compliance · legal

GDPR and LinkedIn outreach

Legal questions are the most-asked, least-clearly-answered topic in B2B outreach. This is the plain-English version: what's lawful, what's risky, and what your records have to look like to defend a complaint.

Disclaimer first

This is not legal advice. It's a synthesis of GDPR, the ePrivacy Directive, and the EU AI Act as they apply to B2B outreach in 2026, written for operators. For binding advice, talk to your DPO or counsel.

Is cold LinkedIn outreach legal in the EU?

Generally yes — under the GDPR's legitimate interest lawful basis (Article 6(1)(f)). B2B cold outreach to a person's professional LinkedIn profile, directed at their work role, is a recognized legitimate interest. You do not need prior consent.

There are conditions: the outreach must be relevant to the recipient's professional role (don't pitch Gen Z TikTok management tools to a 60-year-old shipyard manager), proportionate (don't message 50 times), and the recipient must be able to opt out easily.

Some EU member states (Germany, in particular) interpret cold messaging more strictly. If you're targeting Germany-based prospects, consider lowering message volume per prospect and being more conservative with personalization sources.

What you have to do

Maintain a record of processing. A GDPR Article 30 record listing what data you collect (name, role, company, public LinkedIn data), why (B2B outreach), how long you retain it (typically 12–24 months), and your legitimate interest assessment.

Provide a privacy notice. Your website's privacy policy must mention that you process LinkedIn data of professional contacts for outbound sales purposes, and explain the recipient's rights (access, deletion, object).

Honor opt-outs immediately. If a recipient says 'stop' or 'unsubscribe,' suppress them within 24 hours. Suppression must be permanent across all your campaigns and tools.

Don't enrich beyond LinkedIn-public data without basis. Pulling LinkedIn data is generally fine. Pairing it with leaked breach data, scraped phone numbers, or unconfirmed email addresses materially weakens your legitimate interest claim.

The ePrivacy wrinkle (cookies, tracking)

If you're running LinkedIn outreach plus any kind of email tracking pixel, the ePrivacy Directive (and its successor, the upcoming ePrivacy Regulation) requires prior consent for non-essential tracking — even in B2B contexts.

Practical effect: don't use email open-tracking pixels for EU recipients without consent. Click-through tracking via clearly identifiable links (UTM-tagged) is generally OK.

Most operators don't bother distinguishing — they either drop tracking entirely for EU recipients, or use IP-based geofencing in their email tool to skip pixels for EU IPs.

The EU AI Act (in force 2026)

The EU AI Act is in force as of 2026 and classifies AI systems by risk. AI personalization for outreach is a 'limited risk' system. The compliance ask: be transparent that AI is involved in generating the message, when asked.

Practically: if a recipient asks 'did an AI write this?', you have to answer truthfully. You don't need to label every message 'AI-generated' upfront, but you can't deny it on request.

If your AI does profiling (lead-scoring, prioritization that affects what messages a person gets), that triggers GDPR Article 22 — you need to offer human review on request.

Practical infrastructure

Suppression lists. A single global suppression list across every campaign, every tool. New campaigns must auto-pull from it.

Retention policy. Default 12 months. Delete prospect records that haven't responded in 12 months and aren't currently in pipeline.

Privacy policy with named purposes. Mention LinkedIn outbound, AI personalization, and CRM sync explicitly.

Audit log. Every message sent, when, by whom, on what lawful basis. Infonet exports this; most tools don't.
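The four items above (global suppression list, retention purge, named purposes, audit log) fit in one small data layer. The following is an added example, not Infonet's code or any tool's API: a single store that every campaign sends through, so the suppression check cannot be bypassed, plus a retention job and an audit entry for every action. Design choices that are assumptions rather than page requirements: the suppression list holds a SHA-256 of the normalized identifier (so it can be kept forever and shared between tools without being a copy of the contact data), and "haven't responded in 12 months" is measured from the last response, or from first contact if there never was one, so repeated outreach does not reset the clock. All names and sample prospects are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION_DAYS = 365                 # page default: delete after 12 months of silence
OPT_OUT_SLA = timedelta(hours=24)    # page: suppress within 24 hours
LAWFUL_BASIS = "legitimate interest, GDPR Art. 6(1)(f)"


def normalize(identifier: str) -> str:
    """Canonical form so one person matches across tools and campaigns."""
    return identifier.strip().lower()


def suppression_key(identifier: str) -> str:
    """Assumption/design choice: store a hash, not the raw address, so the
    suppression list can outlive the prospect record it refers to."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


@dataclass
class Prospect:
    identifier: str                  # email or LinkedIn profile URL (constructed)
    first_contacted: datetime
    last_response: Optional[datetime] = None
    in_pipeline: bool = False


@dataclass
class AuditEntry:
    timestamp: datetime
    recipient_key: str               # hashed identifier
    campaign: str
    sender: str
    lawful_basis: str
    action: str                      # "sent" | "blocked" | "suppressed" | "deleted"


class OutreachStore:
    """One global suppression list, one prospect table, one audit log."""

    def __init__(self) -> None:
        self.suppressed: dict[str, datetime] = {}   # key -> when the opt-out arrived
        self.prospects: dict[str, Prospect] = {}
        self.audit: list[AuditEntry] = []

    def _log(self, now, key, campaign, sender, action, basis=LAWFUL_BASIS) -> None:
        self.audit.append(AuditEntry(now, key, campaign, sender, basis, action))

    def add_prospect(self, identifier, first_contacted, in_pipeline=False) -> None:
        self.prospects[normalize(identifier)] = Prospect(identifier, first_contacted, None, in_pipeline)

    def record_response(self, identifier, when) -> None:
        self.prospects[normalize(identifier)].last_response = when

    def opt_out(self, identifier, received_at, now) -> bool:
        """Suppress globally and permanently; returns whether the 24h SLA was met."""
        key = suppression_key(identifier)
        self.suppressed.setdefault(key, received_at)   # never overwritten, never removed
        self._log(now, key, "*", "system", "suppressed", basis="objection, GDPR Art. 21")
        return now - received_at <= OPT_OUT_SLA

    def is_suppressed(self, identifier) -> bool:
        return suppression_key(identifier) in self.suppressed

    def send(self, identifier, campaign, sender, now) -> bool:
        """Every campaign sends through here, so the suppression check is not optional.
        Returns True if the message may go out; a blocked attempt is still logged."""
        key = suppression_key(identifier)
        if key in self.suppressed:
            self._log(now, key, campaign, sender, "blocked")
            return False
        self._log(now, key, campaign, sender, "sent")
        return True

    def purge_stale(self, now) -> list[str]:
        """Retention rule from the page: delete prospects with no response in
        RETENTION_DAYS that are not in pipeline. Suppression entries survive."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        deleted = []
        for norm, p in list(self.prospects.items()):
            last_activity = p.last_response or p.first_contacted
            if not p.in_pipeline and last_activity < cutoff:
                self._log(now, suppression_key(p.identifier), "*", "retention-job",
                          "deleted", basis="retention policy")
                del self.prospects[norm]
                deleted.append(norm)
        return deleted


if __name__ == "__main__":
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    store = OutreachStore()
    store.add_prospect("alice@example.com", now - timedelta(days=400))
    store.send("alice@example.com", "q1-campaign", "rep-1", now)
    store.opt_out("Alice@Example.com ", now - timedelta(hours=2), now)
    print("may send again:", store.send("alice@example.com", "q2-campaign", "rep-2", now))
    print("purged:", store.purge_stale(now))
    for entry in store.audit:
        print(entry.timestamp.isoformat(), entry.action, entry.campaign, entry.lawful_basis)
```

The audit list is what you would export when defending a complaint: each row carries the time, the (hashed) recipient, the campaign, the sender and the lawful basis, including blocked attempts and retention deletions, which are the two things a complainant is most likely to ask about.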

FAQ

Can I use LinkedIn data for cold email outreach in the EU?

Yes, under legitimate interest, provided the outreach is professional, relevant, and proportionate. You must respect opt-outs and provide a clear privacy notice.

What if a prospect emails me asking what data I have on them?

GDPR Article 15 requires you to respond within 30 days with a copy of their personal data and the purposes you process it for. Have a process documented in advance.

Does GDPR apply if I'm a US company?

Yes, if you target EU residents. The GDPR applies based on the data subject's location, not the controller's. A US SaaS prospecting EU contacts is fully under GDPR.

Try this playbook with Infonet

Free 14-day trial. AI-personalized LinkedIn outreach with home IP protection. From $39/mo.
