Who can I email? Your complete guide to GDPR for email marketing
Aug 03, 2025
By Rachel Clinton
Last updated: September 2025
Table of contents
- Why email marketing still matters in 2025
- What type of data is protected under GDPR?
- The golden rule: generic email addresses
- Are work emails exempt from GDPR?
- Can I still buy lists of data for email marketing?
- What about my existing customer list?
- Cold outreach: what's allowed in 2025
- Getting consent right: 2025 best practices
- Alternative strategies for building your list
- Your GDPR email marketing checklist
- Key takeaways
Why email marketing still matters in 2025
Email marketing remains one of your most powerful tools as a small business owner. In 2025, email marketing delivers an average return of £42 for every £1 spent, making it incredibly cost-effective for businesses working with tight budgets.
An opted-in email list of people who genuinely want to hear from you is one of your organisation's most valuable marketing assets. But if you're starting from scratch or looking to expand your reach, you might be wondering: who exactly can you email legally?
When GDPR was introduced in 2018, there were fears it would spell the end of email marketing. Fortunately, that hasn't been the case. However, you do need to understand the rules to ensure you're compliant whilst building your business.
What type of data is protected under GDPR?
GDPR is designed to protect individuals' personal data. Understanding what counts as personal data is crucial for your email marketing efforts.
GDPR defines personal data as "information that relates to an identified or identifiable individual". This means that if you can identify a specific person from their email address, it counts as personal data and must be handled accordingly.
For example:
- Personal data: [email protected] or [email protected]
- Not personal data: [email protected] or [email protected]
The golden rule: generic email addresses
Here's some good news for B2B businesses: generic email addresses such as sales@, info@, contact@ and so on do not count as personal data as they do not identify any named individual.
This means you can send marketing emails to these addresses without explicit consent. The Information Commissioner's Office confirms that data excluded from GDPR includes "business data such as your work email address (as long as it doesn't contain someone's name)".
Best practices for generic email marketing:
- Always include a clear unsubscribe option
- Process unsubscribe requests in a timely fashion
- Clearly identify who you are in the email
- Keep a "do not email" list (suppression list) of email addresses that have opted out
If you're a B2B organisation targeting businesses rather than individuals, you're free to email any generic email address associated with that organisation. This approach works particularly well for initial outreach and relationship building.
Are work emails exempt from GDPR?
This is a common misconception that could land you in trouble. There is no blanket exemption from GDPR for work email addresses.
If someone's name appears in their email address, it counts as personal data regardless of whether it's their work or personal email. For example:
- Requires consent: [email protected] (contains a person's name)
- Doesn't require consent: [email protected] (generic business email)
The UK GDPR still applies to B2B marketing if you are processing personal data, for example, if you hold the name of the individual who represents the business.
Can I still buy lists of data for email marketing?
Yes, you can still purchase email lists, but you need to be smart about it. There are reputable list brokers who provide GDPR-compliant data with proper documentation about how the data can be used.
What to look for when buying lists in 2025:
- Clear GDPR compliance statements from the provider
- Documentation of lawful grounds for data collection
- Transparent usage licences (typically 12 months or up to 12 emails)
- Regular data cleansing and verification
Important note: Some email platforms like Mailchimp don't allow purchased lists, but many others do. Always check your email service provider's terms before purchasing data.
Making purchased lists work for you:
The ideal approach is to use bought lists to attract people to opt in with you directly. Consider offering:
- Free webinar registration
- Downloadable guides or whitepapers
- Small initial purchase incentives
- Newsletter subscriptions with valuable content
What about my existing customer list?
The answer depends on your specific situation and relationship with these customers. Ask yourself: would they reasonably expect to hear from you in a marketing context?
If you have customers with ongoing relationships, you may be able to market to them using "legitimate interest" as your lawful grounds for contact. However, this requires careful consideration.
Legitimate interest considerations:
- Do you have an ongoing business relationship?
- Would they reasonably expect marketing communications?
- Are you offering similar products or services?
- Have you provided easy opt-out options?
Best practice for 2025: Build opt-in processes into your customer acquisition journey. This ensures new customers explicitly consent to marketing communications, giving you a stronger legal foundation.
Cold outreach: what's allowed in 2025
Your sales team can still send one-to-one emails to people who haven't opted in, but you need to be strategic and justified in your approach.
Requirements for cold outreach:
- Strong business justification: You must have a clear reason why your offering benefits their business
- Logical connection: Your business activity should connect logically with theirs
- Easy opt-out: Always provide a method to unsubscribe
- Data retention limits: Don't store personal information longer than necessary
The rules on electronic mail marketing state that you must not send marketing emails or texts to individuals without specific consent, with limited exceptions for existing customers.
Alternative outreach methods:
Consider these GDPR-friendly approaches:
- LinkedIn messaging (under their terms of service)
- Phone calls to businesses
- Direct mail to business addresses
- Social media engagement
Getting consent right: 2025 best practices
Consent must be clear and affirmative, meaning you can't use pre-checked boxes. The customer has to actively check that box.
2025 consent requirements:
- Explicit and informed: Clearly explain what they're signing up for
- Freely given: No forced bundling with other services
- Specific: Separate consent for different types of marketing
- Documented: Keep records of when and how consent was given
Double opt-in: the gold standard
Implement double opt-ins where possible to ensure individuals explicitly confirm their willingness to receive marketing communications. This significantly reduces spam complaints and strengthens your compliance position.
Alternative strategies for building your list
Rather than relying solely on purchased lists or cold outreach, focus on these proven list-building strategies:
Content-driven lead magnets
- Industry-specific guides and whitepapers
- Free tools or calculators
- Webinars and online workshops
- Email courses and tip series
Website optimisation
- Exit-intent popups with valuable offers
- Newsletter signup boxes in blog posts
- Footer subscription forms
- Gated premium content
Social media integration
- Facebook and LinkedIn lead ads
- Instagram story promotions
- Social media contest entries
- Cross-promotion with complementary businesses
Your GDPR email marketing checklist
Before sending any marketing email:
- ☐ Identify if the email address contains personal data
- ☐ Confirm you have proper consent or legitimate interest
- ☐ Include clear sender identification
- ☐ Add an easy unsubscribe mechanism
- ☐ Maintain suppression lists for opt-outs
For ongoing compliance:
- ☐ Regularly clean your email lists
- ☐ Document consent collection methods
- ☐ Review data retention policies
- ☐ Update privacy policies to reflect email practices
- ☐ Train team members on GDPR requirements
When in doubt:
- ☐ Consult with legal professionals
- ☐ Review ICO guidance
- ☐ Choose the more conservative approach
Key takeaways
The bottom line: You can't market to people at their personal or named email accounts without their consent. However, there are several compliant ways to build and grow your email list.
What you can do without explicit consent:
- Email generic business addresses (info@, sales@, contact@)
- Send one-to-one sales emails with strong business justification
- Market to existing customers using legitimate interest (with caution)
- Use purchased lists from reputable, compliant providers
Building for the future:
Focus on attracting people to opt in voluntarily through valuable content, special offers, and genuine relationship building. This creates a higher-quality, more engaged audience that's more likely to convert.