European B2B outbound has always been a little more cautious than US outbound, and in 2024 that caution became structural. GDPR has been in force since 2018. ePrivacy rules vary country by country. And in August 2024 the EU AI Act entered into force, with provisions phasing in through 2026. Together they form a real compliance stack that any team selling into Europe needs to understand. This is not legal advice, but it is the framework most operators are now using.
GDPR — the foundation
GDPR applies to processing of the personal data of people in the EU, whether or not the company doing the processing is established there, and a named contact's work email address is personal data. For cold outbound, the relevant points are:
- A lawful basis is required. For B2B outreach this is almost always "legitimate interest", which is not a free pass: you must be able to show that the outreach is relevant to the person's professional role, proportionate and low-impact, and that your interest is not overridden by theirs (the balancing test).
- Transparency. When you obtained the address from a third party (a data vendor, a scraper, a purchased list), the person must be told, at the latest in your first message, who you are, what data you hold, where it came from, why you are processing it and how to object. A link to a privacy notice that answers those questions is the usual mechanism.
- Right to object. Objection to direct marketing is absolute: once the prospect says stop, you must stop processing their data for that purpose immediately and must not re-add them later from another source.
- Data minimisation and storage limitation. Keep only the fields you actually use for the outreach, and only for as long as you are using them.
ePrivacy — the country-by-country layer
ePrivacy is a directive, not a regulation, so each member state implements it in its own law and the rules on unsolicited email genuinely differ. Germany's UWG (§7) requires prior express consent for email advertising and applies that rule to business addresses too, which effectively bans cold email there. France and the Netherlands are more permissive towards business addresses when the message is relevant to the recipient's professional role. Ireland sits somewhere in between, and the UK, though outside the EU, still applies PECR, its pre-Brexit implementation of the same directive, which does not require consent for emails to corporate subscribers. Before sending into any country, check the local rules: for cold email specifically they matter more than GDPR does.
The EU AI Act — the new layer
The EU AI Act classifies AI systems by risk: prohibited practices, high-risk systems, systems subject to transparency obligations (often called "limited risk"), and everything else ("minimal risk", with no obligations under the Act). Most AI tools used in sales, such as lead scoring, email drafting and reply classification, land in the last two buckets, so the question is usually whether a transparency obligation applies, not whether the tool needs a conformity assessment. The key points for outbound:
- Transparency about AI use. Article 50 requires that people are told when they are interacting directly with an AI system (a chatbot, an automated reply agent) unless it is obvious from context. A human sending an AI-drafted email is a less clear-cut case, which is why the conservative practice is to disclose it anyway: prospects should be able to find out that the communication is AI-assisted.
- Emotion recognition and biometric categorisation. The Act prohibits emotion recognition in workplaces and schools and treats it as high-risk elsewhere, with a duty to tell people they are exposed to it. Note the definition: an emotion recognition system under the Act infers emotions from biometric data. Classifying the sentiment of a text reply does not use biometric data, so most "tone analysis" in AI SDR tools falls outside that definition, whereas a tool that infers mood from a prospect's voice on a recorded call is a much closer call. Check what the tool actually consumes before assuming it is out of scope.
- Social scoring. The Act's prohibition targets scoring people on their social behaviour in ways that lead to detrimental treatment in unrelated contexts. Lead scoring for outreach prioritisation is not that. Keep it explainable anyway: under GDPR a prospect can ask how they were profiled, and if a score ever drives a decision with real consequences for the individual, the rules on automated decision-making apply.
Most of the AI Act's hard obligations target high-risk systems (medical devices, employment, law enforcement), not sales tooling. The obligations phase in on a fixed timetable: prohibited practices from 2 February 2025, general-purpose AI model duties from 2 August 2025, and the Article 50 transparency obligations together with most high-risk rules from 2 August 2026. The transparency points above therefore become enforceable in 2026.
The practical compliance checklist
- Document your legitimate interest assessment. Write one paragraph per campaign type explaining what the interest is, why outreach to this audience is proportionate, and what you did to limit the impact (role-relevant targeting, easy opt-out, short retention). Save it with a date. If a regulator or a prospect asks, you have an answer.
- Working one-click unsubscribe on every cold email, including the first one. Put it in the body and in the headers: a List-Unsubscribe header with a mailto: or https: target plus List-Unsubscribe-Post: List-Unsubscribe=One-Click (RFC 8058) is what Gmail and Yahoo now require from bulk senders, and it lets the mail client show a native unsubscribe button.
- Suppression list honoured across all domains and all sequencers. An unsubscribe from one mailbox must suppress across your whole stack, so keep a single store that every sequencer checks before sending, and normalise addresses before comparing them (trim whitespace, strip display names, lowercase the domain). Otherwise the person who unsubscribed in one tool as "Jane.Doe@Example.com" is still mailed by another tool as "jane.doe@example.com".
- Privacy notice accessible from every email — link in the signature works.
- Country-specific rules checked for Germany, France, Netherlands, and any other country where you send meaningful volume.
- AI disclosure somewhere in your footer or privacy page if you use AI to draft messages.
- Data retention policy. Delete prospects you have not engaged with in 12 months, but keep the suppression record for anyone who objected (the address, or a hash of it) so that a purge never silently re-enables outreach to someone who said no.
- Audit trail of which data came from which source and when, so that an access request or an objection can be answered with the actual provenance rather than a guess.
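The suppression, retention and audit-trail items above are really one small piece of plumbing. The following is an added example written for this page, not code from any of the tools or regulations mentioned: it merges unsubscribe events from several hypothetical sequencers into one in-memory store (standing in for whatever shared database your stack uses), normalises addresses so the same person is matched however each tool formatted them, records which system each opt-out came from, and applies the 12-month retention rule to the prospect list without ever purging the opt-out records. The domain-level suppression, the tool names, the sample events and the prospects are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from email.utils import parseaddr
from typing import Dict, List, Optional, Set


def normalise_email(raw: str) -> Optional[str]:
    """Canonical form used as the suppression key.

    Accepts 'Name <user@dom>' wrappers, stray whitespace and mixed-case
    domains. The local part is lowercased as well: RFC 5321 allows it to be
    case-sensitive, but mailbox providers do not treat it that way, and a
    suppression check must err on the side of matching.
    """
    _, addr = parseaddr(raw.strip())
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return None
    return f"{local.lower()}@{domain.lower()}"


@dataclass
class SuppressionEntry:
    email: str
    first_seen: datetime
    sources: List[str] = field(default_factory=list)  # audit trail: which tool recorded the opt-out


@dataclass
class Prospect:
    email: str
    source: str                       # provenance of the record (list vendor, event, ...)
    added: datetime
    last_engaged: Optional[datetime]  # None if the person never replied or clicked


class SuppressionStore:
    """Single opt-out store shared by every sequencer. Retention never touches it."""

    def __init__(self) -> None:
        self._entries: Dict[str, SuppressionEntry] = {}
        self._domains: Set[str] = set()

    def record_unsubscribe(self, raw_email: str, source: str, when: datetime) -> bool:
        key = normalise_email(raw_email)
        if key is None:
            return False
        entry = self._entries.get(key)
        if entry is None:
            self._entries[key] = SuppressionEntry(key, when, [source])
        else:  # same person seen via another tool: keep earliest date, extend the trail
            entry.first_seen = min(entry.first_seen, when)
            if source not in entry.sources:
                entry.sources.append(source)
        return True

    def suppress_domain(self, domain: str) -> None:
        """Hypothetical policy for 'remove our whole company' replies (not from the article)."""
        self._domains.add(domain.strip().lower().lstrip("@"))

    def is_suppressed(self, raw_email: str) -> bool:
        key = normalise_email(raw_email)
        if key is None:
            return True  # unparseable address: refuse to send rather than guess
        return key in self._entries or key.rpartition("@")[2] in self._domains

    def audit(self, raw_email: str) -> List[str]:
        key = normalise_email(raw_email)
        entry = self._entries.get(key) if key else None
        return list(entry.sources) if entry else []

    def first_seen(self, raw_email: str) -> Optional[str]:
        key = normalise_email(raw_email)
        entry = self._entries.get(key) if key else None
        return entry.first_seen.isoformat() if entry else None


def filter_send_list(store: SuppressionStore, prospects: List[Prospect]) -> List[Prospect]:
    """Run immediately before every send, in every sequencer, against the shared store."""
    return [p for p in prospects if not store.is_suppressed(p.email)]


def apply_retention(prospects: List[Prospect], now: datetime,
                    max_age: timedelta = timedelta(days=365)) -> List[Prospect]:
    """Keep prospects whose last engagement (or creation, if none) is within max_age.
    Operates on the prospect list only; suppression entries are kept for as long as
    you send at all, otherwise a purge would quietly re-enable outreach."""
    return [p for p in prospects if now - (p.last_engaged or p.added) <= max_age]


def run_demo() -> dict:
    """Constructed sample data: three opt-out events from three tools, four prospects."""
    store = SuppressionStore()
    events = [
        ("sequencer_a", "Jane Doe <Jane.Doe@Example.COM>", datetime(2024, 3, 1)),
        ("sequencer_b", "  jane.doe@example.com ", datetime(2024, 2, 15)),  # same person
        ("crm", "bob@corp.test", datetime(2024, 5, 1)),
    ]
    for source, addr, when in events:
        store.record_unsubscribe(addr, source, when)
    store.suppress_domain("corp.test")  # bob asked for his whole company to be removed

    prospects = [
        Prospect("JANE.DOE@example.com", "vendor-list", datetime(2023, 9, 1), None),
        Prospect("alice@corp.test", "vendor-list", datetime(2024, 6, 1), datetime(2024, 6, 10)),
        Prospect("carol@other.test", "conference", datetime(2023, 1, 10), datetime(2023, 11, 1)),
        Prospect("dave@nowhere.test", "webinar", datetime(2024, 9, 1), None),
    ]
    now = datetime(2025, 1, 15)
    retained = apply_retention(prospects, now)      # jane and carol age out
    sendable = filter_send_list(store, retained)    # alice blocked by domain rule
    return {
        "jane_sources": store.audit("jane.doe@example.com"),
        "jane_first_seen": store.first_seen("jane.doe@example.com"),
        "retained": [p.email for p in retained],
        "sendable": [p.email for p in sendable],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design choices matter here. The suppression store and the prospect list are separate objects so that the retention purge cannot reach the opt-out records, and every sequencer is expected to call filter_send_list against the same store rather than keeping its own copy; a per-tool suppression list is exactly the gap the checklist item warns about.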
"Compliance stopped being a legal problem and became a product problem. If your stack makes it hard to honour an unsubscribe, that's the stack's fault."
What this means for your 2025 planning
Budget for compliance as an operational line, not a one-time setup. European outbound now requires ongoing monitoring: country-by-country rule changes, AI Act phase-ins, and general tightening of regulator attention. Teams that build this into their workflow now will pull ahead of teams that treat it as a fire drill when the first warning letter arrives.