Back to blog
Acquisition

Is Cold Email Legal in France? What GDPR Says (2026)

Cold email legality in France: GDPR and CNIL rules

Yes, cold email is legal in France for B2B: the CNIL allows email prospecting to professionals without prior consent, under three specific conditions. In B2C, though, opt-in is mandatory, which rules out cold email entirely. Here are the exact rules, what you risk by ignoring them, and how to prospect with peace of mind.

L’essentiel
  • Legal in B2B without prior consent, under 3 CNIL conditions: message relevant to the recipient's role, sender clearly identified, simple opt-out in every email.
  • Banned in B2C without prior opt-in.
  • A named professional email address is still personal data: GDPR applies (disclosure, opt-out, retention periods).
  • The real everyday risk isn't the fine, it's deliverability and reputation.

What Exactly Does the Rule Say for B2B?

In France, email prospecting between professionals relies on the so-called legitimate interest basis: no prior consent needed, provided three cumulative conditions set out by the CNIL are met.

  • The message must relate to the recipient's professional role: writing to a sales director at an SME about a sales tool is legitimate; selling them a fitted kitchen is not.
  • The sender must be clearly identifiable: your name, your company, a real reply address. No hidden sender, no false pretense.
  • Every email must offer a simple, free way to opt out of future contact: an unsubscribe link or a plain "reply STOP," honored immediately.

Meet these three conditions and your B2B prospecting is in the clear.

And Why Is It Banned in B2C?

Because the rule flips: to reach out to an individual by email, prior consent (opt-in) is mandatory. Sending a cold email to a personal address without explicit agreement is a violation, regardless of the content.

RuleB2B (professionals)B2C (individuals)
Prior consentNot required (legitimate interest)Mandatory (opt-in)
Main conditionRelevance to the recipient's roleExplicit agreement before any send
Opt-out in every messageMandatoryMandatory
Generic address (contact@)Free to contact (not personal data)Not applicable

A word of caution: named addresses ([firstname.lastname@company.fr](mailto:prenom.nom@entreprise.fr)) remain personal data even in B2B. GDPR therefore applies: informing data subjects, keeping a processing record, reasonable retention periods, and immediate compliance with opt-out requests.

What Do You Actually Risk If You Get It Wrong?

On paper, GDPR penalties can be severe; in practice, for an SME prospecting properly in B2B, the risk of a CNIL sanction is low and mainly targets blatant abuse (mass spam, no opt-out, buying dubious lists). The everyday risk lies elsewhere: spam complaints that wreck your domain's reputation and send all your emails, including the legitimate ones, straight to junk. Compliance and deliverability point in the same direction: target accurately, identify yourself, respect opt-outs.

Buying contact lists deserves its own deep dive: is it legal to buy an email list?

How to Prospect Legally in Practice: The Checklist

  • Target professionals whose role directly relates to your offer.
  • Build your own list (LinkedIn + verified enrichment) rather than buying files.
  • Identify yourself clearly: name, company, real contact details.
  • Include a simple opt-out in every email and honor it immediately.
  • Keep an up-to-date suppression list and document your processing activities (GDPR record).
  • Limit follow-ups (2 to 4) and space them out: pushiness fuels complaints.

This is exactly the framework applied in our automated prospecting system.

GDPR- and CNIL-compliant B2B cold email checklist: professional relevance, sender identification, functional unsubscribe, data source disclosure

Key Takeaways

  • B2B: legal without prior consent under 3 CNIL conditions (role relevance, identification, opt-out).
  • B2C: opt-in mandatory, cold email is ruled out.
  • Named addresses remain personal data: GDPR applies in B2B too.
  • The real everyday risk is deliverability and reputation, not the fine.

FAQ: Cold Email Legality

Are LinkedIn outreach messages subject to the same rules?

LinkedIn messages aren't emails under prospecting regulations: the platform sets its own rules (quotas, terms of use). GDPR does apply, however, as soon as you export and process profile data.

Do I need to mention GDPR in my cold emails?

Not necessarily a legal paragraph: what matters is clear identification and an opt-out. A signature line with your identity and "reply STOP to stop receiving our messages" covers the requirement clearly.

Can I write to a generic address like contact@?

Yes, freely: a generic address isn't personal data. It's often less effective than a named address, but it comes with no GDPR constraints.

What should I do if someone asks to have their data deleted?

Remove their address from your tools, add them to your suppression list so you never contact them again, and confirm the deletion if they ask. All without delay.

Article written by Kevin Sazarin, Growth Marketer and founder of Skalia (Toulouse). Parent guide: Cold Email from A to Z.

Further Reading