Who can I email? A quick guide to GDPR for email marketing

As we’ve written about before, we’re big fans of email marketing. An opted in email list of people who have said that they want to hear from you is one of your organisation’s most valuable marketing resources. However, what if you don’t have such a list but you want to try email marketing? Who can you mail?

When GDPR was introduced in 2018 there were fears that it would mean the complete end of email marketing but fortunately that has turned out not to be the case. You do, however, need to consider GDPR if you are planning any form of email marketing and to ensure that you are compliant.

What type of data is protected under GDPR?

GDPR is designed to protect individuals’ personal data, so it is important to understand how personal data is defined. GDPR states that “Personal data is information that relates to an identified or identifiable individual”, further clarifying that “If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.” This means that email addresses do count as personal data if you can identify an individual from the email address.

However, generic email addresses such as sales@, info@, contact@ and so on do not count as personal data as they do not identify any named individual. Hence you can send marketing emails to such addresses without explicit consent if you wish. This is not in contravention of GDPR, as explained on the Information Commissioner’s website which states that data that’s excluded from GDPR includes “Business data such as your work email address (as long as it doesn’t contain someone’s name)”. Of course, you should still include an unsubscribe option in any email that you send to these addresses and ensure that unsubscribe requests are honoured.

So, if you are a B2B organisation targeting businesses rather than individuals then you are free to email any generic email address associated with that organisation.

Does this mean work emails exempt from GDPR?

This is a common misconception. There is no blanket exemption from GDPR for work email addresses. If you can be identified from your email address then it counts as personal data irrespective of whether it is your work email address or your personal email address. There is no exemption from GDPR for business email addresses. If someone’s name is in the email address then it is personal data and must be treated accordingly.

Can I still buy lists of data for email marketing?

Yes. There are all sorts of list brokers who are still selling and licensing lists for marketing emails. Each list broker or owner will be able to provide you with their GDPR statement and details of how the list can be used and under what lawful grounds. Of course as with all things some list and list brokers are better than others and with every purchase you should do your due diligence to be comfortable with what you are purchasing. Most lists are sold under some kind of license which allows you to use them for a year or up to 12 emails in a year or similar, of course be careful to make sure you use the data correctly under the license you have been granted. Also be aware that some email sending tools ask you not to use bought data lists (Mailchimp for example) but many do and there’s always old fashioned mail-merging to help you! The ideal when using bought lists is to attract these people to opt in with you so you capture them into your own systems as opted in contacts – offering a free thing in exchange for their subscription is a great way to do this whether that be registration on a free webinar, downloading a free white paper / e-book or making a small initial purchase.

What about my existing customer list – can I email them?

As ever with these things “it depends”. It’s worth pointing out we are not GDPR lawyers and if you have doubts then it’s worth seeking professional advice. You do need to put a bit of thought into who this list is comprised of and where they came from. Would they reasonably expect to hear from you in a marketing context? If they are customers who have an ongoing relationship with you then probably yes they would reasonably expect to hear from you and you may be able to market to them using “legitimate interest” as your lawful grounds for contact. It’s worth thinking about building in an opt in process to your customer acquisition process for the future so that as you gain more customers you are adding them to your email lists with explicit consent as your grounds for marketing rather than legitimate interest.

What about sending cold one to one emails?

Yes your sales team and send one to one emails to people who have not opted in with you. You do need to be able to explain and justify why the email has been sent so you need to target your prospects carefully. You need to have a strong reason to claim that the company the person works for can benefit from what your company offers in the email; your business activity should be logically connected with the business activity of your prospect. You should make sure you offer a method for the person to unsubscribe from your contacts and be sure you can process and enforce this opt out for the future. You also need to ensure you are not storing this personal information for longer than you need it. GDPR is a bit vague on this and doesn’t set a time limit but you can internally document your approach and processes to ensure you have thought this through and have a process for enforcing it.


Our advice (which is not legal advice!) is broadly that you can’t market to people at their personal / named email account without their consent so if you have a big list of personal email addresses that aren’t consented and you don’t have a legitimate reason to contact them then you need to be looking at how to build up a consented list (which is NOT emailing them all to ask if they consent). As discussed above there are ways you can work through this by using generic email addresses, one to one email and contact techniques such as LinkedIn messaging as well as buying in data lists and using all of these to drive individuals to opt in with you for the future.

Scroll to Top