Field Notes

GDPR and cold outreach in France: what is actually allowed

A plain-language breakdown of GDPR and CNIL rules for B2B cold email in France - what the law really says, what regulators actually enforce, and how to stay safe without killing your pipeline.

Prospea Cold-outbound team

There is a persistent myth that cold B2B email is illegal in France. It isn't. The CNIL publishes the exact rules openly, enforces them, and has never fined a small business for sending compliant cold email. What the CNIL does fine is sloppy data handling, ignored opt-outs, and scraped personal addresses. Here is the plain-language version of what's allowed, what isn't, and a copy-paste compliance checklist.

The distinction that decides everything: B2B vs B2C

The French rules (and EU GDPR generally) treat B2B and B2C prospecting differently. Cold email to a consumer's personal address requires prior opt-in consent: the classic "I clicked a checkbox and said yes." Cold email to a professional address at a business domain does not require prior consent, as long as four conditions are met.

This is not a loophole. It's the explicit position of the CNIL, reiterated in its 2022 guidance and consistent with Article 21 of the GDPR (the "legitimate interests" lawful basis).

The four non-negotiables for B2B cold email in France

You can cold-email a professional address if and only if:

  1. The message relates to the recipient's profession, not a personal product. You can email a law firm about case-management software. You cannot email a lawyer at their work address about a weight-loss supplement.
  2. Your identity is clear and the message is not disguised. Real sender name, real sending domain, truthful subject line. No pretending to be a reply to an existing thread.
  3. Every message contains a one-click, no-login unsubscribe. Not "reply STOP." Not a form behind authentication. An HTTP link that removes the address in one click.
  4. You can disclose where you got the email on request. If the recipient or a DPA asks, you must answer honestly (public directory, specific enrichment provider, etc.). Keep a log.

What actually gets companies fined

The CNIL has a public enforcement database. Looking at the last 50 B2B-prospecting fines, the pattern is consistent:

  • Ignoring unsubscribe requests - the single most common cause. Send a message after someone has opted out and you're in direct violation of Article 21 GDPR and Article 34-5 CPCE. €20k–€2M range.
  • Scraping personal addresses at scale - pulling Gmail/Yahoo addresses from LinkedIn or public directories and cold-mailing them as if they were professional.
  • Refusing to disclose data sources when a recipient or the CNIL asks. Not having a record of where an address came from is treated as equivalent.
  • Repeated sends to the same person after opt-out, across renamed campaigns or different sending domains - the CNIL pierces through these easily.
  • Misleading unsubscribe flows - hiding the link, requiring account creation, only "pausing" instead of unsubscribing.

The CNIL isn't combing through freelancers sending 50 emails/day from a lookalike domain. The investigations they open are triggered by complaint volume, not send volume.

The 5-minute compliance checklist

  1. Send from a business domain, never a personal Gmail/Yahoo/iCloud. The inbox owner should be a real person at a real company.
  2. Every email must include a one-click unsubscribe link. Not a reply-STOP, not a login. Test it from a fresh browser in private mode.
  3. Honor every opt-out within 24 hours, across all your current and future campaigns, across all sending domains you control.
  4. Log the data source per address. A field on the lead record saying "public Google Maps listing, scraped 2026-03-12" is enough. Keep the log for 3 years.
  5. Disclose identity in the footer - legal or trade name plus a real postal address. If you're a freelancer, your home-office address or a forwarding service both qualify.
  6. Publish a privacy notice describing how you process B2B prospecting data, recipients' rights (access, rectification, erasure, objection), and your DPO or contact. Even if you're a solo operator, this takes 20 minutes with a template.
  7. Target professional addresses only. Don't include Gmail/Yahoo/Hotmail addresses in B2B campaigns, even if you know they're used for work.
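
To show how checklist items 2, 3, 4 and 7 fit together in code, here is an added Python example (not Prospea's code and not from the original post): a pre-send gate plus the logic behind a one-click, no-login unsubscribe link. The domain list, the signing secret, the example.com URL and the lead data are constructed assumptions; the HMAC token is an addition so that a link needing no login still cannot be forged to opt out a third party.

```python
import hmac
from dataclasses import dataclass
from urllib.parse import urlencode

# Consumer mailbox providers treated as B2C and excluded from B2B sends
# (checklist item 7). Constructed, deliberately non-exhaustive list.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "yahoo.fr", "hotmail.com",
                    "hotmail.fr", "outlook.com", "icloud.com"}
# Hypothetical signing key; load it from a secret store in real use.
UNSUB_SECRET = b"replace-with-a-long-random-secret"

@dataclass
class Lead:
    email: str
    source: str  # data-source log entry (checklist item 4), free text

def normalize(email: str) -> str:
    """Canonical form so one opt-out matches every campaign and domain."""
    return email.strip().lower()

def is_professional(email: str) -> bool:
    addr = normalize(email)
    return "@" in addr and addr.rsplit("@", 1)[1] not in PERSONAL_DOMAINS

def unsubscribe_token(email: str) -> str:
    """HMAC of the address: the link needs no login, yet nobody can forge
    a link that opts out someone else or guess valid ones."""
    return hmac.new(UNSUB_SECRET, normalize(email).encode(), "sha256").hexdigest()

def unsubscribe_url(email: str, base: str = "https://example.com/unsubscribe") -> str:
    query = urlencode({"e": normalize(email), "t": unsubscribe_token(email)})
    return f"{base}?{query}"

def handle_unsubscribe(email: str, token: str, suppression: set) -> bool:
    """Endpoint behind the link: one click, no account, constant-time check.
    Writes to the global list shared by all campaigns and sending domains."""
    if not hmac.compare_digest(token, unsubscribe_token(email)):
        return False
    suppression.add(normalize(email))
    return True

def can_send(lead: Lead, suppression: set) -> tuple:
    """Gate every outgoing message passes; returns (allowed, reason)."""
    addr = normalize(lead.email)
    if addr in suppression:
        return False, "opted out"
    if not is_professional(addr):
        return False, "personal mailbox, B2C consent rules apply"
    if not lead.source.strip():
        return False, "no data-source log"
    return True, "ok"
```

Because `suppression` is one set keyed on the normalized address rather than a per-campaign flag, a renamed campaign or a second sending domain cannot reach an opted-out address.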

A compliant email footer you can copy

GDPR/CNIL-compliant B2B email footer (EN)

What about the rest of the EU?

France's regime is mid-range in strictness. A rough mapping:

  • More permissive (same rules, looser enforcement): Spain, Italy, Belgium, Netherlands, most of Eastern Europe. If it's fine in France, it's fine there.
  • Similar regime: UK under PECR - B2B prior-consent exception works the same way. Add unsubscribe, sender ID, and keep records.
  • Stricter: Germany. Some DPAs interpret UWG as requiring prior consent even for B2B in certain contexts. When in doubt for DE, skip or get local counsel.
  • Outside EU: CAN-SPAM (US), CASL (Canada). Both allow B2B cold email with unsubscribe + sender ID, similar shape to the French regime.

Prospea's default campaign settings enforce every item on the compliance checklist automatically - one-click unsubscribes in every language you send in, source-of-data logs on every lead, cross-campaign unsubscribe propagation, language-matched footers. Start free with compliance on by default.

Run this on autopilot

Every step above, automated.

Prospea finds local businesses, pulls verified contacts, writes the first email, and sends the follow-ups. Free plan: 20 leads/month. No credit card.