What are the GDPR Rules for Cold Emailing?

Cold emailing can be an important tool, especially for small businesses, but many are unclear as to how the General Data Protection Regulation (GDPR) will change the rules regarding cold emailing practices.

Cold emailing is a way of generating interest and alerting people about a product or service. Once the GDPR comes into force on May 25, 2018, cold emailing will still be permitted, but there are rules which need to be followed.

Pay Attention to Local Laws

One of the main reasons for the introduction of the GDPR is to create greater consistency as to the way data protection is dealt with across different EU states. This does not mean, however, that there will not be local rules to follow in certain circumstances.

EU Member States will still have leeway to introduce different rules and regulations in some areas. This is why some research on the specific rules applicable in the country where your business is based will be necessary.

What GDPR says about cold emailing

GDPR does not outlaw the use of cold emailing entirely, but your business or organisation cannot send random sales emails to a random selection of people. If it does so, it runs the risk of being penalized.

If you want to use cold emailing, you need to think carefully about who you are sending the emails to, as well as the relevance of the content. They must only be sent to people who could reasonably be assumed to find the content useful, for example due to their job title or business area. Certain other requirements also need to be satisfied.

  • The topic of the email must be clearly identified.
  • The email should be personalized to conform to the recipient’s interests.
  • There must be an option provided to unsubscribe from future emails.
  • A genuine physical address of the sender must be included in the email.
  • The sender must be clearly identifiable.
  • An explanatory note explaining how, why, and what data was collected may be included in the interests of transparency.

Any business or organisation using email lists or services also needs to keep full records of email opt-ins and opt-outs. If personal data on the individual is no longer needed following an opt-out, it may be best practice to delete all information apart from the person's email address. Keeping the email address may be defensible as being required to ensure opt-outs are respected.

Any emails that are not delivered due to the addresses being incorrect should trigger steps to correct the address or delete it from the database, in line with GDPR requirements to keep data accurate and up-to-date.

Organizations collecting information to create cold emailing lists or to reach out to a new contact should only gather what is necessary for the contact. For example, they may need the name, email address, and job title to personalize the email, but the telephone number should not be gathered in this case if it is not necessary for the contact purpose.

If the above requirements are not met, it is possible that the business or organisation could be found to be non-compliant with GDPR, and fines and other sanctions could be imposed.