Live Direct Marketing
HomeBlogCompliance

Handling B2B Contact Data Without Building a Compliance Liability

July 7, 2026 · 11 min read · Guide: Compliance

A B2B outreach list is not a spreadsheet you own outright — it's a set of records about real people, most of whom never asked to be on it. That's legal under most B2B outreach regimes, but only if the data is handled a specific way from the moment it enters your CRM. Teams that skip this treat every list the same way and eventually get burned by a regulator complaint, a blacklisting, or a prospect who screenshots a sloppy footer. Here's what handling the data correctly actually involves.

Key takeaways
  • B2B cold outreach is legal in most jurisdictions without prior consent, but it runs on a legal basis that has to be documented, not assumed.
  • Provenance matters more than the data itself — know exactly where every record came from and be able to say so if asked.
  • Record source, acquisition date and opt-out status per contact; this is the minimum audit trail a regulator or an angry prospect will ask for.
  • Purchased and scraped lists decay fast — stale records are both a deliverability problem and a compliance problem.
  • An opt-out is permanent and applies to the person, not the list — suppress it everywhere, forever, regardless of source.

Where the data actually comes from

Every contact record in an outreach system traces back to one of a handful of sourcing methods, and the method determines what obligations attach to the record. Manually researched contacts — a rep finding a name and business email on a company site or LinkedIn and entering it by hand — carry the fewest complications because the data is self-published by the person or their employer for a business purpose. Enrichment-tool records, pulled from a vendor API by job title and company, inherit whatever the vendor's own sourcing practice was, which you usually can't fully verify. Purchased lists sit furthest from the source; you're trusting a broker's word on how the data was collected and whether it was maintained.

Scraped data deserves its own line, because 'scraped' covers a wide range of practice. Pulling a business email and title from a company's public staff page is materially different from scraping personal social profiles for a mobile number or a home address — the first is business contact information published for exactly this kind of use, the second reaches into personal data that most legal bases won't cover for cold outreach purposes.

The practical implication: don't treat your list as one undifferentiated pool. Tag every batch with its sourcing method at import. When a compliance question comes up — and eventually one will — 'we don't know where this came from' is the answer that turns a minor incident into a real problem.

The legal basis you're actually relying on

Under GDPR, business-to-business outreach to a named professional at a company, about something relevant to their role, is commonly run on legitimate interest rather than consent — but legitimate interest is not a blanket permission, it's a balancing test you're supposed to have actually performed. That means being able to articulate, per campaign, why the outreach serves a legitimate business purpose, why it's proportionate, and why the recipient's interests don't override it — typically satisfied when the message is relevant to the person's professional role and easy to opt out of.

In the US, CAN-SPAM takes a different approach: no consent requirement for commercial email, B2B included, but a set of mechanical requirements — accurate header and sender information, a working opt-out mechanism, honored promptly, and no deceptive subject lines. The legal basis question barely arises; the compliance burden is almost entirely about honest identification and a functioning unsubscribe.

Other jurisdictions split the difference or go further — Germany and a few EU member states apply a stricter reading of legitimate interest for cold B2B email than the GDPR baseline suggests, and Canada's CASL requires either consent or a narrower set of implied-consent conditions than the EU legitimate-interest model. If you send outside your home market, don't assume your domestic basis travels with the email; check the destination country's specific rule before scaling volume there.

What to record about every contact

Compliant data handling isn't really about the data — it's about the metadata around the data. For every contact record, the minimum audit trail is: source (which sourcing method, ideally which specific list or vendor batch), acquisition date, the legal basis you're relying on for that source type, and current opt-out status. This doesn't need to be elaborate; a handful of extra fields on the contact record, populated at import, covers it.

This record does double duty. It's what you'd produce if a regulator or a prospect's legal team asked how you got their information, and it's also what lets you make sane operational decisions — a record acquired eighteen months ago from a vendor that's since had a data-quality scandal is a candidate for re-verification or removal, and you can only make that call if the acquisition metadata survived the import.

Keep this metadata attached to the contact, not floating in a separate spreadsheet that drifts out of sync. When contacts move between lists, get merged, or get re-imported from a refreshed enrichment pull, the provenance fields should travel with the record, not reset to blank.

Retention, hygiene and the cost of hoarding data

Old contact data is a liability that compounds quietly. A record that's two years stale is more likely to be wrong — the person changed roles or companies — which drags down deliverability when it bounces or gets marked as unrecognized. It's also a bigger compliance exposure the longer it sits unused for no clear business reason, since most legal bases for holding data assume you're doing something with it.

Set a practical retention rhythm: contacts that have never engaged after a defined number of outreach attempts over a defined window get archived out of active sending, not deleted outright if you have a legitimate record-keeping reason, but removed from anything that touches a send queue. Before reactivating an archived list for a new campaign, re-verify emails and re-check opt-out status rather than assuming the old data is still accurate.

Purchased and scraped lists decay faster than manually built ones because nobody on your team vetted them contact by contact. Treat any list older than a few months from acquisition as needing a freshness pass — email verification at minimum — before it goes into a live campaign.

Opt-outs and suppression that actually hold

An opt-out attaches to the person, not to the list, the campaign, or the sending domain. Once someone unsubscribes or asks to be removed, they need to be suppressed permanently, across every list and every future import that might reintroduce their address — including if that same email address reappears in a fresh purchased list six months later.

The practical fix is a single global suppression check that every import and every send routes through, keyed on email address, checked before a contact ever reaches a send queue. Teams that suppress only inside individual lists or campaigns will eventually re-contact someone who already opted out, usually through a new list that doesn't know about the old suppression — and that's the single fastest way to turn a minor compliance gap into a formal complaint.

Honor opt-out and removal requests immediately, not on a batch schedule. Both CAN-SPAM and GDPR expect prompt action, and a delayed unsubscribe reads to the recipient as ignored, which is worse for the relationship than the original cold email.

Vetting vendors and a working checklist

When buying a list or subscribing to an enrichment tool, ask the vendor directly how they source their data, how often it's refreshed, and whether they can point to the legal basis they rely on for including a given contact. A vendor that can't answer these questions in specific terms is a red flag regardless of how clean the sample data looks. For EU-relevant data, a data processing agreement with the vendor is standard practice and worth insisting on before a first purchase.

None of this needs to slow a team down once it's built into the intake process. The goal is a handful of habits — tag the source, log the date, run a freshness check on anything older than a few months, suppress opt-outs globally and immediately — that turn compliance from a reactive scramble into a normal part of how contact data enters and moves through the system.

FAQ

Is it legal to cold email a business contact without their consent?

In most jurisdictions, yes, provided the outreach is relevant to the person's professional role, identifies the sender honestly, and includes an easy opt-out. GDPR typically allows this under legitimate interest rather than consent; CAN-SPAM doesn't require consent at all but imposes mechanical requirements like honest headers and a working unsubscribe. Some countries, including Germany and Canada, apply stricter rules, so check the destination market before scaling.

How long can I keep a B2B contact record that never replies?

There's no fixed legal number, but holding data indefinitely with no clear business purpose weakens your legitimate-interest justification and increases risk for no benefit. A common practical approach is to archive contacts out of active sending after a defined number of unanswered attempts over a set window, and delete or fully anonymize records that have sat inactive for a long period with no legitimate reason to retain them.

Do I need to track where every contact in my CRM came from?

Yes, at minimum the sourcing method and acquisition date. This is what lets you answer a compliance question quickly, decide when data needs re-verification, and avoid treating a two-year-old purchased list the same as a contact a rep manually verified last week.

What happens if a contact opts out but reappears in a new purchased list?

They need to be suppressed regardless — the opt-out belongs to the person, not the original list. This only works reliably if suppression checks run globally across every import and send, keyed on email address, rather than being scoped to individual lists or campaigns.

Is scraping LinkedIn or a company website for contact data compliant?

Scraping a company's own staff page for business emails and titles is generally treated as gathering business contact information published for that purpose, which is lower risk. Scraping personal profile details beyond business context — personal phone numbers, home addresses, personal social activity — moves into personal data that's harder to justify under a B2B legitimate-interest basis and should be avoided for cold outreach purposes.

Do I need a data processing agreement with every list vendor?

For vendors supplying data on EU-based contacts, yes — a DPA is standard practice and most reputable vendors will have one ready. For non-EU data the requirement is less universal, but asking about sourcing method and refresh cadence is worth doing with any vendor regardless of region.

Important: this is not bulk email and not spam. We run targeted outreach: every message goes to a specific representative of a specific company for a legitimate business reason, in small daily volumes, personalised to the recipient. Every email identifies the sender and includes one-click opt-out; unsubscribes and stop-lists apply to all future campaigns without exception. Companies that ask not to be contacted are excluded permanently.

Want to apply this to your outreach?

We will map it to your segment and product — before any work starts.

Talk to us