Do B2B senders not need consent?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
A lot of B2B senders assume that emailing a work address is somehow exempt from consent rules. It's one of the most common misconceptions in email marketing, and it can get you into real trouble.
The short answer is no, B2B doesn't get a free pass. GDPR covers individuals at companies just as much as it covers consumers. If you're emailing someone at their work address in the EU, you need a lawful basis for doing so. Consent is one option, but so is "legitimate interests" (which means you need a documented reason that genuinely holds up, not just "we want their business").
CASL, Canada's anti-spam law, requires either express or implied consent before you send commercial email to anyone, B2B included. Implied consent exists when there's a prior business relationship, like a recent inquiry or purchase, but it has a time limit and it expires. CAN-SPAM in the US is the most permissive of the three, but it still requires a functioning unsubscribe and honest sender identification. It doesn't require prior consent, which is why so many US-based cold outreach tools cite it, but CAN-SPAM compliance doesn't protect you if your recipients are in the EU or Canada.
A few places do treat B2B more leniently than B2C. The UK's PECR regulation, for example, allows unsolicited email to corporate addresses (not personal ones) in some cases. But "more lenient" is not the same as "anything goes."
There's also a practical argument here, separate from legality. Even where cold B2B outreach is technically allowed, it drives complaints, spam reports, and low engagement. Those signals hurt your sender reputation whether or not you broke a law. Cold outreach still counts as email in the eyes of a spam filter, and filters don't care about your jurisdiction.
So what does good B2B consent actually look like in practice? A few approaches that hold up:
- Event-based consent: Someone attends a webinar or downloads a resource and checks a box agreeing to future emails. That's clean, documented consent.
- Direct opt-in: A prospect fills out a contact form or signs up for updates. Simple and solid.
- Implied consent from a business relationship: You've had a recent commercial exchange. Under CASL this lasts two years from the date of the transaction. Under GDPR it still needs legitimate interest documentation.
- LinkedIn or event connections: Meeting someone at a conference doesn't automatically grant email permission. It gives you a reason to reach out once and ask if they'd like to hear from you. That's it.
Whatever your source, document it. If someone files a complaint, "I found their address online" is not a defense. "They filled out our contact form on March 4th" is.
Not sure how your current list was built or whether your signup process is solid? Our SOS hotline is free, and we can help you figure out where you actually stand.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.