GDPR Compliance for B2B Marketing

By
Robert Bateman
July 13, 2023


The General Data Protection Regulation (GDPR) applies to business-to-business marketing emails—most of the time. You don’t normally need consent to email businesses—but sometimes you do.

The rules on B2B email marketing under the GDPR can be confusing, but getting this right is important.

This article will explain the law on B2B email marketing. We’ll explore when you need consent, help you identify when the GDPR applies, and provide some GDPR-compliant email marketing strategies.

The Basics of the GDPR

The GDPR provides rules and principles for processing personal data.

“Personal data” is any information related to an identifiable individual. It can include names, contact details, and job titles—plus other information like IP addresses, cookies, and user IDs.

“Processing” means doing something with personal data—collecting it, storing it, sharing it, or otherwise using it.

The GDPR impacts B2B email marketing because most email addresses are personal data. People have rights over personal data about them, and you have an obligation to keep personal data well-organised and secure.

Why B2B Email Marketing Is Important

B2B email marketing helps businesses promote their products and services to other businesses and can help a company to:

  • Obtain new clients.
  • Retain existing customers.
  • Build customer relationships.

Non-profits, governments, and other organisations are also covered by B2B marketing rules.

“Marketing” is a broad term. An email containing any sort of promotion or ad can be a marketing email. “Direct marketing” means marketing sent to an individual, which is always the case when marketing by email.

Marketing emails can include newsletters, promotions, or information about new products and services.

B2B marketing is a crucial way for many businesses to grow. But people hate spam, and regulators tend to enforce marketing rules robustly.

For example, the UK’s regulator, the Information Commissioner’s Office (ICO), has issued 65 fines for direct marketing violations since 2021—by far the most common type of violation leading to a fine.

ePrivacy Directive vs GDPR

Along with the GDPR, there’s another law you’ll need to consider when conducting email marketing: the ePrivacy Directive.

Here’s how the ePrivacy Directive and the GDPR interact in the context of email marketing:

  • The GDPR applies when email addresses are personal data. Among other things, the GDPR also provides the definition of “consent”.
  • The ePrivacy Directive sets rules on electronic direct marketing (including email, phone, and SMS), including when to get consent.

Let’s consider how these rules work in practice.

UK Privacy and Electronic Communications Regulations 2003 (PECR)

To explain how the ePrivacy Directive works, we’ll look at the UK’s version of the law, known as the Privacy and Electronic Communications Regulations 2003 (PECR).

As in other European countries, PECR sits alongside the GDPR (or, in the UK’s case, the “UK GDPR”, which remains practically identical to the EU’s version).

Each EU country (plus Iceland, Liechtenstein, and Norway) has its own version of the ePrivacy Directive. These national versions of the ePrivacy Directive can be quite different. We’ll look at some other examples later in the article.

Here’s how B2B email marketing works under PECR.

Corporate Subscribers (B2B) vs. Individual Subscribers (B2C)

Under PECR, any person or business with an email address is a “subscriber”, meaning they subscribe to an email provider.

There are two types of subscribers under PECR:

Individual subscribers (B2C), including:

  • Individuals (consumers)
  • Sole traders (one-person, non-limited liability businesses)
  • Some types of partnerships

Corporate subscribers (B2B):

  • “Legal persons”, including businesses, charities, most public bodies, and most partnerships.

You’ll probably send most B2B marketing emails to corporate subscribers.

But you might also email some individual subscribers, like sole traders and businesspeople using personal email addresses.

Compliance tip: Look through your email marketing list and figure out which email addresses belong to “corporate subscribers” and which belong to “individual subscribers”. The rules apply differently to each group.

You can normally tell whether an email address belongs to a corporate subscriber by looking at the domain—the information after the “@” symbol. 

For example: 

  • “info@apple.com” and “stevejobs@apple.com” belong to a corporate subscriber (Apple). 
  • “stevejobs@gmail.com” is an individual subscriber (Steve Jobs).
  • “steve@plumbingjobs.com” is also an individual subscriber (a sole trader).

How PECR and the GDPR Apply to Corporate Email Addresses

In addition to PECR, the GDPR applies whenever an email address is personal data.

For example, the GDPR applies to “stevejobs@apple.com” but not “info@apple.com”.

A sole trader’s email address is likely always personal data—regardless of whether it contains a name—because it relates to an individual.

Compliance tip: Look through your email marketing list and identify which email addresses are personal data. You must comply with the GDPR—as well as PECR—when handling these email addresses.

Under PECR, you don’t need consent to email corporate subscribers—as long as you comply with other parts of the law. 

You usually need consent to email individual subscribers, but there is an exception called the “soft opt-in”, which we’ll explain below.

How PECR’s Marketing Rules Apply to Different Types of Email Addresses

Now let’s look in more detail at how PECR’s rules on B2B marketing apply to different types of email addresses.

Example email address: info@apple.com
Type of email: Corporate subscriber with a non-personal email address
  • Consent required under PECR: No
  • GDPR applies: No
  • Emails must relate to the recipient’s products and services: No
  • Emails must clearly identify your company as the sender: Yes (according to the ICO)
  • Unsubscribe link/address required: Yes (according to the ICO)

Example email address: stevejobs@apple.com
Type of email: Corporate subscriber with a personal email address
  • Consent required under PECR: No
  • GDPR applies: Yes
  • Emails must relate to the recipient’s products and services: Yes (under the GDPR’s principles)
  • Emails must clearly identify your company as the sender: Yes
  • Unsubscribe link/address required: Yes

Example email addresses: steve@plumbingjobs.co.uk and info@plumbingjobs.co.uk
Type of email: Individual subscriber (sole trader) with a business email address
  • Consent required under PECR: Yes (unless soft opt-in applies)
  • GDPR applies: Yes
  • Emails must relate to the recipient’s products and services: Yes
  • Emails must clearly identify your company as the sender: Yes
  • Unsubscribe link/address required: Yes

Example email address: stevejobs@gmail.com
Type of email: Individual subscriber (businessperson) with a personal email address
  • Consent required under PECR: Yes (unless soft opt-in applies)
  • GDPR applies: Yes
  • Emails must relate to the recipient’s products and services: Yes
  • Emails must clearly identify your company as the sender: Yes
  • Unsubscribe link/address required: Yes

PECR is slightly unclear on whether you must comply with unsubscribe requests from generic corporate email addresses (such as “info@apple.com”). 

However, the UK’s ICO says you should always include an unsubscribe mechanism and allow corporate email addresses to opt out.

Compliance tip: Always include an easy-to-use unsubscribe option in marketing emails, regardless of the recipient. Create a list of unsubscribed contacts to ensure you don’t send them unwanted marketing emails.

As mentioned, sole traders and people using their personal email addresses are individual subscribers under PECR. But, as with consumers, you don’t need consent to send email marketing messages if the “soft opt-in” applies.

The ‘Soft Opt-In’: Sole Traders and Personal Email Addresses

The “soft opt-in” allows businesses to send email marketing to individuals without consent. The rule exists under the UK’s PECR and some other national versions of the ePrivacy Directive.

The soft opt-in is most relevant to B2C email marketing. But the rule also applies to B2B email marketing directed at sole traders and people’s personal email addresses. It also covers certain types of partnerships, although most businesses are unlikely to encounter these.

You can rely on the soft opt-in to send someone marketing emails if:

  • The person gave you their email address when buying something from you or negotiating a sale with you (for example, they filled in a web form to ask you for a quote).
  • You provided a way to opt out when the person gave you their email address.
  • The person did not opt out.
  • Every marketing email you send to the person relates to your company’s similar products and services.
  • Every marketing email you send to the person includes a way to unsubscribe.

If you meet all these criteria, you can send marketing emails to any individual in the UK without consent—including sole traders (B2B) and consumers (B2C).

So, for example, you can provide a box at checkout saying, “Please send me emails with news about special offers and new products. You can unsubscribe at any time”. 

Because you don’t need consent under the soft opt-in, you can “pre-tick” this box.

Compliance tip: If you want to grow your email marketing list, consider building a “soft opt-in” into your checkout process. This lets people opt out of receiving marketing emails from your company, rather than having to opt in.

Consent for B2B Email Marketing to Sole Traders

If you want to send B2B email marketing to a sole trader or someone using a personal email address and can’t meet the requirements of the soft opt-in, you must get consent.

For more information on how to get consent under the GDPR, see the section below about obtaining consent.

ePrivacy Directive: Country-Specific Rules

Remember that PECR is just the UK’s version of the ePrivacy Directive. 

If you want to send B2B marketing emails to people based outside the UK, you’ll need to comply with their country’s version of the law.

We won’t list every national version of the ePrivacy Directive across Europe, but here are three examples:

Austria: Telecommunications Act 2003
  • Austria’s ePrivacy law doesn’t distinguish between B2C and B2B email marketing.
  • You must get consent for both B2C and B2B marketing emails unless the “soft opt-in” applies.
  • Unlike in the UK, in Austria the “soft opt-in” only applies if someone buys something from you, not in the context of negotiations.

Ireland: ePrivacy Regulation (SI 336/2011)
  • Under Ireland’s ePrivacy law, you need consent for B2B marketing emails unless:
      • The email address “reasonably appears to the sender” to be used “mainly” for commercial purposes, and
      • The email is only about that commercial activity.

Poland: Telecommunications Act 2004
  • Poland’s ePrivacy law doesn’t distinguish between B2C and B2B email marketing.
  • You must get consent for both B2C and B2B marketing emails, and there’s no “soft opt-in”.

These three examples show how different the rules can be across Europe. 

You can use our interactive tool to check whether you need consent in each EU country and to see whether you can rely on the “soft opt-in” for B2B or B2C email marketing.

Compliance tip: If your company targets customers in multiple countries, always make sure you’re familiar with how privacy and data protection law works in each country.

GDPR-Compliant Email Marketing Strategies

We’ve seen that the GDPR applies when email addresses are personal data. The GDPR also applies to personal data contained within any emails you send or receive, and any other personal data you process. 

Now let’s look at some key GDPR B2B email marketing considerations.

Identifying a Legal Basis

Before processing personal data, the GDPR requires that you identify a “legal basis for processing”. Think of this as a way to justify using personal data.

For sending marketing emails, finding a legal basis is simple. 

The ePrivacy Directive tells you whether you need consent. Consent is one of the GDPR’s legal bases.

If you don’t need consent, you might be able to use “legitimate interests”.

We’ll walk you through the concept of legitimate interests below. But first, note that if you’re processing personal data under legitimate interests, people have “the right to object”. This is particularly important in the context of email marketing.

If someone asks you to stop sending them direct marketing, you must stop immediately. Keep a record of their objection so you don’t send them marketing emails again.

Compliance tip: If you want to send B2B marketing emails to an email address that contains a name or other personal data, figure out whether the ePrivacy Directive requires you to get consent. If not, consider whether you can rely on “legitimate interests” instead.

Legitimate Interests for B2B Email Marketing

You can rely on “legitimate interest” as your legal basis under the GDPR if: 

  1. You have a legitimate purpose for processing personal data.
  2. You need to process personal data to meet that purpose.
  3. The processing benefits you or a third party, and these benefits outweigh the interests, rights, and freedoms of the individual.

This is sometimes called the “three-part test”. If you can meet each part of this test, you can use “legitimate interests” as your legal basis for processing (including sending marketing emails without consent). 

You’re responsible for determining whether you pass the three-part test. However, the UK ICO states that businesses will likely have a legitimate interest in most B2B marketing activity.

This is partly because people are more likely to expect to be contacted about business matters on their business email address. People’s reasonable expectations are relevant to the third part of the three-part test.

But, as always with the GDPR, it’s worth considering some edge cases.

Webinars and Events

Webinars and events are a common way to generate B2B email marketing prospects.

If you’re running a webinar, do you have a legitimate interest in sending attendees marketing emails? Or do you need to get consent?

In the UK, if an attendee signs up using a corporate email address, you likely have a legitimate interest in sending them marketing emails without consent—unless the person is a sole trader. 

Of course, you must be transparent and enable people to opt out.

If you’re likely to end up with a mix of “corporate subscribers” and “individual subscribers” (sole traders, personal emails), requesting consent at sign-up might be the safest option.

You could also consider using the soft opt-in—but not if your event is free to attend.

Partially Completed Onboarding

If someone signs up for your company’s services with a corporate email address, you probably have a legitimate interest in sending them B2B marketing emails without consent.

But what about if someone provides a corporate email address during signup but abandons the process part-way through? Can you send them an email to encourage them to finish the process?

In the UK, likely yes—the ICO’s guidance suggests you would have a legitimate interest in the situation above. But remember that the rules vary between countries.

Buying and Selling Corporate Email Addresses

The GDPR doesn’t explicitly prevent companies from buying and selling personal data, including corporate email addresses.

But if you’re considering buying or selling an email list, be very careful.

If you need consent to send marketing emails under the ePrivacy Directive, that consent must be given specifically to you. The same rule applies to the “soft opt-in”.

If you buy a list of marketing prospects’ email addresses, you won’t have consent to send them emails. But as noted, you might not need consent for emails belonging to corporate subscribers.

When it comes to selling data about corporate subscribers, it depends on the circumstances.

Suppose you’re running a webinar and plan to share corporate email addresses with a sponsor for direct marketing purposes.

In the UK, the ICO’s guidance suggests most businesses would have a legitimate interest in doing this, provided they meet all of PECR and the GDPR’s compliance requirements.

Obtaining Consent

The GDPR tells you how to get consent. Under the GDPR, consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Given via a clear, affirmative action
  • Easy to withdraw.

This consent definition sets a high bar for consent. Among other things, it means that you:

  • Must not use a pre-ticked box to get consent.
  • Must be clear about why you’re asking for the person’s email address and how you’ll use it, providing a link to your privacy policy.
  • Must request consent for marketing emails separately from consent for other things.
  • Must include an unsubscribe link in every email to help people easily withdraw consent.

Identifying and Managing Third-Party Providers

Under the GDPR, you’re accountable for your “data processors”. 

A data processor is another company that processes personal data on your behalf, which can include an email service provider.

Among other things, this means you must ensure that:

  • Any email service provider you use can meet the GDPR’s requirements.
  • You and your email service provider have a data processing agreement (DPA)—a GDPR-compliant contract.
  • You’re transparent about how you use email service providers, including in your privacy policy.
  • You keep track of what personal data you’re sharing with your email service provider.

Managing Data

Managing data is crucial to GDPR compliance. Among other things, you must ensure that:

  • You always know where you obtained personal data, how you store it, and who you share it with.
  • You keep personal data secure.
  • You can facilitate people’s rights.

Getting data management right means greater transparency, better security, and less time spent on GDPR compliance.

Privasee’s portal takes your personal data map and creates GDPR-compliant policies and cookie banners. The portal uses AI to update your policies based on changes to the current global landscape and help you easily present your policies in multiple languages.

Privasee lets you take a “hands-off approach” to the GDPR—keeping you compliant, saving time and money, and reducing compliance headaches.

Conclusion: B2B Email Marketing Checklist

We’ve explored how the GDPR and ePrivacy Directive apply to B2B email marketing.

Before you send a direct marketing email, consider the following:

  • Is the email address personal data under the GDPR? If so, how will you meet the GDPR’s requirements?
  • Does the email address belong to a “corporate subscriber” or “individual subscriber”?
  • Does the ePrivacy Directive require you to get consent before sending marketing emails to this address?
  • If you don’t need consent:
      • Can you rely on the “soft opt-in”?
      • Do you have a “legitimate interest” in sending marketing emails?

Make sure your email explains who you are, what you’re promoting, and how people can opt out of future emails.

FAQs

Does the GDPR apply to B2B?

Yes, the GDPR applies to any business-to-business (B2B) activity involving personal data. This includes B2B email marketing involving an email address linked to an individual.

Is it legal to cold email businesses in the UK?

Yes, it is legal to send cold emails to businesses in the UK under certain circumstances. 

You must meet the requirements under PECR, a UK law covering electronic direct marketing. You may also need to comply with the UK GDPR.

What is an unsolicited email sent for advertising purposes?

An “unsolicited email” is an email sent to a person without consent. An email sent for “advertising purposes” means an email containing marketing or promotional material. 

Emails about genuine market research and transactional emails (such as invoices, receipts, or service messages) don’t count as marketing emails unless they contain marketing material.

Do the rules on email marketing also cover social media?

Yes, the rules on email marketing also apply to direct messages on social media platforms like LinkedIn, Twitter, and Instagram—at least according to the UK’s regulator, the ICO.

If someone unsubscribes, can we email them asking them to re-subscribe?

If someone unsubscribes from your marketing emails, you should not email them asking them to re-subscribe. Doing this would violate data protection and direct marketing rules. The person might choose to re-subscribe, but you must respect their choice.

Do we need a double opt-in for marketing email subscribers?

In the UK, you don’t need a “double opt-in” before you can send someone marketing emails. But the law is different in some European countries, and some regulators (such as in Austria and Germany) recommend a double opt-in.

Robert is a freelance writer covering privacy, data protection, security, and AI. He is a respected voice on privacy and has been writing, researching, and leading conversations in the field since 2017. Throughout his career, Robert has interviewed some of the leading figures in privacy, including Max Schrems and Johnny Ryan. He has worked with dozens of high-profile privacy professionals and campaigners and has written about almost every aspect of data protection. Robert earned a post-graduate law degree in 2019 and a CIPP/E from the International Association of Privacy Professionals (IAPP) in 2021. His 2019 research on the compatibility of the UK's "immigration exemption" in the Data Protection Act 2018 and the European Convention on Human Rights (ECHR) won the DMH Stallard Prize for Best Project.
