Cold Email in 2026: Definition, GDPR Framework, and Rules to Follow in France

You've heard the term "cold email" — perhaps in a sales prospecting or growth context — and you want to understand exactly what it means, what's legal in France in 2026, and what will get you sanctioned by the CNIL if you cut corners. Here is a complete definition, along with the current legal framework.

Cold email: the definition

A cold email is a prospecting message sent to a recipient with whom the sender has no prior commercial relationship. It is the modern equivalent of direct-mail sales outreach, transposed to the email channel with its own usage norms and specific legal framework.

Three characteristics define a cold email:

  • Unsolicited — the recipient never asked to be contacted, did not voluntarily share their email with the sender, and is not expecting the message
  • Commercial — the underlying goal is to sell a product or service, or to generate a meeting that will lead to a sale (as opposed to an informational, transactional, or institutional email)
  • Personalized or semi-personalized — a relevant cold email targets a specific recipient with content tailored to their context (as opposed to generic mass spam)

Cold email should not be confused with:

  • Transactional email (invoice, order confirmation, service notification)
  • Opt-in email sent to contacts who have explicitly agreed to receive communications
  • Warm email sent after a first contact (meeting, referral, prior exchange)
  • Spam — non-personalized mass sends with no regard for relevance — although the line is blurry from a legislative standpoint

The French legal framework in 2026

The regulation of cold email in France rests on three main texts and the associated CNIL guidance:

  • The GDPR (General Data Protection Regulation, applicable since 2018) — governs the use of personal data across the entire European Union
  • The LCEN (Loi pour la Confiance dans l'Économie Numérique — France's Digital Economy Trust Act, 2004), in particular Article L.34-5 of the French Postal and Electronic Communications Code — sets the specific rules for commercial prospecting by electronic means
  • CNIL guidance published and regularly updated on commercial prospecting by email

The basic principle: sending an email for commercial prospecting purposes is regulated, but the rules differ sharply depending on whether the recipient is an individual (B2C) or a professional (B2B).

B2C cold email: opt-in is mandatory

For commercial email prospecting targeting individuals, the French rule is clear: explicit prior consent (opt-in) is required before any send.

In practice, this means you cannot send a cold email to `marie.dupont@gmail.com` simply because you obtained her email address somehow. You must be able to prove that Marie Dupont:

  • Was informed of the commercial prospecting purpose
  • Gave explicit consent (box voluntarily checked, signed form, etc.)
  • Received a clear privacy policy before consenting
  • Had her consent recorded in a traceable and revocable manner

Without verifiable opt-in, the send is non-compliant. Applicable CNIL penalties can reach up to 20 million euros or 4% of annual global turnover for large companies, and in practice range between €5,000 and €150,000 for SMEs depending on severity.

B2B cold email: opt-out is sufficient under conditions

For commercial email prospecting targeting professionals, the regime is more flexible: opt-out is sufficient (the right to object can be exercised after receipt, not before). But this lighter regime is conditional on several cumulative criteria:

  • The recipient is contacted in their professional capacity (the email used is the generic or named professional email linked to their company, such as `firstname.lastname@company.com`)
  • The message content is directly related to the recipient's professional activity (an IT developer can receive a software offer, not a consumer food product offer)
  • The recipient is informed of their right to object within the message and has a simple way to exercise it (unsubscribe link, dedicated email address)
  • Any objection expressed is permanently respected from the first request

This B2B opt-out regime is what makes B2B cold email operationally viable in France. Without this flexibility, commercial email prospecting would be nearly impossible in practice (collecting prior opt-in from every prospect before being able to reach out would require contacting them through another channel first — a logical paradox).

Mandatory disclosures in every cold email

Regardless of the channel or regime (B2B or B2C), every prospecting email must contain:

  1. Clear sender identity — company name, legal name, and postal address (legal notices)
  2. The purpose of the message — why you are writing (commercial proposal, meeting request, product presentation, etc.)
  3. A simple way to opt out of future emails — a clearly visible unsubscribe link, or an explicit unsubscribe email address
  4. A link to the privacy policy — accessible in one click from the email

In a B2B context, these disclosures are mandatory even under the opt-out regime. Many senders assume that the B2B regime lets them skip them — that is incorrect. Opt-out only exempts the sender from obtaining prior consent; it does not waive the other GDPR obligations.

Article 14 of the GDPR: informing recipients when data was collected indirectly

If your prospects' email addresses were obtained indirectly — through a purchased list, a directory scrape, extraction from a public website, or structural email-finding from a company name — Article 14 of the GDPR imposes an additional obligation: inform the recipient of the origin of their data.

This information must be provided within a reasonable timeframe, at most one month after collection or at the time of first contact, whichever comes first. In practice, your first cold email must state how you obtained their address (for example: "your email was retrieved from the public directory of [organisation/site]").

This obligation is regularly overlooked by B2B cold email senders and is one of the most frequent compliance failures identified during CNIL audits.

Legitimate sources for building a B2B cold email list

B2B cold email remains legal under the right conditions — but the email addresses in your list must be legitimately collected. Sources recognized as compliant under CNIL guidance include:

  • Public professional directories (Sirene, bar association directories, professional orders, etc.)
  • Company websites — a professional email publicly displayed on a company's website is considered to have been made public by its owner for professional purposes
  • Google Maps business listings — for businesses that have themselves added their email to their Google Business Profile
  • Trade shows and professional events — business cards, exhibitor directories
  • Public registers — Infogreffe, Sirene, BODACC
  • Structural email finder — reconstructing the email address from the generic `firstname.lastname@company.com` format combined with the company name

By contrast, purchasing B2B databases from questionable vendors or conducting uncontrolled scraping of social platforms (LinkedIn in particular) does not guarantee compliance — the CNIL holds the data controller (the party sending the email) responsible for verifying the legitimacy of the upstream source. See our article on LinkedIn scrapers and clean alternatives.

Deliverability: the technical side of cold email

Beyond the legal framework, a cold email must also land in the inbox to have any commercial value. Deliverability is governed technically by ISPs (Gmail, Outlook, Yahoo), which since 2024 have enforced stricter requirements:

  • Mandatory SPF, DKIM, and DMARC authentication — without these three DNS records properly configured, your domain will be flagged as unauthenticated
  • Spam complaint rate below 0.3% — above this threshold, your domain is downgraded or blocked
  • Bounce rate below 2% — above this, ISPs consider that you failed to verify your list before sending
  • Domain warm-up — a new domain must scale up gradually (4 to 6 weeks) before sending 100+ emails per day
  • Daily volume limits — typically 30 to 100 emails per day per sending address to stay under anti-spam radar

Checking email deliverability before sending has become a discipline in its own right. See our article on deliverability checking via free inbox testing and our GDPR-compliant professional email finder guide.

The place of cold email in 2026 prospecting

In 2026, cold email remains a major B2B prospecting channel, but its effectiveness is declining as inboxes become more saturated and anti-spam rules tighten. What still works:

  • Controlled volume and precise targeting — 30 highly relevant emails per day outperform 1,000 generic ones
  • Short sequences — 4 to 7 emails over 3 to 4 weeks, with the first email alone capturing more than half of all replies
  • Short messages — 50 to 150 words, one clear call to action
  • GDPR compliance built in from the start (disclosures, unsubscribe, opt-out tracking)

Practical verdict

In 2026, cold email is legal in B2B under strict but practically achievable conditions (opt-out + mandatory disclosures + legitimate source + coherent purpose). It is nearly unworkable in B2C without prior opt-in. Beyond the legal framework, operational success depends as much on the quality of the targeted list and technical deliverability as on the message content itself.

To go further: email finder, definition and how it works, what is lead generation, B2B email prospecting in real estate after the August 11, 2026 law.

Frequently asked questions

Is cold email legal in France?
Yes in B2B under strict conditions (opt-out + mandatory disclosures + legitimate source + purpose coherent with the recipient's activity). No in B2C without explicit prior opt-in.

What is the difference between cold email and spam?
Legally: no intrinsic difference — compliance with the GDPR/LCEN framework is what draws the line. In practice: a cold email that respects the rules is personalized, relevant to the recipient, and offers genuine value; spam is a mass generic send with no regard for relevance.

How many cold emails can you send per day without risking the spam folder?
Typically 30 to 100 emails per day per sending address after full domain warm-up (4–6 weeks). Beyond that, ISPs increase their suspicion and downgrade deliverability.

Do you need opt-in to send a cold email to a company whose email is publicly listed?
No in B2B, provided the other conditions are met (coherent purpose, right-to-object notice, legitimate source). An email published on a company's website is considered to have been made public by that company for professional purposes.

Are CNIL sanctions for non-compliant cold emails common?
CNIL investigations specifically targeting cold email are less frequent than those focused on large-scale data processing (HR, customer marketing, mobile apps). But sanctions do exist and are increasing — typically triggered by repeated complaints from recipients.

What is a legitimate source for a B2B cold email list in 2026?
Recognized compliant sources: public registers (Sirene, Infogreffe), professional directories, publicly accessible company websites, Google Maps business listings, structural email finder based on the company name. To avoid: purchasing questionable databases, uncontrolled scraping of social networks.

To place this topic in context, browse the complete prospecting glossary.

Try outsend for free

Build your B2B cold email list from legitimate sources: Google Maps + structural email finder + deliverability verification. Free alpha access on application.

Request free alpha access

Try outsend for free

All-in-one. Far cheaper than every competitor. Alpha access on application.

Request free alpha access