Is it legal to buy B2B data in the US?

The short answer: legal, and the US is the permissive one

There’s no US law against buying, renting or licensing a B2B contact list, and unlike the UK, EU or Canada, US law does not require prior consent to cold-email a business. What it regulates is how you use the data, through three separate regimes that each cover a different channel:

• CAN-SPAM: commercial email.
• The TCPA and the Telemarketing Sales Rule: phone calls and texts.
• State privacy laws, led by California’s CCPA/CPRA: the data subject’s rights.

There is no single federal equivalent of the UK GDPR. Get the channel rules right and a bought B2B list is straightforwardly usable in the US.

CAN-SPAM: opt-out, not opt-in

The FTC’s CAN-SPAM Act is why US cold email is so much easier than European outreach: it never required prior consent and doesn’t ban bought lists. What it demands is honesty and an easy exit. Per the FTC’s compliance guide, every commercial email must:

• use accurate “From,” “To,” routing information and a non-deceptive subject line;
• identify the message as an advertisement;
• include your valid physical postal address; and
• tell recipients how to opt out, and honour opt-outs within 10 business days, without charging a fee or making them do more than reply or visit a single page.

These apply to every recipient: there is no B2B exemption from CAN-SPAM, and you stay responsible even when another company emails on your behalf. The FTC can seek civil penalties of more than $50,000 per offending email, so the cost of getting it wrong is real.

TCPA and Do-Not-Call: calling and texting are stricter

Phone is where the US tightens up. Calls and texts are governed by the Telephone Consumer Protection Act (TCPA) and the FTC’s Telemarketing Sales Rule, not CAN-SPAM. Two things matter for a bought list:

• The National Do Not Call Registry. The TSR makes it illegal to place most telemarketing calls to registered numbers, and the registry now reaches wireless numbers and texts. The DNC rules target consumers and residential lines, so a genuine business-to-business call to a company’s main line sits largely outside them; but that line blurs fast with sole proprietors and personal cell numbers, so screen against the registry wherever there’s doubt.
• Autodialed and pre-recorded calls and texts. Regardless of the DNC list, the FCC requires prior express written consent before an autodialed or pre-recorded telemarketing call or text to a wireless number. Since 27 January 2025 that consent must be “one-to-one” (specific to a single seller), so consent captured on a comparison site can’t be spread across many callers. Recipients can opt out at any time.

In short: manually dialing a business line from a bought list is broadly fine; firing an autodialer or SMS blast at mobile numbers is where you risk per-call TCPA penalties.

CCPA/CPRA: California treats business contacts as consumers

CAN-SPAM and the TCPA are about permission to make contact. California’s CCPA (as amended by the CPRA) is about the data subject’s rights, and it’s the one US regime that reaches B2B data. The B2B exemption that used to shield business-contact data expired on 1 January 2023, so a California resident’s work email, job title and phone number now carry the same rights as any other personal information: notice at collection, access, deletion, correction, and the right to opt out of the “sale” or “sharing” of their data.

If you buy or sell lists that include Californians and you meet the CCPA thresholds, you must give that notice and offer a “Do Not Sell or Share My Personal Information” route. Around twenty other states now have comprehensive privacy laws, but most keep a B2B carve-out. California is the outlier you plan around.

You’re still on the hook, and borders change everything

Buying from a vendor that calls itself “compliant” doesn’t transfer the liability; you’re the one sending, calling or controlling the data. Two practical consequences:

• Do basic due diligence on where the data came from and how fresh it is, the same reason we favour providers that publish their sourcing. See our methodology for how we weigh it.
• The moment you prospect across a border, the stricter regime applies. Emailing a UK or EU contact pulls you into GDPR plus national ePrivacy rules; a Canadian contact into CASL’s opt-in regime. Our guide on whether buying B2B data is legal in the UK covers that side in full.

How the US compares: UK, EU and Canada

The US is the permissive end of the spectrum. Here’s the one-line version for cold-emailing a bought B2B list across the four markets:

Jurisdiction	Cold-email a bought B2B list?	The key condition
US	Yes	CAN-SPAM is opt-out: honest headers, an ad disclosure, a physical postal address, and honour opt-outs within 10 business days. No prior consent needed
UK	Yes for corporate subscribers; generally no for individuals	Identify yourself + opt-out, pass the UK GDPR test, and inform people within one month (Article 14)
EU	Depends on the member state	No single rule: the ePrivacy Directive is national law (France allows legitimate interest, Germany leans opt-in), plus GDPR everywhere
Canada	Generally no	CASL is opt-in; a bought list isn’t a lawful basis on its own

CAN-SPAM’s permissiveness is the genuine US advantage, but it stops at the channel and the border. The TCPA still gates calls and texts, California’s CPRA gives business contacts full data rights, and the moment you email into the UK, EU or Canada the stricter regimes take over.

A note on currency

Federal email rules (CAN-SPAM) have been stable since 2003, but the telemarketing and state-privacy layers are moving: the TCPA’s one-to-one consent rule took effect in 2025, and new state privacy laws come online most years. The position above was current as of June 2026; check the cited FTC, FCC and California sources before you rely on it, which is exactly why we date and source every claim.