You’ve just built a list of 500 qualified prospects. You’ve enriched them with verified emails and job titles. You’re ready to send. Then the question hits: are you actually allowed to contact these people? And under what legal basis?

Under GDPR, two legal bases dominate B2B outbound prospecting: consent and legitimate interest. Getting this wrong can result in fines of up to 4% of your global annual turnover — or an enforcement order from your national data protection authority forcing you to stop your campaigns entirely.

The good news: for most B2B outbound teams, legitimate interest is the right foundation — and it doesn’t require opt-in. But it comes with real obligations that most sales teams overlook.

Here’s a straight-to-the-point comparison of both legal bases, when to use each, and what compliance actually looks like in practice.

TL;DR
In B2B, legitimate interest (GDPR Art. 6.1.f) lets you prospect without prior consent - as long as your offer is relevant to the prospect's job and you meet three obligations: inform at first contact, provide a one-click opt-out, and delete inactive data after 3 years. Consent is mandatory for B2C email and SMS. In 2024, EU data protection authorities issued record fines for non-compliance.


Quick comparison table

| Criteria | Consent (Art. 6.1.a) | Legitimate Interest (Art. 6.1.f) |
|---|---|---|
| Definition | Explicit, active agreement from the prospect | Company’s legitimate commercial interest |
| Required for B2B email? | No (but valid option) | Yes, default legal basis |
| Required for B2C email? | Yes, mandatory | Not applicable |
| Prior opt-in needed? | Yes | No |
| Opt-out required? | Yes | Yes, one click |
| Documentary proof? | Yes (consent records) | Yes (balancing test documentation) |
| Relevance to prospect’s role required? | No | Yes, mandatory |
| Data retention limit | 3 years after last contact | 3 years after last contact |
| Ideal for | B2C, newsletters, retargeting | B2B outbound prospecting |

What is GDPR consent? Definition and scope

Consent under GDPR Article 6.1.a must be freely given, specific, informed, and unambiguous. That means the prospect has to take a deliberate, positive action to authorize you to use their data.

What doesn’t count as valid consent:

  • A pre-ticked checkbox in a form
  • Acceptance of terms and conditions
  • Silence or failure to object

Valid consent must be documented (timestamped and auditable), granular (separate for each purpose), and revocable at any time. If a prospect withdraws consent, you must stop processing their data without delay.

Consent is the mandatory legal basis for B2C email and SMS marketing. In B2B, it’s an option — but it’s not required in most cases. That’s where legitimate interest comes in.


What is legitimate interest? Article 6.1.f explained

Legitimate interest under GDPR Article 6.1.f allows companies to process personal data without prior consent when three conditions are met:

1. A real, legitimate business interest — your company has a concrete commercial goal, such as acquiring new clients or developing a market.

2. Relevance to the prospect’s professional activity — your offer must make sense for the prospect’s role or industry. This is the condition most frequently ignored, and most frequently sanctioned.

3. A positive balancing test — your commercial interest must not override the fundamental rights and freedoms of the person you’re contacting. This analysis must be documented.

The ICO confirms that legitimate interest can serve as the legal basis for B2B prospecting — provided the associated obligations are properly implemented.

A real-world example of misapplied legitimate interest: in France, the company Nestor was fined €20,000 for sending prospecting emails to professionals promoting meal delivery at their workplace. The regulator found that meal delivery had no meaningful connection to the recipients’ professional activity — which invalidated the legitimate interest claim.


Detailed comparison: consent vs legitimate interest for B2B

Criterion 1: Burden of proof

With consent, the burden falls entirely on you. You need a dated, timestamped, auditable record of every opt-in. If a regulator comes knocking, you must prove that a specific person agreed to be contacted on a specific date.

With legitimate interest, the burden is different but equally real. You need to document your balancing test, justify the relevance of your offer to the prospect’s role, and demonstrate that your commercial interest doesn’t disproportionately infringe on their rights.

Verdict: Legitimate interest has a lower barrier to entry (no opt-in to collect), but requires rigorous documentation. Consent is easier to audit — but much harder to collect at scale.


Criterion 2: Prospecting freedom

Consent gives you broad freedom once obtained. You can contact any profile — B2B or B2C — on any electronic channel, as long as the agreement is valid and on record.

Legitimate interest imposes a hard constraint: your outreach must be directly relevant to the recipient’s professional function. An SDR reaching out to a VP of Marketing to pitch a sales automation tool is squarely in scope. The same SDR reaching out to an HR coordinator to sell fleet management software is not.

Verdict: Legitimate interest covers most B2B outbound scenarios — but it demands careful list segmentation. Precise B2B data enrichment (job title, industry, company size) is essential to target the right profiles and keep your legal basis solid.


Criterion 3: Information obligations

Regardless of which legal basis you use, GDPR Article 14 imposes a full transparency obligation. From the very first contact, your message must include:

  • Your company’s identity (name, contact details)
  • Where you got their data (“Your profile was sourced from LinkedIn”)
  • The purpose of the processing (commercial prospecting)
  • The legal basis you’re relying on (legitimate interest or consent)
  • Their rights (right to object, access, erasure)
  • A working unsubscribe link

This applies equally to cold email, LinkedIn outreach, and phone calls.

Verdict: Draw. Transparency obligations are identical under both legal bases. Neither exempts you from informing prospects upfront.


Criterion 4: Channels and legal basis mapping

| Channel | B2B | B2C |
|---|---|---|
| Nominative professional email (first.last@company.com) | Legitimate interest valid | Consent required |
| Generic company email (info@, contact@) | Outside GDPR scope — governed by ePrivacy / PECR | Outside GDPR scope |
| Professional phone | Legitimate interest valid | Legitimate interest + TPS/do-not-call check |
| SMS | Consent recommended | Consent mandatory |
| Direct mail (postal) | Legitimate interest valid | Legitimate interest valid |
| LinkedIn direct message | Legitimate interest valid | N/A (professional context) |
| Ad retargeting | Consent (cookies) | Consent (cookies) |

Verdict: Legitimate interest covers the core channels of B2B outbound — email, phone, LinkedIn, postal. Consent becomes essential for SMS and all B2C outreach.


Criterion 5: Data retention

Both legal bases converge here. GDPR guidance and national regulators (including the ICO in the UK and the CNIL in France) recommend a maximum retention period of 3 years from the last active contact for inactive prospects. After that, data must be deleted or anonymized.

A simple email open doesn’t reset the clock. A reply, a link click, or an information request does.

This means your prospect lists need regular hygiene. Building a systematic email verification workflow helps identify stale or invalid contacts before they become a compliance liability.

Verdict: Draw. Three years maximum, regardless of legal basis.


Summary verdicts

| Criteria | Winner | Why |
|---|---|---|
| Ease of implementation | Legitimate interest | No opt-in to collect upfront |
| Targeting freedom | Consent | No relevance constraint |
| Scalability for outbound | Legitimate interest | Easier to run at volume |
| Legal certainty | Consent | Clear, auditable proof of agreement |
| B2B cold email compatibility | Legitimate interest | Recognized legal basis for pro-to-pro outreach |
| B2C compatibility | Consent | Mandatory for any consumer outreach |

The 3 non-negotiable requirements for legitimate interest

Legitimate interest is not a free pass to contact anyone without restriction. Here’s what you actually need to have in place before you send a single outreach message.

Requirement 1: A documented balancing test

Before starting any processing based on legitimate interest, you need to conduct a proportionality analysis and record it in your GDPR processing register. This analysis answers three questions:

  1. What is your specific, legitimate commercial interest?
  2. Is your offer genuinely relevant to the professional function of the people you’re targeting?
  3. Do your commercial interests outweigh the rights and freedoms of the prospects in a disproportionate way?

If you can’t answer all three clearly, legitimate interest isn’t the right basis for that campaign.

Requirement 2: Full disclosure at first contact

Every first message — email, call, or LinkedIn DM — must explicitly mention:

  • The source of their data (“Your contact details were sourced from LinkedIn”)
  • The legal basis (“We rely on legitimate interest under GDPR Art. 6.1.f”)
  • The commercial purpose
  • How they can object and where

In practice, a short paragraph at the bottom of your email is enough: “Your details were sourced from LinkedIn. You can opt out of our communications at any time by clicking the link below.”

Requirement 3: A one-click, no-friction opt-out

Every prospecting message must include a working unsubscribe mechanism — one click, no justification required, no multi-step form. Once someone opts out, they must be removed from all your lists and never contacted again, across every tool in your stack.


When to use legitimate interest — and when to use consent

Use legitimate interest when:

  • You’re running B2B outbound prospecting (cold email, outbound calls, LinkedIn)
  • You’re contacting people via nominative professional email addresses
  • Your offer is directly relevant to the prospect’s job function or industry
  • You’ve documented a balancing test in your GDPR processing register
  • You have a functional one-click opt-out in every communication

Use consent when:

  • You’re targeting consumers (B2C) via email or SMS
  • You’re sending a commercial newsletter or recurring marketing communications
  • You’re running ad retargeting campaigns (requires cookie consent)
  • You’re operating in a country where legitimate interest for B2B isn’t recognized (Germany and Italy have stricter rules than the UK or France)
  • You want maximum legal certainty and can collect opt-ins at scale

The special case of generic company emails

Generic addresses like info@company.com or contact@company.com are not personal data under GDPR, since they don’t identify a specific individual. Prospecting to these falls primarily under ePrivacy regulations (PECR in the UK, L.34-5 CPCE in France) rather than GDPR. But the moment an address is nominative — sarah.miller@company.com — GDPR applies in full.


The 5 most common mistakes (and what they cost)

Problem 1: Prospecting outside the professional context

Symptom: Your sales team is sending cold emails to HR managers pitching a fleet management solution — no connection to their actual job.

Impact: This directly invalidates your legitimate interest claim. French regulator CNIL fined Nestor €20,000 for exactly this pattern. The same logic applies under UK GDPR.

Solution: Enrich and segment your lists before sending. Make sure every campaign targets profiles for whom your solution has a direct, demonstrable business value.


Problem 2: No disclosure in the first message

Symptom: Your cold emails don’t mention where you got the prospect’s data or what legal basis you’re using.

Impact: Direct violation of GDPR Article 14. Regulators can issue compliance orders and financial penalties. In 2024, EU data protection authorities issued record sanctions — largely for failures around transparency and rights information.

Solution: Add a compliance block to every outreach template. Include the data source, legal basis, and an unsubscribe link. Three sentences at the bottom of your email is all it takes.


Problem 3: A broken or friction-heavy opt-out

Symptom: Your unsubscribe link leads to a multi-step form, asks for a reason, or doesn’t work at all.

Impact: Direct GDPR violation. Risk of regulatory complaint and reputational damage. Also a deliverability killer — friction-heavy opt-outs drive spam reports.

Solution: Implement a true one-click unsubscribe. No form, no justification required. Sync your suppression list across every tool in your outreach stack.


Problem 4: Keeping prospect data beyond 3 years

Symptom: Your CRM contains prospects you haven’t engaged with in 4+ years, including some who previously asked to be removed.

Impact: Non-compliance with retention limits. If a prospect files a complaint, you have no defense.

Solution: Build an automated data hygiene process. Set a rule to delete or anonymize any prospect with no interaction in 36 months. A well-structured B2B prospect database with clear “last contact” timestamps makes this straightforward.
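The retention rule from the data retention section (opens do not reset the clock; replies, clicks and inbound inquiries do) and the 36-month hygiene job described here, written out as a runnable check. This is an added example, not Derrick's code or anything from the article; it assumes a CRM export where every interaction is tagged with a kind string, and it assumes (as a design choice the article does not prescribe) that opted-out prospects survive only as a hashed do-not-contact entry so the objection is never lost when the rest of the record is purged.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Events that reset the 3-year clock; a plain email open is deliberately absent.
ACTIVE_KINDS = {"reply", "click", "inbound_inquiry"}
@dataclass
class Prospect:
    email: str
    collected: date          # date the record entered the CRM
    interactions: list       # [(date, kind), ...]; kind is a str such as "open"
    opted_out: bool = False  # the prospect objected or unsubscribed

def retention_cutoff(today: date) -> date:
    """Same calendar day three years ago (28 Feb when today is 29 Feb)."""
    leap_day = today.month == 2 and today.day == 29
    return today.replace(year=today.year - 3, day=28 if leap_day else today.day)

def last_active_contact(p: Prospect) -> date:
    """Most recent clock-resetting event, or the collection date if none."""
    active = [d for d, kind in p.interactions if kind in ACTIVE_KINDS]
    return max(active, default=p.collected)

def suppression_key(email: str) -> str:
    """Assumed design: the do-not-contact list stores only a SHA-256 of the
    normalised address (pseudonymised, not anonymised: still personal data)."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

def retention_action(p: Prospect, today: date) -> str:
    """Return 'suppress' (opted out), 'delete' (3 years inactive) or 'keep'."""
    if p.opted_out:
        return "suppress"  # the objection must outlive the record itself
    if last_active_contact(p) < retention_cutoff(today):
        return "delete"
    return "keep"

def run_hygiene(prospects, today):
    """Return {'keep': [emails], 'suppress': {hashes}, 'delete': [emails]}."""
    plan = {"keep": [], "suppress": set(), "delete": []}
    for p in prospects:
        action = retention_action(p, today)
        if action == "suppress":
            plan["suppress"].add(suppression_key(p.email))
        else:
            plan[action].append(p.email)
    return plan

# Constructed sample records, not real prospects.
TODAY = date(2026, 3, 1)
SAMPLE = [
    Prospect("a@example.com", date(2022, 1, 10), [(date(2025, 6, 1), "open")]),   # opens only
    Prospect("b@example.com", date(2022, 1, 10), [(date(2024, 6, 1), "reply")]),  # replied
    Prospect("c@example.com", date(2020, 5, 5), [(date(2025, 2, 2), "click")], opted_out=True),
    Prospect("d@example.com", date(2023, 2, 28), []),                             # never engaged
]
```

Run `run_hygiene(SAMPLE, TODAY)` to see the split: the prospect who only opened emails is purged despite a recent open, while the opted-out prospect is kept solely as a hash on the suppression list.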


Problem 5: No documented balancing test

Symptom: You’re prospecting under legitimate interest, but your GDPR processing register contains nothing about proportionality analysis.

Impact: If a regulator audits your operations, you can’t justify your legal basis. The absence of documentation is itself a violation.

Solution: Write a balancing test record for each processing activity based on legitimate interest. File it in your GDPR register. It doesn’t need to be long — it needs to answer the three core questions: interest, relevance, proportionality.


How data enrichment tools fit into the GDPR picture

When you use a tool like Derrick to find professional emails or enrich LinkedIn profiles, the data you collect remains personal data under GDPR as long as it’s nominative. The tool doesn’t create your legal basis — you do.

Here’s how the workflow looks in practice for B2B outbound:

  1. Collection: You retrieve nominative professional emails via Derrick’s Lead Email Finder or LinkedIn Profile Scraper.
  2. Legal basis: You rely on legitimate interest (GDPR Art. 6.1.f), provided your offer is relevant to the profiles you’re targeting.
  3. Obligation: In your first email, you disclose the source of their data and their right to object.
  4. Opt-out: Every message includes a one-click unsubscribe link. You honor every opt-out immediately.

B2B lead generation using enrichment tools is perfectly compatible with GDPR — but only if this four-step process is consistently applied.



Key takeaways

  • Legitimate interest (GDPR Art. 6.1.f) is the default legal basis for B2B outbound prospecting — no prior opt-in required.
  • Consent is mandatory for B2C email and SMS, and recommended for recurring commercial newsletters.
  • Legitimate interest requires three things: a documented balancing test, disclosure at first contact, and a one-click opt-out mechanism.
  • Your offer must be directly relevant to the prospect’s professional role — this is the most frequently violated condition.
  • Data retention is the same under both bases: maximum 3 years after the last active contact.
  • Compliance isn’t optional: EU regulators set records for enforcement actions in 2024.

Conclusion: which legal basis should your B2B team use in 2026?

For most sales and growth teams running B2B outbound — cold email, LinkedIn outreach, outbound calls — legitimate interest is the right legal basis. It gives you the flexibility to prospect at scale without collecting opt-ins upfront, within a framework that GDPR explicitly recognizes for professional-to-professional outreach.

Consent is the right choice for specific scenarios: B2C campaigns, newsletters, retargeting, or markets with stricter national rules like Germany or Italy.

Either way, the fundamentals are the same: document your basis, inform your prospects, and make it easy to opt out. A compliant prospecting process isn’t a less effective one — it’s a more sustainable one.


FAQ

Does legitimate interest exempt me from all GDPR obligations in B2B? No. It only removes the need to collect prior consent. All other obligations still apply: disclosure at first contact, a working opt-out, a 3-year retention limit, and a documented balancing test in your processing register.

Can I use legitimate interest to contact any professional? No. Your offer must be directly relevant to the recipient’s professional activity. An HR platform can reach HR directors — not IT managers. Regulators have fined companies whose outreach had no meaningful connection to the recipients’ job function.

What’s the difference between opt-in and opt-out? An opt-in is an active, positive action by the prospect (ticking a box, completing a consent form) — mandatory in B2C. An opt-out is the right to object after the fact — required for all processing based on legitimate interest in B2B. A functioning unsubscribe link at the bottom of your email is a valid opt-out mechanism.

How long can I keep B2B prospect data? A maximum of 3 years from the last active contact — a reply, a link click, or an inbound inquiry. A simple email open doesn’t reset the clock. After 3 years of inactivity, data must be deleted or anonymized.

Is legitimate interest recognized across all of Europe? Not uniformly. In the UK and France, legitimate interest is the standard basis for B2B outbound. Germany and Italy apply stricter rules and may require explicit consent even for professional outreach. If you’re prospecting across multiple European markets, adjust your legal basis on a country-by-country basis.
