The complete 2026 compliance guide to cold email, PECR, UK GDPR, and the Data (Use and Access) Act 2025 — written for the people who actually run link building outreach.
Cold outreach is the engine of link building. Every guest post, every digital PR placement, every resource-page link, and every broken-link pitch starts with an unsolicited email to someone who never asked to hear from you. That single fact puts the entire discipline squarely inside the United Kingdom’s data protection regime — and most link builders run their outreach in near-total ignorance of it. They worry endlessly about deliverability and almost never about lawfulness, despite the fact that the same email can be perfectly deliverable and completely unlawful at the same time.
This guide is the definitive UK reference for the people doing the work: in-house SEOs, agency outreach teams, freelancers, and founders who prospect their own links. It explains the two regimes that govern your outreach — PECR and UK GDPR — how the Data (Use and Access) Act 2025 has reshaped both during 2025 and 2026, what a lawful cold email actually looks like, and how to build an outreach process that survives a complaint to the regulator. If you are new to the wider discipline, start with our primer on what link building is and the broader outreach guide; this article is the compliance layer that sits underneath all of it.
A note on scope: this article explains UK regulation and industry practice. It is not legal advice, and with PECR fines now reaching £17.5 million, a UK business with material outreach volume should take qualified advice on its own arrangements. What follows is the practitioner’s map of the territory — and a close companion to our guide on UK disclosure requirements under ASA and CAP, which covers the advertising-disclosure side of the same compliance picture.
1. The two regimes that govern every outreach email
The first thing to understand is that UK cold outreach is governed by two separate laws at once, and they answer two different questions. People conflate them constantly, and the conflation is the source of nearly every mistake. PECR asks whether you are allowed to send the message at all. UK GDPR asks whether you are allowed to process the personal data — the name and email address — that the message depends on. You must satisfy both.
| Regime | Full name | The question it answers | Enforcer & penalty |
|---|---|---|---|
| PECR | Privacy and Electronic Communications Regulations 2003 | May you send this marketing message by electronic means? | ICO — fines up to £17.5m post-DUAA |
| UK GDPR | UK General Data Protection Regulation (as amended by DUAA 2025) | Do you have a lawful basis to process this person’s data? | ICO — fines up to £17.5m or 4% global turnover |
Notice that both are now enforced by the same regulator — the Information Commissioner’s Office — and both carry the same headline maximum penalty since the Data (Use and Access) Act 2025 raised the PECR ceiling from £500,000 to align with UK GDPR. In practice the ICO reserves the largest fines for egregious cases: high-volume unsolicited sending, missing or broken unsubscribe mechanisms, and ignored opt-outs. But the legal exposure is real, and the reputational exposure — a public ICO enforcement notice — is arguably worse for an agency than the fine itself.
Why “it’s just a business email” is the wrong mental model
The most common misconception in link building outreach is that emailing a work address is somehow outside data protection law because it belongs to a company rather than a person. This is wrong, and understanding why is the foundation of everything else. PECR draws a line between corporate subscribers and individual subscribers — but that line is about the subscriber (who pays for the line or service), not about whether a human is identifiable. An address like sarah.jones@bigcompany.co.uk identifies a living individual, Sarah Jones, so UK GDPR engages on her personal data regardless of what PECR says about the corporate subscriber. The two regimes operate on different axes, and you can clear one while breaching the other.
2. PECR: when you are allowed to send
Regulation 22 of PECR is the provision that makes B2B link building outreach possible at all. It governs unsolicited marketing by electronic mail, and its treatment of corporate versus individual subscribers is the single most important distinction for outreach teams to master.
The corporate-subscriber exemption
PECR’s consent requirement for unsolicited marketing email does not apply in the same way to corporate subscribers — limited companies, LLPs, and public bodies. This is the exemption that lets you send a cold pitch to a named employee at a registered company without first obtaining their consent. It is why B2B outreach, including the kind that underpins most link building strategies, is lawful in the UK in a way that B2C cold email generally is not.
The individual-subscriber trap
Here is where outreach teams get caught. The corporate exemption does not extend to individual subscribers, and the category is broader than people expect. Sole traders, unincorporated partnerships outside Scotland, and anyone using a personal-domain address (a @gmail.com or @outlook.com address, even for business) are treated as individual subscribers — and emailing them with unsolicited marketing generally requires prior consent. A great many bloggers, freelance journalists, and one-person businesses that link builders pitch to fall into exactly this category. The blogger you want a guest post from, operating under their own name from a Gmail address, is an individual subscriber, and the corporate exemption does not protect that send.
| Recipient type | Example | PECR position on cold marketing email |
|---|---|---|
| Corporate subscriber | Named employee at a Ltd / LLP / plc | Exemption applies — no prior consent needed |
| Generic corporate alias | info@company.co.uk | Exemption applies, but UK GDPR transparency still bites |
| Sole trader / unincorp. partnership | A freelance writer trading as themselves | Individual subscriber — consent generally required |
| Personal-domain address | janedoe@gmail.com | Treated as individual subscriber — consent generally required |
The mandatory conditions that always apply
Even when the corporate exemption applies, PECR imposes conditions on every marketing email you send. These are non-negotiable and are the most commonly failed part of the regime:
- Identify yourself clearly — your real name and the organisation on whose behalf you are sending must be obvious, never disguised in the From field or subject line.
- Provide a valid reply address the recipient can use to opt out.
- Include a clear, working opt-out mechanism in every message, and honour opt-outs promptly once received.
- Do not obscure the sender’s identity or use misleading subject lines — worth remembering when you read our data on subject lines that get opened, because a subject line that lifts open rates by misrepresenting the email’s purpose is both a deliverability risk and a PECR breach.
3. UK GDPR: the lawful basis you actually rely on
Clearing PECR is only half the job. Because every personalised cold email processes someone’s personal data — their name, role, and email address, often enriched with data about their employer and recent work — UK GDPR requires you to identify a lawful basis under Article 6 before you process it. For cold B2B outreach, that basis is almost always legitimate interests (Article 6(1)(f)). Consent is the alternative, but consent is rarely workable in cold outreach for the obvious reason that you cannot ask someone’s permission to email them by emailing them.
The legitimate interests basis — and why DUAA 2025 strengthened it
The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025 with key data protection provisions taking effect on 5 February 2026, made a change that directly benefits link builders: it codified into the body of the UK GDPR what was previously only stated in a recital — that direct marketing can constitute a legitimate interest. This does not give you a free pass; it gives you firmer footing. Direct marketing is now an expressly recognised example of a legitimate-interest purpose, which makes the basis easier to rely on with confidence, provided you still do the work the basis demands.
A related DUAA innovation, “recognised legitimate interests” (a new seventh lawful basis that removes the balancing test for certain narrowly defined public-interest activities such as crime prevention and safeguarding), does not cover commercial marketing. Outreach link builders cannot rely on it. The ICO’s final guidance on recognised legitimate interests, published on 23 March 2026, confirms the narrow scope. Your basis remains ordinary legitimate interests — which means you still have to pass and document the three-part test.
The three-part legitimate interests assessment (LIA)
To rely on legitimate interests lawfully you must carry out and document a Legitimate Interests Assessment before you send. This is the single most-skipped compliance step in link building, and it is also the cheapest insurance you can buy: a one-page LIA per campaign type is usually enough, and the ICO publishes a free template. The assessment has three parts.
- Purpose test — Is there a genuine, specific business interest? “Contacting the editor of a relevant trade publication to propose a data-led story” qualifies. “Emailing 10,000 scraped addresses to ask for links” does not, because it is neither specific nor relevant to the individual.
- Necessity test — Is the processing necessary to achieve that interest, or could you achieve it in a less intrusive way? Tightly targeted outreach to genuinely relevant recipients passes; bulk untargeted sending fails because the same goal could be met with far less data.
- Balancing test — Do your interests override the recipient’s rights and reasonable expectations? A senior marketer at a company in your niche would reasonably expect relevant professional approaches. A private individual at a personal address would not. Relevance is what tips the balance in your favour.
The practical genius of this framework is that it rewards exactly the behaviour that also makes outreach effective. The same relevance and targeting that pass the balancing test are what drive reply rates, as our work on outreach psychology and negotiating link placements demonstrates. Compliant outreach and effective outreach are the same outreach. Spray-and-pray is both unlawful and ineffective; precise, relevant, well-researched pitching is both lawful and high-performing.
4. Where you got the data: sourcing and its hidden liability
How you obtained a prospect’s email address is a compliance question in its own right, and it is the area where link builders most often inherit risk without realising it. The ICO has been consistent that the public availability of data does not remove your data protection obligations — finding an address on a company website, in a LinkedIn profile, or via Companies House does not by itself make processing it lawful. You still need your own lawful basis, and you still owe the individual transparency about what you are doing.
First-party, second-party, and third-party data
| Data type | How you got it | Compliance risk for outreach |
|---|---|---|
| First-party | You researched and verified it yourself | Lowest — you control sourcing and can evidence it |
| Second-party | Shared with you via a partnership | Moderate — verify the partner’s lawful basis and DPA |
| Third-party | Bought or rented from a list broker | Highest — broker-collected consent does not transfer to you |
The bought-list problem
Buying email lists is the highest-risk sourcing method in UK outreach, and link builders should treat it as effectively off-limits. The core legal problem is that consent or lawful basis established by a broker does not transfer to you — you become a new controller with your own obligations, and you typically cannot evidence how the data was originally collected or whether the individuals were told it might be used for outreach like yours. Bought lists also wreck deliverability, which is its own reason to avoid them; we explain the sender-reputation mechanics in our guide to email warm-up and domain reputation. The compliant alternative is first-party prospecting: research each target, verify the address, and record where and when you found it.
Tooling, enrichment, and AI prospecting
The rise of AI-assisted prospecting raises the stakes here. When you use the kind of automated workflows described in our guides to AI agents for link prospecting and the broader AI-assisted link building workflow, you are processing personal data at scale, and the lawful-basis and transparency obligations scale with it. Two principles keep AI prospecting compliant: only process data for genuinely relevant, targeted outreach (which preserves your balancing-test position), and ensure any enrichment provider or outreach tool you use can demonstrate its own lawful sourcing and offers a data processing agreement. Automation does not dilute responsibility — it concentrates it.
5. What a lawful cold outreach email actually contains
Theory meets practice in the email itself. A cold outreach message that satisfies both PECR and UK GDPR has a recognisable anatomy, and once you internalise it you can audit any pitch in seconds. The good news is that none of these elements harms response rates; several improve them by signalling professionalism.
- A genuine, identifiable sender — your real name and organisation, not a disguised or misleading identity.
- Relevance the recipient would recognise — a clear, specific reason you are contacting this person in this role, which is also your balancing-test evidence.
- Transparency about data source — a brief, honest line on how you found them if it is not obvious (“I came across your work on X”), so that if they ask “how did you get my email?” you have an answer ready.
- A working opt-out — an easy way to decline further contact, honoured promptly. A simple “just let me know and I won’t follow up” can suffice for genuine one-to-one outreach, but a clear mechanism is safer at any scale.
- A link to your privacy information — a short pointer to where the recipient can read how you handle their data and exercise their rights.
The transparency obligation people forget
UK GDPR’s transparency principle means the individual is entitled to know who is processing their data, why, and how to object — even in cold outreach. You do not need to paste a full privacy notice into a pitch, but you do need a lawful way for the recipient to access that information, typically a link to your privacy policy. From 19 June 2026, the DUAA also gives individuals a new right to complain directly to the data controller before going to the ICO, which makes having a clear, responsive complaints route a practical necessity rather than a nicety. An outreach operation that cannot field a “why are you emailing me and how did you get this?” query is one annoyed recipient away from a regulator’s attention.
Follow-ups, sequences, and multi-channel outreach
Sequencing is where good intentions quietly drift into non-compliance. Every message in a follow-up sequence is a fresh marketing communication and must independently meet the PECR conditions — each one needs the opt-out, and an opt-out received at any point ends the sequence immediately. When outreach goes multi-channel — email plus LinkedIn plus other touchpoints — each channel carries its own rules, and a LinkedIn message is not a free workaround for someone who has opted out of email. The discipline of stopping cleanly when someone declines is also, not coincidentally, the mark of professional rejection handling: the same restraint that protects you legally protects your sender reputation and your brand.
6. How the regimes interact with the rest of your compliance stack
Cold-outreach compliance does not sit in isolation. It is one face of a larger UK compliance picture that every serious link building operation has to manage, and the pieces reinforce one another.
| Compliance surface | Governs | Where it connects to outreach |
|---|---|---|
| PECR + UK GDPR (this article) | Whether and how you may contact prospects | The outreach send itself |
| ASA / CAP Code | Whether resulting content is labelled as advertising | When outreach leads to paid placement |
| Google spam policies | Whether resulting links are attributed correctly | When outreach yields a paid or incentivised link |
| DUAA 2025 | Amends UK GDPR and PECR; raises PECR fines | Cuts across all data-driven outreach |
The link to the advertising side is the one outreach teams most often miss. If your outreach succeeds in arranging a paid or gifted placement, you have just triggered the disclosure obligations covered in our companion guides on UK disclosure requirements under ASA and CAP and nofollow, UGC, and sponsored attributes. The data protection regime governs the approach; the advertising regime governs the result. A campaign can be flawless on the GDPR side and still breach the CAP Code at the finish line if the resulting content is not labelled. Treat the two as bookends of a single compliant process, and document both in your link building SOPs and playbooks.
7. The failure modes that get UK link builders in trouble
Across ICO enforcement and the everyday near-misses that never reach the regulator, the same failure patterns recur. Recognising them in your own pipeline is most of the defence.
Failure 1: the scraped-and-blasted list
The classic mistake: a tool scrapes thousands of addresses, an automated sequence fires at all of them, and the campaign treats relevance as optional. This fails the necessity and balancing tests under UK GDPR, frequently catches individual subscribers in breach of PECR, and tanks deliverability all at once. It is the single most common pattern and the single most avoidable.
Failure 2: ignoring or burying the opt-out
An opt-out that is hard to find, slow to action, or quietly ignored on follow-ups is a direct PECR breach and one of the things the ICO most reliably acts on. The fix is procedural: opt-outs must be honoured promptly across every channel and every future campaign, which means maintaining a suppression list that all your sending respects.
Failure 3: no documented lawful basis
If a recipient or the ICO asks why you were entitled to process someone’s data and you have no Legitimate Interests Assessment to point to, you have failed the accountability principle even if your sending was otherwise reasonable. The absence of documentation is itself the violation. A short, dated LIA per campaign type closes this gap entirely.
Failure 4: misleading sender or subject
Disguising who you are, or using a subject line that misrepresents the email’s purpose to lift open rates, breaches PECR’s identification requirements. This is a tempting shortcut because it sometimes works in the short term, but it converts a deliverability tactic into a compliance liability. Honest, relevant subject lines — the kind our subject-line testing data shows perform best anyway — keep you on the right side of the line.
Failure 5: treating PR outreach as exempt
Some teams assume that pitching journalists and editors — through services like Connectively, Featured, and Qwoted, or via direct expert commentary pitches — sits outside data protection because it is “press relations,” not marketing. It does not. Pitching a named journalist still processes personal data and still needs a lawful basis, though relevance to their beat usually makes the balancing test straightforward. The exemption people imagine does not exist; the relevance that makes the pitch land is what actually protects it.
8. The UK cold-outreach compliance checklist
Run every outreach campaign through this checklist before the first send. If any box is unticked, the campaign is not compliant.
| # | Compliance check | Regime |
|---|---|---|
| 1 | Have you confirmed recipients are corporate — not sole traders or personal addresses? | PECR |
| 2 | Is there a documented Legitimate Interests Assessment for this campaign type? | UK GDPR |
| 3 | Is the outreach genuinely relevant to each recipient’s role? | UK GDPR (balancing) |
| 4 | Can you evidence where and when you sourced each address? | UK GDPR (accountability) |
| 5 | Did you avoid bought or rented lists? | PECR + UK GDPR |
| 6 | Is the sender identity genuine and the subject line honest? | PECR |
| 7 | Does every message — including follow-ups — contain a working opt-out? | PECR |
| 8 | Is there a suppression list that all future sending respects? | PECR |
| 9 | Can the recipient reach your privacy information and a complaints route? | UK GDPR + DUAA |
| 10 | If outreach yields a paid placement, is the resulting content disclosed? | ASA / CAP — see Article 177 |
That tenth row is the bridge to the rest of your compliance stack, and it is the one outreach specialists forget because it falls outside their immediate job. The send can be perfect and the outcome still non-compliant. Treat the whole arc — from first email to published link — as one process with one owner.
9. Building a compliant outreach operation at scale
For a freelancer sending a handful of considered pitches a week, compliance is mostly a matter of good habits. For an agency running thousands of touches a month across many clients, habit is not enough — you need a system, because volume guarantees that an ad-hoc approach eventually lets an unlawful send through. A defensible system has four components.
Documented: LIAs and a sourcing record
Maintain a short Legitimate Interests Assessment for each campaign type and a record of how prospect data was sourced. This is the evidence that turns “we were being reasonable” into “we can demonstrate we were reasonable,” which is the difference the accountability principle demands. Both belong in your standard operating procedures as mandatory artefacts, not optional extras.
Procedural: a suppression list that everything respects
A single, central suppression list that every campaign and every channel checks before sending is the most important operational control you can build. Opt-outs are not per-campaign; they are permanent and cross-channel. One person opting out of one pitch must never receive another from anywhere in your operation.
Technical: verification, DPAs, and provider hygiene
Verify addresses before sending to protect both compliance and deliverability, use providers that offer data processing agreements and enforce opt-outs, and configure your tooling so that the compliant choice is the default. The same monitoring discipline that supports the benchmarking clients expect also surfaces the bounce rates and complaint signals that flag a compliance problem early.
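As an added example (not the article's own tooling, and not any provider's product), the Python below turns the section 8 checklist and the section 9 suppression list into a pre-send gate that every message in a sequence must pass; the personal-domain set, the entity-type labels and the opt-out phrase pattern are assumptions to be adapted to your own templates.

```python
import re
from dataclasses import dataclass

# Constructed set of consumer mailbox domains. The article treats addresses on
# personal domains as individual subscribers; extend this for your own operation.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Assumption: opt-out wording is detected by a phrase check against your templates.
OPT_OUT_RE = re.compile(r"\b(opt[\s-]?out|unsubscribe|let me know and I won.?t follow up)\b", re.I)

# Assumed entity labels a researcher records; only these attract the corporate exemption.
CORPORATE_ENTITIES = {"ltd", "llp", "plc", "public_body"}


@dataclass
class Prospect:
    email: str
    entity_type: str        # "ltd", "llp", "plc", "public_body", "sole_trader", "partnership"
    source: str             # sourcing record: where and when the address was found
    consent: bool = False   # prior consent held (required for individual subscribers)


@dataclass
class Message:
    sender_name: str
    organisation: str
    subject: str
    body: str
    privacy_url: str


def normalise(email: str) -> str:
    """Suppression entries must match however the address was typed."""
    return email.strip().lower()


def subscriber_class(p: Prospect) -> str:
    """Corporate-subscriber exemption applies only to registered entities on their own domain."""
    domain = p.email.rsplit("@", 1)[-1].lower()
    if domain in PERSONAL_DOMAINS or p.entity_type not in CORPORATE_ENTITIES:
        return "individual"
    return "corporate"


def check_send(p: Prospect, m: Message, suppression: set, lia_on_file: bool) -> list:
    """Return the compliance findings for one send; an empty list means it may go ahead."""
    findings = []
    if normalise(p.email) in suppression:
        findings.append("recipient is on the suppression list (opted out)")
    if subscriber_class(p) == "individual" and not p.consent:
        findings.append("individual subscriber without prior consent (PECR reg. 22)")
    if not lia_on_file:
        findings.append("no documented Legitimate Interests Assessment (UK GDPR accountability)")
    if not p.source.strip():
        findings.append("no sourcing record for this address")
    if not m.sender_name.strip() or not m.organisation.strip():
        findings.append("sender identity not clearly stated (PECR)")
    if not OPT_OUT_RE.search(m.body):
        findings.append("no opt-out wording in message body (PECR)")
    if not m.privacy_url.startswith("https://"):
        findings.append("no link to privacy information (UK GDPR transparency)")
    return findings


def run_sequence(p, steps, suppression, lia_on_file, opt_out_after=None):
    """Send follow-ups only while every step passes; an opt-out ends the sequence for good.

    opt_out_after simulates the recipient declining after the step with that index."""
    sent = []
    for i, m in enumerate(steps):
        if check_send(p, m, suppression, lia_on_file):
            break
        sent.append(i)
        if opt_out_after == i:
            suppression.add(normalise(p.email))  # central list: every later campaign sees it
    return sent


def demo() -> dict:
    """Constructed prospects and pitch to exercise the gate."""
    suppression = {"former.contact@example.co.uk"}  # constructed prior opt-out
    editor = Prospect("sarah.jones@bigcompany.co.uk", "ltd", "masthead page, 2026-03-02")
    blogger = Prospect("janedoe@gmail.com", "sole_trader", "about page, 2026-03-02")
    pitch = Message("Alex Example", "Example Outreach Ltd", "Data-led story on UK payroll trends",
                    "Hi, I came across your recent piece on payroll and have a data-led story "
                    "for your section. If it isn't relevant, just let me know and I won't follow up.",
                    "https://example.com/privacy")
    return {
        "editor": check_send(editor, pitch, suppression, True),
        "blogger": check_send(blogger, pitch, suppression, True),
        "sequence": run_sequence(editor, [pitch, pitch, pitch], set(), True, opt_out_after=0),
    }
```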
Cultural: relevance as the organising principle
The deepest protection is cultural. An outreach team that treats relevance as the point — not a constraint — naturally passes the balancing test, naturally avoids bought lists, and naturally writes honest subject lines, because all of those follow from caring whether the recipient actually wants to hear from you. This is the same ethic this journal argues for throughout, and it connects directly to link building ethics in 2026 and to future-proofing your backlink profile: the operation built on genuine relevance is the one that survives both the next regulatory tightening and the next algorithm update.
10. Cross-border outreach: which country’s rules apply
UK link builders rarely confine their outreach to UK recipients. The moment you pitch an editor in Berlin, a blogger in Dublin, or a marketing lead in New York, you have stepped into another jurisdiction’s rules — and the governing law is generally determined by where the recipient is, not where you sit. This is the dimension competitors almost never address, and getting it wrong is how a clean UK process produces a complaint in a country with far less forgiving enforcement.
Emailing into the EU
Pitching recipients in the EU brings EU GDPR and the relevant national implementations of the ePrivacy rules into play, and these are often stricter than the UK’s. The legitimate-interests basis still exists — EU GDPR’s Recital 47 expressly recognises direct marketing as a possible legitimate interest — but national rules diverge sharply on electronic marketing. Germany, in particular, is consent-heavy and is commonly enforced toward a double-opt-in standard even for business contacts; France is more permissive for profession-related approaches. The practical consequence is that a single pan-European campaign cannot assume the comparatively workable UK corporate-subscriber position applies everywhere. Enforcement is real: EU regulators have issued six-figure fines for commercial prospecting violations, and the trend is upward.
Emailing into the US and elsewhere
The United States runs on a different model entirely. Federal CAN-SPAM is comparatively permissive — it permits unsolicited commercial email provided you identify yourself, do not mislead in headers or subject lines, include a physical postal address, and honour opt-outs promptly — but several US states layer additional requirements on top, and Canada’s CASL is markedly stricter, closer to a consent regime. The lesson is not to memorise every regime but to recognise that “it’s fine under UK rules” is not a defence when the recipient sits elsewhere.
| Recipient location | Governing regime | Practical posture for outreach |
|---|---|---|
| United Kingdom | PECR + UK GDPR (DUAA-amended) | Corporate exemption + documented legitimate interests |
| European Union | EU GDPR + national ePrivacy rules | Stricter; some states effectively require consent |
| United States | CAN-SPAM + state laws | Permissive federally; identify, opt-out, postal address |
| Canada | CASL | Strict; closer to a consent-based regime |
The workable approach for a UK operation pitching internationally is to hold yourself to a single high standard that satisfies the strictest jurisdiction you regularly contact — genuine relevance, honest identification, a working opt-out, documented basis, and clean sourcing — rather than trying to run a different ruleset per country. That high standard is, once again, simply good outreach, and it travels across borders in a way that corner-cutting never does. It also dovetails with the deliverability reality that international sending stresses sender reputation hardest, a theme we develop in our guide to email warm-up and domain reputation.
11. Frequently asked questions
Is cold email legal for link building in the UK?
Yes, for B2B outreach to corporate subscribers, provided you identify yourself, include a working opt-out, and have a documented legitimate-interests basis under UK GDPR. It is stricter than US rules but workable. Outreach to sole traders and personal addresses generally needs prior consent.
Do I need consent to email a prospect?
Usually no, for named employees at registered companies — you rely on legitimate interests instead, which the DUAA 2025 expressly recognises as a valid basis for direct marketing. Consent is generally required for individual subscribers such as sole traders and personal-domain addresses.
What is a Legitimate Interests Assessment and do I really need one?
It is a short, documented three-part test (purpose, necessity, balancing) that records why your outreach is lawful. Yes, you need it — the absence of documentation is itself a breach of the accountability principle, and the ICO publishes a free template.
Can I buy an email list for outreach?
You should treat bought lists as off-limits. Consent or lawful basis established by a broker does not transfer to you, you usually cannot evidence lawful sourcing, and bought lists severely damage deliverability. First-party prospecting is the compliant path.
What changed with the Data (Use and Access) Act 2025?
Key provisions took effect on 5 February 2026. It codified direct marketing as a recognised example of legitimate interest, added a separate “recognised legitimate interests” basis (which does not cover marketing), raised the maximum PECR fine to £17.5m, and from 19 June 2026 gives individuals a right to complain directly to the controller.
Does GDPR apply if I’m only pitching journalists?
Yes. Pitching a named journalist processes personal data and needs a lawful basis like any other outreach. Relevance to their beat usually makes the legitimate-interests balancing test straightforward, but the obligation does not disappear because it is “PR.”
Conclusion: lawful outreach is better outreach
The instinct is to read data protection as a brake on link building — friction layered onto an already hard job. The reframe that experienced UK operators eventually reach is the opposite: the rules describe, almost exactly, what good outreach looks like anyway. The legitimate-interests balancing test rewards relevance. The transparency principle rewards honesty about who you are and why you are writing. The opt-out discipline rewards respecting a no. Every one of those is also what lifts reply rates and protects sender reputation. Compliant outreach and effective outreach converge.
So the practical path is the same one this journal argues for everywhere. Stop trying to contact everyone and start contacting the right people with something genuinely relevant. Document your basis, source your data first-hand, honour every opt-out, and label whatever your outreach produces. Build all of it into your standard operating procedures, and you convert a regulatory burden into a quiet competitive advantage — the kind of disciplined, trustworthy operation that the next generation of UK clients will increasingly insist on. For the advertising-disclosure half of the same picture, read UK disclosure requirements under ASA and CAP, and for the technical link-attribution half, nofollow, UGC, and sponsored attributes.
This article explains UK regulation and industry practice and is not legal advice. Businesses with material outreach volume should seek qualified legal advice on their specific arrangements. Regulatory positions, the DUAA 2025 implementation timeline, and ICO enforcement priorities are current as of mid-2026.
