Email Compliance & GDPR Checklist
A working GDPR email compliance checklist for B2B sales teams — covering consent, CAN-SPAM requirements, data subject rights, and the specific steps we follow at Cleanlist to keep our own outreach compliant across the EU, US, and Canada.
Consent & Legal Basis
Identify your legal basis for processing
Difficulty: medium
GDPR gives you six legal bases, but for B2B email outreach you're realistically choosing between three: consent, legitimate interest, or contractual necessity. Most B2B cold outreach falls under legitimate interest — but you can't just claim it. You need a documented Legitimate Interest Assessment (LIA) for each segment of your database. We've seen companies fined not because their basis was wrong, but because they couldn't produce the documentation.
Review consent collection mechanisms
Difficulty: easy
Check every opt-in form on your site and landing pages. Each one should clearly state what the contact is signing up for — the specific emails they'll receive, how often, and from whom. Pre-checked boxes are not valid consent under GDPR. Neither are vague statements like "we may contact you." If your forms say anything less specific than "You'll receive our weekly sales tips email," they probably need rewriting.
Maintain a consent record
Difficulty: medium
For every contact, record three things: when consent was given (timestamp), how it was given (which form, which page, what was displayed), and what exactly was consented to. Store this in your CRM or a dedicated consent management platform. When a regulator asks — and they do ask — "show me proof this person opted in" needs to be a 30-second lookup, not a 3-day scramble.
Audit third-party data sources
Difficulty: hard
This is the one that catches most B2B teams off guard. If you buy contact lists, use data enrichment providers, or import leads from any third-party source, you are responsible for verifying that the data was collected with a proper legal basis. Ask your providers for their data processing documentation. If they can't produce it, or if they get cagey about sourcing methods, that's your signal to find a different provider.
Email Content Requirements
Include physical address in all emails
Difficulty: easy
CAN-SPAM requires a valid physical postal address in every commercial email you send. A PO box or registered agent address works — it doesn't have to be your office. GDPR similarly requires clear sender identification. Check your email templates right now. If your footer doesn't have an address, every email you've sent is technically non-compliant.
Add clear unsubscribe mechanism
Difficulty: easy
Every commercial email needs a visible, one-click unsubscribe option. CAN-SPAM gives you 10 business days to process opt-outs, but in practice, aim for instant. Google and Yahoo's 2024 sender requirements made one-click unsubscribe headers mandatory for bulk senders — if you're sending 5,000+ emails per day, you need the List-Unsubscribe header, not just a footer link.
Use accurate sender information
Difficulty: easy
Your 'From' name, email address, and subject line must accurately represent who is sending and what the email contains. This sounds obvious, but it gets murky fast. Sending from 'John at Google' when John works for your agency and you're emailing on Google's behalf? That's a CAN-SPAM violation. Subject lines like 'Re: Our conversation' when you've never spoken? Also a violation. Keep it honest.
Clearly identify commercial messages
Difficulty: easy
Commercial emails should be recognizable as promotional content. You don't need a giant "ADVERTISEMENT" banner — but the commercial intent should be obvious from context. Where this gets tricky: cold outreach emails that look like personal messages. They're still commercial emails under CAN-SPAM and need to follow the same rules (physical address, unsubscribe option, honest sender info).
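The content requirements above (postal address in the footer, a visible unsubscribe link, honest From and Subject, and the List-Unsubscribe header for bulk senders) as an added example that is not Cleanlist's own code: it assembles an outreach message carrying the RFC 8058 one-click unsubscribe headers (List-Unsubscribe plus List-Unsubscribe-Post) and runs a pre-send lint over it. The sender, domains, opt-out endpoint and postal address are constructed placeholders, and the postal-address check is a crude heuristic.

```python
import re
from email.message import EmailMessage

# Constructed placeholders; swap in your own sender, postal address and opt-out endpoint.
SENDER = "Jane Doe <jane@sales.example.com>"
POSTAL_ADDRESS = "Example Corp, 123 Placeholder St, Austin, TX 78701"
UNSUB_MAILTO = "mailto:unsubscribe@sales.example.com?subject=unsubscribe"
UNSUB_URL = "https://sales.example.com/unsubscribe?c=CONTACT-ID-PLACEHOLDER"


def build_message(to_addr: str, subject: str, body: str, bulk: bool = True) -> EmailMessage:
    """Assemble an outreach email with the footer items the checklist requires and,
    for bulk senders, the RFC 8058 one-click unsubscribe headers."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr
    msg["Subject"] = subject
    if bulk:
        # Both a mailto and an https URI; the -Post header is what makes it one-click.
        msg["List-Unsubscribe"] = f"<{UNSUB_MAILTO}>, <{UNSUB_URL}>"
        msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"{body}\n\n--\n{POSTAL_ADDRESS}\nUnsubscribe: {UNSUB_URL}\n")
    return msg


def check_message(msg: EmailMessage, bulk: bool = True) -> list[str]:
    """Pre-send lint: return one finding per checklist requirement the message misses."""
    findings = []
    body = msg.get_content()
    if not (re.search(r"unsubscribe", body, re.I) and re.search(r"https?://\S+", body)):
        findings.append("body: no visible unsubscribe link")
    if not re.search(r"\b\d{5}\b", body):  # crude heuristic: a US ZIP-like token in the footer
        findings.append("body: no postal address detected")
    if not msg["From"] or "@" not in msg["From"]:
        findings.append("header: missing or malformed From")
    # Cold outreach has no prior thread, so a Re:/Fwd: subject misrepresents the message.
    if msg["Subject"] and re.match(r"\s*(re|fwd?)\s*:", msg["Subject"], re.I):
        findings.append("header: subject pretends to be a reply or forward")
    if bulk:
        lu = msg["List-Unsubscribe"] or ""
        if "<https://" not in lu:
            findings.append("header: List-Unsubscribe lacks an https URI")
        if (msg["List-Unsubscribe-Post"] or "") != "List-Unsubscribe=One-Click":
            findings.append("header: List-Unsubscribe-Post missing or not One-Click")
    return findings


if __name__ == "__main__":
    ok = build_message("lead@example.org", "Quick question about your CRM data", "Hi, ...")
    print(check_message(ok))  # []
```

Run the lint in your send pipeline and block any message that returns a non-empty list; the postal-address check should be tightened to your own footer format.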
Data Handling & Rights
Enable data subject access requests
Difficulty: medium
When someone asks "what data do you have on me?" — and under GDPR, they have every right to — you need to produce an answer within 30 days. Build a repeatable process now, before the first request arrives. That means knowing exactly where personal data lives across your CRM, email platform, enrichment tools, analytics, and any spreadsheets floating around. Most teams discover they have data in 6-8 more places than they thought.
Implement right to deletion process
Difficulty: hard
Deletion requests are the hard one. When someone says "delete my data," you need to remove it from everywhere: CRM, email platform, marketing automation, backups, exported CSVs, third-party enrichment tools, and that one spreadsheet your SDR keeps on their desktop. Map every system that touches personal data and build a deletion checklist. Then test it. Actually run a deletion request through your full stack and see if any data survives.
Review data retention policies
Difficulty: medium
Define clear retention periods: how long do you keep contact data after last engagement? After a deal closes? After a lead goes cold? GDPR's data minimization principle means you can't store data indefinitely "just in case." A common B2B approach: active prospects for 24 months after last interaction, closed-lost for 12 months, unresponsive cold outreach contacts for 6 months. Document it, automate the cleanup, and stick to it.
Ensure data processor agreements are in place
Difficulty: medium
Every third-party tool that touches personal data on your behalf needs a signed Data Processing Agreement (DPA). That includes your CRM, email platform, enrichment providers, analytics tools, and cloud storage. Most SaaS vendors have a DPA template on their legal page — but you need to actually sign it, not just assume it's covered by the Terms of Service. Audit your vendor list and check off each DPA. We've seen companies using 15+ tools with zero DPAs signed.
Pro Tips
- When in doubt, talk to a privacy lawyer who specializes in data protection — not your general counsel, not your accountant. The nuances of legitimate interest vs. consent in B2B cold outreach are genuinely complex, and getting it wrong can cost millions.
- GDPR applies to EU residents regardless of where your company is based. Headquartered in Texas? Doesn't matter. If you email someone in Berlin, GDPR applies to that email. Period.
- Legitimate interest is valid for B2B cold outreach in most EU jurisdictions — but only if you've documented your Legitimate Interest Assessment (LIA) before sending. Doing the assessment after a complaint is like buying insurance after the accident.
- Keep your compliance docs in one searchable place — a shared drive folder, a Notion database, whatever works for your team. When a regulator sends an inquiry (usually with a 14-day response window), you don't want to be digging through Slack threads.
- Cleanlist's data sourcing and processing practices comply with GDPR, CCPA, and CASL. We maintain DPAs with all upstream data providers and can produce compliance documentation on request.
Frequently Asked Questions
Can I send cold emails under GDPR?
Short answer: yes, in most B2B contexts. Longer answer: B2B cold outreach is typically justified under "legitimate interest" — Recital 47 of the GDPR explicitly mentions direct marketing as a potential legitimate interest. But there are conditions. The product or service must be relevant to the recipient's professional role (selling CRM software to a VP of Sales is fine; selling gym memberships to their personal email is not). You must document your Legitimate Interest Assessment before sending. Every email needs a clear opt-out. And you can only process data that's actually necessary for the outreach — no hoarding extra personal data "just in case." One more thing: some EU member states (like Germany) have stricter interpretations under the UWG law. When in doubt about a specific country, check with a local privacy specialist.
What is the difference between GDPR and CAN-SPAM?
They regulate different things in different ways. GDPR is an EU data privacy regulation — it governs how you collect, store, process, and delete personal data. It requires a legal basis (consent, legitimate interest, etc.) before you can even have someone's email in your database. It gives individuals rights to access, correct, and delete their data. CAN-SPAM is a US law focused narrowly on commercial email. It doesn't restrict who you can email — it regulates how. Truthful headers, honest subject lines, physical address in the footer, working unsubscribe link, opt-out processing within 10 days. The practical difference: GDPR asks "should you have this person's data at all?" CAN-SPAM asks "are you following the rules when you email them?" If you email anyone in the EU, you need to comply with both.
What are the penalties for email compliance violations?
The numbers are scary, and they should be. GDPR fines max out at 20 million euros or 4% of global annual revenue — whichever is higher. Amazon got hit with a 746 million euro fine in 2021. CAN-SPAM violations carry penalties up to $51,744 per individual email. Do that math on a 10,000-email campaign and it gets existential fast. But here's what actually hurts most companies more than fines: deliverability damage. Get flagged for non-compliance and ESPs like Google and Microsoft start throttling or blocking your sends entirely. Rebuilding a damaged sender reputation takes 4-8 weeks of reduced volume. For an outbound-driven sales team, that's essentially shutting down your pipeline for two months.