Is cold emailing leads scraped from Instagram legal under GDPR? (2026 EU guide)
Is cold emailing Instagram-extracted contacts legal under GDPR in 2026? Lawful basis, balancing test, AEPD/CNIL/ICO rules and the paperwork you need before sending.
«Is this legal?» is the question we get on almost every demo. The short answer, for cold emailing business contacts extracted from public Instagram profiles to recipients in the EU or UK in 2026, is: yes, under specific conditions, and only if you can show those conditions were met before the first email left your server. The long answer is the rest of this post.
This guide is written for growth leads, founders, and outbound operators who run campaigns into EU markets and want to stay on the right side of the GDPR without turning legal compliance into a paralysis project. It is not a substitute for a lawyer familiar with your specific situation, and the editorial policy page explains where we draw that line. But it is a usable map of how the law tends to apply to the very specific workflow of extracting public Instagram contact data and cold‑emailing B2B prospects with it.
The companion post on how to extract Instagram emails without logging in handles the technical side. This one handles the legal one.
What the GDPR actually regulates
A lot of compliance confusion comes from misreading what the GDPR does. It does not ban cold email. It does not ban scraping. It does not even ban the use of personal data found on public profiles. What it does — and what matters for outbound — is require two things:
- A lawful basis for processing personal data (Article 6).
- Adherence to a set of data protection principles (Article 5): purpose limitation, data minimisation, accuracy, storage limitation, integrity, accountability.
Every cold email campaign you run into the EU is a processing activity. The email address is personal data. The act of storing it, filtering it, sending to it, and keeping a record of the response is processing. If you cannot point to a lawful basis for each of those steps, and if you cannot demonstrate that you respected the Article 5 principles, you are not compliant — regardless of where the data came from.
The good news: there is a lawful basis available for B2B cold email, and there is a practical way to operate within the principles. The bad news: neither is automatic, and neither is what most «send first, document later» outbound setups actually do.
The lawful basis choice: legitimate interest vs consent
The GDPR offers six lawful bases. For unsolicited commercial email, only two are realistically in play:
- Consent (Article 6(1)(a)) — the recipient has given a freely given, specific, informed and unambiguous indication they want to receive your messages. By definition, a cold email recipient has not done this. Consent is the basis for newsletter subscribers, not for prospects.
- Legitimate interest (Article 6(1)(f)) — your processing is necessary for a legitimate purpose pursued by you (or a third party) and that interest is not overridden by the recipient’s rights and freedoms.
For B2B cold outreach to business contacts, legitimate interest is the basis most serious senders rely on. It is not a loophole. It is a defensible choice that requires you to do real work up front — specifically, a written balancing test — and to offer the recipient a meaningful way to opt out.
For B2C outreach to personal, consumer addresses in the EU, the answer is effectively the opposite: consent is usually required in practice, because the balance between your commercial interest and a consumer’s privacy almost always tips in the consumer’s favour. If the Instagram list you built from public data contains personal consumer addresses, cold‑emailing them under legitimate interest is not defensible — regardless of how the data was sourced. This is one of the reasons we recommend filtering aggressively for business accounts and discarding personal ones, as described in the extraction post.
The balancing test, in practice
The legitimate interest balancing test — often abbreviated LIA, for Legitimate Interests Assessment — is the document that, in the event of a complaint, decides whether you had a basis or you did not. It has three substantive parts:
- Purpose test. Is the interest you are pursuing legitimate? «Reaching out to businesses that plausibly benefit from our service» is legitimate. «Sending unsolicited marketing to whoever we can get an email for» is not.
- Necessity test. Is the processing necessary for that purpose, or could you achieve it by a less intrusive means? Cold emailing a narrow, filtered list of plausible fits is generally necessary — you cannot achieve the same pipeline through inbound alone on the same time horizon. Cold emailing an unfiltered mass list is not; the same purpose could be achieved with much less data.
- Balancing test. Does the recipient’s right to privacy override the interest? This is where filtering, relevance, and reasonable expectations matter. A founder of a B2B SaaS, whose business email is publicly displayed on their Instagram business profile, who receives one relevant message from a real company offering a relevant service, with a working opt‑out — that person has a weak privacy argument against your outreach. A private individual whose email you inferred from a domain guess, receiving bulk messages with no relevance to their role, has a very strong one.
The LIA is not a theoretical exercise. It should be a written document, maintained per campaign or per audience segment, revisited when you materially change targeting or messaging, and available to produce on request. In practice, a one‑page LIA per market segment is enough for most B2B senders. The critical property is that it existed before the campaign launched.
What «public data» does and does not get you
A dangerous myth in outbound circles is that publicly available contact details are GDPR‑free. They are not. The GDPR applies to the processing of personal data, not to the act of making it public. An email a business owner chose to publish on their Instagram profile is still personal data once you store it in your outbound tool.
What public sourcing does give you is substantial support in two specific places:
- Reasonable expectations. A business owner who has chosen to display their email on a business profile on a public social platform has created a reasonable expectation that commercial contacts will use it for commercial purposes. That weighs in your favour in the balancing test, but it does not replace the test.
- Article 14(5)(b) notice relaxation, sometimes. Under Article 14, when you collect personal data from a source other than the person themselves, you normally have to provide a privacy notice. There is a limited exception if providing that notice would involve a disproportionate effort, but it requires documentation and is narrower than operators often assume.
What public sourcing does not give you is:
- Freedom to send to personal consumer addresses.
- An excuse to skip opt‑out handling.
- Cover for misleading subject lines, impersonation, or inaccurate sender identification.
- A substitute for the LIA.
Treat «publicly available» as one factor that strengthens your position. Never treat it as the position.
Country‑level nuances: AEPD, CNIL, ICO
The GDPR is EU‑wide, but national regulators and national implementations add texture. For B2B cold email into EU markets in 2026, these are the three supervisory bodies most outbound operators touch, and a one‑line summary of how each behaves:
- Spain — AEPD. Relatively active in fining non‑compliant marketing practices, with a strong track record on transparency failures and unsolicited commercial communications under LSSI‑CE (the Spanish implementation of the ePrivacy Directive). LSSI‑CE in particular requires opt‑in for commercial electronic communications to consumers; the B2B exception is narrower than many senders assume and depends on the service being «relevant to the professional activity» of the recipient.
- France — CNIL. Also active, with detailed published guidance on B2B prospecting. CNIL accepts legitimate interest for B2B cold email in principle, but expects (a) the recipient to be contacted in their professional capacity, (b) the message to relate to their professional role, and (c) a simple opt‑out to be present and honoured.
- UK — ICO. Post‑Brexit, the UK applies UK GDPR plus PECR. ICO’s guidance on direct marketing is one of the clearer regulator documents in this space and is worth reading even if your recipients are outside the UK, because it reflects how most EU authorities think about the same questions. PECR imposes additional rules on electronic marketing, including a soft opt‑in regime that is narrower than people assume for cold outreach.
In practice, if you build your workflow to satisfy the stricter of AEPD + CNIL + ICO expectations, you are in a defensible position across the broader EU. Where local law imposes genuinely stricter rules — as LSSI‑CE sometimes does on consumer outreach — you either comply explicitly or exclude those recipients from the campaign.
The documentation you need before you send
If you take one operational change from this post, make it this one: do not send the first email of an EU campaign before you have, in writing:
- A Legitimate Interests Assessment for the campaign or audience segment.
- A record of processing activity describing what data you hold, where it came from, how long you keep it, who can access it, and on what basis.
- A privacy notice accessible from every email you send, covering Article 13/14 disclosures (who you are, why you are processing, the lawful basis, retention, recipient rights).
- A working unsubscribe path. One‑click link or clear reply‑based opt‑out that is honoured within a small number of business days and that suppresses the address from future campaigns — not just that campaign.
- A suppression list maintained across campaigns, not per campaign.
- A contact for data subject requests. A monitored email address at the sender domain, capable of handling access, rectification, objection, and erasure requests within the GDPR timelines.
None of this needs to be baroque. A serious B2B sender can stand up the full set in a few days. But the documents need to exist before the send, not after the complaint. Regulators notice the difference.
Opt‑out mechanics that actually matter
A surprising amount of outbound compliance comes down to one question: when someone says «stop», do you actually stop? The answer in most outreach stacks is «mostly», and «mostly» is the wrong answer.
Three operational checks that turn an ambiguous opt‑out into a clear one:
- Suppression list is cross‑campaign. An address that opts out of one sequence must never receive any other commercial email from you. Regulators treat per‑campaign opt‑outs as bad faith; the recipient clearly did not mean «only this campaign».
- Reply‑based opt‑outs count. If your sender monitors replies, it must recognise and honour plain‑language unsubscribe requests («please stop», «remove me», «not interested») as hard opt‑outs, not just click‑through unsubscribes. Most complaints we have seen come from senders who processed clicks cleanly and ignored replies.
- Processing of the opt‑out itself is documented. The data subject has rights under Articles 16–21; «I asked to be removed and they kept sending» is the fastest path to a formal complaint. Keep an audit trail.
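The three checks above, together with the unsubscribe and suppression items from the documentation list, map onto one small component that most outreach stacks do not actually have. The following is an added example, not code from this post or from Scraphex: a sender‑wide suppression list keyed on the normalised address (so it holds across campaigns and sending domains), a reply classifier for the plain‑language phrases named above, and an append‑only audit trail recording who asked, when, through which campaign and domain, and on what evidence. The phrase list, addresses, campaign names and domains are constructed for the example. It also handles the edge case where your own footer («Reply STOP to unsubscribe») is quoted back in a reply that is not an opt‑out.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Plain-language opt-out phrases, constructed for this example (extend per market and
# language). Deliberately broad: a false positive costs one lead, a miss costs a complaint.
OPT_OUT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunsubscribe\b", r"\bremove me\b", r"\btake me off\b", r"\bopt[ -]?out\b",
    r"\b(please\s+)?stop\b", r"\bnot interested\b",
    r"\bdo not (contact|email|write to) me\b", r"\bno (more|further) (emails?|messages?)\b",
)]


def normalize_address(raw: str) -> str:
    """Suppression key: bare address, lowercased, from 'Name <addr>' or a bare string.
    The same mailbox must not slip past the list because one campaign stored it
    in a different case or with a display name attached."""
    match = re.search(r"<([^>]+)>", raw)
    return (match.group(1) if match else raw).strip().lower()


def detect_opt_out(reply_text: str) -> Optional[str]:
    """Return the phrase that makes this reply a hard opt-out, or None.
    Quoted lines ('>') are dropped first, so a recipient is not suppressed merely
    because our own footer ('Reply STOP to unsubscribe') was quoted back to us."""
    own_lines = [ln for ln in reply_text.splitlines() if not ln.lstrip().startswith(">")]
    own_text = "\n".join(own_lines)
    for pattern in OPT_OUT_PATTERNS:
        m = pattern.search(own_text)
        if m:
            return m.group(0)
    return None


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str        # ISO-8601 UTC time the request was recorded
    address: str          # normalised address that was suppressed
    source: str           # "click", "reply" or "dsar" (Article 21 objection)
    campaign: str         # campaign the request arrived through
    sending_domain: str   # domain the original message went out from
    evidence: str         # matched phrase or event that triggered suppression


@dataclass
class SuppressionList:
    """One list for the whole sender: every campaign and every sending domain checks it."""
    _suppressed: dict = field(default_factory=dict)  # address -> first AuditEntry
    _audit: list = field(default_factory=list)       # append-only trail, never pruned

    def suppress(self, raw_address, source, campaign, sending_domain, evidence) -> AuditEntry:
        address = normalize_address(raw_address)
        entry = AuditEntry(datetime.now(timezone.utc).isoformat(timespec="seconds"),
                           address, source, campaign, sending_domain, evidence)
        self._audit.append(entry)                    # repeats are logged too
        self._suppressed.setdefault(address, entry)  # first request is the one that counts
        return entry

    def is_suppressed(self, raw_address) -> bool:
        return normalize_address(raw_address) in self._suppressed

    def process_reply(self, from_address, body, campaign, sending_domain) -> bool:
        """Honour a plain-language opt-out in an inbound reply; True if it suppressed."""
        phrase = detect_opt_out(body)
        if phrase is None:
            return False
        self.suppress(from_address, "reply", campaign, sending_domain, phrase)
        return True

    def filter_recipients(self, recipients):
        """Split a send list into (allowed, blocked); run before every send, any campaign."""
        allowed, blocked = [], []
        for r in recipients:
            (blocked if self.is_suppressed(r) else allowed).append(r)
        return allowed, blocked

    def audit_trail(self):
        return list(self._audit)


def demo():
    """Constructed scenario: opt-outs received on campaign A (domain 1) must block the
    same mailboxes on campaign B, even though B is sent from a different domain."""
    sl = SuppressionList()
    replies = {  # constructed replies to campaign A; the footer is quoted back in two of them
        "Ana Ruiz <ana@studio-example.es>": "Thanks but please stop emailing me.\n> Reply STOP to unsubscribe",
        "jean@atelier-example.fr": "Interesting, can you send pricing?",
        "Tom <tom@agency-example.co.uk>": "> Reply STOP to unsubscribe\nSure, let's talk next week.",
    }
    for sender, body in replies.items():
        sl.process_reply(sender, body, "A-es-2026-q1", "mail.example-sender.com")
    sl.suppress("maria@bakery-example.es", "click", "A-es-2026-q1",
                "mail.example-sender.com", "unsubscribe link")
    campaign_b = ["ANA@Studio-Example.es", "jean@atelier-example.fr",
                  "tom@agency-example.co.uk", "maria@bakery-example.es", "new@shop-example.de"]
    allowed, blocked = sl.filter_recipients(campaign_b)
    return allowed, blocked, sl.audit_trail()


if __name__ == "__main__":
    allowed, blocked, trail = demo()
    print("send to:", allowed)
    print("blocked by suppression list:", blocked)
    for e in trail:
        print(f"{e.timestamp} {e.address} {e.source} via {e.sending_domain}: {e.evidence!r}")
```

The two design choices worth noting: the list is a single object shared by every campaign and sending domain, which is what makes «remove me» on campaign A bind on campaign B, and the audit trail is separate from the lookup table, so a repeated request from an already suppressed address is still recorded as evidence rather than silently dropped. In a real stack the trail would be persisted to storage you can produce on request; the structure is the same.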
Common traps that turn defensible into complaint
There are four recurring patterns that turn a workflow that would otherwise be defensible into one that attracts regulator attention. All four are operational, not legal:
- Buying a list from an unverified vendor and telling yourself it is public data. You inherit the compliance posture of the source. If the vendor cannot document where the data came from and on what basis, neither can you.
- Sending to personal consumer addresses in the EU under a B2B justification. The B2B softening in the balancing test does not survive contact with a consumer inbox. Filter these out at extraction, not at send.
- Disguising commercial outreach as referrals, replies, or personal messages. Article 5’s transparency principle and national anti‑spam rules both forbid misleading sender presentation. Deceptive subject lines are one of the two or three things regulators will escalate on quickly, even at low volume.
- Ignoring opt‑outs across campaigns or between sending domains. Rotating sender domains to avoid the suppression list is exactly the behaviour that turns a regulator’s attention from «probably fine» to «deliberately evasive».
None of these are hard to avoid. They just require the operator to treat compliance as part of the workflow instead of bolted on afterwards.
When to talk to a lawyer
Three situations are worth a real conversation with counsel, not a blog post:
- You are contacting consumers in the EU at any real volume. The B2B framing above does not carry you here.
- Your data source includes special categories of data — health, ethnicity, political opinions, etc. Article 9 applies and the bar is much higher.
- A regulator or recipient has already raised a complaint. Stop sending to the relevant segment, preserve the records, and get advice before you respond.
For the day‑to‑day B2B outbound case described here, the right move is usually to formalise the workflow — the LIA, the suppression, the opt‑out path, the notice — and run. This is part of what we build for clients at Scraphex alongside the extraction and deliverability work: the same no‑login public‑data workflow described in the extraction post, with the documentation that lets you send into EU markets without inventing a compliance process from scratch. It is not legal advice, but it removes the two or three operational failure modes that turn defensible campaigns into complaints.
The short version
Cold emailing business contacts extracted from public Instagram profiles to EU recipients can be legal under the GDPR in 2026. The requirements are concrete, not mysterious: a legitimate‑interest lawful basis with a written balancing test, tight targeting to business contacts, transparent sender identification, a working cross‑campaign opt‑out, and a privacy notice linked from every send. Do those six things, measure reply rate as the quality metric, and you have a channel you can run without looking over your shoulder. Skip any of them, and you are betting that no one ever complains — which, at any real scale, is not a bet.
If you want this operated for you — extraction, filtering, deliverability, and the compliance paperwork around EU sends — you can request a free sample and we will hand‑deliver 50 filtered leads in your niche within 24–48 hours. It is the fastest way to see the workflow end to end.