If you’re sending cold emails to people in the EU, you’ve probably heard horror stories about GDPR fines. You want new leads, not legal headaches. This guide is for anyone using Mailrush (or thinking about it) who wants to stay on the right side of the law—without running every sentence by a lawyer.
Let’s cut through the noise and get into what actually matters when it comes to GDPR and cold emailing.
Step 1: Understand What GDPR Actually Requires for Cold Email
Before you start tweaking settings or rewriting templates, know this: GDPR isn’t out to destroy cold email. But it does give people in the EU more control over their personal data, including their email address.
Here’s what you really need to know:
- You need a “legal basis” to contact someone. The most common options are “legitimate interest” or explicit consent. For B2B cold email, “legitimate interest” is usually what you’ll rely on—but you need a good reason.
- You must only email business contacts. Emailing people at their work address about work topics is much safer than emailing consumers.
- You need to be transparent. Tell people why you’re emailing them, how you got their info, and how they can opt out.
- You must respect opt-outs and data deletion requests. No exceptions. If someone says “stop,” you stop.
What doesn’t matter:
You don’t need to get prior consent for every B2B cold email under GDPR. That’s a myth. But you can’t spam, and you can’t hide what you’re doing.
Step 2: Source Data Responsibly
Where you get your email list matters—a lot. GDPR cares about how you collected the data, not just what you do with it after.
- Don’t buy sketchy lists. If you can’t trace where the data came from, don’t use it. “B2B opt-in lists” sold online are rarely GDPR compliant.
- Stick to public, professional info. LinkedIn, company websites, or industry directories are usually fair game for business contacts. But don’t scrape personal Gmail addresses.
- Document your sources. Make a quick spreadsheet or note for each campaign: where did you get these contacts? If you’re ever questioned, you’ll want this.
Pro tip:
Mailrush is a sending tool, not a list provider. If your source is dodgy, no email platform can make you compliant.
Step 3: Set Up Your Mailrush Account for GDPR
Mailrush gives you the mechanics to send cold emails, but you have to use it responsibly.
- Use a dedicated sending domain. Don’t use your main company domain for cold outreach. If you wind up on a blacklist, you don’t want it affecting your main inbox.
- Warm up your sending domain. Mailrush offers automated warm-up features. Use them. Sudden blasts to hundreds of new contacts look spammy to ISPs and regulators alike.
- Set up unsubscribe links. This isn’t optional under GDPR (or CAN-SPAM, for that matter). Make sure every email has a clear, working unsubscribe button. Mailrush lets you add this automatically to your templates.
- Enable tracking carefully. Open and click tracking is handy, but the data it collects is still personal data. Let contacts know you may track interactions, and don’t overdo it.
What to skip:
Don’t obsess over “GDPR-compliant templates” offered online. Compliance is about your process, not a magic set of words.
Step 4: Write Transparent, Respectful Emails
Most cold emails are ignored because they’re generic, misleading, or just plain annoying. GDPR wants you to be honest and clear—so does your reader.
Here’s what to include in every cold email:
- Who you are and who you represent. Don’t hide behind vague job titles.
- Why you’re emailing them. Be specific—“I found your profile on LinkedIn and thought you might be interested in X.”
- How you got their data. Just a line: “I came across your email on your company website.”
- How they can opt out. Spell it out: “If you’d prefer not to hear from me again, just click here.” (And make the link work.)
What to avoid:
- Don’t pretend it’s a personal intro if it’s not.
- Don’t use tricks to hide the unsubscribe link.
- Don’t write in legalese—plain English is fine.
Example of a compliant cold email:
Hi Anna,
I found your contact info on the Acme Corp website and thought you might be interested in a tool that helps with GDPR-compliant email outreach.
If you’re not the right person or would rather not get these emails, just click here to opt out.
Best,
Luke
Notice there’s no hype, no tricks, and it’s clear why you’re emailing.
Step 5: Handle Unsubscribes and Data Requests Promptly
This is where a lot of folks mess up. GDPR isn’t just about how you start the conversation—it’s about how you stop it.
- Unsubscribes must be instant and permanent. If someone opts out, don’t email them again. Mailrush can automatically suppress contacts who unsubscribe, but double-check your settings.
- Delete data if requested. If someone asks you to remove their info, do it. Don’t just stop emailing—delete them from your list.
- Log data requests. Keep a simple record: who asked, what you did, and when. It doesn’t have to be fancy, just easy to find if needed.
Pro tip:
Don’t try to talk people out of unsubscribing. That’s a fast way to annoy folks, and it’s a GDPR risk.
Step 6: Keep a Basic Record of Your Compliance
You don’t need a 50-page GDPR policy, but if you’re emailing in the EU, have your ducks in a row. Here’s what’s worth doing:
- Privacy notice: Link to a privacy policy on your website. It should cover how you handle personal data, even for cold outreach.
- Processing log: Just a basic spreadsheet noting which campaigns you’ve run, where you got the data, and any opt-outs or deletions.
- Mailrush audit logs: Mailrush keeps sending logs—download and keep these for your records.
If you’re ever challenged, being able to show you have a process—and you follow it—is half the battle.
Step 7: Ignore the Hype, Stay Pragmatic
There’s a cottage industry selling “GDPR checklists” and “100% compliance tools.” Here’s the truth:
- No tool (Mailrush included) makes you magically compliant. The tool just sends emails. Compliance is about your decisions.
- Don’t overthink edge cases. Focus on being transparent, respectful, and quick to honor requests.
- If in doubt, ask. If you get a weird data request or aren’t sure, it’s better to pause and look for a real answer than to wing it.
Summary: Keep It Simple, Iterate as You Go
GDPR compliance with cold email isn’t rocket science, but it does take a bit of discipline. Use Mailrush for what it’s good at—sending and tracking emails—but don’t expect it to do the hard parts for you.
- Source clean data.
- Be honest and clear in your messaging.
- Make opting out easy (and respect it).
- Keep a simple record of what you’re doing.
Start simple, don’t freak out over every legal update, and improve your process as you go. If you’re thoughtful and respectful, you’ll stay out of trouble—and your cold emails will probably get better results, too.