GDPR for Cold Sales Email Senders – FAQ

GDPR for cold email senders

We get lots of questions from Woodpecker users about GDPR (General Data Protection Regulation) and how it affects cold email outreach. It’s still a new topic but very important to anyone using things like automation software, a CRM database and other tools for direct marketing purposes or reaching out to prospective clients.

That’s why we’ve put together a GDPR FAQ – a list of frequently asked questions about the regulations along with our answers. We hope you’ll find some useful information and practical tips about processing data and managing your email campaigns according to the GDPR principles.

After all, sending GDPR-compliant cold emails is a must if you want to stay on the right side of the law.

If you want some background on the basics of GDPR first, take a look at this post:

GDPR – General Data Protection Regulation Practical Guide for Email Senders >>

Disclaimer: You should treat this post as a guide that will help you understand GDPR, not as legal advice. If you are unsure about how to organize your marketing activities in accordance with GDPR, contact a lawyer to get definitive answers to your questions and help you stay GDPR compliant.


Download GDPR Compliance Checklist >>

Q1: I’m based in the US, do I have to be GDPR compliant?

It depends. GDPR is designed to protect EU citizens, so it’s not really a matter of your company’s location. It’s about whose personal data you process. If your company is based in the US but some of your clients, partners, subscribers or prospects are EU citizens, you should process their data in a way that is compliant with the provisions of GDPR. This is your obligation as a data administrator.

If you have a company that offers a piece of software, and this software allows other data administrators to process data, it would be reasonable to assume that at least a part of this processed data will belong to EU citizens. GDPR defines some obligations not only for data administrators but also for data processors.

So in short, if there’s a chance your US-based company is an administrator of processed personal data, or a processor of personal data of EU citizens, you should be GDPR compliant.

Q2: I send numerous email campaigns a year. Should I stop doing that when GDPR becomes legally binding?

Not at all. First of all, GDPR has not been designed to kill email marketing or cold emails. It’s not even a regulation about emails, or marketing, or cold calling, or business. It’s about protecting personal data.

You have to remember, though, that in the course of sending your email campaigns and running a business you probably process personal data. If at any point you process the personal data of EU citizens, make sure you follow the rules. Processing personal data should be GDPR compliant – that is, you must follow certain principles. Read more about the GDPR principles here.

So no, you don’t have to stop your email marketing campaigns or your cold email campaigns when GDPR becomes binding. You should make sure the data used in those campaigns is being processed according to the rules of GDPR.

Q3: Can I send cold emails to people under GDPR?

Yes, you can send cold emails to people at companies under GDPR. Again, the point of GDPR is not to limit cold email marketing or make contacting prospects difficult. It’s all about protecting the legitimate interest of EU citizens when it comes to the handling and use of their personal data in the digital world.

Back to cold emails. You need to target your prospects very carefully. You need to have a compelling reason to claim that the company the person works for can benefit from what your company offers in the email. Moreover, your business activity should be logically connected with the business activity of your prospect. That will be the legal basis to send someone an email without their previous consent to process their data.

In other words, both parties have business interests and your aim is to help both sides benefit. Secondly, in each of your email messages, you need to inform your cold email recipients about exactly what personal data you are processing, for what purpose, and how they can remove their data from your mailing list or change it. That’s how you fulfill the information duty described in GDPR.

Thirdly, you should not process your cold email recipients’ personal data for longer than necessary to fulfill the purpose for which you are using it. GDPR does not specify any particular period of time. We advise removing from your lists the data of prospects who have not replied within 30 days from sending a cold email campaign to them. This will keep you in compliance with the data storage limitation principle while sending cold emails.

In summary, GDPR allows cold email outreach, but there has to be a real, legitimate reason why you pick a particular recipient for your cold email campaign.

Q4: Is a follow-up email a violation of GDPR?

Sending follow-ups does not violate GDPR as long as it meets the three requirements described in the answer above.

Processing data in case of sending a follow-up is not much different from processing the same data to send the first message. The only thing that changes is the time you have for sending follow-ups to non-responsive prospects in the EU. Again, GDPR does not define a time span for that, but we advise removing from your lists the data of prospects who have not replied within 30 days from the first email you sent them.

Q5: Do I always need to have consent before emailing anybody?

You can send B2B cold emails without the previous consent of your addressees to process their personal data only if the emails meet the three requirements described in detail in the answer to Q3 above:

  • a legal basis for data processing
  • fulfillment of information duty
  • compliance with data storage limitation

Q6: What about my current list of email subscribers? Should I remind them why they are on my list and ask them again for permission to continue sending them the emails?

If you asked their permission at the very beginning and they granted you their consent to process their data for specified purposes, you don’t need to ask them for permission again.

However, if the purpose of data processing has changed, or you plan to change it soon, you should inform them about the change and give them an easy way to decide if they agree to the new purpose of processing their data.

Or, at the moment of their sign-up to your newsletter, if they were informed that their data will be processed for a specified period of time but the period has already ended, you should also ask if they agree to further data processing for specific purposes.

Q7: Should all outbound emails (or emails in general) have an unsubscribe link included as mandatory under GDPR now?

Absolutely. The GDPR unsubscribe rule states that all emails should specify clearly the way in which the recipient can remove his or her data from your list, or change it. GDPR does not specify the way, so it does not say “You should use an ‘Unsubscribe’ link”. It only says it should be an easy way, understandable for each person.

In practice, however, this does mean using an “Unsubscribe” link.

As part of good email practice, the ‘Unsubscribe’ link is common in email marketing messages, and we add one to all of our marketing messages. There are, however, other ways you can give your cold email recipients a way to opt out. You can read more about them here:

Should I Give My Cold Email Addressee a Way to Opt Out? (Updated) >>

Q8: What if I outsource list building? I have nothing to do with personal data gathering. Does that mean I still have to be concerned with GDPR?

Yes, if you’re going to use the personal data that someone else gathered for you and if the data owners are EU citizens, then GDPR still applies. Remember that GDPR is not just about gathering or storing data. It’s about processing (using) and storing personal data. According to the regulation:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Remember that if you make decisions about the data subject and the purpose of the data collection and use, you are the data administrator. And as the data administrator, you definitely should be concerned with GDPR. You should also make sure that the company you outsource list building to collects the data in a legal, fair and transparent way. In other words, you should know exactly how they obtain the data and be able to explain to the data owners how and why you got their data and for what purpose you’re using it.

Valid consent depends on being able to meet this standard.

Q9: What does “privacy by design” mean?

Privacy by design means developing every part of your solution in a way that ensures data access controls and the highest level of data privacy at every stage. In other words, you have to think of protecting the privacy of your users/subscribers/customers all the time while planning the processing of their personal data.

Q10: I don’t want to hire a GDPR specialist. Does that mean I won’t have a chance to comply?

You don’t have to hire anyone new specifically to keep your cold email GDPR compliant. You can appoint a current employee to take the role of Data Protection Specialist, or you can become one yourself.

Note that Data Protection Specialist and Data Protection Officer are two separate roles with different sets of competencies. If you run a small or medium business, and you don’t process any sensitive data and there are no high risks when processing and collecting personal data at your company, you don’t need a qualified Data Protection Officer. You can appoint a Data Protection Specialist, who will analyze the data processing and who will advocate solutions that will protect against data breaches that compromise contact details.

Q11: Where can I get a GDPR certificate?

There is no such thing as official GDPR certification, at least not yet. Various data security standards and certifications, like ISO, also aim at better data organization, processing, and security. Getting them will definitely be a step towards GDPR compliance. But you are not obliged to get any kind of official certification to prove that you are GDPR compliant. You can simply follow the principles described in the regulations themselves.

If you’re still working on your GDPR compliance, download the GDPR compliance checklist >>

Q12: I got a cold email from someone and I feel it’s illegal under GDPR, how can I inform them that I don’t want to receive emails from them?

In a case like this, you can reply in writing and request the deletion of your data from their mailing lists. If they still don’t respect your request, you can try to verify what service they use to send the emails and contact this company as the processor of your personal data. As a data processor, they will also be obliged to help you get your data removed from a list you don’t want to be on.

Remember that anyone who claims that you asked for the emails you say that you don’t want has to show that you provided opt-in consent.

Q13: How does Woodpecker prepare for GDPR?

We have a separate section on our website that describes what Woodpecker does in order to be GDPR compliant. You can find it here:

GDPR Compliance >>

After hosting our second webinar related to handling email outreach and email marketing under GDPR, we wanted to add a couple more questions.

Q14: Can you send a B2B cold email to a personal email address (such as Gmail) if the email is used for someone’s job position?

If you’re certain that it is their work email, or they have expressed their consent to receive messages from you at that address, then yes, you can.

As with any type of communication under GDPR, the electronic history of your communications must be transparent. You need to be able to trace back how you got the email address and prove that your message is relevant to that person.

Let the person know why you’re contacting them and give them a clear way of opting out of your emails. Doing this via an unsubscribe link is not your only option. They can simply write that they don’t wish to receive any further messages from you. Once they do so, respect it and delete their email address.

The crucial thing when it comes to B2B cold emailing is to make sure that you’re contacting the right person in the right position, someone who represents a company that fits your ICP. Untargeted emails may get you in trouble.

Q15: Is keeping a list of contacts in Woodpecker making me the owner/processor of the personal data?

When you upload a list of prospects into Woodpecker, the prospect whose personal data you process is the owner. You are, in that case, a data administrator. You decide whose personal data, and what kind of personal data, you want to process.

Moreover, you’re responsible for following the storage limitation principle that was introduced by GDPR. It means that you cannot process the data longer than is necessary for the purpose of processing it.

It also follows that you need to respect the personal data owner’s wish to be deleted from your prospect list if they ask for it, and not contact them again. You will face penalties if you abuse the storage limitation principle or any other GDPR principle.

Woodpecker, on the other hand, becomes a data administrator when it processes your personal data as a user of the app or a newsletter subscriber. It should treat your data with appropriate care and comply with all the provisions of GDPR.

Q16: How can I compile a base of contacts in a legal way?

GDPR says that you should have a strong reason to contact your prospects. Make sure both sides are likely to benefit from such a potential business relationship and that the offer you put in your cold email is logically connected with their business area.

Also, you should obtain any personal data for your prospects’ lists in a legal and transparent way, and be ready to explain how the data was collected and why you decided to process personal data of specific EU citizens.

Note that GDPR introduces a new principle of data storage limitation, which does not allow you to process personal data for longer than necessary. The exact amount of time is not specified in the document. We recommend removing the data of non-responsive cold email addressees 30 days after your first contact.

In the case of opt-in lists, you can process the data in clearly specified ways the data owner has agreed to, for as long as they granted you their consent, or until they express their wish to withdraw it.

Any kind of data you ask for should be justified by the purpose for which you want to process it. Don’t ask for a phone number if you want to send someone an ebook. And if you do want to collect their phone number, tell them straight that you may want to call them.

Again, it’s all about transparency.

Give your cold email recipients as well as your opt-in list subscribers a clear way to opt-out from further correspondence if that’s what they want, and instructions on how to change their personal data, or completely remove it from your list. The ‘unsubscribe’ link mechanism is a popular one, but it’s not the only one you can use for that.

If you wish to know more about GDPR, read this blog post:

GDPR Practical Guide for Email Senders >>

And if you are preparing for GDPR, download our GDPR Compliance Checklist >>, which will help you do it.

FAQ Section

1. How does the General Data Protection Regulation (GDPR) impact the processing of personal data in email marketing campaigns?

The General Data Protection Regulation (GDPR) significantly impacts the processing of personal data in email marketing campaigns by imposing strict rules on how businesses collect, use, and protect personal data. Under GDPR, companies must obtain explicit consent from data subjects (i.e., the individuals whose data is being processed) before using their personal data for marketing purposes. This means that for email marketing, customers must actively opt-in to receive communications, and the process for obtaining this consent must be clear and unambiguous. Additionally, GDPR mandates that individuals have the right to opt-out at any time and that their personal data must be securely protected to prevent data breaches.

2. What measures must companies take to protect personal data and comply with GDPR during data collection for marketing purposes?

To protect personal data and comply with GDPR during data collection for marketing purposes, companies must:

  • Ensure that consent forms are clear, concise, and separate from other terms and conditions, allowing data subjects to give informed consent.
  • Implement a double opt-in process, where after initially opting in, the customer receives an email to confirm their subscription, providing an additional layer of consent verification.
  • Securely store customer data to prevent unauthorized access and data breaches, employing encryption and other security measures as necessary.
  • Maintain records of consent and provide easy options for individuals to withdraw consent (opt-out) at any time.
  • Only collect data that is directly relevant and necessary for the intended marketing purposes, respecting the principle of data minimization.

3. How does GDPR define sensitive personal data, and what implications does this have for email marketers targeting existing customers?

Under GDPR, sensitive personal data includes information related to racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health information, and a person’s sex life or sexual orientation. The regulation imposes stricter conditions for processing this type of data, requiring explicit consent and a clear justification for its use. For email marketers targeting existing customers, this means that if any campaign involves collecting or using sensitive personal data, they must obtain explicit consent from the customers for that specific purpose. Marketers must also ensure that they have robust data protection measures in place to handle such sensitive information securely.

4. In the context of GDPR, what is the significance of obtaining explicit consent for processing customers’ personal data for marketing purposes?

Obtaining explicit consent under GDPR is significant because it ensures that customers are fully informed and have actively agreed to their personal data being used for marketing purposes. This level of consent requires a clear affirmative action, such as ticking a box or clicking a button, that indicates the customer’s agreement to receive marketing communications. The significance lies in the empowerment of customers, giving them control over their personal data and ensuring that businesses respect their privacy and data protection rights. For businesses, obtaining explicit consent helps build trust with customers, enhances brand reputation, and ensures compliance with GDPR, thereby avoiding potential legal penalties and damage to reputation.

5. What are the benefits and challenges of implementing a double opt-in process for email marketing under GDPR?

The benefits of implementing a double opt-in process for email marketing under GDPR include increased data quality, as only genuinely interested individuals confirm their subscription, leading to a more engaged audience. It also provides clear evidence of consent, which is crucial for GDPR compliance. However, challenges include the potential for lower initial sign-up rates, as some users may not complete the confirmation step. Additionally, businesses must ensure that the double opt-in process itself complies with GDPR requirements, such as providing clear information about the use of personal data and the right to withdraw consent. Despite these challenges, the double opt-in process strengthens trust and transparency between businesses and their customers.