GDPR-Compliant Cold Email in Norway: The 2026 B2B Playbook

GDPR Article 6(1)(f) permits the processing of personal data where it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. For B2B cold email, this means you can contact a professional at their work email address without prior consent, provided three conditions are met: you have a genuine business reason, the outreach is directly relevant to their professional role, and your interest is not overridden by their privacy expectations.

In practice, this standard is consistently met for: targeted outreach to named decision-makers whose roles are publicly listed on company websites or LinkedIn, emails that are directly relevant to the specific function or challenge of the role (not generic promotions), and one-to-one or small-scale outreach rather than mass broadcasting. It is not met for: buying scraped contact lists with no data provenance, sending identical emails to thousands of contacts with no relevance filtering, or continuing to email contacts who have opted out.

Norway's Datatilsynet (the national data protection authority) has confirmed that the Marketing Control Act (Markedsføringsloven) and GDPR work in parallel for B2B communications. The Marketing Control Act Section 15 permits electronic marketing to businesses without prior consent, provided the communication is directly relevant to the recipient's business activities and includes a clear opt-out option.

Datatilsynet's guidance makes clear that 'business to business' communication is treated differently from 'business to consumer' communication under Norwegian law. When you email a VP of Sales about a sales automation tool, you are communicating in a professional capacity about a matter directly relevant to their professional role — this falls squarely within the permitted zone. When you email the same person about something unrelated to their job, or when you purchase their contact data from a source that cannot demonstrate GDPR-compliant collection, you have a problem.

The key practical requirement Datatilsynet enforces: every marketing email must include a clear and functional unsubscribe mechanism, and opt-out requests must be honoured within a reasonable time. Datatilsynet has issued fines to organisations that continued sending emails after opt-out requests were received.

A Legitimate Interests Assessment (LIA) is a documented balancing test that demonstrates why your interest in sending outreach outweighs the privacy interests of the individuals you are contacting. It does not need to be a lengthy legal document — but it does need to exist and be retrievable if Datatilsynet requests it.

Your LIA should cover three elements: Purpose (what are you trying to achieve and why is it legitimate?), Necessity (is cold email the only realistic way to achieve this, or is there a less privacy-intrusive approach?), and Balance (when weighed against the individual's reasonable privacy expectations, does your interest outweigh theirs?). For targeted, role-relevant B2B outreach to professionals at companies with a clear use case for your product, this test is straightforward to pass. Document it once and update it if your outreach targeting changes significantly.

Every B2B cold email you send in Norway — regardless of volume — must include these elements to comply with both GDPR and the Marketing Control Act.

The data provenance question is where most Norwegian cold email programmes fall short. Datatilsynet has been clear: you cannot rely on the legitimate interests basis if the contact data itself was collected without a lawful basis. A list purchased from a data broker who scraped LinkedIn profiles without consent does not give you a clean lawful basis, regardless of how relevant your outreach is.

Use these sources for Norwegian B2B outreach: Cognism has built its European contact database under GDPR from the ground up and is the most defensible choice for verified Norwegian professional data. LinkedIn Sales Navigator allows you to identify and manually export contacts who have made their professional information publicly available — this is low GDPR risk. Proff.no provides verified company and director data from the Norwegian company registry (public data). Apollo.io has moderate EU data coverage and partial GDPR compliance documentation — use it with Standard Contractual Clauses in place.

Enforcement in Norway has focused on three patterns: organisations that continued sending marketing emails after receiving opt-out requests (most common), organisations that purchased contact data from brokers without verifying the provenance of that data, and organisations that sent bulk generic email with no relevance to the recipient's professional role. Targeted, relevant, single-sender B2B outbound has not been a Datatilsynet enforcement priority.

The practical risk profile: if you are sending 50–200 targeted emails per day to named decision-makers at companies that genuinely match your ICP, using Cognism-sourced contacts, with a working unsubscribe link and a documented LIA — you are in a defensible position and are not the type of organisation Datatilsynet is targeting. If you are sending 5,000 emails per week from a purchased list to anyone with a Norwegian email address, you are a different story.

Use this checklist before activating any cold outreach programme targeting Norwegian businesses.

B2B cold email is legal in Norway under GDPR Article 6(1)(f) — legitimate interests. You need a documented Legitimate Interests Assessment, a clear opt-out mechanism in every email, and contact data sourced from GDPR-compliant providers like Cognism. Datatilsynet's position aligns with most other EU DPAs: targeted, relevant outreach to decision-makers in their professional capacity is permissible. Buying scraped lists or sending generic bulk email is not.