GDPR and Cold Email Explained in 4 Rules

Broadly speaking, the GDPR (or General Data Protection Regulation) is a law that came into force on May 25, 2018, and aims to protect European citizens' data.

Not really… To be honest with you, I've heard everything so I ended up doing my research. We will detail all you need to understand when it comes to B2B prospecting. And we're going to simplify it into 4 easy-to-remember rules.

The GDPR is a text that is 88 pages long if you have the courage or cannot sleep tonight, you can consult it here in the language of your choice.

What we are trying to figure out by reading this text is: can I send a prospecting email to someone I have never met? And the answer is yes, provided that the latter has a legitimate interest in your solution.

Well, it's not 100% clear. Legitimate interest is what they wrote in the text. This amounts to correctly targeting your prospects (and cleaning up your lists) so that they are at least interested in what you are selling to them. To caricature, sending an email to sell a TV to a blind man or accounting software to marketers breaks this rule.

Yes, and it makes sense if you think about it a little. Prohibiting prospecting means reducing Europe's GDP in the coming years and putting a lot of people out of work because many B2B companies will be in trouble. The rule is simple. Your recipient must have a legitimate interest for you to contact them.

Another thing to know is that the GDPR has not reinvented everything. In France, for example, we have the CNIL, which has long set the rules concerning prospecting. For instance, it stipulated that c but that it was authorized on a professional email. This rule has not changed. Also, as you can imagine, each country has its regulations. Except for a few exceptions that I am unaware of, the vast majority prohibit prospecting on a personal email.

So, I'm not a lawyer, so check well before if you are in this case, but there seems a profession that could derogate from this rule: recruiters. At least, that's what one of them told me. And after all, that would make sense. If you don't have a job, you don't have a professional email.

If you are a non-European company, you do not have to comply with the GDPR if you do not prospect for any European citizen and establishment in Europe. Otherwise, you are concerned (and fortunately). We tend to forget that the European regulators did not make this law to prevent startups from prospecting but to put in place a well-defined legal framework to protect the data of European citizens. As if to avoid the digital giants of today and tomorrow from continuing to do anything.

Another critical point to respect concerns the fact of allowing the recipients of your emails to unsubscribe from your sequence. There must be a clear and visible way to opt-out of your emails.

Yes, for example. Or a sentence at the bottom of the email that states that they can reply to this email indicating that they are not interested and do not wish to be contacted again.

Yes, it's true. I tend to put a short sentence at the end of the message. Another benefit is that it slightly increases deliverability as mail services see people responding to our emails.

Yes. Hence, it is essential to use your CRM as a source of truth between teams and set it up properly to avoid this scenario.

Another point that must be anticipated when prospecting is that a user can request that we delete all personal data concerning him (and his email address is one of them).

Exactly and every other place it may be. It's something you have to honor and can sometimes be more complicated than you think, especially in large companies with many nested solutions. For startups, the process should be reasonably quick overall.

Well… In most cases, a fine. The text stipulates that this can reach 20 million euros or 4% of annual income depending on the circumstances.

I was able to see a few startups that were sanctioned, and of course, the fines did not reach an amount close to the maximum amount. It all depends on the context and the seriousness of the violation. In 2020, according to a study by DLA Piper, European regulators imposed $188 million in fines, the majority of which came from big players: Google ($56.6 million), British Airways ($26 million), and Marriott ($23.8 million).

The bottom line is that the GDPR is overall (in my opinion) a good law. It aims to protect the interests of European citizens against the excesses of certain companies. If you do it right and follow the rules laid out here, you shouldn't worry. Again, this regulation aims not to kill email marketing but to prevent aggressive and harmful behavior. This law has also inspired countries such as Brazil, Australia, and Japan to toughen their rules on protecting their citizens' data. There is no reason why things should not continue to go in this direction in the years to come. Hence the interest in taking the wave now in your outbound strategy.

Of course, I'm not a lawyer. If you still have doubts about what you can or cannot do, I encourage you to contact people who are experts on the subject to answer your questions.