Is it legal to buy B2B data in the UK?

The short answer: buying is legal, using it is where the rules live

There is no law against buying, renting or licensing a B2B marketing list in the UK. The Information Commissioner’s Office (ICO) treats it as a normal commercial activity, noting that many organisations, including data brokers, offer information for direct marketing for sale, rent or on licence.

The legal weight falls on what you do next. Two regimes apply at once:

• UK GDPR governs whether you can lawfully hold and process the personal data (a named work email like jane@company.com is personal data).
• PECR (the Privacy and Electronic Communications Regulations) governs whether you can send marketing by email, text or phone.

Get both right and a bought B2B list is perfectly usable. Get either wrong and the list becomes a liability.

UK GDPR: you’re the controller now

The moment you buy a list, you become the data controller and are accountable for it. The ICO is blunt that a seller’s compliance does not transfer to you: it is not enough to simply accept a third party’s assurances that the information they are supplying to you is compliant.

You need a lawful basis before you obtain the data. For prospecting, that’s almost always legitimate interests under Article 6(1)(f), which requires a three-part test: purpose, necessity, and a balancing test against the individual’s rights. The ICO warns that the balancing test is harder to pass for bought data, because people are less likely to reasonably expect what you want to do with it when it wasn’t collected from them directly. Document it in a Legitimate Interests Assessment.

The Article 14 trap most buyers miss. When you obtain personal data indirectly, you must proactively tell people you hold it. Under Article 14 that means within a reasonable period and at the latest one month, or at your first communication with them, whichever comes first. You also have to tell them the categories of data you hold and where it came from.

PECR: the corporate vs individual subscriber split

This is the rule that decides who you can email, and the distinction the vendors selling you lists rarely explain.

• Corporate subscribers: limited companies, PLCs, LLPs, Scottish partnerships and government bodies. An employee’s work address counts as corporate because the subscriber is the employer. The ICO confirms the PECR rule on direct marketing email does not apply to corporate subscribers, so you do not need prior consent to email them.
• Individual subscribers: sole traders and ordinary (non-LLP) partnerships. PECR treats them like consumers, so the consumer email rule in Regulation 22 applies and you generally need consent.

Crucially, the “soft opt-in” exception that lets you email existing customers does not apply to prospective customers or new contacts such as bought-in lists. So a bought list of individual subscribers is, in practice, off-limits for cold email. If you can’t tell which a contact is, the ICO says treat it as an individual.

Even when you’re emailing corporate subscribers without consent, you must not disguise your identity, you must give a valid opt-out address, and (because the data is still personal data) the UK GDPR right to object to direct marketing is absolute.

Phone calls: screen against TPS and CTPS

Before making live marketing calls you must screen numbers against the Telephone Preference Service (TPS) and its corporate equivalent (CTPS). The ICO requires that you check phone numbers against these registers before you make the calls. For B2B you should screen against both, because some businesses register with one and some the other, and registrations take 28 days to take effect. Automated (recorded) marketing calls need consent even from corporate subscribers.

Do your due diligence before you buy

Because you carry the liability, the ICO expects you to vet the source before using it: who compiled the list, where the data came from, what people were told (including whether you were named as a recipient), how old it is, and whether it’s been screened against suppression lists. If a provider can’t evidence that, the ICO’s position is that you should not use the data. This is the single best reason to favour providers that publish their sourcing and compliance posture; see our methodology for how we weigh it.

How the UK compares: US, EU and Canada

The rules change sharply across borders. If you’re prospecting internationally, here’s the one-line version for cold-emailing a bought B2B list:

Jurisdiction	Cold-email a bought B2B list?	The key condition
UK	Yes for corporate subscribers; generally no for individuals	Identify yourself + opt-out, pass the UK GDPR test, and inform people within one month (Art 14)
EU	Depends on the member state	No single “PECR”; the ePrivacy Directive is national law (France allows legitimate interest, Germany leans opt-in) plus GDPR everywhere
US	Yes	CAN-SPAM is opt-out: honest headers, an ad disclosure, a physical postal address, and honour opt-outs within 10 business days
Canada	Generally no	CASL is opt-in; a bought list isn’t a lawful basis on its own, narrow “conspicuous publication” implied consent aside

The US is the permissive outlier: CAN-SPAM never required prior consent and doesn’t ban bought lists. The EU is generally stricter and less uniform than the UK, and in California the B2B exemption from the CCPA expired at the end of 2022, so business contacts there now have full consumer data-rights. Canada’s CASL is the strictest of the four.

A note on currency

UK direct-marketing guidance is in flux: following the Data (Use and Access) Act 2025, several ICO pages now carry an “under review” banner, and Regulation 22 itself has been amended. The principles above were current as of June 2026, but check the cited ICO and legislation.gov.uk pages before you rely on them, which is exactly why we date and source every claim.