Is buying email lists legal? The honest B2B answer

Short version: a purchased B2B list is not automatically illegal, but it is almost never worth it. Here is what GDPR and CAN-SPAM actually allow, the risks brokers never mention, and the legal way to build a list instead.

Cold Email · · 6 min read
The verdict

Is buying email lists legal for B2B?

Buying a B2B email list is not automatically illegal, but how you use it is heavily regulated, and bought lists rarely pay off. In the EU, GDPR requires a lawful basis and an easy opt-out. In the US, CAN-SPAM bans deceptive headers and demands a working unsubscribe. Consumer lists are far riskier than verified business data.

The honest answer to "is it legal to buy email lists" is: it depends on the data, the jurisdiction and what you do next. A list of publicly listed business contacts used for a relevant B2B offer sits in a very different place than a scraped batch of personal consumer addresses. The legal question is real, but it is the smaller half of the problem. The bigger half is that purchased lists almost always perform badly.

Key takeaways
  • Not automatically illegal: GDPR and CAN-SPAM regulate how you use a list, not whether you can own one
  • You become the data controller the moment you buy: the broker rarely passes you a valid lawful basis
  • Bought lists decay 20 to 30 percent a year and carry spam traps that can blacklist your domain in days
  • The legal, durable route is to generate your own list from public, verified business data and stay controller from the start
Europe

GDPR: legitimate interest, not a free pass

The GDPR never says "thou shalt not buy a list." What it says is that any processing of personal data needs a lawful basis, and that you are responsible for it. The moment you import a purchased file, you become the new data controller, inheriting every obligation and none of the broker's excuses.

For B2B outreach, the usual basis is legitimate interest. Recital 47 of the GDPR explicitly recognizes direct marketing as a possible legitimate interest, provided the recipient's rights do not override yours. In practice that means the offer must be relevant to the person's professional role, you must inform them their data came from a third party, and you must give them a frictionless way to object. Our GDPR guide for B2B sales teams walks through the full lawful-basis test, and the consent vs legitimate interest breakdown shows when each applies.

Here is the catch most broker pitches skip: a purchased consumer list rarely survives the legitimate-interest balancing test, and a broker cannot transfer a lawful basis you never had. That is why European regulators have, on multiple occasions, fined the buyer for using bought data, not only the seller.

A broker can sell you the data. A broker cannot sell you a lawful basis. Under GDPR, the obligation to justify the processing always lands on the company that hits "send".
United States

CAN-SPAM: conduct rules, not consent

The US takes a different angle. The CAN-SPAM Act does not require prior consent, so cold email to a bought US list can be perfectly legal. What it regulates is conduct. Per the FTC's CAN-SPAM compliance guide, every commercial message must:

  1. Use accurate "from", "to" and routing information, never deceptive headers.
  2. Avoid misleading subject lines that misrepresent the content.
  3. Identify the message as an advertisement where it is not obvious.
  4. Include a valid physical postal address for your business.
  5. Offer a clear opt-out and honor it within 10 business days.

Penalties are not trivial: the FTC can levy fines per individual email that violates the rules, and the figure is inflation-adjusted upward every year. So a purchased US business list can be compliant, but one sloppy campaign multiplies a single mistake across thousands of recipients.

22.5%
average annual decay of B2B email data as people change roles and companies (industry benchmark)
10-20%+
typical bounce rate on bought lists, high enough to trigger blocklisting
#1
most-prospected categories on Vonsel are restaurants and dentists, both generated, never bought (internal data, 2026)
The hidden cost

Why bought lists rarely pay off, even when legal

Set the law aside for a moment. Even a perfectly compliant purchased list tends to lose money, because of four problems brokers do not put on the invoice.

Spam traps

Mailbox providers and blocklists plant spam trap addresses to catch senders who do not collect data cleanly. Bought lists are full of them. A few hits can flag your domain.

Hard bounces

Static lists decay fast as people move jobs. High bounce rates tell inbox providers you are not a careful sender, and reputation drops for every email you send next.

Zero exclusivity

The same file is resold to dozens of buyers. By the time it reaches you, the best contacts have already been pitched, marked as spam and worn out.

No context

You get a name and an address, nothing to personalize with. Generic blasts get ignored, and sales data shows buyers reward relevance, not volume.

Add it up and the math is brutal. A list that costs cents per record can cost you your whole sending domain, and that is far more expensive than any subscription. The legal risk is real, but the deliverability risk is what actually empties the pipeline.

Skip the bought list, build a clean one
Generate verified B2B contacts from public business data in minutes, with a clear, documentable source and no spam traps.
Start Free Trial
Before / after

Bought list vs generated list

DimensionPurchased broker listList generated from public data
Lawful basis (EU)Inherited, often invalid for consumer dataYou are controller from the start, B2B legitimate interest
Data sourceOpaque, resold, hard to documentPublic business listings, clear and verifiable
Email accuracy60-80%, decaying monthly85-95% verified at generation
Spam trapsCommonAvoided: real, live businesses only
ExclusivitySold to dozens of buyersBuilt for your exact search

The difference is not just compliance, it is control. When you generate a list yourself, you can show exactly where each contact came from, which is precisely what a regulator asks for and what a broker can never give you.

The legal route

3 legal alternatives to buying email lists

1

Generate from public business data

Pull live business listings (name, address, phone, website, rating, email) for a category and city. You stay the controller, the source is documentable, and the data is fresh. This is the cleanest way to find business emails at scale.

2

Build a permission-based opt-in list

Lead magnets, webinars and gated content collect contacts who actively agreed to hear from you. Slower to grow, but ideal for nurture and the safest basis of all. Pair it with a compliant B2B email database for outbound reach.

3

Run compliant cold email on self-sourced data

With a list you built and can defend, run outreach that respects the rules: relevance, identification, opt-out, records. Our guide on cold email without breaking GDPR law covers the playbook end to end.

The safest list is the one you can explain. Buy data and you inherit someone else's risk; generate it and the trail is yours.
How Vonsel helps

How Vonsel replaces the bought list

Vonsel's Business Finder does not sell you a recycled file, it generates a fresh one from public, verified business data across 120+ countries. Search a category plus a city and get every company with name, address, phone, website, Google rating and a verified email, at 85-95% email accuracy and 90%+ phone accuracy, GDPR compliant on EU servers. Because the source is public business listings rather than a broker's mailing file, you stay the data controller, the trail is documentable, and you sidestep the spam traps that sink purchased lists. Plans on the pricing page start at €17.99/month, and you get 20 verified leads when you start the free plan.

In short:

  • Buying a B2B list is not automatically illegal, but it almost never pays off.
  • You become the controller on purchase: GDPR and CAN-SPAM duties are yours, not the broker's.
  • Generate from public, verified business data to stay compliant and protect deliverability.
A list you can stand behind, generated in minutes
Search any city, export verified business emails and phones with a clear public source, and skip the broker entirely. See plans.
Start Free Trial

Frequently asked questions

Is buying email lists legal?
Buying a B2B email list is not automatically illegal, but how you use it is heavily regulated. In the EU, GDPR requires a lawful basis (usually legitimate interest), transparency and an easy opt-out. In the US, CAN-SPAM allows cold email but bans deceptive headers and requires a working unsubscribe. Consumer (B2C) lists are far riskier than business contact data.
Is it legal to buy email lists under GDPR?
GDPR does not ban purchased lists outright, but a broker rarely transfers a valid lawful basis to you. You become the new data controller and must justify your own legitimate interest, inform people their data was obtained from a third party, and honor objections. Most bought consumer lists fail this test, which is why fines target the buyer, not just the seller.
Does CAN-SPAM allow purchased email lists in the US?
CAN-SPAM permits unsolicited commercial email, including to bought lists, as long as you do not use false headers or misleading subject lines, identify the message as an ad where required, include a valid physical address, and provide a working opt-out honored within 10 business days. It regulates conduct, not consent, so a purchased US business list can be compliant if used correctly.
Why are purchased email lists a bad idea even when legal?
Bought lists are resold to many buyers, decay 20 to 30 percent per year, and often contain spam traps, dead mailboxes and recycled addresses. High bounce rates and spam complaints damage your sender reputation, can blacklist your domain within days, and rarely produce a positive return. The legal risk is only part of the problem.
What are spam traps and why do bought lists contain them?
Spam traps are email addresses created or recycled by mailbox providers and blocklists specifically to catch senders who do not collect data properly. Because purchased lists are scraped or recycled rather than permission-based, they frequently include traps. Hitting even a few can get your domain flagged and tank deliverability for every email you send.
What is the legal alternative to buying email lists for B2B?
Generate your own list from public, verified business data instead of buying recycled records. Tools that pull live business listings give you each company's name, address, phone, website and a verified email, with a clear and documentable source. You stay the data controller from the start, rely on legitimate interest for relevant B2B offers, and avoid spam traps and decayed records.
Recommended for you
Legal GDPR Guide for B2B Sales Lawful bases, opt-outs and records: stay compliant while prospecting. Legal Consent vs Legitimate Interest Which lawful basis applies to your B2B outreach, and when. Database B2B Email Database How to build a compliant, verified database instead of buying one.
Discover more
Legal Cold Email Without Breaking GDPR The compliant way to run cold outreach in Europe. Database Find Business Emails Every method to find verified business emails at scale. Product Vonsel Features Business Finder, Smart Reviews, Smart Emails and more.