Cold marketers have AI. So do we.
How I dismantled my cold-email pipeline in an afternoon, using GDPR and Claude.
The first email I see when I open my inbox in the morning is a cold pitch from someone I don't know. About five of them land every day. Sales pitches from companies I'd never heard of, recruiting outreach for jobs I don't want, conference invitations I never asked for, "influencer marketing" offers (I run an AI consulting firm for industrial SMEs; influencers are not in my buyer journey).
Each email personalized. Each one automated. None of them with my consent.
My LinkedIn settings are locked tight. I've been disciplined about not posting my email publicly for years. Doesn't matter. The mail kept coming.
So I spent an afternoon trying to understand why — and to build a defense that scaled.
The asymmetry
Cold outreach today is fully automated. The stack is mature:
- Data brokers scrape LinkedIn, business registries, and public sources to build B2B contact databases. The big ones — Apollo, ZoomInfo, Cognism, Lusha, Kaspr, Dropcontact — collectively hold profiles on tens of millions of European professionals.
- Sequencers like Lemlist, Smartlead, Instantly, La Growth Machine plug into those databases and orchestrate multi-touch email campaigns.
- Open-source mail-merge tooling does the same thing for solo prospectors at near-zero cost.
Total operating cost per cold email: under €0.01. Volume per operator: thousands per week.
The defense, until very recently, was entirely manual. Click each unsubscribe link. Reply to each sender. Block each domain. Hours per week, just to claw back signal from noise.
That asymmetry is what made cold outreach work as a category. The senders' time is cheap because it's automated; your time is expensive because it isn't.
Until now.
Why LinkedIn settings don't save you
Before I get to the playbook, it's worth understanding why "lock down your LinkedIn" — sensible as it is — doesn't actually stop the problem.
Most scrapers don't read the email displayed on your LinkedIn profile. They take your name + your company domain (yourname.com), then run pattern-guessing: firstname.lastname@, f.lastname@, firstname@, and so on. They verify each guess with an SMTP probe or a tool like NeverBounce. Whatever pattern resolves on your mail server gets added to their database, regardless of what your LinkedIn says.
This is also why I keep receiving cold mail on my legacy domain (c.bernet@cynapps.ai) — Cynapps rebranded to Araïko months ago, but every database that scraped me in 2024 still has the old address indexed. The scrapers' world doesn't update; it accumulates.
LinkedIn is the seed for these databases. It's not the source of delivery. Locking down LinkedIn slows new exposure. It does not retract existing exposure.
You need a different lever for that. The lever is GDPR.
The playbook
What follows is exactly what I did in one session. Three phases, in order.
Phase 1 — Lock down the source
Five minutes of LinkedIn settings clicks. This won't undo what's already in databases, but it stops fresh exposure.
Settings → Visibility:
- Discoverability by email → Nobody
- Discoverability by phone → Nobody
- Email visibility → 1st-degree connections only
- Off-LinkedIn visibility → Off
Settings → Data privacy:
- Permitted services → revoke every OAuth grant you don't use this week. Old apps from 2018 are still authorized to pull your data via the API. Cut them.
- Data for Generative AI improvement → Off
- Policy and academic research → Off
Settings → Data privacy → Who can reach you:
- Allow others to send you InMail → No
- Invitations to connect → restrict to "Only people who know your email address" if you want to get serious
Five minutes. Done.
Phase 2 — Cut the supply
The data brokers most likely to hold your professional data, weighted toward the French B2B market:
| Broker | Origin | Privacy contact |
|---|---|---|
| Kaspr | FR | privacy@kaspr.io |
| Dropcontact | FR | data@dropcontact.io |
| Pharow | FR | dpo@pharow.com |
| Apollo.io | US | privacy@apollo.io |
| Lusha | IL/US | privacy@lusha.com |
| Cognism | UK | privacy@cognism.com |
| ZoomInfo | US | privacy@zoominfo.com |
| ContactOut | US | privacy@contactout.com |
| RocketReach | US | support@rocketreach.co |
| Seamless.AI | US (via EU rep) | eurep@itgovernance.eu |
These ten cover roughly 80% of cold-email prospecting volume in France. The rest is a long tail you can handle reactively.
Each broker is legally obligated, under GDPR Article 17, to delete your personal data on request within 30 days. The French ones usually comply within hours. EU/UK brokers within a few days. US brokers are slower but, if they have an EU customer base, they comply — the deliverability and audit risks of being flagged by the CNIL aren't worth fighting.
Claude drafted the template. I edited a few lines and sent it:
Hello,
I am an EU resident (France) exercising my rights under the EU GDPR (Regulation 2016/679).
I request:
- Article 17 — Right to erasure: deletion of all personal data you hold about me from your database and from any list shared with customers, partners, or processors.
- Article 21 — Right to object: cessation of any further processing of my personal data for prospecting, marketing, or sales-enablement purposes, on any legal basis (including legitimate interest).
- Article 15 — Right of access: a copy of the personal data you currently hold about me, and the source(s) from which my data was collected (Article 14).
- Confirmation in writing within 30 days that this request has been executed, including suppression in any downstream system (CRM exports, customer-side caches, third-party integrations).
My identifying details:
- Full name: [your name]
- Professional email (current): [current email]
- Professional email (legacy domain, if applicable): [old email]
- Personal email: [personal email]
- Company: [your company]
- LinkedIn URL: [your profile URL]
Failure to comply within the statutory window will result in a complaint to the CNIL.
One letter. Ten sends. Two minutes total.
I tagged them with a Gmail label called GDPR opt-outs 2026 so every response, follow-up, and the inevitable 30-day deadline-tracker queries cluster automatically.
A side note: the Article 12 weapon
Several brokers replied pointing me to a web form. "Please use our Privacy Center / Removal Page to submit your request." They will all do this. It is the standard hostile-compliance move: add enough friction to the opt-out that it stops being worth doing.
This is itself a GDPR violation. Article 12(2) of the regulation requires controllers to facilitate the exercise of data subject rights and forbids them from imposing a specific procedure as a precondition. The European Data Protection Board has stated this explicitly in its Guidelines 01/2022. The CNIL has stated it. A direct email to a published privacy contact is a valid exercise of your rights — and the 30-day clock starts when you send that email, not when you fill out their form.
I pushed back on the two who tried this with a one-paragraph reply citing Article 12, EDPB Guidelines, and the CNIL. Both stopped insisting.
If you only remember one thing from this entire piece: you do not have to use their form.
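A small tracker for the ten requests, added here as an example and not the author's own tooling. It encodes the two rules above: the 30-day window runs from the day the email was sent, and a "use our form" reply neither stops nor resets it. The class and function names, the event tags and the sample data are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

WINDOW_DAYS = 30  # response window as stated in the article


@dataclass
class ErasureRequest:
    broker: str
    contact: str
    sent: date  # the clock starts the day the email is sent
    events: list = field(default_factory=list)  # (date, kind), tagged by hand

    @property
    def deadline(self) -> date:
        return self.sent + timedelta(days=WINDOW_DAYS)

    def status(self, today: date) -> str:
        kinds = {kind for when, kind in self.events if when <= today}
        if "confirmed" in kinds:
            return "closed"
        if today > self.deadline:
            return "escalate"  # day 31 or later without written confirmation
        if "form_redirect" in kinds:
            return "push_back"  # a web-form reply neither stops nor resets the clock
        return "waiting"


def worklist(requests, today):
    """Open requests, most urgent first, as (broker, status, days_left)."""
    rows = [(r.broker, r.status(today), (r.deadline - today).days) for r in requests]
    return sorted((row for row in rows if row[1] != "closed"), key=lambda row: row[2])


# Constructed sample data: brokers, addresses, dates and replies are invented.
SENT = date(2026, 1, 12)
SAMPLE = [
    ErasureRequest("Broker A", "privacy@broker-a.example", SENT, [(date(2026, 1, 12), "confirmed")]),
    ErasureRequest("Broker B", "privacy@broker-b.example", SENT, [(date(2026, 1, 14), "form_redirect")]),
    ErasureRequest("Broker C", "privacy@broker-c.example", SENT),
]

if __name__ == "__main__":
    for day in (date(2026, 1, 20), date(2026, 2, 12)):
        print(day, worklist(SAMPLE, day))
```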
Phase 3 — Counter what's already in your inbox
This is where it stopped feeling like admin and started feeling like leverage.
Phase 1 stops new exposure. Phase 2 cuts off the upstream supply. But the senders who already have you in their databases — the Justines and the Toms and the Apollo-using SDRs from Belgium — are going to keep emailing you for weeks while the broker deletion propagates.
You handle those one at a time, as they arrive. The old way: open the cold email, write a reply, send, label, move on. Ten to fifteen minutes per email.
The new way: you point Claude at that one message and it does the rest.
I connected Claude to my Gmail through Anthropic's MCP (Model Context Protocol), which lets the model read a message and create a draft directly in my inbox. So when a cold pitch lands, I give it one instruction:
Draft a GDPR opposition reply to this email, threaded under the original, citing Articles 13/14/21 and warning of CNIL escalation at day 31.
Claude doesn't run a hard-coded ruleset. It reads that one thread and writes a reply that addresses the actual sender, names their actual company, cites the actual articles, and threads under the actual conversation — in my voice. No taxonomy, no regex, no fingerprinting. I read it for a few seconds and hit send.
Ten to fifteen minutes of work becomes ten seconds. That's the asymmetry collapsing, one email at a time — which is the only way you should let it happen. More on that next.
Practical note: the Gmail connector requires a paid Claude.ai plan (Pro / Team / Enterprise) with the Gmail integration explicitly enabled. The ChatGPT and Gemini equivalents are functionally similar; the playbook is the same, only the prompt changes.
Don't let it read the whole inbox
The obvious next thought is: why one at a time? Why not point Claude at the whole inbox — "find every cold email from the past month and reply to all of them" — and clear the backlog in one sweep?
Don't. This is the part of the playbook that matters most, and it's the part the AI-productivity crowd skips.
To find the cold emails, an assistant has to read everything else first: the client thread under NDA, the HR message about someone's sick leave, the lawyer's letter, the deal you can't discuss, the thing a friend forwarded in confidence. The cold pitches might be a couple of dozen messages — buried in the several hundred others that aren't spam, every private thread in between. You've just handed an AI system far more than the task required, and on a work inbox you may have broken a confidentiality obligation the people in those threads never agreed to. GDPR calls this a failure of data minimization (Article 5(1)(c)); your clients call it a breach of their NDA.
A DPA with the vendor — Anthropic, OpenAI, Google — doesn't save you here. It governs how they handle the data you send. It says nothing about whether you had the right to send it.
The one-at-a-time rule sidesteps all of this, because a cold pitch from a stranger is the one category of mail that carries no one's secrets. You decide what the AI sees; it sees one piece of spam. Keep it that way — and it holds for every assistant, not just Claude. The trap is the batch, not the brand.
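The one-at-a-time rule can also be enforced in code before anything reaches an assistant. The sketch below is an added example, not part of the author's setup: it takes one raw message, fails closed unless it is a first contact from an unknown domain, and exports only the fields a reply draft needs. The function name, the known-domain list and the sample messages are assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

MAX_BODY_CHARS = 4000  # assumption: enough context to draft a reply, no more


def minimal_payload(raw, known_domains):
    """Return the few fields needed to draft an opposition reply, or None
    when the message is not clearly a first contact from a stranger."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = sender.rpartition("@")[2]
    if not sender or domain in known_domains:
        return None  # existing correspondent: the thread may hold someone's secrets
    if msg.get("In-Reply-To") or msg.get("References"):
        return None  # part of a conversation: fail closed, review by hand
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    # Attachments, HTML parts, recipients and all other headers are never exported.
    return {
        "from": sender,
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "body": text[:MAX_BODY_CHARS],
    }


# Constructed sample messages; every name and domain is invented.
KNOWN = {"client.example", "lawfirm.example"}
COLD = (
    "From: Justine <justine@leadgen.example>\n"
    "To: me@mycompany.example\n"
    "Subject: Quick question about your lead pipeline\n"
    "Message-ID: <abc123@leadgen.example>\n"
    "\n"
    "Hi, I saw your profile and thought you might be interested.\n"
)
CLIENT = (
    "From: Anna <anna@client.example>\n"
    "Subject: Contract draft\n"
    "\n"
    "Please keep this confidential.\n"
)
FOLLOWUP = COLD.replace("Message-ID: <abc123", "In-Reply-To: <abc123")

if __name__ == "__main__":
    for raw in (COLD, CLIENT, FOLLOWUP):
        print(minimal_payload(raw, KNOWN))
```

A threaded follow-up from the same stranger is refused as well; that is deliberate, since the gate cannot tell from one message whether you ever answered.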
The honest limits
I want to be straight about what this does and doesn't do.
It is maintenance, not a cure. Data brokers re-aggregate from public sources continuously. A one-shot opt-out has a half-life. Set a calendar reminder for six months out to repeat the broker sweep. French brokers tend to actually maintain suppression lists; US brokers re-add you. This is a tax you pay forever to the broker industry, until the regulatory landscape changes more than it already has.
Some senders will ignore you. The compliant ones — anyone with a DPO, anyone with EU customers, anyone selling into regulated industries — will respect the opposition. The non-compliant tail (solo scrapers, gmail-address operators, offshore lead-gen shops) won't reply. For them, the value of your opposition email is the audit trail it creates if you ever escalate to the CNIL. The volume from these operators is also lower, because they don't have the infrastructure to sustain real sequencing.
The CNIL has finite capacity. Filing a complaint is a meaningful escalation — not something to do casually. But threatening it in your opt-out emails costs you nothing, and the threat alone produces 80% of the compliance you'd get from actually filing.
LinkedIn lockdown trades reach for noise. Setting "Discoverability by email → Nobody" means people who actually have your email can't find you on LinkedIn. That's almost always what you want, but it does cost you some legitimate inbound — a former colleague trying to reconnect, a journalist looking to fact-check, an inbound buyer who Googled you. Decide based on your role.
What to do tonight
I spent an afternoon working this out. Executing it, once you know the moves, took about an hour:
10 minutes — Phase 1. Lock the LinkedIn settings. I had Claude walk me through each toggle. No email to send, no language to draft — just the clicks. If you do nothing else, do this.
30 minutes — Phase 2. Send the ten GDPR letters using the template above. Tag them with a label so responses cluster.
20 minutes — Phase 3. Work through the cold emails already sitting in your inbox, one at a time, to get the workflow into your hands. If you don't have Claude connected to your Gmail yet, set it up first — it's worth it beyond this, for the whole recurring class of tasks where the work is reading a thread and drafting in your voice, not just firing off a reply.
Coda
What changed isn't the law. GDPR has been in force since 2018. Your right to opt out of prospecting has been enforceable for eight years. Most of us simply didn't exercise it, because the cost of exercising rights one email at a time was higher than the cost of just deleting the emails.
What changed is that the cost is now near-zero on the defense side too. Cold outreach was asymmetric warfare for as long as the offense had tools and the defense didn't. With AI co-pilots connected to your inbox, the asymmetry collapses. The legal framework is yours. The typing is automated. The audit trail is yours.
Cold marketers have AI. So do we.
It's time we used it.
If you tried this, I'd be curious how it went. Drop a comment, or write back. And if you found this useful, share it with the person you know whose inbox is in the worst shape.