Back to Blog

Cold Email Compliance: India DPDP Act & UK PECR 2026

Hero image for Cold Email Compliance: India DPDP Act & UK PECR 2026

Two Cold Email Bubbles You Didn't Know You're Ignoring: India's DPDP Act & UK's PECR 2026

You've got SPF, DKIM, and CAN-SPAM locked down—but are your cold emails legal in the world's fastest-growing markets? The uncomfortable truth is that most marketers who've mastered US compliance are about to get burned by two quieter, stricter frameworks. India's DPDP Act and the UK's updated PECR don't just add paperwork. They rewrite the consent and opt-out rules, and ignoring them can land your IP on blacklists or worse—trigger fines up to $30 million.

The US-Centric Blind Spot

CAN-SPAM is a low bar: identify yourself, include an opt-out, don't lie in subject lines. That's it. No consent required. No legitimate purpose documentation. No distinction between corporate and personal email addresses. American emailers have built entire cold outreach stacks on this assumption. Then they target prospects in Mumbai or Manchester using the same playbook, and wonder why inboxes disappear.

Here's the irony: your technical setup might be pristine—perfect SPF records, DKIM signatures, DMARC policy at p=reject. But compliance is not deliverability. Indian and UK gatekeepers are shifting focus from technical authentication to legal basis. Microsoft 365 and Google Workspace, which dominate those markets, are increasingly checking whether your email has a lawful purpose behind it, not just whether it passes DKIM.

India's DPDP Act: It's Not About Consent, It's About Documentation

India's Digital Personal Data Protection Act (DPDP) was passed in 2023 and has been rolling out through 2026. It's India's first comprehensive data protection law, and it directly governs cold email. The biggest shock for US senders: the DPDP applies to any processing of personal data affecting Indian residents, regardless of where you send from. If you're sitting in Austin and emailing a Bangalore-based decision-maker, you're subject to Indian law.

The good news: B2B cold email is generally allowed under a "legitimate use" basis. You don't need explicit consent for every corporate prospect. But you need something US senders rarely have: documented proof of that legitimate purpose. The DPDP expects you to show:

  • Why this specific prospect matches your service (role, industry trigger)
  • Why the contact is relevant in a B2B context
  • What lawful basis you're relying on (legitimate business interest, not just "I found their email on LinkedIn")

Fines? Up to ₹250 crore—roughly $30 million USD—for serious violations. The Data Protection Board is now operational and enforcement actions are surfacing. One high-profile failure could cost you the entire year's revenue.

What This Means for Your Cold Email Stack

If you're using Apollo, Smartlead, Instantly, or any sending platform, you need to layer in compliance documentation before you hit send. Your CRM should log the specific legitimate purpose for each Indian prospect. A simple spreadsheet with the reason, the date, and the prospect's role is better than nothing. But most US setups don't even do that.

A compliant Indian cold email template looks like this: "Hi [name], saw [Company] is doing [specific event]. We help similar [vertical] companies in India with [specific value]." Then footer includes: real name, title, business address, privacy notice URL, and unsubscribe link. No generic "info@" or "sales@" emails—those are treated differently under Indian rules.

India's Cultural Twist: Hierarchy and Volume

The Indian B2B market tolerates 200-500 emails per day for typical operations—higher than EU or Canada but lower than the US. More importantly, decision-making is hierarchical. One cold email to a junior associate won't close a deal; you'll need to engage multiple stakeholders over longer sales cycles. Don't expect the same conversion rates you see in North America.

English works fine in B2B outreach, so translation isn't the issue. The issue is that most US-optimized sequences ignore Indian time zones. Sending at 10AM Eastern hits Mumbai at 8:30 PM. Your open rates will tank not because of spam filters, but because you're pinging inboxes during dinner.

The UK's PECR: Where "Soft Opt-In" Gets Tricky

The UK operates under UK GDPR plus PECR (Privacy and Electronic Communications Regulations). Post-Brexit, these rules are similar to EU GDPR but with some flexibility. The key difference from US law: the UK distinguishes between "named individuals at corporate addresses" and "generic email addresses."

Under PECR, cold email to a named individual at a corporate address ([email protected]) is generally allowed without prior consent, provided you have a legitimate interest basis. But email to generic aliases like info@, sales@, or contact@ requires active consent. Same goes for personal email addresses (gmail.com, yahoo.com) and sole trader addresses. The UK treats sole traders as individuals, not businesses. You cannot cold email them without explicit consent.

There's also the soft opt-in rule: you can email existing customers or recent contacts about similar products without explicit opt-in. But "similar" is narrowly defined—if your customer bought accounting software, you can't pitch office furniture. And you must have given them the chance to unsubscribe during the original interaction.

ICO Enforcement: The Real Teeth

The UK's ICO can fine up to £17.5 million or 4% of global revenue—whichever is higher. That's not theoretical. The ICO actively pursues cold email violations, especially when complainants pile up. One complaint? Often dismissed. Twenty complaints in a month? Expect a call.

For US senders, the trap is subtler. You might have a clean, targeted list of UK corporate prospects. You've checked they're named individuals at corporate emails. But if your unsubscribe link isn't functional—meaning it doesn't process within 24 hours and show a confirmation message—you're already in violation. Many US platforms handle unsubscribes with a lag; that lag is illegal under PECR.

What to Do About It: A Practical Checklist

If you're running cold email campaigns targeting India or the UK, here's your step-by-step remediation:

  • Audit your prospect lists for jurisdiction. Separate Indian and UK contacts from US ones. They need distinct compliance paths.
  • Document legitimate purpose for Indian prospects. For each contact, record: why this role, why this company, and what business interest justifies the outreach. Store this in your CRM or a simple spreadsheet.
  • Add a privacy notice URL to every Indian-targeted email. This is not optional. Link to a clear page explaining how you handle personal data and how recipients can exercise rights.
  • Check sender identification. Your email footer must include real name, title, and business address—not just a P.O. Box.
  • Review generic email addresses in UK lists. Remove or obtain consent for info@, sales@, and similar aliases. Only named individuals at corporate domains are safe.
  • Test your unsubscribe flow. One-click, immediate processing, confirmation message. No delays, no bouncing. Run a test from a receiving inbox.
  • Adjust sending volume. For India, cap at 500 emails per day for typical operations. For the UK, lower volumes are safer—200-300 per day—to match iInbox warming and reduce complaint risk.
  • Time zone map your sends. Use local time zones for each market. For India, aim for 10AM-2PM IST for opens. For UK, 9AM-11AM GMT/BST works best.

The Unresolved Tension

Here's the problem no one has solved yet: DPDP enforcement is still ramping up, and PECR violations are often triggered by recipient complaints rather than automated sweeps. You could be non-compliant for months without knowing. When enforcement hits, it'll hit retroactively. And blacklists don't care about your good intentions—they only care about complaint rates.

Most email platforms are not helping. They focus on deliverability infrastructure, not legal compliance. You can't just buy a "DPDP-compliant" sending tool; you have to change your outreach process. That's a team-level shift, not a tech fix.

So the real question isn't whether you can send cold email to India or the UK. It's whether you can do it while documenting every step, managing consent across jurisdictions, and building a defense that holds up under audit. Most US shops can't. If you can, you'll have a market advantage in two of the fastest-growing economies on earth—assuming the regulators don't change the rules again.

Keep building your outbound system