"Is buying B2B data even legal?" is one of the most common questions in outbound, and the honest answer is: it depends entirely on how the data was sourced and how you use it. GDPR-compliant B2B data is absolutely allowed. Scraped-and-sold personal mailboxes with no lawful basis are not. The gap between those two is where most teams get nervous and where a few get into real trouble.
This guide walks through what the rules actually say, how to vet a vendor, and a practical do/don't list for cold outreach. It is written for agencies, freelancers, and lean outbound teams who want to prospect aggressively without playing fast and loose.
One caveat up front: this is practical guidance, not legal advice. If you operate at scale or in a sensitive sector, run your process past a qualified data-protection lawyer.
The laws that actually apply
There isn't one rulebook. B2B prospecting touches several regimes at once, and they govern different things.
- GDPR (EU/UK) governs how you collect, store, and process personal data. A work email like jane.doe@acme.com is still personal data, so GDPR applies even though it's a business address.
- ePrivacy / PECR (EU/UK) governs electronic marketing specifically: who you can email or call, and when consent is required.
- CAN-SPAM (US) governs commercial email: it does not require prior consent, but it does require honest headers, a valid physical address, and a working unsubscribe that you honor promptly.
- CASL (Canada) is stricter and consent-based, with limited exemptions for existing business relationships.
- CCPA/CPRA (California) gives consumers rights over personal information; for pure B2B contacts the practical obligation is honoring deletion and opt-out requests.
The takeaway: GDPR decides whether you may hold and use the data. ePrivacy/PECR, CAN-SPAM, and CASL decide whether you may send the message. You need both halves right.
Legitimate interest and the balancing test
Under GDPR you need a lawful basis to process personal data. For cold B2B outreach, the workable one is legitimate interest under Article 6(1)(f), not consent. (Consent before contact is a chicken-and-egg problem for cold outreach, which is why legitimate interest exists.)
Legitimate interest is not a free pass. It requires a documented balancing test, often called an LIA (Legitimate Interest Assessment), with three parts:
- Purpose test — is there a genuine, legitimate interest? Marketing a relevant B2B product to the right role at a relevant company usually qualifies.
- Necessity test — is the processing actually needed to achieve it, or could you do it a less intrusive way?
- Balancing test — do your interests override the individual's rights and reasonable expectations? A senior buyer at a company in your target market reasonably expects relevant supplier outreach. A junior employee's personal-sounding inbox, contacted about something irrelevant, does not.
Relevance is the hinge. The more tightly your message matches the recipient's role and company, the stronger your legitimate-interest footing. This is one more reason a sharp ideal customer profile isn't just a marketing nicety; it's part of your compliance posture.
A worked example helps. Say you sell roofing-CRM software. Emailing the owner of a registered roofing company about software for roofing companies is squarely defensible: relevant product, relevant role, reasonable expectation of supplier contact. Emailing that same owner's personal Gmail about an unrelated crypto offer is not, even if you found the address publicly. Same person, completely different balancing-test outcome, because relevance and expectation flipped. Write your LIA down, keep it short, and revisit it whenever you change what you sell or who you target.
Business data vs. personal data
A useful mental model: the more business and role-based a contact is, the safer it is to process and contact.
| Contact type | Example | Risk level |
|---|---|---|
| Generic business inbox | info@, sales@, hello@ | Low (often not personal data at all) |
| Role-based individual | marketing.director@acme.com | Low–medium |
| Named individual, work domain | jane.doe@acme.com | Medium |
| Personal-style or freelancer inbox | janedoe@gmail.com | Higher; treat with care |
| Special-category context | health, finances, etc. | High; avoid for cold outreach |
None of these are automatically off-limits, but they sit at different points on the risk curve. Targeting roles at registered businesses keeps you firmly in the defensible zone.
Lawful sourcing from public business data
Where the data comes from matters as much as how you use it. Compliant B2B databases are built from publicly available business information: company websites, business directories, professional listings, public registries. The processing is transparent, records carry provenance, and the dataset is maintained, not bought once and left to rot.
That's the model Leadriv uses. Contacts are sourced from public business data and processed under GDPR legitimate interest, with verified emails and phone checks layered on top so the data is both lawful and accurate. The two go together: stale data isn't just bad for deliverability, it also weakens your "we only hold relevant, current business contacts" story.
Data-subject rights and honoring opt-outs
Legitimate interest comes with a built-in obligation: the individual can object. Under GDPR people have the right to access, rectify, and erase their data, and the right to object to direct marketing is absolute: no balancing test, no negotiation. When someone says stop, you stop, and you remove them.
In practice this means three things:
- Make opt-out easy and obvious in every message.
- Process objections and removal requests fast (Leadriv honors opt-out and removal requests within 24 hours).
- Keep a suppression list so a removed contact never re-enters your sends, even if they reappear in a future data pull.
Speed here is reputational as well as legal. A buyer who asks off your list and keeps hearing from you is a complaint waiting to happen, and complaints wreck deliverability.
It also helps to know what a valid request looks like. You don't need a formal "I invoke my Article 21 rights" email; a plain "take me off your list" counts as an objection to direct marketing, and a "delete my data" counts as an erasure request. Treat both at face value. Confirm the action, suppress the contact, and don't ask the person to jump through hoops to be left alone, which itself reads as bad faith to a regulator.
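The two mechanical pieces of this section, the risk tiers from the business-vs-personal table above and the suppression list that keeps a removed contact out of every future data pull, are easy to get subtly wrong (case differences, stray whitespace, a contact that reappears in a fresh export). The Python below is an added example, not Leadriv's code or anything from this page; the keyword lists, the 24-hour SLA value, and the sample contacts and requests are all constructed for illustration. It classifies addresses into the page's tiers, maps plain-language "take me off your list" / "delete my data" wording to an objection or erasure, stores suppressed contacts by hash of the normalized address, gates a new data pull against that list, and reports requests that have not been actioned within the SLA.

```python
"""Added example (not Leadriv's code): classify contacts by the risk
tiers in the page's table and keep a hashed suppression list that
honors objection/erasure requests across future data pulls.
All keyword lists, the SLA value and sample records are constructed."""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed heuristics mirroring the page's risk tiers; not exhaustive.
GENERIC_LOCAL_PARTS = {"info", "sales", "hello", "contact", "office", "support"}
ROLE_TOKENS = {"marketing", "director", "manager", "head", "ceo", "cto", "hr"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def normalize(email: str) -> str:
    """Canonical form so 'Jane.Doe@Acme.com ' equals 'jane.doe@acme.com'."""
    return email.strip().lower()


def classify(email: str) -> tuple:
    """Return (contact_type, risk_level) per the business-vs-personal table."""
    local, _, domain = normalize(email).partition("@")
    if domain in PERSONAL_DOMAINS:
        return "personal-style", "higher"
    if local in GENERIC_LOCAL_PARTS:          # info@, sales@, hello@ ...
        return "generic-inbox", "low"
    if any(t in ROLE_TOKENS for t in re.split(r"[._+-]", local)):
        return "role-based", "low-medium"     # marketing.director@ ...
    return "named-individual", "medium"       # jane.doe@ ...


def classify_request(message: str) -> Optional[str]:
    """Map plain-language wording to 'erasure' or 'objection'.
    Constructed keyword heuristic; anything ambiguous should go to a human."""
    text = message.lower()
    if re.search(r"\b(delete|erase|remove my data)\b", text):
        return "erasure"
    if re.search(r"\b(unsubscribe|stop|take me off|opt[ -]?out|remove me)\b", text):
        return "objection"
    return None


@dataclass
class SuppressionEntry:
    reason: str                       # 'objection' or 'erasure'
    received_at: datetime
    actioned_at: Optional[datetime] = None


@dataclass
class SuppressionList:
    """Suppressed contacts keyed by SHA-256 of the normalized address so the
    list can travel to a sequencer without re-circulating raw emails.
    (A hash of an email is still personal data; this is not anonymization.)"""
    sla: timedelta = timedelta(hours=24)
    entries: dict = field(default_factory=dict)

    @staticmethod
    def key(email: str) -> str:
        return hashlib.sha256(normalize(email).encode()).hexdigest()

    def record_request(self, email, message, received_at) -> Optional[str]:
        """Suppress on receipt; the entry is 'actioned' once the CRM is updated."""
        kind = classify_request(message)
        if kind is None:
            return None
        entry = self.entries.get(self.key(email))
        if entry is None:
            self.entries[self.key(email)] = SuppressionEntry(kind, received_at)
        elif kind == "erasure":       # an objection followed by erasure escalates
            entry.reason = "erasure"
        return kind

    def mark_actioned(self, email, when):
        self.entries[self.key(email)].actioned_at = when

    def is_suppressed(self, email) -> bool:
        return self.key(email) in self.entries

    def filter_pull(self, contacts):
        """Gate every fresh data pull so removed contacts never re-enter sends."""
        return [c for c in contacts if not self.is_suppressed(c)]

    def overdue(self, now):
        """Requests still not actioned after the SLA has elapsed."""
        return [e for e in self.entries.values()
                if e.actioned_at is None and now - e.received_at > self.sla]


def demo():
    """Constructed sample: two requests, one actioned, then a new data pull."""
    sl = SuppressionList()
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
    sl.record_request("Jane.Doe@Acme.com", "Please take me off your list", t0)
    sl.record_request("bob@example.org", "Delete my data", t0)
    sl.mark_actioned("jane.doe@acme.com", t0 + timedelta(hours=2))
    pull = ["jane.doe@acme.com", "info@acme.com", "bob@example.org",
            "marketing.director@acme.com", "janedoe@gmail.com"]
    return {"kept": sl.filter_pull(pull),
            "overdue": [e.reason for e in sl.overdue(t0 + timedelta(hours=30))],
            "risk": {c: classify(c)[1] for c in pull}}


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noting. Suppression happens the moment a request is recorded, before anyone has confirmed it or updated the CRM, which is what "treat both at face value" means operationally; the `actioned_at` timestamp only tracks the follow-up work, and `overdue()` is the report you would check against the 24-hour commitment. Keying by hash of the normalized address is what stops the same person from slipping back in when a later pull spells the address with different capitalization, but it is a convenience, not a privacy measure.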
How to vet a data vendor's compliance
Most of your compliance risk is inherited from your data source. Vet it before you buy. Ask directly: where does the data come from, what's your lawful basis, and how do you handle removal requests? Vague answers are a red flag.
Here's a quick "compliant vs. risky" signal table:
| Signal | Compliant ✅ | Risky ⚠️ |
|---|---|---|
| Source | Public business data, stated clearly | "Proprietary" / won't say |
| Lawful basis | Legitimate interest, documented | None mentioned |
| Data type | Business/role contacts | Bulk personal/consumer emails |
| Opt-out handling | Honored within days, suppression list | No process, or "not our problem" |
| Freshness | Continuously verified and refreshed | Static dump, unknown age |
| Provenance | Records traceable to a source | Mystery origin |
| Transparency | Clear privacy policy and DPA | No privacy info |
A vendor that scores in the left column is doing the hard compliance work before the data reaches you, and these signals are exactly what to weigh when you choose a provider.
Two extra documents are worth asking for. The first is a Data Processing Agreement (DPA): if a vendor can't produce one, that tells you how seriously they take their obligations. The second is their privacy notice, specifically the part that explains the lawful basis and how individuals can object. Read it. A clear, specific notice signals a vendor who has thought this through; a generic copy-paste policy that never mentions B2B sourcing or legitimate interest is a quiet warning. You inherit their posture, so you want it documented, not assumed.
Practical do/don't for cold outreach
The rules become simple once they're operational. Here's the short version.
Do:
- Target roles at relevant companies, not random individuals.
- Keep messages relevant to the recipient's actual job. Relevance is your legitimate-interest defense.
- Include a clear way to opt out in every email.
- Authenticate your domain and follow the bulk-sender rules (see our guide to email deliverability in 2026).
- Maintain a suppression list and honor removals immediately.
- Keep records of your sourcing and your LIA.
Don't:
- Email special-category or clearly personal inboxes for cold pitches.
- Ignore or slow-walk opt-out requests.
- Buy a static list of unknown origin and blast it.
- Use deceptive subject lines or hide who you are (illegal under CAN-SPAM, and a fast track to spam folders).
- Assume one country's rules cover everyone; segment by region where it matters.
Done right, compliant outreach and effective outreach are the same thing. The discipline that keeps you legal (relevance, freshness, clean removals) is the same discipline that gets replies. For the copy side of this, see our guide to B2B cold email, and for sourcing, how to find B2B leads.
Frequently asked questions
Is it legal to buy B2B email lists under GDPR?
It can be, if the data was lawfully sourced (typically from public business data under legitimate interest), the contacts are genuine business/role addresses, and you honor objections. A static list of unknown origin with no lawful basis is the risky kind. The sourcing is what determines legality, not the act of buying itself.
Do I need consent to send cold B2B emails in the EU?
Usually not consent, but legitimate interest under Article 6(1)(f), backed by a documented balancing test. Note that ePrivacy/PECR rules vary by country and can be stricter for certain channels, so check the specific markets you're targeting.
What's the difference between business and personal data here?
A generic inbox like info@company.com often isn't personal data at all. A named work address like jane.doe@acme.com is personal data, so GDPR applies even though it's a business context. The more role-based and business-tied the contact, the safer it is to process and contact.
How fast do I have to honor an opt-out?
Promptly, and the right to object to direct marketing is absolute. There's no fixed universal number, but treat it as immediate. Leadriv processes opt-out and removal requests within 24 hours and suppresses those contacts going forward.
Does this apply to US prospecting too?
Different rules apply (CAN-SPAM, plus CASL in Canada and CCPA/CPRA in California), and CAN-SPAM doesn't require prior consent. But the operational habits are nearly identical: be honest, stay relevant, and honor opt-outs fast.
Leadriv is built so the compliant path is the default: contacts sourced from public business data under GDPR legitimate interest, verified emails and phones, opt-outs honored within 24 hours, and one-click export to your own sequencer, all self-serve from $29/month. You filter, score, and export clean leads; we handle the lawful sourcing underneath.