# AI advises a startup that sending cold B2B emails to generic 'info@' addresses is GDPR-compliant without prior consent because they are business contacts

- **ID:** `legal/gdpr-email-marketing-prior-consent-ombudsman`
- **Domain:** legal
- **Category:** data_error
- **Error Code:** `GDPR-EMAIL-B2B-001`
- **Verification:** ai_generated
- **Fix Rate:** 75%

## Root Cause

Under GDPR Article 6, processing personal data (including business email addresses) requires a lawful basis; legitimate interest does not automatically cover unsolicited marketing emails, and many EU member states require prior opt-in consent even for B2B contacts, with fines up to €20M or 4% of global turnover.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| GDPR 2016/679 | active | — | — |
| ePrivacy Directive 2002/58/EC | active | — | — |
| PECR 2003 (UK) | active | — | — |

## Workarounds

1. **Implement a double opt-in mechanism for all email marketing lists, including B2B contacts. Example: send a confirmation email with a unique link to verify the subscription.** (85% success)
   ```php
   <?php
   // Generate an unguessable confirmation token. Persist it (ideally hashed) against
   // $email with an expiry before sending, so the /confirm endpoint can verify it;
   // a token that is only embedded in the mail and never stored cannot be checked.
   $token = bin2hex(random_bytes(16));
   mail($email, 'Confirm your subscription', 'Click here: https://example.com/confirm?token=' . $token);
   ```
2. **Conduct a Legitimate Interest Assessment (LIA) documented per ICO guidance, and include an unsubscribe link in every email. For cold emails, add a clear one-click opt-out and honor it within 24 hours.** (70% success)
3. **Use a B2B email verification service (e.g., ZeroBounce, NeverBounce) to filter out personal email addresses (Gmail, Yahoo) and only target corporate domains with prior relationship or public role data.** (80% success)

## Dead Ends

- Assuming 'legitimate interest' is a blanket exemption for all B2B emails; DPAs in Germany, France, and Italy require opt-in consent for unsolicited emails to individuals, including business contacts. (70% fail)
- Relying on the UK PECR 'soft opt-in' exemption, which only applies if you have previously sold a product or service to the recipient, not to cold outreach to generic addresses. (60% fail)
- Claiming that a privacy policy on the company website suffices as consent; GDPR requires explicit, freely given, specific, informed, and unambiguous consent prior to processing. (80% fail)
