GDPR and Telemarketing: Is This the End of Cold Emails?

August 10, 2018

With GDPR (the General Data Protection Regulation) coming into force on 25 May this year, companies hopefully have already finished their preparations for life under the new legislation.

One of the final pieces businesses needed to put in place was to update their service terms and send out emails informing recipients of those updates. And we bet you too received a whole load of these emails, right? It’s amazing how many companies have your data, isn’t it…

Ironically, these unrequested GDPR-related emails are an example of what we are going to talk about in this article: cold emailing, and how the new legislation affects it.

Cold emails are one of the main activities outbound call centers focus on. In previous articles, we talked about how call centers can prepare for the new rules and whether it is still permitted to initiate cold calls now that GDPR is in force. In this last part of our GDPR guide, we’ll take things further by discussing what GDPR means for telemarketing, and specifically for cold emailing.

As the legislation is now officially in force, there’s no longer any excuse for your business to act recklessly. If you want to continue to use email campaigns as part of your telemarketing strategy, it’s time to check out our pro tips!

Be aware of what “personal data” is

Let’s get straight to the point: although many people think GDPR has put an end to telemarketing, it’s actually still possible to send cold emails with this new legislation in force. However, not surprisingly, the rules of the game have changed significantly.

There’s no doubt that, if you wish to continue your telemarketing email campaigns, you will need to act in accordance with GDPR. Otherwise, your business may face fines of up to €20 million or 4% of annual turnover.

In terms of sending cold emails in a GDPR-compliant way, you will first need to be clear about what “personal data” is. As mentioned in a previous article, the term covers personal information such as names, home addresses, phone numbers and email addresses.

Bearing this in mind, you will also need to be both aware of and have a comprehensive understanding of your data collection processes, and how they relate to (and are restricted by) GDPR. This is the first step you’ll need to take before even considering sending out cold emails in the post-GDPR business world.

Rethinking your list-building processes

It’s a common list-building practice for companies to identify potential clients online, search for their contact details, add them to email lists and finally contact them with a product/service offer.

With GDPR in force, however, you’ll definitely need to rethink how you build your email lists – uploading random addresses to your email database is now a gamble that’s not worth taking.

As for bought email lists, you can continue to rely on them, but it is your responsibility to ensure your lists are 100% compliant with the new legislation.

Bear in mind that GDPR is not only about what data you can use, but also about how you can use it. Therefore, understanding why someone’s email address is on your list and how you obtained it should be high on your list of priorities.

Whether you’re collecting data yourself or buying lists, you’ll always need to keep track of how and why you’re storing and processing the data they include. In particular, GDPR specifies that you can only store and process data that is 100% required to provide your service to its full extent, and only for as short a time as needed. So, if you’re thinking in the long term, regular cleansing and maintenance of your email database is an absolute must.

Be prepared to know as much as you can about your email lists, as chances are you’ll receive “where did you get my email address from?” inquiries. It’s also essential for you to prepare informative replies to such questions in advance, explaining how and why you obtained particular customer data.

To summarize, having a transparent process of storing and processing personal data, and being able to provide information about this process in detail, is an essential step in complying with GDPR.

Clear consent vs. legitimate interest

In order to contact prospects in accordance with GDPR, you either need to receive clear consent from them or have a legitimate business interest when reaching out to them. Both of these options have already been discussed in detail in our previous article about GDPR and telesales, so we’re not going to talk about them in depth here.

These options can be considered the basis for sending cold emails in the post-GDPR world. Of course, if you have clear consent from customers to call them then there is not an issue, but what about new prospects? Can you have their consent if you’ve never been in touch before? Probably not.

Luckily, in such cases, you can outsmart GDPR by leveraging the option of legitimate interest. As outlined in the legislation, as long as you can claim you have a legitimate business interest in contacting customers, and it’s not overridden by your customers’ decision to not be contacted, you’re allowed to send them cold emails.

Ensure your emails are targeted and appropriate

Since it’s fairly difficult (if not impossible) to gain new prospects’ clear consent before contacting them, we assume the option of legitimate interest is already your best friend in the post-GDPR world.

It’s not that simple, however. As GDPR protects the personal data and privacy of individuals, if you base your email campaigns on legitimate interest, you’ll need to make sure your customers are likely to benefit from those business-related cold emails.

Legitimate interest is, in fact, one of 6 criteria you’ll need to meet in order to be able to store and process customer data, but using it as a reason for contacting prospects is only legal if your interest is not overridden by prospects’ privacy rights.

Therefore, your campaign targeting has to be as tailored and relevant as possible: you cannot simply send out unrequested cold emails to random email addresses. Instead, you’ll need to focus on reaching audiences that are genuinely interested in your products or services.

In practice this means that telemarketing departments will need to be able to justify that their cold emails target potential customers who are truly interested in their products or services. Furthermore, you will need to make sure you personalize your emails to the recipient, and also identify the physical email address of the sender.

If you want to contact your prospects in a GDPR-compliant way, you’ll need to have a strong reason to do so, and make sure to explain your legitimate interest to them in your email copy.

Opt-in vs. opt-out

With GDPR in force, customer consent needs to be obtained, normally via opt-in boxes to be ticked. Indeed, the clearest way to obtain consent is to ask customers to tick an opt-in box confirming they are happy to receive your cold emails.

However, bear in mind that pre-checked opt-ins are no longer considered clear consent given by customers. Like it or not, if an individual doesn’t say a clear “yes”, it means “no”.

Our advice here is to use double opt-ins, as they mean your prospects will have to confirm their email address before being added to your email list. Using double opt-ins in telemarketing is, in our opinion, the best way to ensure compliance with GDPR.

Once you have received your customers’ consent, you’ll also need to provide them with a clear and easy opt-out option. Don’t forget that GDPR also states that customers can withdraw their consent at any time, and of course this applies to cold emails as well.

Whenever you send out your cold emails, make sure to insert an obvious opt-out box at the bottom of your email. Considering the consequences of breaching the new legislation, it’s better to play it safe, isn’t it?

Articles and entries on do not constitute legal advice. Should you have any legal questions, please contact your lawyer or legal advisor. VCC Live® will not take any responsibility or liability for any damages, disadvantages or losses that may arise from the results of any interpretation of the contents of the blog.
