What Data Protection Law Actually Requires of a B2B Prospect Database
A B2B lead database is not just a sales asset — under both GDPR and CCPA it is a repository of personal data, and that classification comes with obligations regardless of how narrowly you use it. Cold outreach to a named decision-maker at a legal entity sits in a different legal position than bulk consumer email marketing, but B2B has never meant exempt. This guide covers what data protection law requires of a prospect database used for addressed, low-volume outreach: the basis that lets you hold and email the data, the records that prove it, and where GDPR and CCPA actually diverge.
- Business contact data on a named individual is personal data under both GDPR and CCPA — being a B2B company doesn't exempt a lead record from data protection law.
- GDPR typically lets addressed B2B cold outreach to a professional email proceed on a legitimate interest basis rather than consent, provided you can show a balancing rationale and offer an easy opt-out.
- CCPA's earlier carve-out for business-to-business and employment-related contact data has expired, so California business contacts now carry access, deletion and opt-out rights much like consumer data.
- A defensible lead database needs a documented source and date for every record, a suppression list checked at send time, and a retention policy — an accurate email field alone proves nothing.
- The most common compliance failure isn't the legal basis, it's operational: opt-outs that aren't honored across tools, no record of where a lead came from, and contacts kept indefinitely after they've gone cold.
Why B2B cold outreach still falls under GDPR and CCPA
Personal data is defined by whether information relates to an identifiable individual, not by who owns the CRM it sits in. A named contact's business email, direct phone number and job title are personal data even though the record exists to support a sale to their employer. The company name, industry and revenue band around that contact are not personal data on their own — the individual-level fields are what trigger the law.
What data protection law regulates is not whether you may contact a business decision-maker, but how you collect, store, use and eventually delete their data. GDPR and CCPA don't ban cold outreach to a named professional; addressed B2B prospecting to a role-relevant contact, with an identifiable sender and a working opt-out, is a normal and lawful activity in both jurisdictions. What isn't lawful is treating the database as exempt from the rest of the framework — access requests, deletion requests, retention limits and breach notification all still apply.
The gap that gets companies in trouble is the assumption that B2B equals compliance-free. It surfaces the first time a prospect files a subject access request, or a company files a complaint with a data protection authority, and the business realizes it has no source record, no suppression mechanism and no process to respond within the required timeframe.
The lawful basis for holding and emailing a prospect's contact data
Under GDPR, addressed B2B cold outreach to a professional email address typically relies on legitimate interest rather than consent. That basis requires a genuine balancing test: your company's interest in reaching a role-relevant contact about something plausibly useful to their job, weighed against the individual's privacy interest in not being contacted. The test doesn't need to be an elaborate legal filing, but it does need to exist somewhere in writing, and it needs three things to hold up — the contact was targeted for their professional role and not scraped indiscriminately, the sender is clearly identified, and there's a straightforward way to object and stop future contact.
Consent is generally not required for a first cold email to a business contact under this reasoning, but the picture isn't uniform across EU member states — some national interpretations and case law around unsolicited business email are stricter than others, particularly for phone and SMS channels. If your named-account outreach reaches EU companies at meaningful volume, it's worth having someone confirm local practice for the countries you target most, rather than assuming one EU-wide rule.
CCPA doesn't have an equivalent legitimate-interest concept — it isn't built around a basis for contacting someone in the first place. Instead it requires a privacy notice at the point of collection for California residents and gives them rights to know what's held, request deletion, and opt out of sale or sharing of their data. In practice that means the CCPA compliance question for cold outreach isn't 'can I send this email' but 'can I show what I collected, why, and how someone stops it.'
A one-paragraph legitimate interest note kept per campaign type covers most of what an audit asks for: 'Outreach targets the VP Marketing or equivalent role at companies matching our ICP (mid-market SaaS, 50-500 employees). Contact data sourced from company sites, LinkedIn and a licensed B2B data provider. Interest: introducing a relevant product to a role with decision authority over it. Mitigations: sender clearly identified, one-line opt-out honored within 48 hours, no data used outside the CRM and sending platform.'
What a compliant lead record actually needs to capture
A lead database that would survive a real audit tracks more than name, title and email. The single most common finding when reviewing a B2B lead list is that nobody can say where half the records came from — which makes it impossible to demonstrate a lawful basis for any of them.
The fields below don't need a dedicated compliance tool; they fit as extra columns in most CRMs, including LDM. What matters is that they're populated at import time, not reconstructed later from memory.
- Source of the lead: company website, LinkedIn, referral, licensed data provider, inbound form
- Date the record was obtained and, if purchased or licensed, from which vendor
- Basis relied on: legitimate interest, consent, or existing business relationship
- Opt-out or suppression flag, synced across every tool that can send to this contact
- Date of last outreach and last engagement, to support retention decisions
- Any objection or deletion request received, with the date it was actioned
Where GDPR and CCPA diverge for a B2B list
The two laws differ in scope and mechanics, and treating them as interchangeable creates gaps. GDPR applies based on the residency of the data subject — if you're processing personal data of someone located in the EU, GDPR applies regardless of where your company is based or how small your list is. CCPA applies based on the residency of the individual (California) and a set of thresholds on the business itself, such as revenue or the volume of personal information processed, so a very small outreach operation may fall outside CCPA's scope entirely even while remaining fully subject to GDPR for its EU contacts.
The rights each law grants also differ in shape. GDPR gives data subjects the right to access, rectify, erase and object to processing, and objections to direct marketing specifically must be honored without a balancing test — an objection to marketing overrides legitimate interest automatically. CCPA gives California residents the right to know what's held, request deletion, correct inaccuracies, and opt out of sale or sharing, plus a right to limit use of sensitive personal information.
One change worth flagging explicitly: CCPA originally carved out an exemption for business-to-business and employment-related personal information, which let companies treat B2B contact data more loosely. That exemption expired, and business contact data on California-based individuals is now generally in scope the same as consumer data. Companies that built their compliance posture around the old exemption need to revisit it. The practical fix for most teams is to build one request-handling process that satisfies the stricter of the two laws — usually GDPR's tighter deadlines and objection rules — rather than running two separate systems.
Common compliance mistakes in a B2B lead database
The failures that show up repeatedly in practice are operational, not conceptual — teams generally understand that data protection law applies, but the database itself doesn't reflect that understanding.
- Treating anything found on LinkedIn or a company site as automatically fair game, with no review of whether the targeting is role-relevant
- No opt-out honored consistently across every sending tool and campaign — a suppression added in one platform doesn't block a send from another
- Merging lead lists from multiple sources during a CRM migration without preserving source and date fields
- Keeping contacts with years of no engagement indefinitely, on the theory that deleting data is wasteful
- Ignoring an access or deletion request because the sender assumes B2B data isn't covered
- No documented legitimate interest reasoning anywhere, so there's nothing to produce if a data protection authority asks
- Reps sending outreach from personal email accounts outside the CRM, so opt-outs there never sync back to the suppression list
Operational checklist for a defensible outreach program
None of this requires a legal department if the program is small. It requires a handful of habits enforced consistently.
- One central suppression list, checked before every send, synced across CRM, sequencing tool and any manual sending
- Opt-outs honored within a fixed window (48-72 hours is a reasonable practical target) and confirmed, not just silently applied
- Source and date logged for every lead at the moment it enters the database, not backfilled later
- A retention rule — for example, review or purge contacts with no engagement after 12-24 months
- A named owner and a target turnaround (commonly 30 days) for access and deletion requests
- Legitimate interest reasoning documented once per campaign type or ICP segment, not per individual contact
- Any enrichment or data-append vendor checked for how they sourced the data before it's imported
FAQ
Is cold emailing a business contact illegal under GDPR?
No. Sending a relevant, identified email to a named professional at a company, with a working opt-out, is generally permitted under the legitimate interest basis. What GDPR requires is that the sender is identifiable, the targeting is tied to the person's professional role, and any objection is honored promptly.
Does CCPA apply to B2B contact data?
Yes, in most cases now. The earlier temporary exemption for business-to-business and employment-related data has expired, so a California business contact's name, email and job title generally carry the same access, deletion and opt-out rights as consumer data under CCPA.
Do I need consent to add someone to my lead database?
Under GDPR, you typically don't need consent to add and initially contact a business professional if you rely on legitimate interest — but you do need a lawful basis, transparency about how the data was obtained, and to stop on objection. CCPA doesn't require consent to collect data but requires disclosure at collection and honoring opt-out rights.
What counts as personal data in a B2B lead record?
Anything relating to an identifiable individual counts: name, business email, direct phone, job title, LinkedIn URL. The firmographic data around them — company size, industry, revenue — is not personal data on its own, but the person-level fields are what bring the record under GDPR and CCPA.
How long can I keep a lead who never responded?
There's no fixed number set by either law, but keeping contacts indefinitely with no basis review doesn't hold up in an audit. Most defensible programs purge or re-verify the basis for contacts with no engagement after 12-24 months.
What's the fastest fix if we've never handled this formally?
Build one central suppression list that every sending tool checks before dispatch, and start logging source and date on every new lead going forward. Those two changes close the two gaps auditors find most often.
Want to apply this to your outreach?
We will map it to your segment and product — before any work starts.
Talk to us