- GDPR gives you six legal bases for processing personal data. For B2B outreach, the two that matter most are consent (opt-in) and legitimate interest - and they cover different things.
- Legitimate interest can cover B2B email outreach to professional addresses, but it does not override PECR rules on calls, and it does not work as a blanket justification for every type of processing an AI agent does.
- The moment an AI agent processes prospect data - enriching, segmenting, scoring, personalising - it is processing personal data under GDPR. The legal basis needs to cover every step, not just the final send.
The moment you add AI agents to your outreach workflow, a question that was already fuzzy becomes urgent: what legal basis are you actually relying on to process this data?
Most B2B teams have a vague sense that “legitimate interest” covers their outbound activity. Some have opt-in consent for parts of their list. Many have neither clearly documented - they just send and hope the distinction never matters.
When outreach was manual, that ambiguity was risky but contained. A human sending 30 emails a day operates at a scale where mistakes are small and correctable.
AI agents change that equation. An agent that enriches a list, segments it by persona, generates personalised openers, and triggers a multi-channel sequence is processing personal data at every step. Each of those steps needs a legal basis. And “we think legitimate interest covers it” is not a legal basis - it is a hope.
This guide explains how opt-in consent and legitimate interest actually work in the context of AI-assisted B2B outreach, where each one applies, and the specific mistakes that put teams at risk.
The two legal bases that matter for B2B outreach
GDPR provides six lawful bases for processing personal data. For B2B sales and marketing, two of them are relevant in practice.
Consent (opt-in)
The prospect has explicitly agreed to receive communications from your organisation. This needs to be freely given, specific, informed, and unambiguous. A pre-ticked checkbox does not count. A general privacy policy does not count. An email address submitted for a whitepaper download does not automatically count as consent to receive sales outreach - unless the form specifically said so and the prospect actively opted in.
Consent is the strongest legal basis because it is the clearest. The prospect said yes. You can prove it. But it is also the hardest to scale, because you need to collect it before you reach out - which is a challenge when your entire outbound strategy is based on reaching people who have not heard of you yet.
Legitimate interest
You have a genuine business reason to process the data, the processing is necessary for that purpose, and the prospect’s rights do not override your interest. This is the basis most B2B teams rely on for cold outreach.
Legitimate interest is more flexible than consent, but it comes with obligations. You need to conduct a legitimate interest assessment (LIA), document it, and be able to demonstrate that you balanced your business interest against the prospect’s reasonable expectations and rights.
“We want to sell them something” is a business interest. But it only holds up if the processing is proportionate, the prospect would reasonably expect to be contacted in this context, and you have given them an easy way to opt out.
How the two bases apply to different channels
This is where teams get confused, because the rules are not the same across email, phone, and LinkedIn.
B2B email to a professional address
In the UK, PECR allows unsolicited B2B marketing emails to corporate subscribers (business email addresses) without prior consent, provided there is a legitimate interest, the message is relevant to the recipient’s professional role, and every email includes a clear and functional unsubscribe mechanism.
This is the so-called “soft opt-in” or corporate subscriber exemption. It is why most B2B cold email to professional addresses is legal - but it only applies to professional addresses at identifiable organisations, not personal email accounts.
B2B email to a personal address
If a prospect uses a personal email address (Gmail, Hotmail, iCloud, etc.), PECR treats them as an individual subscriber. Unsolicited marketing emails to individual subscribers require prior consent. Legitimate interest is not sufficient here.
This distinction matters because a lot of enrichment tools return personal email addresses alongside professional ones. If your AI agent is sending outreach to every email in the enriched dataset without distinguishing between professional and personal, you are likely breaching PECR for a portion of your list.
Phone calls
As covered in the TPS guide, unsolicited sales calls to individuals require either that the number is not on the TPS register, or that the individual gave specific prior consent. Legitimate interest does not override TPS registration.
For calls to corporate numbers (main switchboard, general reception), the CTPS register applies and legitimate interest can be used - but you still need to screen against the CTPS first.
LinkedIn messages
LinkedIn is a platform, not a communication channel you control. LinkedIn’s own terms of service govern what you can and cannot send through their messaging system. GDPR still applies to how you process the data (storing their profile, enriching it, segmenting them), but the outreach itself is governed by LinkedIn’s rules on top of that.
Where AI agents complicate the picture
An AI agent does not just send a message. It processes personal data at multiple stages, and each stage needs to be covered by a legal basis.
Enrichment is processing
When an AI agent takes a name and a company and enriches it with an email, phone number, job title, seniority, and company data, it is processing personal data. That processing needs a legal basis. If you are relying on legitimate interest, your LIA needs to cover the enrichment step - not just the outreach step.
Segmentation and scoring is processing
When an AI agent segments a list by persona, scores leads by fit, or decides which sequence a prospect should enter, it is making decisions based on personal data. That is automated decision-making under GDPR. If those decisions have a significant effect on the individual (determining whether they are contacted, how they are contacted, or what they are offered), additional safeguards may apply under Article 22.
Personalisation is processing
When an AI agent generates a personalised opening line using a prospect’s job title, company, industry, and recent activity, it is processing personal data to create new content. The legal basis needs to cover this use, and the prospect should be able to understand - if they ask - what data was used and how.
Storage and reuse is processing
If enriched, segmented, scored, and personalised prospect data is stored for future use - in a CRM, a saved list, or a reusable dataset - that ongoing storage is also processing. Legitimate interest may cover it, but only if retention is proportionate and time-limited. Keeping prospect data indefinitely “in case we want to reach out again” is hard to justify under a legitimate interest assessment.
The mistakes that actually cause problems
Treating legitimate interest as a default
Legitimate interest is not a fallback for “we do not have consent.” It is a legal basis with its own requirements: a documented assessment, a balancing test, and a clear rationale. If you have not conducted an LIA for your outbound activity, you do not have a valid legal basis - you have an assumption.
Not distinguishing professional from personal emails
This is one of the most common compliance gaps in B2B outreach. An enrichment tool returns a mix of professional and personal email addresses. The team sends to all of them under legitimate interest. But legitimate interest (via the PECR corporate subscriber exemption) only covers professional addresses. Personal addresses require consent.
Your data pipeline needs to flag or filter personal email domains before they reach the outreach workflow. This is not optional.
Assuming the legal basis covers the entire pipeline
A team might have a reasonable legitimate interest argument for sending a cold email. But that same argument might not cover the enrichment step, the AI-driven segmentation, the automated personalisation, or the indefinite storage of the prospect’s data. Each processing activity needs to be covered - not just the final touchpoint.
No opt-out mechanism or delayed opt-out processing
Every outreach message needs a clear, functional way for the recipient to opt out. When an AI agent is running sequences, opt-out requests need to be processed immediately - not batched weekly. If a prospect unsubscribes and receives another message the next day because the suppression list had not synced, that is a breach regardless of your original legal basis.
No record of the legal basis decision
If the ICO asks what legal basis you relied on for a specific outreach campaign, you need to be able to answer with documentation - not memory. Record which basis applies to which list, which campaign, and which processing activity. This is especially important when AI agents are involved, because the processing is automated and the volume is high.
How to get this right in practice
Conduct and document an LIA
If you are relying on legitimate interest for B2B outreach, write down the assessment. What is the business interest? What processing is necessary? What would the prospect reasonably expect? How do their rights weigh against your interest? What safeguards are in place (opt-out, data minimisation, retention limits)? This does not need to be a legal brief - it needs to be a clear, honest document that shows you thought it through.
Separate professional and personal emails in your pipeline
Before any outreach is triggered, classify email addresses as professional or personal. Professional addresses at identifiable company domains can be contacted under the corporate subscriber exemption. Personal addresses cannot - unless you have explicit consent. Build this filter into your cleaning or enrichment step, not your sequence tool.
Map the legal basis to each processing step
Do not just assign a legal basis to “outbound.” Map it to each stage: data collection, enrichment, storage, segmentation, personalisation, and outreach. If the basis changes between steps (consent for one, legitimate interest for another), document that clearly.
Make opt-out immediate and agent-proof
When a prospect opts out, the suppression must propagate to every system that could contact them - including AI agents. If your agent pulls from a list that is cached or not real-time synced with your suppression list, the opt-out will not take effect in time. Architect the suppression as a hard block at the data layer, not a filter at the send layer.
Set retention limits and enforce them
Decide how long you will keep prospect data and stick to it. If a prospect has not engaged in 12 months, do you still have a legitimate interest in holding their data? Probably not. Automated retention policies - where records are archived or deleted after a defined period - are much safer than relying on someone to remember to clean the database.
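The checks above (classify professional versus personal addresses, require the right legal basis for each, treat the suppression list as a hard block, screen numbers before dialling, and enforce a retention limit) can be written as one gate that runs before any record reaches a sequence tool. The following is an added example written for this article; it is not DataFixr's code or the code of any product mentioned here. The consumer-domain list, the `Prospect` field names, the `lia_ref` parameter, the sample records and the suppression entries are all constructed for illustration.

```python
"""Pre-send gate for an AI-assisted B2B outreach pipeline (added example).

Every record passes through gate() before a sequence can touch it. A record is
only released when no blocking reason remains, and the legal basis relied on
is recorded alongside the decision so it can be evidenced later.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed list of consumer mailbox providers. In production this would be a
# maintained dataset rather than a hard-coded set.
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "icloud.com", "yahoo.com"}

RETENTION_DAYS = 365  # the article's 12-month test for continued legitimate interest


@dataclass
class Prospect:
    email: str
    last_engaged: date
    consent_recorded: bool = False            # explicit opt-in on file for this person
    phone: Optional[str] = None
    phone_tps_registered: Optional[bool] = None  # None = not yet screened


@dataclass
class Decision:
    email: str
    allowed: bool
    legal_basis: Optional[str]
    reasons: List[str] = field(default_factory=list)


def classify_email(email: str) -> str:
    """Return 'professional', 'personal' or 'invalid' for an address."""
    if email.count("@") != 1:
        return "invalid"
    local, domain = email.strip().lower().rsplit("@", 1)
    if not local or "." not in domain:
        return "invalid"
    return "personal" if domain in PERSONAL_DOMAINS else "professional"


def gate(p: Prospect, suppression: set, lia_ref: Optional[str], today: date) -> Decision:
    """Decide whether p may enter an email sequence, and on what legal basis.

    lia_ref is the identifier of the documented legitimate interest assessment
    (assumed field); without one, legitimate interest is never relied on.
    """
    reasons: List[str] = []
    basis: Optional[str] = None
    email = p.email.strip().lower()
    kind = classify_email(email)

    if kind == "invalid":
        reasons.append("unparseable email address")
    # Suppression is checked first: an opt-out overrides any legal basis.
    if email in {s.strip().lower() for s in suppression}:
        reasons.append("address on suppression list")
    # Retention: no engagement inside the window means no continued interest.
    if today - p.last_engaged > timedelta(days=RETENTION_DAYS):
        reasons.append("no engagement within retention period")
    # Legal basis depends on the address class.
    if kind == "personal":
        if p.consent_recorded:
            basis = "consent"
        else:
            reasons.append("personal address without recorded consent")
    elif kind == "professional":
        if p.consent_recorded:
            basis = "consent"
        elif lia_ref:
            basis = f"legitimate interest (corporate subscriber exemption, {lia_ref})"
        else:
            reasons.append("no documented LIA for legitimate interest")

    return Decision(email, not reasons, basis if not reasons else None, reasons)


def call_allowed(p: Prospect) -> bool:
    """A number is dialled only after TPS screening, and only if it is not
    registered or the person gave specific prior consent."""
    if not p.phone or p.phone_tps_registered is None:
        return False  # unscreened numbers are never dialled
    return (not p.phone_tps_registered) or p.consent_recorded


def run_sample() -> List[Decision]:
    """Run the gate over constructed sample records (not real people)."""
    today = date(2025, 6, 1)
    suppression = {"Dan@acme.io"}  # constructed opt-out entry
    prospects = [
        Prospect("Jane.Doe@Example-Corp.com", date(2025, 3, 1)),
        Prospect("bob@gmail.com", date(2025, 5, 1)),
        Prospect("carol@icloud.com", date(2025, 5, 20), consent_recorded=True),
        Prospect("dan@acme.io", date(2025, 5, 25)),
        Prospect("eve@oldco.com", date(2023, 1, 10)),
        Prospect("broken-address", date(2025, 5, 1)),
    ]
    return [gate(p, suppression, "LIA-2025-03", today) for p in prospects]


if __name__ == "__main__":
    for d in run_sample():
        print(d.email, "ALLOW" if d.allowed else "BLOCK", d.legal_basis or d.reasons)
```

The gate returns a reason for every block rather than silently dropping the record, which gives you the per-record audit trail the ICO may ask for, and it sits at the data layer so a cached list in the sequence tool cannot bypass the suppression check.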
Wrapping up
The legal framework for B2B outreach has not changed just because AI agents are doing the work. What has changed is the scale, the speed, and the number of processing steps involved.
Consent covers what the prospect explicitly agreed to. Legitimate interest covers what they would reasonably expect, provided you have documented the assessment and balanced their rights against your interest. Neither is a blanket permission, and both require more rigour when AI agents are processing data at every stage of the pipeline.
The teams that get this right do not treat compliance as a checkbox at the end of the workflow. They build it into the data layer - classifying emails, screening numbers, documenting legal bases, enforcing suppression, and setting retention limits before any agent touches the data.
DataFixr separates professional from personal emails, validates phone numbers against TPS, and enforces retention and governance controls at the data layer - so your compliance posture is built into the pipeline, not bolted on after. Request early access.
