GDPR Cold Email Fines: Real cases, real numbers, and how to stay clear
Regulators do not fine cold email itself. They fine the mistakes around it. Here are real GDPR and AEPD marketing sanctions, what went wrong in each, and the compliant way to prospect with legitimate interest.
Legal · 6 min read
Across Europe, data protection authorities have issued thousands of GDPR fines since 2018, and a steady share of them target unsolicited marketing and email. The pattern is almost never the email itself. It is the missing lawful basis, the ignored opt-out, and the data nobody could account for.
Key takeaways
Cold email is not banned: GDPR regulates how you do it, and fines hit the process, not the channel
The legal ceiling is 20 million euros or 4% of global annual turnover, whichever is higher, but real marketing fines are usually far smaller
Legitimate interest, documented, is the lawful basis that makes B2B cold email compliant in most of the EU
Per Vonsel internal data (2026), teams using verified, public business data log far fewer bounces and complaints than those buying recycled lists
Definition
What are GDPR cold email fines?
GDPR cold email fines are penalties issued by data protection authorities for unsolicited marketing email sent without a valid lawful basis, or for ignoring opt-outs and sender identification rules. Under Article 83 GDPR they can reach 20 million euros or 4% of global annual turnover, whichever is higher, though most marketing sanctions are far smaller.
The penalty regime is set out in Article 83 of the GDPR, and the public record of enforcement keeps growing: the independent GDPR Enforcement Tracker lists thousands of decisions across the EU, with unsolicited communications a recurring category. Email marketing also falls under the ePrivacy Directive's rules on unsolicited communications, which are transposed into national law and enforced by national regulators such as Spain's AEPD alongside the GDPR.
The takeaway from the case files is consistent: according to Vonsel internal data (2026), teams that prospect with verified public business data record far fewer bounces and spam complaints than those buying recycled broker lists. Complaints are what open a regulator's file, and bounces are what get a sender flagged by mail filters. If you sell into Europe, a clean data source is your first line of defense. Our GDPR guide for B2B sales teams covers the full framework.
€20M or 4% of global turnover, whichever is higher: the GDPR fine ceiling (Article 83)
1000s of GDPR fines logged across the EU since 2018 (Enforcement Tracker)
Art. 6(1)(f), legitimate interest: the lawful basis behind compliant B2B cold email
The case files
4 real fine patterns and what went wrong
The amounts vary, but the failures repeat. These are the recurring patterns behind marketing and cold email sanctions in the EU, drawn from regulators' published decisions:
1. No lawful basis at all
A company emails a list with neither consent nor a documented legitimate interest assessment. When the regulator asks "why were you processing this person's data?", there is no answer on file. This is the single most common cause of a marketing fine, and the easiest to avoid.
2. Emailing people who opted out
The recipient unsubscribed, complained, or asked to be deleted, and the next campaign reached them anyway. Authorities treat ignoring an objection as an aggravating factor, because it shows the opt-out was never wired into the sending system.
3. Hidden or missing unsubscribe
No working opt-out link, or one so buried that recipients cannot find or use it. Both the GDPR and the ePrivacy rules require an easy, free way to object in every message. A broken unsubscribe turns one complaint into a documented violation.
4. Personal addresses scraped without context
Targeting named individuals' personal inboxes, scraped from social profiles or web pages, fails the relevance and proportionality test. B2B cold email should reach the business mailbox about a business need, not a person's private address. See using public business data for sales.
Start from clean, compliant data
Verified public business contact data, sourced and stored under EU/GDPR rules, so your outreach starts on the right side of the line. 20 verified leads when you start the free plan.
Two companies can make the same mistake and pay wildly different amounts. Regulators weigh the factors listed in Article 83(2), and a handful of them move the number most:
Factor | Lowers the fine | Raises the fine
Lawful basis | Documented legitimate interest assessment | No basis, no records
Opt-out handling | Honored immediately, suppression list kept | Objections ignored, repeat sends
Scale | Small, targeted, relevant list | Mass blast to scraped data
Cooperation | Quick fix, voluntary action | Stonewalling the investigation
History | First, isolated incident | Repeat offender, prior warnings
The decisions are public for a reason. Both the European Data Protection Board's register of decisions and national authorities publish reasoning you can learn from before you ever hit send. The cheapest compliance lesson is someone else's fine.
Regulators rarely punish the outreach. They punish the company that cannot explain where the data came from or why the email was sent.
Legitimate interest, done right
How to cold email Europe without the fine
For B2B, Recital 47 of the GDPR expressly recognizes direct marketing as a possible legitimate interest. That makes legitimate interest, documented in a short assessment, the practical lawful basis for cold outreach. Our deep dive on cold email without breaking GDPR law walks through it; here is the compliant routine:
Run a legitimate interest assessment: your interest, the necessity, the balance against the recipient's rights. Keep it on file.
Use business contact data and target the business need, not private personal inboxes.
Identify yourself and your company clearly in every message.
Include a one-click, free opt-out and wire it into a suppression list.
Honor objections and deletion requests immediately, and keep proof you did.
Red flag: bought broker list
Recycled lists carry no provenance and decay fast. You cannot document a lawful basis for data you cannot trace, and high bounce rates flag you to filters and regulators alike.
Red flag: no suppression list
If opt-outs are not enforced automatically, a single careless re-send becomes a documented violation. Maintain a suppression list from day one and check every campaign against it.
Red flag: irrelevant pitch
Legitimate interest fails the balancing test when the offer has nothing to do with the recipient's role. Segment for relevance: the wrong message to the right person is still a complaint.
Red flag: no paper trail
"We thought it was fine" is not a defense. The assessment, the source of the data and the opt-out logs are what you show the regulator. No records, no basis.
How Vonsel helps
How Vonsel keeps your data on the right side of GDPR
Vonsel's Business Finder sources verified public business data (name, address, phone, website, Google rating and a verified email per business) across 120+ countries, with 85-95% email accuracy and 90%+ phone accuracy, stored in the EU in a GDPR-compliant way. That gives you traceable, business-level contact data instead of scraped personal inboxes, so your legitimate interest assessment actually holds up. Plans on the pricing page start at €17.99/month, and the free tier includes 20 verified leads when you start the free plan.
In short:
Fines target the process, not the channel: missing basis, ignored opt-outs, untraceable data.
Document a legitimate interest assessment and keep opt-out and source records.
Start from verified public business data, not recycled broker lists, to cut bounces and complaints.
Prospect Europe with data you can account for
Verified public business contacts, sourced and stored under EU/GDPR rules, ready for compliant outreach in minutes. See plans.
Can you be fined for sending cold emails under GDPR?
Yes. Data protection authorities can fine you for sending marketing email without a valid lawful basis, for ignoring opt-outs, or for failing to identify the sender. Fines under GDPR can reach up to 20 million euros or 4% of global annual turnover, whichever is higher, though most marketing cases land in the thousands or tens of thousands.
How much are GDPR fines for cold email?
Most cold email and marketing fines in Europe range from a few thousand to several hundred thousand euros, depending on volume, intent and repeat offences. The legal maximum is 20 million euros or 4% of global turnover, but the typical AEPD marketing sanction is far smaller and often reduced for early payment.
Is B2B cold email legal under GDPR?
Yes, B2B cold email is legal under GDPR when you rely on legitimate interest, the offer is relevant to the recipient's role, you identify yourself, and you offer an easy opt-out. The data must be business contact data, not private individuals' personal addresses, and you must honor objections immediately.
What is legitimate interest in cold email?
Legitimate interest is a lawful basis under Article 6(1)(f) GDPR that lets you process business contact data for direct marketing without prior consent, provided your interest is not overridden by the recipient's rights. You must run and document a legitimate interest assessment and give a clear way to opt out.
Why do companies get fined for marketing emails?
The most common reasons are sending without a lawful basis, emailing people who already opted out, hiding or omitting the unsubscribe option, and using personal addresses scraped without context. Authorities also fine companies that cannot show records of consent or a documented legitimate interest assessment.
How do I avoid GDPR fines when prospecting?
Use verified business contact data, document your legitimate interest assessment, identify yourself in every email, include a one-click opt-out, and keep a suppression list. Avoid private personal addresses, segment for relevance, and delete data on request. Source data from compliant providers, not scraped or recycled broker lists.