adding people who've unsubscribed
  • Buying lists without knowing how the data was originally collected
  • Using deceptive subject lines or sender names

And the safest framing: treat B2B outreach in the EU as "consent not required, but respect still required." You can reach out without prior consent if the relevance and transparency conditions are met. But the moment someone says no, that's the end of it.

If you're building a cold email workflow that touches EU contacts, it's worth reading up on how cold email tools need to adapt for EU compliance, and making sure your sending streams are set up correctly before you scale. Not sure if your setup passes the test? Drop into our SOS hotline and we'll take a look.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your answers above and ask: is my B2B outreach compliant with PECR and GDPR?

I read this on the Email Almanac about B2B email outreach rules under PECR and the EU ePrivacy Directive. I want to understand whether my cold email setup is compliant. Help me assess my situation. I need: 1. Whether my outreach qualifies for the business exemption 2. What GDPR obligations I still have even if PECR allows contact 3. What my opt-out and suppression process should look like 4. Red flags in my current setup that could cause legal or deliverability problems --- My details (fill in what applies): - Who I'm emailing: job title / department / company type - How I sourced the contacts: LinkedIn / bought list / scraped / referral / other - What I'm pitching: describe briefly so we can assess relevance to role - My sending domain and company location: country - Audience countries: EU member states / UK / both / global - ESP or tool I'm using: e.g. HubSpot, Instantly, Mailchimp, custom SMTP - Opt-out method: unsubscribe link / reply to remove / none yet - Whether I store suppression records: yes / no / not sure - GDPR lawful basis I'm relying on: legitimate interest / contract / consent / not sure - Any complaints or legal concerns so far: describe

Edit the yellow boxes, then send to the AI of your choice.