GDPR & B2B Cold Email FAQ 2026: 25 Questions Answered by Experts

Before every campaign, the right question isn't "will it work?" but "is it legal?". This FAQ answers the 25 most-asked questions about the GDPR compliance of B2B cold email, based on Regulation 2016/679, the CNIL 2023 guidelines and the case law of European DPAs. The answers cover 95% of common situations — for complex cases, they point to the right articles of law.
Legal basis and legality
Q1: Is B2B cold email legal under GDPR in 2026? Yes, subject to conditions. Article 6.1.f of the GDPR (legitimate interest) permits B2B email prospecting if three conditions are met: (1) the communication is directly related to the recipient's professional role, (2) the sender's identity is clearly identifiable, (3) a functional opt-out mechanism is present in every message.
Q2: What is the difference between B2B cold email and spam? Spam is untargeted, unsolicited sending with no relevance to the recipient. Legal B2B cold email is targeted (defined ICP), relevant (tied to the role), identified (clear sender) and reversible (opt-out). The CNIL distinguishes the two on the basis of these criteria.
Q3: Can you contact a generic email address (contact@, info@)? Yes, because these addresses are non-personal data within the meaning of the GDPR. They do not represent an identifiable natural person. No specific legal basis is required to contact them.
Q4: Do you need prior consent in B2B? No, unlike B2C. In B2B, legitimate interest (Art. 6.1.f) is the appropriate legal basis. Consent (Art. 6.1.a) is not required for professional prospecting addressed to a role rather than to a person as a consumer.
Q5: Are the rules different across EU countries? Yes, some member states apply stricter rules via the ePrivacy directive. Germany requires explicit consent even in B2B for electronic communications (§ 7 UWG). Belgium and the Netherlands follow the standard GDPR guidelines. France (CNIL) follows the legitimate-interest interpretation for strict B2B.
Data collection and processing
Q6: Where can you legally source B2B emails? Legal sources: LinkedIn (public professional-profile data), official company registries (SIRENE, Infogreffe, Bundesanzeiger, KvK), company websites ('Team', 'Contact' pages), sector directories, databases from platforms like Apollo or Kaspr (which declare their sources). Illegal sources: purchased databases with no source traceability, data extracted from leaks.
Q7: Do you have to inform prospects that their data is being processed? Yes, but this can be done in the first email (mentioning the data source, purpose, rights). There is no need to send a separate prior notification. Mention in the first contact is sufficient under CNIL guidelines.
Q8: How long can you keep a prospect's data? A maximum of 3 years from the last active contact, per CNIL recommendations (2023 commercial-prospecting reference framework). For prospects who have requested opt-out: immediate and permanent deletion, addition to a blocklist.
Q9: Do you need a record of processing activities for prospecting? Yes. Any organization processing personal data for commercial purposes must keep a record (Art. 30 GDPR). Minimum content: purpose (B2B prospecting), data categories (name, professional email, role, company), legal basis, retention period, security measures.
Q10: Can you use automated LinkedIn scraping to collect emails? LinkedIn prohibits scraping in its Terms. Under GDPR, public LinkedIn profile data can be processed under legitimate interest, but its automated extraction exposes you to a contractual dispute risk with LinkedIn. Compliant tools use LinkedIn's official API or certified partners.
Opt-out and the rights of individuals
Q11: How do you implement a compliant opt-out? The opt-out must be: (1) present in every email (clickable link or clear instruction such as 'Reply STOP'), (2) functional (actually leading to unsubscription), (3) free and unconditional, (4) effective immediately. Opt-outs must be centralized in a permanent blocklist synced with all sending tools.
Q12: What do you do if a prospect requests deletion of their data? Right to erasure (Art. 17 GDPR): delete all personal data within a reasonable time (CNIL recommendation: within 30 days). Exception: keep the email on an opt-out blocklist to avoid contacting them again.
Q13: Can a prospect ask to see the data you hold on them? Yes, that is the right of access (Art. 15 GDPR). Response time: 1 month (extendable to 3 months for complex requests). Content: all personal data, its source, purpose and retention period.
Q14: Can you re-contact a prospect after an opt-out? No. The opt-out is permanent for the channel concerned. Reactivation can only occur if the prospect initiated a new contact (reply to a later email, site visit, demo request) constituting a new legitimate-interest basis.
Q15: Are the personal contact details of an executive (e.g. CEO of a micro-business) personal data? Yes. Even in B2B, the email of a micro-business executive (jean.dupont@his-company.fr) is personal data under the GDPR because it identifies a natural person. GDPR rules fully apply, including legitimate interest and the right to erasure.
AI scoring and GDPR
Q16: Is AI lead scoring subject to GDPR? Yes, if the scoring is based on personal data. Article 22 GDPR governs automated decisions: if scoring leads to a significant decision affecting the person (permanent exclusion from a sales process, for example), a right to explanation must be provided.
Q17: Do you have to state in emails that scoring is performed by an AI? No, it is not mandatory. The GDPR does not require mentioning an AI in communications for standard marketing scoring. It can, however, strengthen trust. Lead-Gene platforms mention the legitimate-interest basis but not the internal technical mechanism.
Q18: How do you govern the use of third-party data (Bombora, 6sense intent data)? Verify that the data provider has a valid legal basis for collecting and transferring this data. Request a GDPR compliance attestation and check the standard contractual clauses (SCCs) if the provider is outside the EU.
Q19: Can you transfer prospect data to US-hosted tools (HubSpot, Salesforce)? Yes, subject to conditions: these transfers must be governed by standard contractual clauses (SCCs) or a data processing agreement (DPA). HubSpot and Salesforce offer compliant DPAs. Verify the DPA is signed before any transfer.
Q20: Is a DPO mandatory to set up a lead machine? Not systematically. The DPO obligation applies to organizations processing data on a large scale or sensitive data. For an SME doing standard B2B prospecting, an up-to-date processing record and a compliant privacy policy are generally sufficient.
Operational checklist and penalties
Q21: What are the penalties for a non-compliant cold email campaign? The CNIL can issue a formal notice, a warning, then a fine of up to 4% of global revenue or audit-based scope (whichever is higher). In practice, penalties for non-compliant B2B prospecting mainly affect organizations with high volumes or repeat offences. The most common outcomes for SMEs are formal notices without an immediate fine.
Q22: How do you prove a campaign's GDPR compliance in the event of an inspection? Keep: the processing record, documentation of data sources, opt-out evidence (timestamp and confirmation email), signed DPAs with subprocessors, sending logs with timestamps. Lead-Gene automatically generates an exportable record.
Q23: Is GDPR-style prospecting possible in Switzerland (FADP)? Yes. Switzerland has its own law (revised FADP, applicable since September 2023). The principles are similar to the GDPR: legitimate interest for B2B, mandatory opt-out, processing record. Switzerland is recognized as an adequate country by the EU, facilitating data transfers.
Q24: Quick checklist before sending a compliant cold email campaign.
✅ Legal and documented data source.
✅ Professional email addresses only (no @gmail, @yahoo).
✅ Professional relevance verified (defined ICP).
✅ Identified sender (first name, last name, company, physical address).
✅ Functional opt-out link in every email.
✅ Up-to-date processing record.
✅ DPA signed with every AI subprocessor.
✅ Reasonable frequency (max 5 touches / 30 days).
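As an added example (not code from this page or from Lead-Gene), the following Python pre-send gate encodes the operational rules stated in Q8 (3-year retention), Q11/Q14 (permanent opt-out blocklist), Q12 (erasure keeps the address on the blocklist) and Q24 (no freemail addresses, max 5 touches per 30 days). The freemail list, dates and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds from the FAQ: Q8 (3-year retention), Q24 (no freemail,
# max 5 touches per 30 days). The freemail list is a constructed minimum.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com"}
RETENTION = timedelta(days=3 * 365)
TOUCH_WINDOW, MAX_TOUCHES = timedelta(days=30), 5


@dataclass
class Prospect:
    email: str
    last_active_contact: date                    # drives the Q8 retention clock
    touches: list = field(default_factory=list)  # dates of emails already sent


def precheck(p: Prospect, blocklist: set, today: date) -> list:
    """Return the reasons a send must NOT go out (empty list means OK)."""
    email = p.email.strip().lower()
    local, _, domain = email.rpartition("@")
    if not local or "." not in domain:
        return ["malformed"]
    reasons = []
    if email in blocklist:                           # Q11/Q14: opt-out is permanent
        reasons.append("opted_out")
    if domain in FREEMAIL_DOMAINS:                   # Q24: professional addresses only
        reasons.append("freemail")
    if today - p.last_active_contact > RETENTION:    # Q8: purge record, do not contact
        reasons.append("retention_expired")
    recent = [d for d in p.touches if today - d < TOUCH_WINDOW]
    if len(recent) >= MAX_TOUCHES:                   # Q24: frequency cap
        reasons.append("frequency_cap")
    return reasons


def handle_erasure(store: dict, blocklist: set, email: str) -> None:
    """Q12: erase the prospect record but keep the address on the opt-out blocklist."""
    key = email.strip().lower()
    store.pop(key, None)
    blocklist.add(key)


if __name__ == "__main__":
    today = date(2026, 3, 1)                         # constructed sample data
    marie = Prospect("marie.martin@example.com", date(2026, 1, 15), [date(2026, 2, 10)])
    store, blocklist = {marie.email: marie}, set()
    print(precheck(marie, blocklist, today))         # [] -> send allowed
    handle_erasure(store, blocklist, "Marie.Martin@example.com")
    print(store, blocklist)                          # record gone, address blocklisted
```

The blocklist should be the single source of truth synced to every sending tool, and a "retention_expired" result is the trigger to delete the record, not merely to skip the send.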
Q25: Where do you find the official guidelines on email prospecting? CNIL: guidelines on commercial solicitation by electronic means (2023). EDPB (European Data Protection Board): opinion 5/2019 on legitimate interest. For a full guide to AI compliance, see our article AI Prospecting & GDPR 2026.