Avoid sanctions and misuse: align your contact strategy with the GDPR.
Calculate the quote
Avvocato Arlo Canella
Messages on LinkedIn, WhatsApp, or email are increasingly being used for promotional purposes disguised as networking. But when marketing becomes intrusive, it not only loses effectiveness—it may also cross the line into unlawfulness. This article explores the rise of “digital door-to-door” sales, clarifies the boundaries set by the GDPR (European General Data Protection Regulation), and explains the legal risks faced by companies—and individual sales professionals—when they cross the line between legitimate professional outreach and unlawful conduct. It emphasizes the importance of reassessing contact strategies, prioritizing authentic content and compliance with privacy regulations.
Once upon a time, they were briefcase-carrying salespeople who rang your doorbell and tried to sell you a vacuum cleaner, an encyclopedia, or an insurance policy. Today, the door is digital: it’s called LinkedIn, WhatsApp, Instagram, or email. But the underlying logic remains unchanged. They’re still door-to-door salespeople—only now, they enter your private messages directly, often uninvited.
The difference? Back then, at least the salesperson had to look you in the eye. Today’s salespeople hide behind prewritten messages, often generated by automation software. The script is always the same: a false opening compliment—“I was impressed by your profile”, “congratulations on your career”—followed by a connection request that, in most cases, conceals a commercial agenda. A calculated approach aimed at lowering your defenses, which has nothing to do with genuine interest or building a professional relationship.
This practice, often presented as the “new frontier of relationship marketing”, is in reality a form of systemic intrusion masked as connection. A shell game between networking, spam, and misuse of personal data.
The issue is not selling per se. The issue is doing it uninvited, without creating value, confusing relationship with disruption. Serious professionals and entrepreneurs are becoming more aware: effective marketing isn’t about barging into someone’s life uninvited—it’s about making people want to open the door.
Those using LinkedIn as a cold-calling directory often delude themselves into thinking they operate in a legal gray area. But the right to personal data protection is not suspended merely because one is on a social platform. The Italian Data Protection Authority (“Garante per la protezione dei dati personali”) has clarified that LinkedIn cannot be used to send unauthorized promotional messages.
In an official ruling, the Garante stated that LinkedIn is intended to connect people with shared professional interests, not to build digital door-to-door sales networks. If a message’s purpose is to promote a service, it requires a proper legal basis, such as explicit consent or a documented legitimate interest. It should be noted that the ability to contact a profile does not imply that consent has been given. (Reference: Garante Privacy, Order No. 316/2021).
Article 6 of the GDPR clearly states that all processing of personal data—including collecting and using information from LinkedIn—must be based on legitimate legal grounds. Additionally, Article 21 grants everyone the right to object at any time to the processing of their personal data for direct marketing purposes. Ignoring this right carries a concrete risk of penalties.
The same principle applies to email communications. In a 2023 ruling, the Garante fined a company for continuing to send commercial messages even after the data subject had exercised their right to object and requested data erasure. Notably, the Garante reiterated that including the standard “unsubscribe here” link does not legitimize the communication. Without prior consent, the email is unlawful—regardless of whether the recipient can opt out afterward (Source: Garante Privacy, Order No. 202/2023).
This is not merely a matter of etiquette. It’s a matter of rights. It’s the law. Contacting someone to offer a service without consent—even on LinkedIn—may constitute unlawful processing of personal data. And professionals, increasingly fed up with intrusive tactics, know it. And they act accordingly: they report, they protect themselves, they walk away.
If cold outreach may become unlawful—even when disguised as networking—it’s worth reconsidering what it really means to be “connected” on LinkedIn. Many assume that accepting a connection request opens the door to any kind of interaction: messages, proposals, offers. But even here, connection does not equal consent.
Being “connected” theoretically indicates a shared interest or professional domain. But that alone does not authorize the sending of promotional content. The mistake lies in conflating a willingness to interact with permission to be targeted by commercial campaigns. The GDPR is clear on this as well: a person joining your network does not override the principles of purpose limitation and lawful processing. Consent to interaction is not consent to marketing.
The issue becomes even more serious when the message comes from someone not even in your first-degree network. In such cases, the room for lawful engagement shrinks further. Reaching out to a stranger with a templated message and a promotional link is often perceived as spam—and legally, it is, if there’s no lawful basis for processing that contact data.
Ultimately, LinkedIn is not a mailing list. It’s a relationship space, and it must be treated as such. Every time a connection is turned into a pretext for self-promotion without consent, credibility is lost—and the law may be violated. Because even in digital environments, trust is measured in respect, not in clicks.
If the goal is to sell, then stop disguising sales as relationships. It’s 2025: no one believes “I reached out because your profile caught my eye” anymore. That message has had its time. It no longer works. People want authentic, useful content—something that solves a problem or creates a real opportunity for dialogue. Not a connection request that turns into a sales pitch within two lines.
For those truly interested in doing business, the first step is to abandon disposable marketing logic. A strategic vision is needed: define values, identify the target audience, clarify what you offer and why it matters. Campaigns should be meaningful; content should be well-written, informative, and designed to build trust even before conversion.
And most importantly: stop following so-called marketing gurus—those who sell courses on how to generate leads by mass-messaging strangers on LinkedIn or WhatsApp. That’s not marketing. That’s noise. It’s not innovation. It’s just digital door-to-door selling—except today, the recipient can block you, report you, or even take legal action.
And be warned: it’s not just the company at risk. The individual salesperson may be directly liable if they act outside corporate guidelines or in an inappropriate manner. Article 29 of the GDPR provides that anyone processing data under the authority of the controller must act according to documented instructions. If a salesperson contacts prospects on their own initiative—using LinkedIn, personal lists, or other channels—without a lawful basis, they may be personally liable in disciplinary, civil, or even criminal proceedings in more serious cases.
In the Garante’s aforementioned rulings, sales representatives’ conduct contributed to worsening the legal standing of their companies. A single poorly sent message can jeopardize an entire organization—especially when such conduct is carried out systematically. That is why companies must train their staff, implement clear policies, and stop improvising communication strategies.
Avvocato Arlo Canella
