GDPR-Compliant Cold Email 2026: Six Requirements, Vendor Scorecard, and What Changes with the EU AI Act
Last updated: May 2026 · Category: Compliance · Author: Knowlee Team
Conflict of interest disclosure. Knowlee publishes this on its own domain and operates Knowlee 4Sales, a product reviewed in the vendor scorecard below. We have scored Knowlee where it is strongest and have not inflated scores where competitors handle specific requirements more completely. This is a compliance reference, not a product pitch.
Cold email to EU contacts is legal. It is also more regulated than most sales and marketing teams realise, and that regulation is getting more specific in 2026 with the EU AI Act's (Regulation 2024/1689) general-purpose AI transparency obligations entering force in August. The combination of GDPR, the ePrivacy Directive, and the AI Act does not ban AI-generated or AI-sent outreach — but it does impose requirements that, if ignored, create meaningful legal exposure for the company sending the emails and, in some member states, for the individual who approved the campaign.
This article maps the six requirements that make cold email legally defensible in the EU, scores seven vendors on each, and explains what changes specifically with AI-generated content under the upcoming AI Act obligations. It is structured for the compliance officer, the VP of Sales, and the revenue ops person who has been asked "are we allowed to do this?" and wants an honest answer rather than a vendor's marketing claim.
The short version: compliant cold email is achievable, but "compliant" is not the same as "ticked a GDPR box in the platform settings". It requires a defensible legitimate-interest assessment, a verifiable data-sourcing audit trail, a functioning opt-out at first contact, personalisation built on minimal data, controls on cross-border data flows, and disclosure of the sub-processors involved in generating and sending the emails. Platforms differ materially on how much of this they handle natively versus leave to you.
For the broader compliance context, see /blog/eu-ai-act-2026-complete-guide and /blog/agentic-ai-governance-2026. For the pre-procurement checklist, see /blog/ai-act-buyers-checklist-2026. For tactical cold email tool comparison outside the compliance angle, see /blog/cold-outreach-ai-tools-2026.
The legal framework
Three instruments govern cold email to EU contacts. They interact, and the interaction is not always intuitive.
GDPR (Regulation 2016/679, EUR-Lex) is the data protection framework. It applies to any processing of personal data of EU contacts, including obtaining their contact details from a data provider, storing them in a CRM, using them to generate personalised content, and sending them an email. The relevant provisions for cold email are Article 6 (lawful basis), Article 13/14 (transparency at point of collection and at first contact), Article 17 (right to erasure), Article 22 (automated decision-making), and Recital 47 (direct marketing as a legitimate interest).
ePrivacy Directive 2002/58/EC (EUR-Lex) governs the use of electronic communications for marketing. Article 13 prohibits unsolicited direct marketing by email to natural persons unless the recipient has given prior consent (opt-in) or is an existing customer in specific circumstances. The critical carve-out for B2B cold email: Article 13(5) allows member states to provide exemptions for legal persons (companies) under national law. Most EU member states implement a B2B carve-out that permits cold email to business contacts (role-based email addresses, business accounts) using legitimate interest as the lawful basis. This carve-out is national, not uniform — Germany is stricter than Ireland, for example. The safest position is to treat every individual business email address as subject to the full ePrivacy regime (i.e. require a valid legitimate-interest assessment) even where a national carve-out technically applies.
EU AI Act (Regulation 2024/1689, EUR-Lex) applies from 2 August 2026 for the GPAI provisions. Article 50 requires that AI systems interacting with natural persons disclose that the interaction is AI-generated unless the context makes it obvious. Article 14 requires meaningful human oversight for systems with material risk. Article 50(4) specifically addresses AI-generated content that is intended to inform or influence — which describes AI-generated outbound email. The obligation is on the deployer (the company sending emails), not the model provider or the platform vendor.
Requirement 1: Lawful basis — legitimate interest done right
The standard lawful basis for B2B cold email under GDPR is legitimate interest (Article 6(1)(f)). Recital 47 explicitly names direct marketing as an example of legitimate interest — but the recital is not a blank cheque. A valid legitimate-interest assessment (LIA) requires three steps:
Purpose test: identify a genuine legitimate interest. "We want to sell our product" is insufficient. "We have a product that addresses a specific operational problem for companies in this profile, and we have reasonable grounds to believe this contact faces that problem given observed signals" is closer to defensible.
Necessity test: the data processing must be necessary for the purpose. You cannot use a contact's home address, family information, or browsing history to personalise a cold email; you can use their business role, company size, and a publicly observable trigger event.
Balancing test: the interests and rights of the data subject must not override the legitimate interest. For a business contact, a well-targeted cold email on a relevant professional topic generally passes this test. A blast to all contacts in a purchased database without any relevance assessment generally does not.
Most platforms provide a template LIA or a checkbox that says "I confirm I have a valid legitimate interest basis." That checkbox does not constitute an LIA. The LIA is a document — ideally a formal assessment — that your data protection officer or legal counsel can produce in response to a supervisory authority inquiry. Platforms that help you document the LIA (rather than just check a box) provide materially better compliance posture.
What changes with AI: when the personalisation is AI-generated based on automated signals, the automation itself becomes part of the necessity and balancing assessment. The AI cannot be using more data than is necessary for the legitimate purpose, and the automated nature of the personalisation must be disclosed at the point of first contact (Article 50, EU AI Act).
Requirement 2: Data sourcing audit trail
GDPR requires that data subjects be informed of the source of their data (Article 14(2)(f)) when the data was not collected directly from them — which is the case for every contact obtained from a data provider (Cognism, Apollo, ZoomInfo, LinkedIn, or any equivalent). The disclosure must name the source or category of sources.
This requirement has two practical implications:
At point of first email: the first email must include a statement like "I sourced your contact details from [named provider / public professional profiles]." Generic "publicly available sources" is the minimum; named provider is better for compliance posture.
In the data audit trail: your CRM or sales platform must maintain a record of the source of each contact's data, when it was collected, on what basis, and what was disclosed to the contact. If you cannot produce this record in response to a data subject access request (DSAR), you are non-compliant regardless of what the platform's privacy policy says.
Platforms that log data source automatically — where you see, against each contact record, which provider surfaced the data and when — provide this requirement natively. Platforms that treat all contacts as equivalent, regardless of source, require you to build the audit trail externally. If you are enriching from multiple providers (Apollo for email, Cognism for mobile, LinkedIn for profile), the multi-source log is your responsibility unless the platform handles it.
Requirement 3: Opt-out at first contact
GDPR and the ePrivacy Directive both require that a data subject can opt out of further communications. For cold email, best practice is to include an unsubscribe mechanism in the first email — not after the third follow-up. The opt-out must be:
- Immediate: clicking "unsubscribe" or replying "remove me" must suppress the contact from all future sends, not just the current campaign.
- Permanent: the suppression must persist across campaigns and, where possible, across platforms. If the same contact is in two sequences with two different ICPs, an unsubscribe in one must propagate to the other.
- Logged: the suppression event and its timestamp must be in the audit trail.
Platforms vary on how well they handle cross-campaign suppression and audit-trail logging of opt-outs. Platforms that treat each campaign as isolated — where an unsubscribe in campaign A does not suppress the contact in campaign B — create compliance risk when both campaigns share a data source.
For AI-generated sequences, there is an additional consideration: if the AI autonomously creates new campaigns, the suppression logic must apply to new campaigns created after the opt-out. A system that respects suppressions only for campaigns that existed at the time of the opt-out is insufficient.
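The following is an added example (not code from the article or from any vendor it reviews) of the suppression behaviour this requirement describes: a shared, account-wide registry keyed on a normalised address, an opt-out logged with its timestamp and originating campaign, and send-time filtering so a campaign created after the opt-out still honours it. Addresses, campaign names and timestamps are constructed sample data.

```python
"""Cross-campaign opt-out suppression with an audit trail (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


def normalise(address: str) -> str:
    """Canonical key so 'J.Doe@Example.com ' (re-imported from a second data
    provider) matches 'j.doe@example.com' already on the suppression list."""
    local, _, domain = address.strip().lower().rpartition("@")
    return f"{local}@{domain}"


@dataclass
class SuppressionRegistry:
    """One registry for the whole account; campaigns never own their own list."""
    suppressed: dict[str, dict] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def record_opt_out(self, address: str, campaign: str, channel: str,
                       when: datetime | None = None) -> None:
        when = when or datetime.now(timezone.utc)
        key = normalise(address)
        event = {
            "contact": key,
            "event": "opt_out",
            "source_campaign": campaign,   # where the request arrived
            "channel": channel,            # link click, reply text, etc.
            "at": when.isoformat(),        # timestamp required for the audit trail
        }
        self.suppressed[key] = event       # keyed globally, not per campaign
        self.audit_log.append(event)

    def is_suppressed(self, address: str) -> bool:
        return normalise(address) in self.suppressed


@dataclass
class Campaign:
    name: str
    contacts: list[str]
    registry: SuppressionRegistry

    def recipients(self) -> list[str]:
        """Filter at send time, so a campaign created after the opt-out
        (or one that re-imported the contact) still honours it."""
        return [c for c in self.contacts if not self.registry.is_suppressed(c)]


def demo() -> dict:
    """Constructed scenario: opt-out in campaign A must suppress in B and in
    C, which is created only after the opt-out was recorded."""
    reg = SuppressionRegistry()
    a = Campaign("A-cfo-q2", ["ana@example.com", "j.doe@example.com"], reg)
    b = Campaign("B-cto-q2", ["J.Doe@Example.com ", "lee@example.com"], reg)
    reg.record_opt_out("j.doe@example.com", campaign="A-cfo-q2",
                       channel="reply:remove me",
                       when=datetime(2026, 5, 4, 9, 15, tzinfo=timezone.utc))
    c = Campaign("C-new-sequence", ["j.doe@example.com", "ana@example.com"], reg)
    return {"A": a.recipients(), "B": b.recipients(), "C": c.recipients(),
            "log": reg.audit_log}


if __name__ == "__main__":
    for campaign, sent_to in demo().items():
        print(campaign, sent_to)
```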
Requirement 4: Data minimisation in personalisation
GDPR's data minimisation principle (Article 5(1)(c)) requires that personal data used in processing is limited to what is necessary for the purpose. For cold email personalisation, this means:
- Using the contact's business role, company, and publicly observable professional events: compliant.
- Using the contact's LinkedIn activity, company revenue, and hiring signals: generally compliant if the data was sourced from a legitimate provider under legitimate interest.
- Using the contact's personal social media activity, consumer data, or data obtained from sources the contact would not reasonably expect to be used for B2B outreach: likely non-compliant.
- Using sensitive categories of data (Article 9 GDPR: health, political opinion, religion, etc.) in any personalisation: prohibited without explicit consent.
For AI-generated personalisation, the minimisation principle applies to the data passed to the model. If your AI system sends the contact's full LinkedIn profile, personal email, and social history to a model to generate a personalised opener, you are processing significantly more data than is necessary. The compliant pattern is to pass only the specific signal (job change event, company funding round, publicly stated initiative) that justifies the outreach — not the full contact profile.
Platforms that allow fine-grained control over what data is included in the personalisation prompt, and that log what data was used for each generated email, provide data minimisation natively. Platforms that send a full contact dump to the model and let the AI decide what to use do not.
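As an added example (not the article's code, nor any vendor's), the pattern described above in working form: the trigger signal selects an allow-list of fields, everything else in the contact record is withheld from the model, special-category data causes the send to be refused rather than silently trimmed, and the fields actually passed are logged per generated email. The field names, allow-lists and contact record are constructed sample data.

```python
"""Data-minimised personalisation payload with a per-send field log (constructed example)."""

# Fields the outreach purpose justifies, keyed by the signal that triggered it.
# Constructed allow-lists; a real deployment maps its own signals to fields.
ALLOWED_FIELDS_BY_SIGNAL = {
    "job_change": {"first_name", "role", "company", "signal_detail"},
    "funding_round": {"first_name", "company", "signal_detail"},
    "public_initiative": {"first_name", "role", "company", "signal_detail"},
}

# Article 9 special categories: never sent to a model for B2B personalisation.
SPECIAL_CATEGORY_FIELDS = {"health", "religion", "political_opinion",
                           "trade_union", "ethnicity", "sexual_orientation"}

# Personal-context fields a B2B contact would not expect to see used; they
# are withheld by the allow-list anyway, but their presence is flagged in the
# log because it suggests the sourcing itself may fail the necessity test.
PERSONAL_CONTEXT_FIELDS = {"home_address", "personal_email", "personal_social",
                           "family", "date_of_birth"}


class MinimisationError(ValueError):
    """Raised when a payload cannot be built within the allow-list."""


def build_prompt_payload(contact: dict, signal: str) -> dict:
    """Return only the fields the trigger signal justifies, or refuse."""
    if signal not in ALLOWED_FIELDS_BY_SIGNAL:
        raise MinimisationError(f"no allow-list defined for signal {signal!r}")
    if SPECIAL_CATEGORY_FIELDS & contact.keys():
        # Refuse outright: Art. 9 data should not be in a B2B record at all.
        raise MinimisationError("special-category data present in contact record")
    allowed = ALLOWED_FIELDS_BY_SIGNAL[signal]
    return {k: v for k, v in contact.items() if k in allowed}


def generate_with_log(contact_id: str, contact: dict, signal: str,
                      send_log: list) -> dict:
    """Build the minimal payload and record what was (and was not) sent."""
    payload = build_prompt_payload(contact, signal)
    withheld = sorted(contact.keys() - payload.keys())
    send_log.append({
        "contact_id": contact_id,
        "signal": signal,
        "fields_sent": sorted(payload),
        "fields_withheld": withheld,
        "unexpected_personal_context": sorted(PERSONAL_CONTEXT_FIELDS & contact.keys()),
    })
    # The model call would take `payload` here; the log records the payload's
    # shape, never the generated text or the withheld values.
    return payload


def payload_refused(contact: dict, signal: str) -> bool:
    """True if minimisation refuses to build a payload for this record."""
    try:
        build_prompt_payload(contact, signal)
    except MinimisationError:
        return True
    return False


# Constructed "full contact dump" as an enrichment provider might return it.
SAMPLE_CONTACT = {
    "first_name": "Ana",
    "role": "Head of Revenue Operations",
    "company": "Example GmbH",
    "signal_detail": "started role in April 2026",
    "linkedin_url": "https://www.linkedin.com/in/example-placeholder",
    "company_revenue": "EUR 40M",
    "personal_email": "ana.personal@example.net",
    "personal_social": "@ana_weekend_hiking",
    "mobile": "+49 000 0000000",
}

if __name__ == "__main__":
    log = []
    print(generate_with_log("c-001", SAMPLE_CONTACT, "job_change", log))
    print(log[0])
```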
Requirement 5: Cross-border data transfers and CLOUD Act exposure
If your AI-generated cold email system processes EU contact data on US infrastructure — US-based model APIs (OpenAI, Anthropic US endpoints), US-based CRM vendors, US-based email delivery infrastructure — you are making a cross-border data transfer under GDPR Chapter V.
The legal basis for most such transfers is the EU-US Data Privacy Framework (DPF), which replaced Privacy Shield in 2023. The DPF is operational but legally contested; a Schrems III challenge is anticipated. Buyers with high data-residency requirements (financial services, healthcare, public sector) should not rely on the DPF as the sole safeguard.
The additional complication for AI-generated email is the CLOUD Act (Clarifying Lawful Overseas Use of Data Act, US, 2018). The CLOUD Act permits US law enforcement to compel US-based companies to produce data stored on servers outside the US. This means that if your European contact data is processed by a US-based model provider or email delivery service, it may be accessible to US authorities regardless of where the servers are located. For EU buyers with strict data sovereignty requirements, this is a procurement-level concern that eliminates certain vendor configurations.
The EU-native path: process EU contact data on EU-based model endpoints (Mistral, EU-region Anthropic endpoints where available), EU-based email delivery (EU-region infrastructure), and EU-based storage. Knowlee 4Sales is deployable on EU-resident infrastructure (Hetzner, on-prem); ZELIQ operates with EU data residency. Apollo and Lemlist operate primarily on US infrastructure.
Requirement 6: Sub-processor disclosure
Every service your AI-generated outreach system calls is a data processor or sub-processor under GDPR. If you are processing EU personal data and passing it to a model API, an email delivery service, a data enrichment provider, and a CRM, each of those is a sub-processor that must be disclosed in your privacy notice and, where required, listed in your data processing agreement with the contact's employer (for B2B contexts where a DPA has been signed).
The sub-processor list for a typical AI-generated outbound stack in 2026 includes:
- Model provider: OpenAI (US), Anthropic (US), Mistral (EU), or equivalent
- Email delivery infrastructure: Mailgun, SendGrid, Postmark, or equivalent
- Contact data provider: Cognism, Apollo, LinkedIn Sales Navigator, or equivalent
- CRM: Salesforce, HubSpot, or equivalent
- Sales platform / orchestration: Knowlee, Amplemarket, ZELIQ, or equivalent
Each of these needs to appear in your privacy notice if EU personal data flows through it. Platforms that provide a machine-readable sub-processor list that updates when they add or change a sub-processor are better positioned than platforms that require manual legal review each time the stack changes.
Vendor scorecard
The matrix below scores seven vendors across the six requirements. Native = the platform handles this requirement by default without buyer configuration. Partial = the platform provides tools to comply, but configuration or external process is required. Buyer-responsible = the platform does not address this requirement; the buyer must handle it externally.
| Requirement | Knowlee 4Sales | Cognism | Lemlist | Apollo | ZELIQ | Amplemarket | Genesy/Enginy |
|---|---|---|---|---|---|---|---|
| Legitimate interest documentation | Native (LIA log in job registry) | Partial (guidance only) | Partial (checkbox) | Buyer-responsible | Partial | Partial | Buyer-responsible |
| Data-source audit trail | Native (per-contact provenance log) | Native (GDPR-grade data sourcing) | Partial | Buyer-responsible | Partial | Partial | Buyer-responsible |
| Opt-out at first contact + cross-campaign suppression | Native | N/A (data only) | Partial (per-campaign) | Partial | Native | Native | Partial |
| Data minimisation in personalisation | Native (controlled prompt payload) | N/A | Buyer-responsible | Buyer-responsible | Partial | Partial | Buyer-responsible |
| EU data residency (no CLOUD Act exposure) | Native (Hetzner / on-prem) | Partial (EU data centre, US entity) | Buyer-responsible (US infra) | Buyer-responsible (US) | Native (EU) | Partial (EU option) | Not disclosed |
| Sub-processor transparency | Native (registry disclosure) | Partial | Partial | Partial | Partial | Partial | Buyer-responsible |
Notes on the scorecard:
Cognism scores highly on data sourcing because its core product value proposition is GDPR-compliant contact data; it verifies mobile numbers and emails against opt-out registries. It is a data provider, not a sending platform — the compliance of what you do with the data after sourcing it from Cognism is your responsibility.
Lemlist and Apollo are sending platforms with reasonable compliance tooling, but their data residency is US-infrastructure by default and their personalisation data minimisation is buyer-configured, not platform-enforced. For buyers in the EU with strict DPA requirements, this is a procurement risk.
ZELIQ and Knowlee 4Sales are both EU-native by design. ZELIQ's strength is the EU data residency and the opt-out management; Knowlee 4Sales' strength is the governance metadata layer (job-registry fields that satisfy AI Act Article 14 human-oversight requirements) and the data minimisation controls in the personalisation pipeline.
Amplemarket offers an EU data residency option but defaults to its standard infrastructure; EU buyers should confirm at procurement that the EU option is configured and not just available.
What changes with the EU AI Act from August 2026
Three specific changes affect cold email senders using AI-generated content:
Article 50 transparency obligation. AI systems that generate text interacting with natural persons must disclose the AI-generated nature of the interaction "in a clear and distinguishable manner" unless the context makes it "obvious." Whether an AI-generated outbound email "obviously" comes from an AI is a judgment call that supervisory authorities in different member states may interpret differently. The safe position is a disclosure in the email footer: "This email was drafted with the assistance of an AI system. [Company name] operates this system and is responsible for its content." Platforms that allow you to configure a compliant disclosure footer and log that it was included per send are preferable to those that do not.
Article 14 human oversight. For AI systems that pose a material risk, Article 14 requires that a natural person can effectively oversee, interrupt, and override the AI's decisions. For cold email systems, the practical implication is that the campaign-approval flow must include a human sign-off before the system sends at scale — not a checkbox that was approved six months ago, but a documented approval per campaign or per campaign-configuration-change. Knowlee 4Sales' job-registry approval metadata (approved_by, approved_at) is the practical implementation of this requirement.
GDPR Article 22 automated decision-making. If the AI system makes a decision that has legal or similarly significant effect on a natural person — for example, automatically classifying a contact as "not interested" and suppressing them from future campaigns without a human reviewing the classification — this may constitute automated individual decision-making under Article 22. The safeguard is human review of classification decisions above a certain volume threshold, or explicit notice to contacts that automated classification decisions can be contested. Most commercial platforms handle this at the edge of their default configuration; buyers should validate.
For the complete regulatory text and timeline, see /blog/eu-ai-act-2026-complete-guide. For the pre-procurement checklist applicable to cold email tools specifically, use /tools/ai-act-compliance-scorer and /tools/gdpr-cold-email-checker.
Six-step compliance checklist
Before your next cold email campaign to EU contacts:
- Document the LIA. Write down the purpose test, necessity test, and balancing test for this campaign. File it with your DPO or legal team. Update it if the ICP or the data processing changes.
- Confirm data source. Know exactly where every contact's email address came from and when. Check that your sourcing provider has a documented GDPR compliance position for the territory.
- Verify opt-out at first contact. Test the unsubscribe link before the campaign goes live. Confirm that unsubscribes propagate across campaigns in your platform.
- Audit the personalisation payload. If you are using AI-generated personalisation, check what data fields are passed to the model. Remove anything beyond the minimal relevant signal.
- Check your sub-processor list. Confirm your privacy notice lists every service in your sending stack. Update it before the campaign if you have added a new tool.
- Add the AI disclosure footer (from August 2026). If the email is AI-drafted or AI-sent, include a disclosure statement. Log that it was included per send.
For step-by-step validation against the ePrivacy and GDPR requirements, use /tools/gdpr-cold-email-checker. For cold email quality scoring independent of compliance, see /tools/cold-email-scorer.
Frequently asked questions
Is cold email to EU contacts legal under GDPR? Yes, subject to conditions. GDPR does not prohibit cold email; it regulates the processing of personal data involved in it. Legitimate interest (Article 6(1)(f) GDPR) is the correct lawful basis for B2B cold email where you have a genuine, proportionate interest, a necessity argument, and the contact's rights do not override that interest. Recital 47 specifically names direct marketing as an example of legitimate interest. The conditions — LIA documentation, transparency at first contact, functioning opt-out — must all be met for the basis to hold.
Does the ePrivacy Directive override GDPR on cold email? The ePrivacy Directive 2002/58 applies alongside GDPR for electronic communications specifically. Article 13 of the ePrivacy Directive requires consent for unsolicited marketing email to natural persons, but Article 13(5) allows member states to provide B2B exemptions under national law. Most EU member states implement this exemption for business-to-business email. In practice: cold email to business email addresses of individual professionals using legitimate interest is legal in most EU member states, but you must comply with GDPR data-protection requirements and local implementations of the ePrivacy Directive. Always validate country-by-country if you are sending to a specific national market.
What does the EU AI Act require for AI-generated cold email? From August 2026, Article 50 of the EU AI Act (Regulation 2024/1689) requires transparency when AI systems generate text that interacts with natural persons. For AI-generated outbound email, the safe interpretation is a disclosure in the email that the content was AI-generated. Article 14 requires human oversight for AI systems with material risk — for cold email, this means a documented campaign approval by a human before the system sends at scale. These obligations fall on the deployer (the company sending emails), not the platform vendor, though platform vendors with governance tooling can make compliance tractable.
Can we use Apollo or Lemlist for EU cold email and be compliant? With appropriate configuration and external processes, yes. Neither platform is non-compliant by design; they are US-infrastructure-first and require the buyer to build the data-source audit trail, the LIA documentation, and the sub-processor disclosure list externally. If your privacy team or DPO is resourced to own those processes, Apollo and Lemlist are viable. If you want the platform to carry more of the compliance burden natively, Knowlee 4Sales or ZELIQ are better fits for the EU market.
What is the CLOUD Act and why does it matter for cold email? The US CLOUD Act (2018) permits US law enforcement to compel US-based companies to produce data held on non-US servers. For EU cold email campaigns processed on US-based model APIs or email delivery infrastructure, the CLOUD Act creates a theoretical (and in some cases practical) risk that EU contact data could be accessed by US authorities without an EU legal process. For most commercial B2B outreach, this risk is academic. For public sector, healthcare, financial services, or any buyer under sector-specific data-sovereignty requirements, it is a genuine procurement constraint that points toward EU-resident infrastructure.
What is a sub-processor and do I have to disclose all of them? A sub-processor is any service provider that processes personal data on your behalf as part of your services. Under GDPR Article 28, you must use sub-processors under a written data processing agreement and must inform data subjects of sub-processors in your privacy notice. For a cold email stack, sub-processors typically include the model provider, the email delivery service, the data enrichment provider, and the sales platform. The disclosure must be in your privacy notice; the DPA must be in place with each sub-processor. See /glossary/sub-processor-ai for the definitional context.
Country-level variation: what changes by member state
GDPR is directly applicable across all EU member states, which means Articles 6, 13-14, 17, and 22 apply uniformly. The ePrivacy Directive, however, is a directive — it requires transposition, and transposition is inconsistent.
Germany (§ 7 UWG). Germany's Unfair Competition Act takes a strict position on unsolicited commercial email. Even with a valid legitimate interest under GDPR, sending cold email to a German individual without prior consent can breach the UWG and attract injunctions from competitors or trade associations. The B2B carve-out is narrower than in most EU states. German B2B cold email is safest when sent to a clearly professional role-based address (info@company.de, sales@company.de) with a directly relevant product message and a clear opt-out. Legal counsel is strongly advised before running high-volume cold email campaigns targeting German contacts.
Italy (Codice Privacy, D.lgs. 196/2003 as amended). Italy's DPA (Garante) has taken a strict position on bulk marketing email. The Garante has issued fines for companies using legitimate interest as the basis for mass email without a documented balancing test. Small, targeted, relevant outreach passes; bulk prospecting blasts do not.
France (Loi Informatique et Libertés). France aligns closely with the GDPR position. Legitimate interest is a valid basis for B2B cold email. The CNIL emphasises that the communication must be relevant to the recipient's professional activity and that the opt-out must be simple and immediate.
Spain (LSSI and LOPDGDD). Spain requires opt-in for marketing email to natural persons under the LSSI (B2C). For B2B, legitimate interest applies, but the AEPD (Spanish DPA) has issued guidance that the relevance test must be met — generic blasts are not protected by legitimate interest.
Ireland. Ireland's Data Protection Commission (DPC) has issued relatively permissive guidance on B2B cold email with legitimate interest, making it one of the more accessible markets for legitimate-interest-based outreach. The DPC is also the lead supervisory authority for many large tech companies under GDPR's one-stop-shop mechanism.
The practical implication for compliance teams: maintain a country-level matrix of where your cold email campaigns operate and validate the local ePrivacy transposition before scaling into new markets. Knowlee 4Sales' governance metadata allows country-level campaign flags — you can mark campaigns with the target market and apply different approval requirements by country.
The common mistake: confusing platform compliance with legal compliance
The most frequent compliance gap in sales teams deploying AI-generated cold email is assuming that because the platform is "GDPR compliant", the campaigns run on it are compliant. They are not the same thing.
A GDPR-compliant platform means: the vendor has signed appropriate DPAs with their sub-processors, they have a privacy programme, they store data in compliant infrastructure, and their product provides the tools needed to comply. It does not mean that every campaign run on the platform is automatically lawful.
The lawfulness of the campaign depends on the deployer's decisions: the LIA they wrote (or did not write), the data source they used (compliant or not), the suppression list they maintained (properly or not), the personalisation data they passed to the model (minimal or excessive), and the AI disclosure they included (present or absent).
A useful analogy: a car being road-legal does not mean every journey taken in it is within the speed limit. The platform is the car; the campaign is the journey. Compliance officers who accept a vendor's "we are GDPR compliant" statement as the end of the inquiry are making an error that will surface in the first regulatory inquiry.
Conclusion
GDPR-compliant cold email in 2026 is achievable but requires deliberate process, not just platform selection. The six requirements — defensible legitimate interest, data-source audit trail, opt-out at first contact, data minimisation in personalisation, cross-border data transfer controls, and sub-processor disclosure — are not independently complex. The complexity is in maintaining all six simultaneously, at scale, across multiple campaigns and multiple target markets.
Platforms differ materially in how much of this they handle natively. EU-native platforms (Knowlee 4Sales, ZELIQ) carry more of the compliance burden structurally; US-infrastructure-first platforms (Apollo, Lemlist) require more external process from the buyer. Neither configuration is unworkable, but the cost of the external process is real and should be priced into platform comparisons.
From August 2026, the EU AI Act adds transparency and human-oversight obligations that apply to every company using AI-generated outbound — not just to the platform vendor. The companies that will pass their first AI Act audit are the ones that started building the governance record before the audit, not in response to it.
Use /tools/gdpr-cold-email-checker to validate your current setup against the six requirements before your next campaign launch.
Related reading
- EU AI Act 2026 complete guide — the full regulatory timeline and obligation map.
- Agentic AI governance 2026 — governance requirements for AI systems in production.
- AI Act buyers checklist 2026 — pre-procurement compliance checklist.
- Agentic AI for sales teams 2026 — the operating model behind agentic outbound.
- Agentic AI vs sales engagement platform 2026 — category context for AI-generated outreach.
- Build vs buy AI SDR 2026 — compliance as a build vs buy decision factor.
- Cold outreach AI tools 2026 — tactical tool comparison, less compliance-focused.
- B2B sales automation AI 2026 — automation tools landscape.
- Sales intelligence platform 2026 — data providers in the cold email stack.
- Apollo vs Cognism — data provider comparison with GDPR angle.
- 4Sales vs Amplemarket — Knowlee vs Amplemarket EU compliance comparison.
- 4Sales vs ZELIQ — Knowlee vs ZELIQ EU data residency comparison.
- GDPR and AI glossary — definitional context for the compliance terms in this article.
- Sub-processor AI glossary — what counts as a sub-processor in an AI stack.
- Sovereign AI glossary — EU data sovereignty concepts relevant to cross-border transfers.
- GDPR cold email checker tool — validate your campaign setup against the six requirements.
- AI Act compliance scorer — score your platform against AI Act obligations.
- Cold email scorer — quality and deliverability scoring for outbound.