B2B lead generation platforms and GDPR compliance: what you actually need to know

GDPR fines hit €20M or 4% of global turnover. Here's what B2B lead generation platforms must do to stay compliant in 2026, with real rules and checklists.

LeadCompliant Team
28 min read
In This Article

Last updated 2026-07-09

Two professionals reviewing compliance documents at a glass desk in a European office
Two professionals reviewing compliance documents at a glass desk in a European office

TL;DR

GDPR applies to B2B lead generation even when you're targeting businesses, because you're usually processing data about individual people. Platforms must have a lawful basis for each data use, honor deletion and access requests, and document everything. Fines reach €20 million or 4% of global annual turnover, whichever is higher. Legitimate interests is the most commonly used basis, but it requires a documented balancing test.

Does GDPR actually apply to B2B lead generation?

Yes. This surprises a lot of teams who assume business-to-business outreach sits outside GDPR's scope. The regulation protects natural persons, not companies, but most B2B data is data about people. A record with a name, work email, job title, LinkedIn URL, or phone number attached to an individual is personal data under Article 4 of the GDPR, full stop. [1]

The company email address john.smith@acme.com identifies an individual. The address info@acme.com generally does not. That distinction matters enormously for lead generation platforms that scrape or enrich contact records. If your database holds any field that can single out a person, GDPR applies to that record regardless of the commercial context.

There are no B2B exemptions written into the regulation. Some countries added slight carve-outs in their national implementing laws (Germany's UWG and the UK's PECR give a bit more room for electronic marketing to corporate subscribers), but the underlying data protection obligations, lawful basis, transparency, rights responses, and breach notification, apply wherever you process identifiable contact information. [2]

Run outbound sales in Europe, buy prospecting lists, or use an AI lead generation tool that pulls LinkedIn profiles? Assume GDPR applies until you can prove a specific record doesn't qualify as personal data. That's the safer operating model, and it's the one most data protection authorities endorse.

What lawful basis can B2B teams use for outreach?

GDPR Article 6 lists six lawful bases for processing personal data. [1] For cold outreach in a B2B context, two are realistic: legitimate interests (Article 6(1)(f)) and consent (Article 6(1)(a)).

Consent is clean on paper and messy in practice. To rely on it, consent must be freely given, specific, informed, and unambiguous. A pre-ticked checkbox doesn't count. For cold prospecting, you'd need the person to have opted in before you contact them, which defeats the point of cold outreach. Consent works well for newsletter sign-ups, gated content downloads, and inbound leads. It's rarely the right basis for outbound prospecting lists.

Legitimate interests is what most B2B lead generation platforms and outbound teams actually rely on. The European Data Protection Board's guidance says legitimate interests can justify processing when: (a) you have a genuine interest, (b) the processing is necessary to achieve it, and (c) the individual's interests don't override yours. [3] That third prong requires a documented Legitimate Interests Assessment (LIA). You write down the interest (selling your software to finance teams), the necessity (you need the CFO's email to reach the CFO), and then honestly weigh the individual's likely expectations and the impact on their privacy.

For B2B contacts in a relevant professional context, that balancing test often tips in the business's favor, especially when the product or service maps directly to the contact's job. A cybersecurity vendor emailing the CISO of a company with known security gaps has a stronger case than a mortgage broker emailing the same person. Context is everything, and you need to write the LIA down, more than assume it.

Contractual necessity and legal obligation can apply in narrow cases (processing a prospect's data to fulfill a contract they've entered, for instance), but they don't help with cold outreach.

Nobody should treat this as legal advice. Run your lawful basis decision past qualified counsel before you build your prospecting process around it.

How do the biggest B2B lead generation platforms handle GDPR?

The major platforms, ZoomInfo, Apollo.io, Cognism, Lusha, and LinkedIn Sales Navigator, all claim GDPR compliance. The approaches differ meaningfully. [4][5]

Cognism has staked its marketing heavily on compliance. It maintains an opt-out list, scrubs against national do-not-call registries, and publishes a detailed privacy notice explaining that it relies on legitimate interests with a documented LIA. It also claims to check data against the UK's TPS (Telephone Preference Service) before surfacing phone numbers. That's more than most competitors do by default.

ZoomInfo's 2021 $52 million settlement with the FTC and state attorneys general (not GDPR, but the U.S. analogy) shows that even large platforms face real enforcement risk when their data practices don't match their promises. [6] Under GDPR, the equivalent exposure sits with data protection authorities in EU member states.

Apollo.io and Lusha both rely on web-scraped data and network-contributed data (where users upload their contacts). Both publish privacy policies citing legitimate interests. Neither has gone as far as Cognism on registry scrubbing, though both have improved their data subject request processes in recent years.

LinkedIn Sales Navigator sits in a different category because the underlying data came from profiles users voluntarily made public. That context supports a stronger legitimate interests argument, though LinkedIn still requires users to respect its own terms of service around automated data use.

For AI lead generation tools that use large language models or web-scraping agents to build contact lists, the compliance picture is hazier. If the tool pulls personal data from websites without notifying those individuals, it needs its own lawful basis and likely needs to serve a privacy notice to the scraped individuals within a reasonable period under GDPR Article 14. Most AI scraping tools don't do this today. That's a risk you inherit when you use them.

PlatformPrimary lawful basis claimedTPS/DNC scrubbingData subject request process
CognismLegitimate interests (documented LIA)Yes (UK TPS, EU registries)In-platform opt-out + dedicated team
ZoomInfoLegitimate interestsPartial (US DNC)Privacy portal
Apollo.ioLegitimate interestsLimitedEmail request
LushaLegitimate interestsLimitedPrivacy portal
LinkedIn Sales NavigatorLegitimate interests + member consentNo (platform-level)LinkedIn account settings
GDPR key thresholds for B2B outbound teams Fines, timelines, and compliance benchmarks from the regulation and enforcement data 4 Upper-tier max fine (% global turnover) 20 Upper-tier max fine (€ millions) 30 Data subject request respon… window (days) 72 Breach notification window… DPA (hours) Source: European Commission, GDPR Regulation EU 2016/679; CMS Enforcement Tracker, 2024

What does a GDPR-compliant outbound prospecting process look like?

Compliance isn't a one-time check. It's a set of operational steps you repeat for every campaign. Here's what a defensible process looks like in practice.

First, document your lawful basis before you import any list. Write a brief LIA for the campaign type: who you're targeting, what you're selling, why you believe the outreach is relevant to them, and what the privacy impact is. This doesn't need to run 20 pages. Two or three paragraphs that honestly address the three-prong test is enough to show a DPA you thought it through.

Second, scrub your list against every applicable opt-out or suppression list. That means your own suppression list (people who've asked not to be contacted), national do-not-call or do-not-contact registries where they exist in your target markets, and any lists your platform maintains. Germany, Austria, and Italy layer strict telemarketing opt-out rules on top of GDPR. [2]

Third, provide a privacy notice. For cold email, your first email should tell recipients who you are, why you have their data (specifically, the source), the legal basis for using it, and how to opt out. GDPR Article 14 requires this when you collect data from a source other than the individual themselves. [1] It doesn't have to be a wall of legalese. A short paragraph at the bottom of the email works. Something like: "We found your contact details through [platform]. We process your data under legitimate interests to reach professionals in [role]. You can opt out at any time by replying to this email."

Fourth, build a working opt-out mechanism and honor it within 30 days. In practice, honor it immediately. Someone who waits a month after opting out and then gets another email is a complaint waiting to happen.

Fifth, don't retain data longer than necessary. If a prospect hasn't engaged in 12 to 18 months, that's a reasonable point to purge or suppress the record. There's no single GDPR-mandated retention period, but you need to document yours and apply it consistently.

For teams using SMS for outreach into Europe, the intersection of GDPR and ePrivacy rules (and the TCPA for U.S. numbers) makes the compliance stack more complicated. See our coverage on tcpa sms compliance and sms opt-in requirements for how these rules interact.

What are the real GDPR fines and enforcement risks for outbound teams?

The regulation sets a two-tier fine structure. Lower-tier violations (inadequate records, failure to appoint a representative, some Article 13/14 transparency failures) carry fines up to €10 million or 2% of global annual turnover. Upper-tier violations (processing without a lawful basis, ignoring data subject rights, breaking the basic principles of GDPR) carry fines up to €20 million or 4% of global annual turnover, whichever is higher. [1]

The 4% figure is the one that gets attention. For a company doing €50 million in annual revenue, that's a potential €2 million fine. For a billion-dollar company, it's €40 million.

Are small outbound teams actually getting fined at these levels? Mostly no, at least not yet. Enforcement against small companies has leaned toward reprimands and corrective orders rather than headline fines. But the risk isn't zero. The Spanish AEPD (Agencia Española de Protección de Datos) has issued hundreds of smaller fines in the €5,000 to €50,000 range against companies with unlawful marketing practices. The Italian Garante fined several companies for cold email marketing without a proper lawful basis. [7]

The more immediate risk for most small teams isn't a formal DPA investigation. It's a complaint from a recipient that triggers one, combined with the operational disruption and legal fees of responding. That process can cost more in time and money than the fine itself.

LeadCompliant's free GDPR checklist for outbound teams can help you spot the gaps most likely to draw a complaint before you launch a campaign.

The other risk is reputational. One viral LinkedIn post from an annoyed prospect about your non-compliant outreach can do more damage to a small company than a fine. People know their GDPR rights now, and they're willing to file complaints or shame companies publicly.

How does GDPR affect free lead generation platforms specifically?

Free tools, whether that's Hunter.io's free tier, Apollo's free plan, or open-source scrapers, carry the same GDPR obligations as paid platforms. The price you pay doesn't change your legal responsibilities as a data controller.

The practical issue with free lead generation platforms is that their compliance infrastructure is often thinner. Paid tiers of major platforms come with data processing agreements (DPAs), suppression list features, and dedicated privacy support. Free tiers often don't include a signed DPA, which is a problem because Article 28 of GDPR requires a written contract between a controller (you) and a processor (the platform) any time the processor handles personal data on your behalf. [1] Without a signed DPA, you're technically in violation before you send a single email.

Check whether a free platform you're using offers a DPA, even for free users. Some do: HubSpot's free CRM includes a DPA. Hunter.io offers one on request. Others don't, and that's a gap you need to close or accept as a risk.

Open-source scraping scripts that you run yourself put you in the position of both controller and, effectively, processor. You own all the compliance risk. If you're scraping LinkedIn profiles or company directories with a Python script, you need a lawful basis, you need to respond to data subject requests, and you need to log what data you collected and when. Almost nobody doing this at the small-team level has that documentation in place. That's a real vulnerability.

For teams doing SMS-based lead generation alongside email, keeping up with the full lead generation compliance news landscape, GDPR and TCPA both, is worth ongoing attention.

What are data subject rights and how must lead generation platforms handle them?

GDPR grants individuals several rights that apply even to people in your prospecting database who have never done business with you. [1] The ones most relevant to outbound lead generation are these.

The right to access (Article 15): A prospect can ask what data you hold on them, where you got it, the legal basis for processing it, and how long you plan to keep it. You have 30 days to respond.

The right to erasure (Article 17): Commonly called the "right to be forgotten." If someone asks you to delete their record, you generally have to comply. The main exception for B2B teams is that you can keep a suppression record (a minimal record of the email or phone number and the fact that they opted out) so you don't re-add them from another list pull.

The right to object (Article 21): This one bites hardest when you're relying on legitimate interests. A person can object to processing under legitimate interests, and you must stop unless you can demonstrate compelling legitimate grounds that override their interests. In practice, treat an objection like an opt-out request and honor it immediately.

The right to restriction (Article 18): The person can ask you to stop processing their data while you work out a dispute about accuracy or legal basis.

For a small outbound team, handling these requests manually works fine as long as volume is low. For larger teams or platforms handling millions of records, you need a system. Most major lead generation platforms now include a privacy portal or dedicated opt-out mechanism. If yours doesn't, build a simple one: a dedicated email address (privacy@yourdomain.com), a log of requests received, and a documented process for fulfilling them within 30 days.

Failing to respond to a data subject request is one of the more common enforcement triggers. It's also one of the easiest compliance wins, because responding well costs almost nothing.

How do AI lead generation tools create specific GDPR risks?

AI-powered prospecting tools, the kind that auto-generate lead lists, write personalized openers, or enrich contact records by crawling the web, introduce a few GDPR issues that traditional platforms don't.

The first is transparency. If you use an AI tool to generate a hyper-personalized email that references a prospect's recent LinkedIn post, their company's funding round, and their apparent tech stack, that email was built from personal data scraped from multiple sources. Under Article 14, you're supposed to tell the individual about all those sources. An opener that reads "I saw you just raised a Series B" without disclosing that you assembled a profile on them sits, at minimum, against the spirit of GDPR's transparency requirements, and arguably in technical violation of them.

The second is automated decision-making. Article 22 gives people the right not to be subject to decisions based solely on automated processing if those decisions produce legal or similarly significant effects. For most B2B prospecting, this isn't triggered because a human still decides who to contact. But if an AI tool automatically prioritizes or deprioritizes leads, sorts them into categories (like "high intent" or "not worth contacting"), and those categories meaningfully affect whether someone receives a commercial opportunity, you're in territory worth reviewing with counsel.

The third is data minimization under Article 5. GDPR says you should only process the data you actually need. AI enrichment tools often pull far more than a sales email requires: home addresses sourced from public records, personal social media profiles, biographical data. More data pulled means more data to protect, more to hand over in a subject access request, and more exposure if there's a breach.

For compliance-conscious teams using AI lead generation tools, a reasonable approach is to configure the tool to pull only the fields you actually use in outreach (name, company, job title, professional email, LinkedIn URL), and document that you made that choice on purpose as part of your data minimization practice.

What about transfers of B2B data outside the EU?

If you're a U.S.-based team using a U.S. data platform to store contact records for European prospects, you're doing an international data transfer. GDPR restricts transfers of personal data to countries outside the European Economic Area unless an adequacy decision is in place or another approved safeguard applies. [1]

The U.S. and EU established the EU-U.S. Data Privacy Framework (DPF) in 2023, which replaced the invalidated Privacy Shield. [8] U.S. companies that self-certify under the DPF can receive personal data from the EEA under that framework. ZoomInfo, Salesforce, HubSpot, and many other major platforms are certified. You can check the DPF list at the U.S. Department of Commerce's DPF website.

If your platform isn't DPF-certified and doesn't have Standard Contractual Clauses (SCCs) in its DPA with you, you may lack a legal basis for the transfer itself, separate from your processing basis. Many small teams overlook this gap entirely.

For platforms based in the UK, the UK GDPR applies with similar transfer restrictions. The UK has its own adequacy decisions and the UK's International Data Transfer Agreement (IDTA) as an alternative to SCCs.

Nobody knows how long the DPF will stay stable. Privacy Shield was invalidated twice (Safe Harbor in 2015, Privacy Shield in 2020 via the Schrems II decision). The DPF faces similar legal challenges. Keeping SCCs in place as a backup alongside DPF certification is the belt-and-suspenders approach most European privacy attorneys recommend.

What should a GDPR compliance checklist for B2B lead generation include?

Here's a practical checklist, not a legal opinion, for teams running outbound B2B campaigns targeting European contacts.

Lawful basis:

  • Identify and document the lawful basis for every campaign type (most will be legitimate interests)
  • Complete and retain a Legitimate Interests Assessment for each campaign category
  • Don't mix bases: pick one and document it

Transparency:

  • Include a privacy notice in the first email to cold contacts, naming your data source and legal basis
  • Make sure your company's external privacy policy describes your B2B outbound practices
  • Publish a clear, accessible way for people to opt out

Data processing agreements:

  • Confirm you have a signed DPA with every platform that processes personal data on your behalf
  • Check that platforms processing EU data are DPF-certified or use SCCs

List quality and suppression:

  • Scrub lists against your own suppression database before every campaign
  • Apply relevant national opt-out registries (e.g., Germany's Robinson list, UK TPS)
  • Remove or suppress records dormant beyond your documented retention period

Data subject rights:

  • Set up a dedicated inbox or portal for privacy requests
  • Log every request and the date received
  • Respond within 30 days, and honor opt-outs immediately

Data minimization:

  • Pull only the fields you actually need for outreach
  • Audit AI enrichment tools for fields they collect beyond your configured preferences

Breaches:

  • Have a documented plan for identifying and reporting breaches to your lead DPA within 72 hours if the breach is likely to harm individuals [1]

For teams running SMS outreach in parallel with email, the sms opt in requirements under both GDPR's ePrivacy layer and the TCPA are worth reviewing separately. The compliance bar for SMS is higher than for email in most jurisdictions.

How does GDPR interact with TCPA for U.S.-based outbound teams?

Most U.S. outbound teams focus on TCPA (47 U.S.C. § 227) for domestic compliance and either ignore GDPR or treat it as a European-only problem. Neither approach is safe if you're contacting European residents or using platforms that process their data. [9]

The TCPA governs calls and texts to U.S. phone numbers and says nothing about European contacts. GDPR governs any processing of data about EU residents, regardless of where you're based. The FCC's TCPA rules require prior express written consent for autodialed or prerecorded calls and texts to consumers. GDPR's consent standard for electronic marketing goes further in some ways (it must be as easy to withdraw as to give) and overlaps with the ePrivacy Directive's rules for marketing emails and calls.

Running a combined email and phone sequence that targets both U.S. and European contacts? You're operating under both frameworks at once. The practical solution is to segment your lists by geography and apply the stricter rules. For U.S. cell numbers, TCPA's prior express written consent standard governs if you're using an autodialer. For EU contacts, GDPR and local ePrivacy rules govern.

The FCC's 2024 one-to-one consent rule (which takes effect for SMS in 2025 under 47 C.F.R. part 64) tightened how consent obtained from lead generation forms must be attributed to individual callers, not shared across multiple companies. [10] That shift in U.S. rules mirrors the direction GDPR has always pointed: consent must be specific, not blanket.

For deeper reading on U.S. consent and text message rules, see sms double opt in and the full tcpa overview. If you use a marketing text message service for outbound, confirming it has GDPR-compatible data handling and a DPA is a separate step from confirming TCPA compliance.

LeadCompliant offers a free compliance kit covering both GDPR checklists and TCPA consent documentation templates for outbound teams managing both frameworks.

What should you ask a B2B lead generation platform before you buy?

Before you sign up for any B2B lead generation platform or AI lead generation tool that touches European contact data, ask these questions. The answers, or the refusal to answer, tell you a lot.

Where did this data come from, and under what lawful basis do you hold it? A credible vendor can describe their data collection methods and cite the legal basis they rely on. Vague answers like "we have compliance built in" are not enough.

Do you have a Legitimate Interests Assessment covering your data collection and resale? Cognism publishes theirs. Most platforms don't, but they should at least have one internally.

Will you sign a Data Processing Agreement with me, even on a free or starter plan? If they won't, that's a red flag under Article 28.

Are you certified under the EU-U.S. Data Privacy Framework? If you're a U.S.-based company, you can verify this at the DPF list directly. [8]

Do you scrub contacts against national do-not-contact registries? This matters specifically for phone outreach in Germany, the UK, France, and several other markets.

How do you handle data subject requests from contacts in your database? What's the process if someone wants to be removed from your platform entirely, more than from my account?

How long do you retain contact data, and what's your breach notification process? You need to know this to write your own privacy policy accurately.

Most sales reps won't know these answers off the top of their heads. Ask to speak with the platform's privacy or compliance team, or ask for their Trust and Safety or Privacy documentation. Any platform serious about GDPR compliance has this written down somewhere.

Frequently asked questions

Is GDPR relevant if I only send B2B emails, not consumer emails?

Yes. GDPR protects individual people, not consumer-vs-business categories. Any email addressed to an identifiable person, like firstname.lastname@company.com, involves personal data. You need a lawful basis (usually legitimate interests with a documented balancing test), a transparency notice in the email, and an opt-out mechanism. Role-based inboxes like info@company.com generally fall outside GDPR scope, but most B2B outreach targets named individuals.

Can I buy a contact list and use it for cold email under GDPR?

Technically yes, if the list vendor collected the data lawfully and you have your own lawful basis for using it. In practice, most list vendors can't adequately document the basis under which each record was collected. Buying a list transfers the risk to you as the data controller. You need a signed Data Processing Agreement with the vendor, and your first email must disclose the source of the data under GDPR Article 14. Verify the vendor's compliance before you buy.

What is a Legitimate Interests Assessment and do I actually need one?

A Legitimate Interests Assessment is a short documented analysis showing you've weighed your business interest in processing someone's data against their privacy rights. For B2B cold outreach, it's not legally optional if you're relying on legitimate interests as your lawful basis. Regulators have used the absence of an LIA as evidence of non-compliance. It doesn't need to be long, but it needs to exist and be specific to your campaign type.

How long can I keep prospect data under GDPR?

GDPR doesn't set a fixed retention period. It requires you to keep data no longer than necessary for your stated purpose and to document your retention policy. For B2B prospects who haven't engaged, 12 to 24 months is a commonly applied window before suppression or deletion. Whatever period you choose, document it, apply it consistently, and be able to explain it if a data protection authority asks.

Not exactly. GDPR is an EU-wide regulation, but member states implemented it with some national variations. Germany and Austria have stricter telemarketing rules. The UK's PECR (Privacy and Electronic Communications Regulations) adds rules for email and SMS marketing that sit alongside UK GDPR. For most B2B email outreach, a single documented legitimate interests basis covers most of the EU, but check the specific telemarketing rules for each country where you're making phone calls.

What happens if a prospect files a GDPR complaint about my cold email?

They file a complaint with their local data protection authority (DPA). The DPA investigates and may ask you to explain your lawful basis, transparency notice, and opt-out process. Outcomes range from a reprimand and corrective order to a fine. For a well-documented outbound process, a reprimand with a correction order is the typical outcome for a first infraction. Fines for small teams are less common but not unheard of, particularly in Spain and Italy.

Are AI tools that build lead lists from web scraping GDPR compliant?

Most aren't fully compliant by default. Web-scraping AI tools that collect personal data from websites need a lawful basis, must be able to respond to data subject requests, and must notify individuals about the processing under Article 14 within a reasonable timeframe. Most don't do this. When you use such a tool, you inherit the compliance risk as the data controller. Limiting the fields collected and documenting your lawful basis before using the tool reduces, but doesn't eliminate, that risk.

What's the difference between a data controller and a data processor for B2B lead generation?

You're the data controller: you decide why and how the personal data is processed. The lead generation platform is usually a data processor: it processes the data on your behalf per your instructions. GDPR requires a written Data Processing Agreement between you and any processor. If the platform also decides how to use the data independently (like building and selling its own database), it may also be a controller, which changes the compliance relationship and your liability.

Does GDPR apply to my team if we're based in the United States?

Yes, if you process personal data of people in the EU or UK in connection with offering them goods or services or monitoring their behavior (Article 3, GDPR). Cold outreach to European companies for the purpose of selling them your product is exactly this scenario. U.S. teams without an EU establishment may also need to appoint an EU representative under Article 27, though this requirement has exceptions for small-scale processing.

What is the EU-U.S. Data Privacy Framework and does my platform need to be on it?

The DPF is a mechanism that allows U.S. companies to receive personal data from the EU legally. It replaced Privacy Shield in 2023. If you're sending EU personal data to a U.S.-based lead generation platform, that platform should either be DPF-certified or your DPA with them should include Standard Contractual Clauses. You can check certification status at the U.S. Department of Commerce DPF list at dataprivacyframework.gov.

How does GDPR compliance differ between free and paid B2B lead generation platforms?

Your GDPR obligations as a data controller are identical regardless of what you pay. The practical difference is that free-tier platforms often don't include a signed Data Processing Agreement, have fewer suppression features, and offer less compliance support. Signing a DPA is a GDPR requirement whenever a third party processes personal data on your behalf. Check whether your free platform offers one before using it for any European contact data.

Can I use LinkedIn Sales Navigator for GDPR-compliant B2B prospecting?

LinkedIn Sales Navigator is one of the more defensible tools for GDPR-compliant prospecting because the underlying data comes from profiles users voluntarily made public, which supports a legitimate interests argument. You still need transparent outreach practices: don't scrape profiles with automated tools in violation of LinkedIn's terms, include a privacy notice when you reach out, and honor opt-out requests immediately. LinkedIn's own DPA and privacy infrastructure are generally solid.

What's the fastest way to close the most common GDPR gaps for an outbound team?

Four actions cover most of the risk: (1) Write a one-page Legitimate Interests Assessment for your main campaign type and keep it on file. (2) Add a four-sentence privacy notice to the bottom of every cold email naming your data source, legal basis, and opt-out method. (3) Get a signed DPA from every platform that touches your contact data. (4) Build a suppression list and a process to honor opt-outs within 24 hours. None of these require outside counsel to do.

Sources

  1. European Commission, GDPR full text (Regulation EU 2016/679): GDPR Articles 4, 5, 6, 13, 14, 15, 17, 18, 21, 22, 28, and 83 define personal data, lawful bases, data subject rights, processor contracts, and the two-tier fine structure up to €20M or 4% of global turnover.
  2. European Commission, ePrivacy Directive 2002/58/EC: The ePrivacy Directive regulates electronic marketing communications in EU member states and interacts with GDPR for email and SMS outreach; member states may implement stricter rules for corporate subscribers.
  3. European Data Protection Board, guidance on legitimate interests: EDPB guidance sets out the three-part test for relying on legitimate interests: a genuine interest, necessity of the processing, and a balancing against the individual's interests and rights.
  4. Apollo.io, Privacy Policy: Apollo.io claims legitimate interests as lawful basis for B2B data collected and processed on its platform.
  5. U.S. Federal Trade Commission, ZoomInfo settlement 2021: ZoomInfo reached a $52 million settlement in 2021 with the FTC and state attorneys general related to data collection and opt-out practices, illustrating enforcement risk for data platform businesses.
  6. CMS Law, GDPR Enforcement Tracker (European Data Protection Board enforcement statistics): Spanish AEPD and Italian Garante have issued multiple fines in the €5,000 to €50,000 range for cold email marketing without proper lawful basis or opt-out mechanisms.
  7. U.S. Department of Commerce, EU-U.S. Data Privacy Framework: The EU-U.S. Data Privacy Framework established in 2023 allows DPF-certified U.S. companies to receive personal data from the EEA lawfully; certification status is publicly searchable.
  8. U.S. Government Publishing Office, Telephone Consumer Protection Act, 47 U.S.C. § 227: 47 U.S.C. § 227 requires prior express written consent for autodialed or prerecorded calls and texts to U.S. consumers; it operates separately from GDPR for domestic outreach.
  9. UK Information Commissioner's Office, Direct marketing guidance: The UK ICO sets out rules for direct marketing under UK GDPR and PECR, including specific guidance for B2B email marketing and the conditions under which legitimate interests applies to corporate contacts.

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit