Buying an Email List: Is It Legal? (And Why It's Almost Always a Bad Idea)

Buying a professional email list isn't illegal in itself in B2B, but you're the one who inherits GDPR liability for the file: data origin, disclosure to data subjects, lawfulness of collection. Beyond the legal side, a purchased list almost always destroys your domain's deliverability. Here are the exact rules, the real risks, and the alternative that actually works.
- Not illegal in itself in B2B, but the buyer becomes responsible for the file's GDPR compliance (origin, disclosure to data subjects, opt-out).
- In B2C, it's a flat no: opt-in is mandatory.
- The real hidden cost: outdated addresses and spam traps that burn your domain within a few sends.
- The alternative: build your own list (LinkedIn + verified enrichment), more compliant, cleaner, and more effective.
Is It Legal to Buy an Email List?
In B2B, yes, under conditions: the trade in professional contact lists exists legally, but GDPR doesn't vanish once you've bought the file. By using it, you become a data controller: you must be able to prove the data's origin, confirm that data subjects were informed their data could be shared with partners, inform recipients on first contact, and honor any opt-out request immediately. In practice, very few low-cost list vendors provide these documented guarantees, which means you're the one carrying the risk.
In B2C, the answer is simply no: without valid, traceable opt-in collected for YOUR specific use, prospecting individuals from a purchased list is a violation. The general framework is covered in Is Cold Email Legal?
Why Purchased Lists Destroy Your Deliverability
Even when fully compliant, a purchased list is still technical poison. These files circulate among dozens of buyers: addresses get over-solicited, a share are outdated (10 to 30% bounce rates are common on cheap lists), and some are spam traps, decoy addresses created specifically to catch spammers. It only takes a few sends for your bounce rate to spike, for filters to flag you as a suspicious sender, and for all your emails, including the legitimate ones, to land in spam. A burned domain reputation takes months to rebuild, if it rebuilds at all. Deliverability fundamentals are covered in our complete cold email guide.
Purchased List vs. Built List: The Comparison
| Criteria | Purchased list | Built list (LinkedIn + enrichment) |
|---|---|---|
| Legality | Possible in B2B, inherited liability | Fully controlled end to end |
| Data freshness | Unknown, often outdated | Verified at the time of collection |
| Bounce rate | 10 to 30% common | Under 3% with verification |
| Targeting precision | Generic (thousands of unsorted contacts) | Custom-built (role, industry, size, region) |
| Exclusivity | Shared with every buyer | 100% yours |
| Real performance | Very low reply rates | 5 to 15% replies with targeted multichannel |

How to Build a Clean List Yourself (The Alternative)
The standard method comes down to three steps: identify the right decision-makers via LinkedIn Sales Navigator (filtering by role, industry, size, region), enrich with a reliable tool (Apollo, Kaspr, Lusha...) that finds the professional email address, then verify every address before sending to keep your bounce rate under 3%. The result is a list that's fresh, exclusive, targeted, and fully documentable, exactly what GDPR expects. It's the first step of any serious automated prospecting system, and it's included in our offer: the list we build for you belongs to you.
Key Takeaways
- B2B: buying isn't illegal in itself, but the file's GDPR liability becomes yours.
- B2C: never, without valid opt-in it's a violation.
- The hidden cost is technical: bounces and spam traps burn your domain within a few sends.
- Building your own list (Sales Navigator + enrichment + verification) is more compliant, cleaner, and significantly more effective.
FAQ: Buying Email Lists
Are tools like Apollo or Kaspr the same as buying a list?
No: these are on-demand enrichment tools. You select specific profiles and get their verified professional email address, backed by contractual compliance guarantees. Nothing like a 50,000-row file sold in bulk.
What about business directories (Kompass, [sociétés.com](http://xn--socits-evab.com/)...)?
Company data (registered name, generic contact@ address) isn't personal data: it's free to use. The caution applies to named individual contacts.
I've already bought a list, what should I do?
Don't send to it as-is from your main domain. At minimum: run a full address verification, filter for genuine relevance to your offer, send from a dedicated domain, and remove any contacts unrelated to your business. Honestly, rebuilding cleanly is often cheaper than fixing it.
Can I use a trade show or event attendee list?
Only if attendees were told their details would be shared with exhibitors or partners. Ask the organizer for proof of that disclosure before sending anything.
Article written by Kevin Sazarin, Growth Marketer and founder of Skalia (Toulouse). Parent guide: Cold Email from A to Z.
