Is It Legal to Cold Email New UK Companies? GDPR & PECR Rules for B2B Outreach
You've got a list of freshly incorporated UK companies. Directors' names, registered addresses, SIC codes — all public data from Companies House. You want to email them about your accountancy practice, your insurance brokerage, or your web design agency.
But is it actually legal?
The short answer: yes — B2B cold email is legal in the UK. But there are rules. Two overlapping pieces of legislation govern what you can and can't do: the UK GDPR (data protection) and PECR (electronic marketing). Get them right and you have a powerful, compliant sales channel. Get them wrong and you risk ICO enforcement action and fines.
Here's exactly how it works in 2026.
The two laws you need to understand
Most people talk about "GDPR compliance" as a single thing. In reality, cold email to UK businesses is governed by two separate but overlapping regulations:
You need to comply with both. PECR tells you whether you're allowed to send the email at all. GDPR tells you whether you're allowed to process the recipient's personal data (their name, email address, etc.) in order to send it.
The good news: for B2B cold outreach to limited companies, both laws are on your side — as long as you follow the rules.
PECR: The corporate subscriber exemption
PECR is where most of the confusion lives. Under PECR, you generally need consent before sending unsolicited marketing emails to individuals. But there's a critical exception for businesses.
The ICO (Information Commissioner's Office) is clear on this point:
This is the corporate subscriber exemption, and it's the legal foundation for B2B cold email in the UK. A newly incorporated limited company is a corporate subscriber. You can email its general business address (info@company.co.uk) or any address that routes to the company — without needing consent first.
The sole trader and partnership exception
There's an important caveat. Sole traders and partnerships are NOT corporate subscribers. Under PECR, they're treated like individual consumers, which means you DO need consent to email them unsolicited marketing.
This distinction matters because Companies House data includes various entity types:
| Company type | Corporate subscriber? | Cold email allowed? |
|---|---|---|
| Private limited company (Ltd) | Yes | Yes |
| Public limited company (PLC) | Yes | Yes |
| Limited liability partnership (LLP) | Yes | Yes |
| Community interest company (CIC) | Yes | Yes |
| Sole trader | No | Consent needed |
| General partnership | No | Consent needed |
The vast majority of new incorporations at Companies House — over 95% — are private limited companies (Ltd). If you're working from Companies House incorporation data, you're almost certainly dealing with corporate subscribers.
UK GDPR: Legitimate interest for B2B outreach
Even though PECR allows you to email corporate subscribers without consent, UK GDPR still applies whenever you process personal data. A director's name and email address are personal data, even when used in a business context.
To process that personal data lawfully, you need a legal basis. For B2B cold outreach, the relevant basis is legitimate interest (Article 6(1)(f) of the UK GDPR).
Legitimate interest works like this: you can process someone's personal data without their consent if:
- You have a legitimate interest — growing your business by reaching potential clients is a legitimate commercial interest
- The processing is necessary — you need their name and email to contact them; there's no less intrusive way
- It doesn't override their rights — the individual wouldn't be surprised or harmed by receiving a relevant business email
This three-part test is called the Legitimate Interest Assessment (LIA). You don't need to file it anywhere, but you should document it internally. If the ICO ever asks, you need to show you considered it properly.
When legitimate interest works (and when it doesn't)
Legitimate interest is strong when your outreach is relevant, targeted, and proportionate. Here's how it plays out in practice:
| Scenario | Legitimate interest? |
|---|---|
| Accountant emails newly incorporated Ltd companies offering tax setup services | Strong ✓ |
| Insurance broker emails new construction companies about public liability cover | Strong ✓ |
| Web agency emails new companies offering website design | Strong ✓ |
| Irrelevant product blast to thousands of random companies | Weak ✗ |
| Repeated emails after someone has asked you to stop | Unlawful ✗ |
| Selling email lists of directors to third parties without transparency | Unlawful ✗ |
The key principle: would the recipient reasonably expect to receive this email? A new company director receiving an email from an accountant offering help with their first year's accounts? Completely reasonable. The same director receiving emails about industrial machinery when they run a consultancy? Not reasonable.
This is why sector targeting matters. Using SIC codes to match your outreach to the right type of company isn't just better marketing — it's better compliance.
The seven rules for compliant B2B cold email
Putting PECR and GDPR together, here are the concrete rules for legally emailing new UK companies:
1. Only email corporate subscribers without consent
Limited companies, LLPs, PLCs, and CICs are corporate subscribers. You can email them without prior consent under PECR. Sole traders and general partnerships require consent — treat them like consumers.
2. Have a legitimate interest and document it
Write a brief Legitimate Interest Assessment. It doesn't need to be complex — just a paragraph explaining why your outreach is relevant to the recipient, why you need their data to make contact, and why their interests aren't overridden. Keep it on file.
3. Include a clear opt-out in every email
Every marketing email must include a simple, working unsubscribe mechanism. This is non-negotiable under both PECR and GDPR. A one-click unsubscribe link at the bottom of your email is the standard approach. When someone opts out, honour it immediately — continued emailing after an opt-out request is unlawful.
4. Identify yourself clearly
Your email must clearly identify who you are. Include your company name, registered address, and a way to contact you. Hidden identities or misleading sender names are a compliance failure and a trust killer.
5. Be transparent about where you got their data
Under GDPR, when you contact someone for the first time using data you didn't collect directly from them, you must tell them where you obtained their information. For Companies House data, this is straightforward:
This single sentence satisfies your transparency obligation and builds trust. Directors know their incorporation is public record — being upfront about it demonstrates professionalism, not intrusion.
6. Keep your data accurate and up to date
GDPR requires personal data to be accurate. If someone's details change or they ask you to correct their information, you must comply. Using stale data — emailing directors who resigned months ago, or contacting dissolved companies — is both a compliance risk and a waste of time.
This is where data freshness matters. Emailing a company that incorporated yesterday is far more compliant (and effective) than blasting a list you bought six months ago. The data is current, the context is obvious, and the recipient understands exactly why you're contacting them.
7. Don't email individuals at their personal addresses
The corporate subscriber exemption covers emails sent to business email addresses — addresses associated with the company. If you somehow obtain a director's personal Gmail or Hotmail address and email them marketing content, you're in consumer-email territory and need consent.
Stick to business domains and company-associated addresses. If a director has registered their company with a personal email address at Companies House, proceed with caution — while the data is public, the line between business and personal communication becomes blurry.
Common mistakes that create compliance risk
Most ICO enforcement actions against B2B emailers stem from a handful of avoidable mistakes:
No unsubscribe link
This is the single most common violation. Every email must have a working opt-out. No exceptions. The ICO has issued fines for this alone, even when the underlying data processing was otherwise lawful.
Ignoring opt-out requests
When someone clicks unsubscribe or replies "stop", you must remove them from all future marketing within a reasonable timeframe — the ICO expects this to happen within days, not weeks. Continued emailing after an opt-out request escalates a minor compliance issue into a genuine enforcement risk.
No privacy information
Failing to tell people who you are, where you got their data, and how to opt out is a GDPR transparency violation. It's also the fastest way to trigger a complaint to the ICO. A single sentence at the bottom of your email solves this.
Bulk blasting without targeting
Sending identical marketing emails to every new company regardless of sector weakens your legitimate interest argument. If you're an accountant emailing 50,000 companies across every industry, that's harder to justify than emailing 2,000 new construction companies in your region. Relevance strengthens compliance.
Buying data from unknown sources
If you purchase email lists from a third-party provider, you're responsible for ensuring that data was collected lawfully. Cheap, scraped lists from unknown origins are a compliance minefield. Stick to data sources you can verify — Companies House is a public register maintained by the UK government, which makes it one of the cleanest, most defensible data sources available.
Why newly incorporated companies are the safest outreach target
From a compliance perspective, newly incorporated companies are arguably the lowest-risk cold email target in B2B marketing. Here's why:
- Public data source: Companies House is a UK government register. The data is publicly available by design and by law. Using it is not a privacy violation — it's using data for exactly the purpose for which it was published
- Clear legitimate interest: New companies demonstrably need services. An accountant emailing a week-old company about tax registration isn't speculative — it's responding to an obvious, time-sensitive need
- Reasonable expectation: Directors who incorporate a company know their details become public. They expect to receive business communications — most are actively hoping to hear from relevant service providers
- Fresh, accurate data: Contacting a company within days of incorporation means the data is current. The director is still the director. The company is still active. The need is still real
- Corporate subscriber status: Newly incorporated Ltd companies are automatically corporate subscribers under PECR, removing the consent requirement for electronic marketing
Compare this with, say, buying a three-year-old email list of unknown origin and blasting it with generic marketing. The compliance difference is enormous.
Compliant new company data, delivered daily
NewCo Data delivers sector-filtered lists of newly incorporated UK companies every morning — sourced directly from Companies House, with director details included. GDPR-friendly by design.
Cold calling rules: how they differ
While this guide focuses on email, it's worth noting that cold calling has different rules under PECR:
- B2B cold calls are legal — you can call businesses without consent, provided they haven't registered with the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS)
- You must screen against TPS/CTPS — calling a number registered on these lists without consent is a PECR violation. The ICO actively enforces this
- New companies won't be on TPS/CTPS yet — a company that incorporated yesterday hasn't had time to register. This creates a natural compliance window for phone outreach to new businesses
Combining compliant cold email with well-timed phone follow-up is the approach most B2B sellers find most effective. Email first (day 1-2 after incorporation), phone follow-up (day 3-5), and a second email if no response (day 7-10).
What about LinkedIn outreach?
LinkedIn messages (InMails and connection requests) are not covered by PECR — they're governed by LinkedIn's own terms of service, not UK electronic marketing law. However, GDPR still applies to any personal data processing involved in your targeting.
In practice, LinkedIn outreach to new company directors is a useful complement to email. You can find the director on LinkedIn using their name from Companies House data, send a connection request with a personalised note, and follow up once connected.
This sits comfortably within legitimate interest — you're using publicly available Companies House data to identify a relevant business contact, then reaching out via a professional networking platform.
ICO enforcement: what actually happens
The ICO's approach to B2B email enforcement is proportionate but real. Some context on how they prioritise:
- Complaint-driven: Most ICO investigations begin with a complaint. If nobody complains, enforcement is unlikely — but that doesn't mean non-compliance is safe
- Fines are increasing: The ICO issued over £2.4 million in fines for unsolicited marketing in 2025. Most were for B2C violations, but B2B cases are growing
- Focus areas: No unsubscribe, no sender identification, ignoring opt-outs, and excessive volume are the most common triggers
- Proportionality: A small business that emails 500 targeted companies with clear opt-outs is treated very differently from a bulk operation blasting millions with no identification
The practical reality: if you follow the seven rules above, your enforcement risk is minimal. The ICO isn't targeting well-run B2B outreach to relevant audiences. They're targeting spam operations and repeat offenders.
A compliance checklist for your next campaign
Before you hit send on your next outreach to newly incorporated companies, run through this checklist:
If you can tick every box, your outreach is compliant, defensible, and professional. You're not just following the law — you're building trust with potential clients from the first touchpoint.
Start reaching new companies — compliantly
NewCo Data delivers fresh Companies House incorporation data every morning, filtered by sector and region. Director names, SIC codes, and registered addresses — all from the UK's official public register.