GDPR-EMAIL-B2B-001 legal data_error ai_generated partial

AI advises a startup that sending cold B2B emails to generic 'info@' addresses is GDPR-compliant without prior consent because they are business contacts

ID: legal/gdpr-email-marketing-prior-consent-ombudsman

Fix rate: 75%
Confidence: 85%
Evidence count: 1
First seen: 2024-03-15

Version compatibility

Version                        | Status | Introduced | Deprecated | Notes
GDPR 2016/679                  | active |            |            |
ePrivacy Directive 2002/58/EC  | active |            |            |
PECR 2003 (UK)                 | active |            |            |

Root cause analysis

Under GDPR Article 6, processing personal data (including business email addresses) requires a lawful basis; legitimate interest does not automatically cover unsolicited marketing emails, and many EU member states require prior opt-in consent even for B2B contacts, with fines up to €20M or 4% of global turnover.


Official documentation

https://gdpr-info.eu/art-6-gdpr/

Solution

  1. Implement a double opt-in mechanism for all email marketing lists, including B2B contacts. Example: generate an unguessable token, store it against the pending address before sending, and put it in the confirmation link so the click can be verified: <?php $token = bin2hex(random_bytes(16)); /* persist $token with $email and a timestamp before sending */ mail($email, 'Confirm your subscription', 'Click here: https://example.com/confirm?token=' . $token); ?>
  2. Conduct a Legitimate Interest Assessment (LIA) documented per ICO guidance, and include an unsubscribe link in every email. For cold emails, add a clear one-click opt-out and honor it within 24 hours.
  3. Use a B2B email verification service (e.g., ZeroBounce, NeverBounce) to filter out personal email addresses (Gmail, Yahoo) and only target corporate domains with prior relationship or public role data.
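As an added example (not part of this record), the double opt-in and one-click opt-out flow from steps 1 and 2 written in Python rather than PHP: the token is stored before the confirmation mail goes out, is single-use and time-limited, and each confirmation is kept as proof of consent for accountability. The confirmation URL, the 48-hour token window and the in-memory store are assumptions.

```python
"""Double opt-in consent ledger for a B2B mailing list (added example;
in-memory store, assumed confirmation URL and 48-hour token window)."""
import secrets
import time

TOKEN_TTL_SECONDS = 48 * 3600  # assumed window in which a link may be confirmed


class ConsentLedger:
    def __init__(self):
        self._pending = {}      # token -> (email, source, issued_at)
        self._confirmed = {}    # email -> proof-of-consent record
        self._suppressed = set()  # emails that have opted out

    def request_subscription(self, email, source, now=None):
        """Step 1: mint an unguessable token and store it *before* any mail
        is sent, so the confirmation link can later be verified."""
        now = time.time() if now is None else now
        token = secrets.token_hex(16)
        self._pending[token] = (email.lower(), source, now)
        return f"https://example.com/confirm?token={token}"  # assumed URL

    def confirm(self, token, now=None):
        """Step 2: the recipient clicks the link. Accept only a known,
        unexpired token (single use) and record when consent was given."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        email, source, issued_at = entry
        if now - issued_at > TOKEN_TTL_SECONDS:
            return False
        self._confirmed[email] = {
            "source": source, "requested_at": issued_at, "confirmed_at": now,
        }
        return True

    def unsubscribe(self, email):
        """One-click opt-out: takes effect immediately, not after a delay."""
        email = email.lower()
        self._suppressed.add(email)
        self._confirmed.pop(email, None)

    def may_send(self, email):
        """Gate every marketing send on confirmed, non-suppressed consent."""
        email = email.lower()
        return email in self._confirmed and email not in self._suppressed

    def consent_proof(self, email):
        """Return the stored evidence of consent, or None."""
        return self._confirmed.get(email.lower())
```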

Ineffective attempts

Common but ineffective approaches:

  1. 70% failure rate

    Assuming 'legitimate interest' is a blanket exemption for all B2B emails; DPAs in Germany, France, and Italy require opt-in consent for unsolicited emails to individuals, including business contacts.

  2. 60% failure rate

    Relying on the UK PECR 'soft opt-in' exemption, which only applies if you have previously sold a product/service to the recipient, not to cold outreach to generic addresses.

  3. 80% failure rate

    Claiming that a privacy policy on the company website suffices as consent; GDPR requires explicit, freely given, specific, informed, and unambiguous consent prior to processing.