B2B marketing occupies a specific space in EU data protection law that many teams either over-restrict (treating every B2B contact like a consumer) or under-protect (assuming GDPR doesn't apply to work emails). The reality is more nuanced, and the practical compliance gaps in B2B marketing are significant.
This guide explains how GDPR actually applies to B2B marketing, where B2B gets more flexibility than B2C, and where the compliance gaps typically sit in B2B outreach, ABM, and event marketing.
What's different about B2B under GDPR
The primary distinction between B2B and B2C GDPR compliance is in the ePrivacy Directive — the EU law that governs electronic direct marketing. ePrivacy, which will eventually be replaced by the ePrivacy Regulation, currently applies differently to B2B and B2C in most EU countries:
- B2C electronic marketing (to personal email addresses, consumers) requires opt-in consent in almost all EU countries
- B2B electronic marketing (to professional email addresses, employees at companies) can rely on legitimate interest in most EU countries, subject to relevance and opt-out requirements
This means cold email outreach to a CFO's work email about finance software can usually rely on legitimate interest, while the same cold email to that CFO's personal Gmail requires consent.
However, the B2B carve-out only applies to the ePrivacy layer. GDPR still applies in full to all personal data processing, including:
- The right of access (the CFO can ask what data you hold on them)
- The right to erasure (they can ask you to delete their details)
- The right to object to marketing (they can tell you to stop)
- The storage limitation principle (you can't keep their data forever)
- The accountability principle (you need to document your lawful basis)
Lawful basis options for B2B marketing
Legitimate interest is the most commonly used lawful basis for B2B marketing, and it's legally viable when:
- You have a genuine legitimate interest — typically a commercial interest in reaching potential customers for a product or service that is relevant to their role
- The processing is necessary for that interest — you couldn't achieve the same purpose with less privacy impact
- The processing doesn't override the individual's rights and interests — assessed through the balancing test
The balancing test for B2B legitimate interest typically comes down to relevance: is the product or service genuinely relevant to this professional's role? A cybersecurity platform reaching out to a CISO is far easier to justify than the same platform cold-emailing an HR manager.
Contractual necessity applies once you have a B2B customer relationship — processing for contract performance covers CRM data for existing accounts, billing contacts, and service delivery.
Consent is rarely the starting point for B2B marketing (unlike B2C), but it becomes relevant for special category data, for marketing that goes beyond the individual's professional role, and in countries with stricter B2B ePrivacy rules (Germany, Austria).
Country-level variation in B2B ePrivacy rules
This is the most under-recognised risk in EU B2B marketing: the ePrivacy Directive is implemented differently across EU member states, and several countries have stricter B2B requirements than others.
Germany: The UWG (Unfair Competition Act) requires consent for B2B electronic marketing in most cases. Legitimate interest is accepted in narrow circumstances only. Germany is the strictest major EU market for B2B cold outreach.
Austria: Similar to Germany — consent required for electronic B2B marketing.
Netherlands: The ACM (Authority for Consumers & Markets) requires either consent or a genuine existing customer relationship for B2B electronic marketing.
France, Spain, Italy, Belgium: Generally permit legitimate interest for B2B electronic marketing with proper opt-out, but enforcement activity is increasing.
Nordics: Generally more permissive for B2B outreach under legitimate interest with clear opt-out.
Operating across the EU with a single B2B outreach policy based on the most permissive country is a common and significant gap. Each country should be assessed individually for its ePrivacy implementation.
Data quality and retention: the forgotten B2B obligations
B2B CRM databases tend to grow without cleaning. Every contact record represents personal data under GDPR, and the storage limitation principle requires that it be kept no longer than necessary.
Common B2B retention issues:
- Contacts from a conference three years ago with no subsequent interaction
- Leads that never converted, retained indefinitely on the assumption they might one day
- Data from departed employees still in the CRM under the company account
- Data enrichment records with no record of when or how the data was acquired
A defensible B2B data retention policy typically includes:
- Active contacts (regular engagement or open opportunities): retained
- Inactive contacts (no engagement for 24–36 months): flagged for re-permission or deletion
- Departed employees: deleted when the departure is identified
- Source records: maintained alongside each contact showing when and how the data was collected
B2B ad copy and LinkedIn targeting under GDPR
LinkedIn advertising for B2B is subject to the same GDPR framework as other digital advertising. The LinkedIn Insight Tag is a tracking cookie that requires prior consent under ePrivacy rules. Company-based targeting (job function, seniority, company size) uses LinkedIn's own data, which users consented to when they created their profile — this shifts some of the consent obligation to LinkedIn, but you remain responsible for the lawful basis of any follow-on processing.
For B2B ad copy specifically:
- Claims about ROI, productivity gains, or business outcomes should be substantiated
- Copy that targets specific industries should not imply knowledge of individual sensitive attributes (financial difficulty, specific business problems that imply negative company status)
- Lead gen forms on LinkedIn are subject to the same disclosure requirements as any other form
Tools and processors in B2B marketing stacks
Every tool in a B2B marketing stack that processes personal data is a GDPR data processor. The standard B2B marketing stack includes multiple processors:
- CRM (Salesforce, HubSpot, Pipedrive)
- Email automation (Mailchimp, Lemlist, Apollo)
- Data enrichment (Clearbit, ZoomInfo, Lusha)
- Ad platforms (LinkedIn, Google, Meta)
- Analytics (GA4, Mixpanel, PostHog)
Each requires a data processing agreement. Data enrichment providers are a particularly common gap — companies buy enriched B2B contact lists without fully considering that the original data may not have been collected with a GDPR-compliant lawful basis.
Scan your B2B campaign copy before launch
The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.
This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.