Every week, B2B sales teams in the UK receive emails offering contact databases: "10,000 verified decision-makers, GDPR compliant, ready to download." The price is appealing. The promise is speed. The risk is rarely discussed.
Buying contact data is not inherently illegal under UK GDPR. But the gap between legally defensible and practically risky is wide - and most purchased lists sit firmly on the risky side. Here is why, and what the alternative looks like.
The Hidden GDPR Risk in Purchased Lists
UK GDPR requires a lawful basis for processing personal data. For B2B prospecting, the most commonly cited basis is legitimate interest - your business has a legitimate reason to contact someone, and that interest is balanced against the individual's rights.
The problem with purchased lists is provenance. When you buy a list, you are inheriting someone else's data collection practices. And you rarely know what those practices were.
Consent chain breaks: The original data may have been collected under consent - but consent given to Company A does not transfer to Company B. If the data broker collected emails through a webinar registration form, the registrants consented to hear from the webinar host, not from every company that later purchases the list.
Legitimate interest is not transferable. Your legitimate interest in contacting a prospect is specific to your business relationship. You cannot inherit the data broker's legitimate interest assessment. You need your own - and conducting a legitimate interest assessment for 10,000 unknown contacts is impractical at best and a fiction at worst.
Right to erasure complications: If someone on a purchased list has previously exercised their right to erasure with the data broker (or with any company that shared their data upstream), contacting them is a violation. You have no way of knowing this from the list alone.
The ICO's position: The Information Commissioner's Office has been increasingly clear that purchased marketing lists are a compliance risk area. Their guidance states that organisations must "be able to demonstrate that they have a lawful basis for processing" - and "we bought it from a broker" is not a lawful basis.
Scraped Data: A Different Risk Profile
Some data providers do not sell pre-compiled lists. Instead, they scrape data from public sources - LinkedIn profiles, company websites, news articles, and public registers. The GDPR risk profile here is different but not absent.
Public availability does not equal free use. The fact that information is publicly visible does not mean it can be collected and processed without a lawful basis. A person's LinkedIn profile is public, but scraping it into a database for cold outreach still requires a legitimate interest assessment and must comply with data minimisation principles.
LinkedIn's terms of service: Separately from GDPR, LinkedIn prohibits scraping. While this is a contractual rather than a regulatory issue, it introduces operational risk - accounts get suspended, and data obtained in violation of terms of service may create legal exposure.
Accuracy risk: Scraped data is only as current as the source. A LinkedIn profile last updated 18 months ago may reflect a job the person no longer holds, an email address that no longer works, and a company association that is outdated.
Domain Reputation: The Cost Nobody Mentions
Even if the GDPR risk were zero - which it is not - purchased lists carry a practical cost that directly impacts revenue: domain reputation damage.
When you send outbound emails to a purchased list, a percentage will bounce (because the data is stale), a percentage will mark you as spam (because they did not ask to hear from you), and a percentage will simply ignore you (because the targeting is poor). Each of these signals degrades your sender reputation with email service providers.
Once your domain reputation drops below a certain threshold, your emails start landing in spam folders - not just for the purchased list contacts, but for everyone you email, including existing customers and warm prospects. Rebuilding a damaged domain reputation takes months.
The arithmetic is brutal. A purchased list of 5,000 contacts with a 15% bounce rate and a 2% spam complaint rate does not just waste the money you spent on the list. It degrades the deliverability of every email your company sends for the next 3-6 months.
There is a better approach. Our pipeline build service delivers verified, enriched prospect data sourced through proper research channels - with documented provenance and fresh verification for every record. Learn about GDPR-compliant prospecting.
What "Properly Sourced" Actually Means
Building pipeline data properly is slower and more expensive than buying a list. That is the honest trade-off. But the data you get is fundamentally different in quality, compliance, and effectiveness.
Documented legitimate interest: Each prospect is researched against your ideal customer profile. The legitimate interest basis is specific and documented: you are contacting this person because their company matches your ICP criteria and their role puts them in a position to benefit from your service. This is a defensible position under UK GDPR.
Fresh verification: Email addresses are verified at the point of pipeline delivery, not six months earlier when a broker compiled the list. Bounce rates for properly sourced data typically run below 3%, compared to 10-20% for purchased lists.
Opt-out respect: Properly sourced data can be checked against your suppression lists and the TPS/CTPS (Telephone Preference Service / Corporate Telephone Preference Service) registers before delivery. Purchased lists rarely come with this level of screening.
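One way to implement the pre-delivery screening described above, as an added example rather than the agency's own tooling. It assumes a suppression file of SHA-256 hashes of erased addresses (so the erased address itself is not retained), a local set standing in for the TPS/CTPS register lookup (real screening is done against the licensed registers), and a 30-day freshness limit on email verification; every sample record below is constructed.

```python
"""Pre-send screening for a prospect list: erasure suppression,
TPS/CTPS-style register check, verification freshness and provenance.

Added example with constructed data. The erasure set and the register
set are local stand-ins; the real TPS/CTPS check runs against the
licensed registers, not a file you hold.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import re

MAX_VERIFICATION_AGE_DAYS = 30  # assumption: how recent a deliverability check must be


@dataclass(frozen=True)
class Prospect:
    email: str
    phone: str          # as captured, any UK formatting
    source: str         # provenance note: how the record was researched
    verified_on: date   # date the address was last verified deliverable


def normalise_email(email: str) -> str:
    """Trim and lowercase so 'Jane.Doe@Example.COM ' matches 'jane.doe@example.com'."""
    return email.strip().lower()


def email_hash(email: str) -> str:
    """Hash the normalised address; erasure lists hold hashes, not addresses."""
    return hashlib.sha256(normalise_email(email).encode()).hexdigest()


def normalise_uk_phone(phone: str) -> str:
    """Reduce a UK number to E.164 so register lookups are exact.
    '020 7946 0000', '+44 20 7946 0000' and '+44 (0)20-7946-0000' -> '+442079460000'."""
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("44"):
        digits = digits[2:]
    if digits.startswith("0"):
        digits = digits[1:]
    return "+44" + digits


def screen(prospects, erasure_hashes, register_numbers, today):
    """Split prospects into (send, suppressed); suppressed maps email -> reasons."""
    send, suppressed = [], {}
    for p in prospects:
        reasons = []
        if email_hash(p.email) in erasure_hashes:
            reasons.append("erasure request on file")
        if normalise_uk_phone(p.phone) in register_numbers:
            reasons.append("number on TPS/CTPS-style register")
        if (today - p.verified_on).days > MAX_VERIFICATION_AGE_DAYS:
            reasons.append("email verification stale")
        if not p.source.strip():
            reasons.append("no documented provenance")
        if reasons:
            suppressed[normalise_email(p.email)] = reasons
        else:
            send.append(p)
    return send, suppressed


# Constructed sample data; the date is fixed so the run is reproducible.
TODAY = date(2024, 6, 1)
ERASURE_HASHES = {email_hash("erased.person@example.com")}
REGISTER_NUMBERS = {normalise_uk_phone("020 7946 0001")}
SAMPLE_PROSPECTS = [
    Prospect("Jane.Doe@Example.com", "+44 (0)20 7946 0000",
             "researched: company site, 2024-05", TODAY - timedelta(days=5)),
    Prospect("erased.person@example.com", "020 7946 0002",
             "researched: press release", TODAY - timedelta(days=3)),
    Prospect("ops@example.org", "020 7946 0001",
             "researched: company site", TODAY - timedelta(days=3)),
    Prospect("stale@example.net", "020 7946 0003",
             "researched: register filing", TODAY - timedelta(days=200)),
]


def run_sample():
    return screen(SAMPLE_PROSPECTS, ERASURE_HASHES, REGISTER_NUMBERS, TODAY)


if __name__ == "__main__":
    send, suppressed = run_sample()
    print(f"cleared to send: {[p.email for p in send]}")
    for email, reasons in suppressed.items():
        print(f"suppressed {email}: {', '.join(reasons)}")
```

Only records that clear every check reach the delivery file; the suppressed map is what you keep as evidence that the screening was done.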
Research context: A properly built pipeline record includes not just contact details but research context - company background, relevant news, potential pain points, and conversation hooks. This context transforms cold outreach into informed outreach, and the response rate difference is measurable.
Comparing the Numbers
Here is a realistic comparison for a UK B2B company targeting 1,000 accounts:
Purchased list:
- Cost: £500-2,000
- Delivery time: same day
- Email validity rate: 70-85%
- Expected bounce rate: 10-20%
- Expected reply rate: 0.5-1.5%
- GDPR risk: moderate to high
- Domain reputation impact: negative
Built pipeline:
- Cost: £3,000-8,000
- Delivery time: 3-5 weeks
- Email validity rate: 95%+
- Expected bounce rate: 1-3%
- Expected reply rate: 3-8%
- GDPR risk: low (with documented legitimate interest)
- Domain reputation impact: neutral to positive
The cost per contact is higher for built pipeline. The cost per meeting booked is lower - typically three to five times lower. And the GDPR exposure is in a different category entirely.
For a deeper comparison of the operational differences, see our analysis of data brokers versus data ops agencies. For broader context on GDPR and B2B prospecting, our GDPR guide for B2B prospecting covers the regulatory landscape in detail.
What would it cost your company if your primary email domain ended up in spam folders for three months?