The two laws that govern UK cold email

Two pieces of UK law govern cold email: UK GDPR (data-protection law) and PECR (the Privacy and Electronic Communications Regulations). They apply together, and you have to satisfy both.

UK GDPR applies whenever you process personal data, and a work email address counts as personal data when it identifies an individual (a firstname.lastname@ address at a company domain does; a generic info@ or sales@ mailbox usually does not). PECR sits on top and adds specific rules about marketing communications, including email.

The B2B carve-out (this is the important bit)

PECR Regulation 22 sets the rules for unsolicited marketing email, and it applies only to individual subscribers: natural persons receiving email at a personal address. Under PECR's definitions that category also covers sole traders and ordinary (non-LLP) partnerships in England, Wales and Northern Ireland. Corporate subscribers are bodies with their own legal personality: companies, limited liability partnerships, Scottish partnerships and public bodies. Regulation 22 does not apply to them, and the ICO's current guidance confirms that you can send marketing email to corporate subscribers without prior consent, provided you give a clear opt-out. The named employee behind a corporate address is still an identifiable individual, so UK GDPR (including the right to object to direct marketing) continues to apply to their data.

What this means in practice: cold-emailing John at his named work address at an incorporated company is treated differently from cold-emailing the same John at his personal webmail address. The first is an address at a corporate subscriber; the second is an individual subscriber's address, and Regulation 22 applies in full.

UK GDPR: lawful basis for cold B2B email

Even with the PECR B2B carve-out, you still need a lawful basis under UK GDPR to process the personal data (the work email itself). For cold B2B email, the appropriate lawful basis is almost always legitimate interest. You do not need explicit consent.

Legitimate interest requires you to have done a legitimate interest assessment (LIA): a documented three-part test showing that (a) you have a real business interest in contacting the prospect (the purpose test), (b) emailing them is necessary to pursue that interest and no less intrusive route would do (the necessity test), and (c) the prospect's interests, rights and reasonable expectations do not override yours (the balancing test). For typical UK B2B cold email aimed at a relevant decision-maker, on a topic related to their role, with a clear opt-out, this assessment is straightforward, but it still has to be written down before the first send.

The opt-out requirement

Every UK B2B cold email must contain a clear, easy way for the recipient to opt out. The standard mechanism is a one-click unsubscribe link in the footer. PECR Regulation 23 also requires that the sender's identity is not disguised or concealed and that the email carries a valid address at which the recipient can ask you to stop; a working reply address or unsubscribe address meets this, and a postal address is good practice on top.

Once a recipient opts out, act on it promptly, and in any case within 30 days of receiving it. Record the opt-out in a suppression list and check every future send against it, so the address is not quietly re-added when a prospect list is refreshed from a data provider.

Records you must keep

  • A copy of the legitimate interest assessment for your cold-email programme.
  • Records of every campaign sent: date, recipient list, content of the email.
  • A list of all opt-outs (a "do not contact" suppression list).
  • The source of every prospect record (which licensed B2B database or public record it came from); scraped data is a high-risk source and should be treated as such in the LIA.
  • Privacy policy on your website explaining what personal data you process and the lawful basis.
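As an added example, not the page's own or AI Email's code, here is one way to implement the suppression list, campaign records and provenance tracking described above in Python. The class and function names (SuppressionList, Prospect, send_campaign, audit_campaigns) and the 30-day grace parameter are this example's own assumptions; the addresses and dates in it are constructed sample data.

```python
"""Opt-out suppression and campaign record keeping (added example, not the
page's own code). In-memory only; a real system persists the same records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def normalise(address: str) -> str:
    """Canonical form so 'John.Smith@Example.co.uk ' and 'john.smith@example.co.uk'
    hit the same suppression entry. The local part is lower-cased as well:
    mailboxes are case-insensitive in practice, and an opt-out must not be
    dodged by a differently cased copy of the address in a refreshed list."""
    local, _, domain = address.strip().rpartition("@")
    return f"{local.lower()}@{domain.lower()}"


@dataclass(frozen=True)
class Prospect:
    email: str
    source: str  # provenance: which licensed database / public record it came from


@dataclass
class OptOut:
    address: str          # normalised
    received: datetime    # when the opt-out arrived; the deadline runs from here
    channel: str          # e.g. "unsubscribe-link", "reply"


@dataclass
class Campaign:
    sent_at: datetime
    recipients: list       # normalised addresses actually emailed
    content: str
    dropped: list          # addresses removed by the suppression check
    sources: dict          # recipient -> provenance, kept with the campaign record


class SuppressionList:
    """The 'do not contact' list. Entries are keyed by normalised address."""

    def __init__(self):
        self._entries = {}

    def record(self, address: str, received: datetime, channel: str = "unsubscribe-link") -> OptOut:
        key = normalise(address)
        # Keep the earliest opt-out: a second request never resets the clock.
        self._entries.setdefault(key, OptOut(key, received, channel))
        return self._entries[key]

    def is_suppressed(self, address: str) -> bool:
        return normalise(address) in self._entries

    def opt_out_for(self, address: str):
        return self._entries.get(normalise(address))


def send_campaign(prospects, content: str, suppression: SuppressionList, sent_at: datetime) -> Campaign:
    """Filter a prospect list against the suppression list, de-duplicate, and
    return the campaign record that the records section says you must keep."""
    to_send, dropped, sources, seen = [], [], {}, set()
    for p in prospects:
        addr = normalise(p.email)
        if addr in seen:
            continue
        seen.add(addr)
        if suppression.is_suppressed(addr):
            dropped.append(addr)
        else:
            to_send.append(addr)
            sources[addr] = p.source
    return Campaign(sent_at, to_send, content, dropped, sources)


def audit_campaigns(campaigns, suppression: SuppressionList, grace: timedelta = timedelta(days=30)):
    """Return (campaign_index, address) pairs where an address was emailed
    after its opt-out plus the grace period. Sends inside the grace period are
    tolerated by this check; sends after it are breaches to investigate."""
    breaches = []
    for i, c in enumerate(campaigns):
        for addr in c.recipients:
            o = suppression.opt_out_for(addr)
            if o is not None and c.sent_at > o.received + grace:
                breaches.append((i, addr))
    return breaches


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sl = SuppressionList()
    sl.record("John.Smith@Example.co.uk", t0)  # constructed sample opt-out
    prospects = [  # constructed sample prospect list from two sources
        Prospect("john.smith@example.co.uk", "licensed-db-a"),
        Prospect("jane.doe@example.co.uk", "companies-house"),
        Prospect("JANE.DOE@example.co.uk", "licensed-db-b"),  # duplicate, different case
    ]
    c = send_campaign(prospects, "Hello from Acme", sl, t0 + timedelta(days=1))
    print("sent to:", c.recipients, "dropped:", c.dropped)
    print("breaches:", audit_campaigns([c], sl))
```

The audit function is what you would run over stored campaign records before an ICO enquiry or as a scheduled control: it answers "did we ever email someone after their opt-out deadline" from the records the page says you must keep, without trusting the sending pipeline's own claim that it honoured the list.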

How AI Email handles compliance

AI Email is built around the UK B2B carve-out. Every prospect in our database is a corporate subscriber — a named person at an incorporated UK company, sourced from licensed B2B providers and public business records like Companies House. Sole traders are filtered out at source.

Every email we send on a customer's behalf carries a clear opt-out and the sender's identity. Opt-outs are recorded and honoured automatically across all campaigns and all customers. We keep transparent records of every campaign sent. We do not sell customer data. We do not use the customer's domain.

Personal data we hold per prospect is minimal — a work email and a derived business profile (job title, company, sector). We are transparent about this in our privacy policy.