October 12, 2026

GDPR, CCPA, and B2B Data: What You Can Actually Collect, Store, and Use Without Legal Risk

Most SMBs land in one of two camps on data compliance. The first camp ignores the rules entirely — they buy lists from questionable brokers, fire off mass cold emails, and assume nothing will happen to them because they're small. The second camp reads one alarming article about GDPR fines and becomes so paralysed they won't touch outbound at all, convinced that any unsolicited email is a lawsuit waiting to happen.

Both camps are wrong. And both are leaving money on the table.

The rules for B2B data — what you can collect, store, contact, and share — are specific and knowable. They are not a minefield if you understand the actual framework. Most legitimate B2B outreach is legal under GDPR. Most B2B data collection in the US is compliant under CCPA if you do one or two things correctly. The risk comes from the edges: scraping without disclosure, buying lists without vetting provenance, sending to lists you can't defend.

Here's what the regulations actually say, what the common myths get wrong, and where the real compliance line sits.

Myth 1: GDPR Bans Cold Email to Business Contacts

This is the most damaging myth in B2B sales. Teams read "GDPR requires consent" and conclude that sending any unsolicited email to a prospect in the EU is illegal. It is not.

GDPR provides multiple lawful bases for processing personal data. For B2B prospecting, the relevant one is legitimate interest — and it explicitly covers direct marketing.

GDPR Recital 47 states: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." The UK ICO's own guidance confirms that under PECR (the UK's electronic communications regulation), emails sent to corporate subscribers — employees at limited companies — do not require prior consent. You need to identify yourself, offer an opt-out, and ensure the message is relevant to their professional role.

The practical test for legitimate interest has three parts:

  1. Purpose test — Do you have a genuine business reason to contact this person?
  2. Necessity test — Is email the appropriate way to reach them, or is it unnecessary?
  3. Balancing test — Does your interest in reaching them override their privacy interest? For relevant B2B outreach, it generally does.

Where legitimate interest breaks down: mass, untargeted emailing with no relevance to the recipient's role. If you're selling logistics software to a marketing manager with no procurement authority, the balancing test fails. If you're selling logistics software to a Head of Supply Chain at a company in your ICP, it passes cleanly.

What you must do under GDPR legitimate interest:

  • Conduct and document a Legitimate Interest Assessment (LIA) per campaign
  • Include a clear opt-out mechanism in every email
  • Identify yourself and explain how you obtained the contact's information if asked
  • Honor opt-out requests promptly (within 30 days under UK GDPR)

The documentation requirement is where most small teams fall short. A brief written record of why you're reaching out, to whom, and how you sourced the data is all you need — but you need it.

Myth 2: The CCPA Doesn't Apply to B2B Data

This one was true until January 1, 2023. The original California Consumer Privacy Act included a B2B exemption — business contact information used purely for B2B transactions was excluded from consumer rights protections. That exemption expired.

With that exemption gone, the California Privacy Rights Act (CPRA) now applies to California residents' contact data regardless of whether it is being used in a B2B context. A prospect's work email, direct phone number, and job title are personal information under California law.

What this means practically:

  • California residents have the right to opt out of the sale of their personal information, including their business contact data
  • If you purchase a contact list that includes California residents, you inherit the seller's "Do Not Sell" obligations
  • You must maintain a privacy notice that discloses your data practices
  • You must honor deletion requests within 45 days

The critical nuance: CCPA regulates sales and sharing of data, not contact for outreach. You can email California-based prospects without consent — CCPA is not an opt-in regime. What you cannot do is sell or share their data without honoring opt-out rights, or collect it deceptively.

As of 2026, 20 US states have comprehensive privacy laws in effect. Virginia, Colorado, Connecticut, Texas, Florida, and others have passed their own frameworks. Most follow the CCPA model: opt-out rather than opt-in, with disclosure requirements and data subject rights. If you're running any meaningful US outbound campaign, assume multi-state compliance applies.

Myth 3: Buying a Contact List Makes Compliance Someone Else's Problem

This myth is expensive. Teams buy lists from vendors, assume the vendor handled compliance, and proceed without checking. The vendor's compliance practices do not transfer to you.

When you acquire contact data from a third party:

  • You become a data controller for that data the moment you use it
  • You inherit any "Do Not Sell" or opt-out obligations tied to that data
  • If the vendor scraped the data without disclosure, using it exposes you to the same risk as having scraped it yourself
  • Under GDPR, you must be able to demonstrate the lawful basis for your use of that data — "I bought it" is not a lawful basis

The right questions to ask any list vendor:

  1. How was this data collected? Was there disclosure at point of collection?
  2. Do you maintain a suppression list for opt-outs and honor them before delivering records?
  3. Can you provide a data processing agreement (DPA) for GDPR compliance?
  4. When was this data last verified for accuracy and opt-out status?

Reputable providers — Cognism, ZoomInfo, and Apollo — have compliance programs and honor GDPR data subject requests. Lower-cost list vendors often do not. The price difference is partly compliance infrastructure.

Myth 4: Scraping LinkedIn Is Fine Because the Data Is Public

It is public in the sense that anyone can view it. It is not public in the sense that LinkedIn permits automated extraction of it.

LinkedIn's terms of service prohibit scraping. The US Ninth Circuit ruled in HiQ v. LinkedIn (2022) that scraping publicly accessible data is not automatically a Computer Fraud and Abuse Act violation — but that ruling is about federal law, not LinkedIn's contractual rights. LinkedIn continues to enforce its terms aggressively against large-scale scrapers.

More relevantly for GDPR: "publicly available" does not mean freely processable. Under GDPR, data doesn't need to be secret to be personal data. If someone's LinkedIn profile lists their employer and job title, that is personal data, and you still need a lawful basis to process it. The lawful basis exists for targeted B2B prospecting under legitimate interest — but it doesn't exist for bulk extraction and sale.

For market research and prospecting purposes, the compliant approach uses LinkedIn's official tools — Sales Navigator's export functions, LinkedIn's API with appropriate terms compliance — rather than third-party scrapers that violate the platform's agreements.

Where the Real Risk Sits

The headlines about GDPR fines involve large enterprises — Meta's €1.2 billion fine, Google's multiple hundred-million-euro penalties. Small B2B teams are not the regulators' primary targets. But enforcement has expanded significantly, and the risks for SMBs are real:

ICO complaints from prospects. If a prospect in the UK receives an email that feels intrusive or irrelevant, they can file an ICO complaint. The ICO typically sends a warning letter first, but repeat violations lead to formal investigation.

Data breach liability. Holding unprotected contact lists in unsecured spreadsheets, shared drives, or unencrypted email attachments is a GDPR violation regardless of whether a breach occurs. A breach of an improperly stored prospect list creates liability exposure.

List broker liability inheritance. Buying a list from a non-compliant vendor and using it means you're operating on a foundation that could collapse under a data subject access request.

The practical risk for most SMBs is not a seven-figure fine. It is wasted outreach to bad data, domain reputation damage from high bounce rates, and the operational chaos of handling a data subject request on a spreadsheet you've never properly maintained.

What Compliant B2B Data Practice Actually Looks Like

The correct approach is not paranoid compliance that kills your sales operation. It is disciplined practice that protects you, maintains deliverability, and ensures your data is actually useful.

For outreach under GDPR:

  • Document your Legitimate Interest Assessment per campaign — it can be a one-page template
  • Use professional, role-relevant messaging — this is both good practice and the relevance test for legitimate interest
  • Include an opt-out in every email and process removals within 30 days
  • Only contact roles where outreach is professionally appropriate — senior individual contributors and above in relevant departments

For data storage:

  • Maintain a single CRM or data store for contacts — not spreadsheets scattered across team members' drives
  • Set data retention policies: delete or re-verify contacts who haven't engaged in 18–24 months
  • Log where each contact record came from and when

For list acquisition:

  • Vet vendors for compliance infrastructure before purchasing
  • Request a data processing agreement if the vendor is processing EU personal data on your behalf
  • Run purchased lists through suppression checks before loading into sequences
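The storage and acquisition steps above come down to a pre-load check you can run before a purchased list ever reaches a sequence. The following is an added example, not the article's or any vendor's tooling; the `Contact` fields, the 24-month cutoff (the article's upper bound) and the sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_MONTHS = 24  # article's upper bound before re-verify or delete

@dataclass
class Contact:
    email: str
    source: str = ""                     # provenance: which vendor or form it came from
    acquired: Optional[date] = None      # when the record entered our store
    last_engaged: Optional[date] = None  # last reply or click, if any

def normalize_email(addr: str) -> str:
    return addr.strip().lower()  # case/whitespace differences must not defeat suppression

def months_between(older: date, newer: date) -> int:
    return (newer.year - older.year) * 12 + newer.month - older.month

def triage(contacts, suppression, today):
    """Split a list into load / suppress / review (with reasons) buckets."""
    suppressed = {normalize_email(a) for a in suppression}
    load, suppress, review = [], [], {}
    for c in contacts:
        key = normalize_email(c.email)
        if key in suppressed:
            suppress.append(key)  # an existing opt-out overrides everything else
            continue
        reasons = []
        if not c.source or c.acquired is None:
            reasons.append("missing provenance")  # cannot show where it came from
        anchor = c.last_engaged or c.acquired
        if anchor and months_between(anchor, today) >= RETENTION_MONTHS:
            reasons.append("stale: re-verify or delete")
        if reasons:
            review[key] = reasons
        else:
            load.append(key)
    return load, suppress, review

SUPPRESSION = ["Opted.Out@Example.com "]  # constructed sample: our own opt-out list
PURCHASED = [  # constructed sample "purchased" list
    Contact("buyer@example.com", "vendor-a", date(2025, 3, 1), date(2026, 1, 15)),
    Contact("opted.out@example.com", "vendor-a", date(2025, 3, 1)),
    Contact("unknown@example.com"),  # no source and no dates logged
    Contact("dormant@example.com", "vendor-b", date(2023, 9, 1)),
]

def run_example(today=date(2026, 10, 12)):
    return triage(PURCHASED, SUPPRESSION, today)
```

Only the `load` bucket goes into a sequence; the `review` bucket is the list you take back to the vendor with the provenance questions from Myth 3.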

For US multi-state compliance:

  • Post a privacy notice that covers CCPA/CPRA disclosure requirements
  • Maintain an opt-out mechanism on your website
  • Honor deletion and opt-out requests regardless of which state the requestor is in

None of this is complicated. The compliance burden for legitimate B2B outreach is not heavy — it's mostly documentation and process. The companies that treat it as heavy are usually the ones trying to run outreach they can't defend in the first place.

The Bottom Line on B2B Data Compliance

GDPR does not ban cold email. CCPA does not ban B2B contact. Neither regulation exists to prevent legitimate B2B sales activity — they exist to prevent the most predatory data practices and to give individuals control over their personal information.

The line between compliant and risky is clearer than most people think:

Compliant: Professionally relevant outreach to business contacts, documented lawful basis, opt-out honored, data from disclosed sources, stored securely with a retention policy.

Risky: Scraped lists from undisclosed sources, no opt-out mechanism, bulk unsegmented blasting, purchased data from vendors with no compliance program, storing contact data in unsecured shared drives.

If you're running your outbound operation correctly, you're already on the right side of most of these rules. If you're not, the fix is operational, not legal — it's building the process discipline that makes compliance automatic.

Our data research team sources and enriches B2B contact data with compliance built in — documented provenance, verified deliverability, and suppression list management handled before your team ever touches a record.
