Cold email outreach is one of the lowest-cost ways to win your first clients - but most early-stage founders approach it either too aggressively or not at all, often because they are unsure whether it is even legal in the UK.
The short answer is: yes, it can be legal - if you understand the rules and apply them properly. This guide walks you through the UK regulatory framework, how to write emails people actually reply to, and how to follow up without damaging your reputation.
Is Cold Email Legal in the UK? PECR and GDPR Explained Simply
Two regulations govern cold email in the UK: PECR (the Privacy and Electronic Communications Regulations) and UK GDPR. They work together, and you need to understand both.
What is PECR?
PECR is the UK regulation that specifically controls unsolicited electronic communications - including email. It sits alongside UK GDPR and is enforced by the ICO (Information Commissioner's Office). PECR sets the rules on when you can send a commercial email to someone who has not asked to hear from you.
To send a cold email to someone in the UK, you need a legal reason to hold and use their contact details. For cold outreach, that reason is usually legitimate interests - the idea that your reason for contacting them is proportionate and wouldn't override their privacy rights if weighed fairly.
The Data (Use and Access) Act 2025 (key data protection provisions commenced 5 February 2026) has now codified direct marketing as an example of processing that may qualify under the existing legitimate interests lawful basis — which gives businesses firmer ground to stand on. But this doesn't remove the need for due diligence - you still need to carry out and document a Legitimate Interests Assessment (LIA) to show you've genuinely weighed your interests against the recipient's right to privacy.
One important note: the Act introduced a new "recognised legitimate interests" category, but this doesn't cover commercial cold email. You're working under the standard legitimate interests basis.
In practice, this means three things:
Be targeted. Only contact people you have a genuine, specific reason to reach.
Keep a record. Document why you believe you have a legitimate interest in contacting each audience or individual.
Make opting out easy. Every email must give recipients a simple, friction-free way to say no.
B2B vs B2C Cold Email: Why the Rules Are Different and Why It Matters
This is the most important distinction for a UK founder running outreach. PECR treats B2B and B2C contacts very differently.
B2C outreach requires prior consent
If you are emailing individuals (consumers) who have not opted in to hear from you, PECR requires prior consent before you send a marketing email. There is no opt-out loophole for B2C cold email - consent must come first.
Breaching this can result in serious ICO enforcement action. Since 5 February 2026, PECR penalties for breaches of direct marketing rules have been raised to the same level as UK GDPR under the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026 — meaning fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. The ICO can also issue enforcement notices requiring you to change your marketing practices directly.
When you're doing B2B cold outreach, the rules are more permissive - but they're not a free pass.
Limited companies, LLPs, Scottish partnerships, and public bodies fall outside the consent rules under PECR (the regulations that govern marketing emails). This means you don't need prior consent to contact them cold. That said, UK GDPR still applies whenever you're handling personal data - so if the email address includes someone's name (think j.smith@company.com), the data protection rules kick in alongside.
Good practice - and legal compliance - means doing all of the following:
Identify yourself and your business clearly in every email
Include a valid way for recipients to contact you or reply
Make opting out straightforward, and honour those requests promptly
Document a Legitimate Interests Assessment before you start sending
Sole traders and unincorporated partnerships (in England, Wales, and Northern Ireland) are treated the same as individual consumers under PECR - even if you found them through a business directory. That means you need either prior consent or a valid soft opt-in before emailing them. Scottish partnerships are the exception: they have separate legal personality and are treated as corporate subscribers.
One more edge case worth knowing: if a sole trader uses a personal email address - a Gmail account, for example - consent is required regardless of where you sourced their details.
A note on current ICO guidance: The ICO is actively reviewing and updating its direct marketing and PECR guidance following the Data (Use and Access) Act 2025 — its electronic mail marketing guidance carries a live notice that it is under review. Until updated guidance is confirmed, if you're targeting one-person businesses and you're not certain of their legal status, apply the consumer consent standard to stay on the safe side.
How to Write a Cold Email That Gets a Reply: The Four-Part Structure
Most cold emails fail not because of the channel, but because of the message. The instinct is to introduce yourself at length, list your services, and close with a vague 'let me know if you're interested.' That approach rarely works.
A cold email that earns a reply is short, specific, and written entirely from the recipient's point of view. Use this four-part structure:
The Four-Part Cold Email Structure
1. The Hook
One sentence that shows you have done your homework. Reference something specific about their business, their industry, or a challenge you have reason to believe they face. Generic openers are deleted. Specific openers get read.
2. The Relevance Line
One or two sentences explaining who you are and why that is relevant to them - not a bio, just the part that matters. 'I help B2B service businesses in the UK generate inbound leads without paid ads' is more useful than 'I am a marketing consultant with 10 years of experience.'
3. The Value Statement
State, briefly and concretely, what you are offering or suggesting. What would change for them if they replied? Keep this to two or three sentences. Do not oversell - you are looking for a conversation, not closing a deal in one email.
4. The Single Ask
End with one specific, low-friction request. 'Would a 20-minute call this week be useful?' works better than 'Let me know if you'd like to discuss further.' The goal is to make replying easy, not to give them a decision to make.
Aim for under 100 words if you can. The data consistently shows that brevity drives replies - elite performers average fewer than 80 words per first-touch email. If you cannot make your point concisely, the message is not clear enough yet.
Subject Lines That Work and Subject Lines That Get You Marked as Spam
Your subject line determines whether the email gets opened or deleted. The standard advice - 'make it intriguing' or 'use the person's name' - misses the point. What actually works is subject lines that feel relevant and human, not promotional.
Subject line principles that hold up
Keep it under 8 words. Make it feel like a direct message, not a campaign. Avoid anything that resembles a marketing headline.
Curiosity-led subject lines that are specific to the recipient tend to outperform generic sales pitches - but overused patterns can lose their edge as recipients become familiar with them.
'Quick question' is a widely cited example of a formula that has become so common it risks being tuned out - the principle of curiosity still holds, but the specific phrasing has worn thin.
A better rule of thumb: reference something specific to the recipient's business rather than reaching for a formula. 'Noticed your onboarding flow' will typically outperform 'Transform Your Business With Our Proven System' — but the most reliable approach is to A/B test your own audience rather than applying any universal rule.
Avoid these patterns - they trigger spam filters and erode trust:
ALL CAPS or excessive punctuation (!!!)
Words like 'FREE', 'GUARANTEED', 'ACT NOW'
Vague teaser lines: 'You won't believe this opportunity...'
Overly familiar openers: 'Hey [Name], just circling back!'
Misleading subject lines designed to trick the reader into opening - these aren't just bad practice, they're prohibited.
Regulation 23 of PECR prohibits disguising or concealing the sender's identity; Chapter 1 of Part 4 of the Digital Markets, Competition and Consumers Act 2024 (which replaced the Consumer Protection from Unfair Trading Regulations 2008 on 6 April 2025) and the CAP Code impose broader honesty requirements; and the ICO expects transparency as part of UK GDPR compliance generally.
The subject line that works best is usually the simplest one - a plain statement of what the email is about, written as one human would write to another.
The Follow-Up Sequence: How Many Times and How Far Apart
58% of all replies in a cold email sequence are generated by the first email, with the remaining 42% coming from follow-ups, according to Instantly's 2026 benchmark report analysing billions of cold email interactions. That makes a structured sequence worthwhile - not because the first email failed, but because people are busy and a single message is easy to miss or defer.
There is, however, a line between persistent and annoying. A sensible B2B sequence looks like this:
Initial email - Day 1
First follow-up - Day 4 or 5: a short nudge referencing your first message, no more than 3 sentences
Second follow-up - Day 10 or 11: a different angle or a brief addition of value - a relevant article, a specific question
Final follow-up - Day 18 to 21: a polite close. Let them know you won't follow up again, and leave the door open
Stop when someone says no - or does not respond after your sequence
If someone explicitly asks not to be contacted, stop immediately and record the opt-out. Continuing to email after an opt-out is a PECR breach. If someone has simply not replied after your full sequence, respect that silence. Move on - do not cycle the same contacts repeatedly.
Each follow-up should add something, not just restate the original email. If you are simply saying 'just checking in' repeatedly, you are training the recipient to ignore you.
How to Build a Cold Email List Without Breaking the Law
Where your list comes from matters as much as what you send. The most common mistake early-stage founders make is buying a contact list. This is almost always non-compliant under UK GDPR and PECR - and it produces poor results regardless of the compliance question.
Do not buy contact lists
Bought lists typically contain data collected without a lawful basis that covers your use, contacts who have no connection to your offer, and high volumes of stale or incorrect addresses. Using them damages your sender reputation, risks ICO attention, and almost never generates useful replies.
The compliance risk runs deeper than it might appear. Consent collected by a list broker does not transfer to your organisation unless you were specifically named at the point of collection - a position the ICO reinforced through a March 2025 enforcement action (published April 2025), fining compensation company AFK £90,000 for making 95,277 unlawful marketing calls after its third-party data supplier's consent statements did not specifically name AFK as the calling organisation. The same principle applies to email.
You are responsible for independently verifying that the data was collected with a lawful basis that covers your intended use, and for providing the required privacy information to everyone on the list within one month of obtaining it. Where you can't satisfy yourself on either point, using the list is likely to breach both UK GDPR and PECR.
Build your list manually or through legitimate sourcing. It takes longer, but every contact you add is one you can stand behind.
Legitimate ways to build a B2B cold outreach list include:
LinkedIn prospecting: identifying decision-makers by role, company size, and sector, then finding their professional contact details through the company website or public directories
Industry directories and membership bodies: many sectors publish member directories with professional contact details
Company websites: for businesses where the contact email is publicly listed alongside a clearly business-related purpose
Event attendee lists or speaker lists from relevant trade events — where the professional context is clear
Keep your list small and relevant. Research consistently shows that smaller, tightly targeted lists outperform high-volume blasts - Hunter.io's State of Email Outreach 2026 report, based on 31 million emails sent in 2025, found that sequences targeting 21–50 recipients achieved a 6.2% reply rate, compared with 2.4% for sequences of 500 or more - a 2.6× difference driven primarily by message relevance.
Fifty targeted contacts who match your ideal client profile will consistently outperform five hundred loosely matched addresses. Quality of targeting is the primary driver of reply rates - not volume.
Illustrative example - based on a common UK founder scenario, not a specific documented case
A freelance UX designer in their second year of trading is targeting SaaS companies with between 10 and 50 employees. Rather than buying a database, she manually identifies 40 companies via LinkedIn and ProductHunt, finds the relevant decision-maker for each, and locates their professional email through the company's public website. She emails each contact individually with a message referencing a specific element of their product.
Over four weeks and a two-touch follow-up sequence, she books six discovery calls - a reply rate of around 15%, well above the 3.4–4.5% platform-wide average recorded across large-scale cold email datasets (Instantly, 2026; Hunter.io, 2026; Belkins, 2025). High-volume bulk sequences of 500 or more recipients typically perform at the lower end of that range or below it.
Measuring Your Outreach: The Numbers That Tell You Whether It Is Working
Cold email outreach is not guesswork - but you only get useful signal if you track the right things from the start. Many founders measure open rates and stop there. Open rates tell you whether your subject line worked. They do not tell you whether your outreach is working.
The metrics that actually matter for an early-stage founder doing manual outreach:
Reply rate: the percentage of contacts who respond to any message in your sequence. This is your primary signal. A low reply rate points to a targeting problem, a message problem, or both.
Positive reply rate: replies that express genuine interest or agree to a call. This is the number that connects outreach to pipeline.
Opt-out rate: how many contacts ask to be removed. A high opt-out rate suggests your targeting or your message is not resonating - you are reaching the wrong people, or reaching the right people with the wrong pitch.
Conversion to meeting: of the positive replies, how many result in a call or meeting. This tells you whether your reply-handling and booking process is working.
At the volume of a typical early-stage founder running cold outreach manually - 30 to 60 contacts per month - you are not working with statistically significant data. Use the numbers directionally: if you send 40 emails and get zero replies, something is wrong. If you get 8 replies and 4 convert to calls, you have a working sequence worth repeating.
The goal for cold email as a channel is not to scale it indefinitely - it is to use it as a targeted, compliant, low-cost way to start conversations with people who do not yet know you exist. Done with discipline and UK regulatory awareness, it remains one of the most direct routes to early-stage client acquisition available to a founder.

