
GDPR and B2B Prospecting: What You Can Legally Do in 2026

Using a prospecting tool to collect business emails and wondering if it's legal? Good news: B2B cold emailing is still allowed in 2026. But there are rules to follow. This guide covers what's permitted, what's not, and how to prospect in full compliance.

🏢
B2B Prospecting
No prior consent needed
Legal basis: legitimate interest
Pro email = OK with conditions
👤
B2C Prospecting
Consent required (opt-in)
Legal basis: consent
Personal email = forbidden without consent

1. Does GDPR Apply to B2B Prospecting?

Yes. Even in B2B, behind every company there are real people. A professional email like firstname.lastname@company.com is considered personal data under GDPR because it identifies an individual.

However, a generic address like contact@company.com is not personal data — it refers to the company (legal entity), not an individual. You can freely use it for prospecting.

Generic email
contact@company.com
✅ Not personal data
Named pro email
j.smith@company.com
⚠️ Personal data — regulated
Personal email
john.smith@gmail.com
❌ Opt-in required

2. Legitimate Interest: Your Legal Basis in B2B

GDPR provides 6 legal bases for processing personal data. In B2B prospecting, the one that applies is legitimate interest (Article 6.1.f of GDPR). In practice, this means you can contact a professional without their prior consent, provided you follow 3 rules:

🎯 Offer related to their job: professional relevance
📋 Transparent information: who you are + source
🚪 Right to object: unsubscribe link

1. Relevance. Your offer must relate to the prospect's professional activity. Selling accounting software to an accounting firm: OK. Selling diapers to a web developer: out of scope.

2. Transparency. You must clearly state who you are, why you're contacting them, and where you got their details. This is Article 14 of GDPR: when you obtain data from a third-party source (directory, website, scraping), you must inform the person no later than your first contact.

3. Right to object. Every prospecting email must include a simple way to unsubscribe. An "Unsubscribe" link at the bottom of the email is enough.

💡 In practice: add a line like "We are contacting you because our [X] services may interest your [Y] business. Your details were collected from your public website. To stop receiving our messages, click here."

3. Scraping Public Data: Is It Legal?

This is the question every prospecting tool user asks. The answer is nuanced:

Extracting publicly accessible data (Google Maps, business websites, public directories) is not prohibited by GDPR. The regulation doesn't specifically mention scraping. What matters is how you use the data.

✅ Allowed | ❌ Prohibited / Risky
Collecting emails from business websites | Mass scraping of LinkedIn (prohibited by their ToS)
Extracting Google Maps data (name, phone, address) | Collecting personal emails (@gmail, @hotmail)
Using data from public directories | Prospecting without an unsubscribe link
Contacting a professional with a relevant offer | Keeping inactive prospect data for more than 3 years
⚠️ LinkedIn Warning: LinkedIn explicitly prohibits automated scraping in its terms of service (section 8.2). The platform regularly sues companies that mass-scrape its data. Stick to public sources: Google Maps, websites, professional directories.

4. Penalties: What You Risk

Data protection authorities across Europe can sanction companies that don't comply with GDPR. Fines can reach €20 million or 4% of annual global turnover — whichever is higher.

€20M: maximum fine
4%: of annual global turnover
3 years: max data retention

In practice, penalties mainly target the absence of opt-out (no unsubscribe link), excessive data retention (beyond 3 years without interaction), and lack of transparency (the prospect doesn't know where their data came from).

5. New in 2026: B2C Phone Canvassing Switches to Opt-in

Starting in August 2026, B2C phone canvassing involving a human caller will require prior consent. This is a significant tightening for B2C companies.

For B2B, nothing changes: legitimate interest remains the applicable legal basis for prospecting by email and by phone. But the trend is clear: regulations are gradually tightening.

6. The 7 Rules for GDPR-Compliant Prospecting

Target only professional emails — never personal emails (@gmail, @hotmail) without consent.
Offer something relevant — related to the prospect's professional activity.
Identify yourself clearly — your company name, reason for contact.
State the data source — "details collected from your public website".
Include an unsubscribe link — functional and visible in every email.
Delete data after 3 years — without interaction, anonymize or delete.
Respect opt-out requests — when someone says stop, stop immediately.

7. ContactEra and GDPR

ContactEra was designed with GDPR compliance in mind:

Public data only. ContactEra collects publicly accessible information from Google Maps and business websites: names, addresses, phones, contact emails. No private data is extracted.

Data stored locally. Unlike cloud tools, your data stays on your computer. No transfer to third-party servers, no shared database. You are the sole data controller.

Generic emails preferred. ContactEra's email enrichment extracts emails found on business websites — mainly generic addresses (contact@, info@) that are not personal data.

GDPR-compatible export. Exported CSV/XLSX files can be directly imported into compliant emailing tools (Brevo, Lemlist, Mailchimp) that automatically handle unsubscriptions.

💡 ContactEra tip: in the Contacts tab, filter by "found email" (vs "generated email") to keep only emails actually present on websites. This is the cleanest and most compliant collection.

Sources and References

• CNIL — Commercial prospecting by email (cnil.fr)
• GDPR — Article 6.1.f (legitimate interest), Article 14 (information when data is collected indirectly), Article 21 (right to object)
• Alliance Digitale — "Commercial Prospecting & GDPR" infographic 2026 edition
• Leto.legal — "GDPR and B2B prospecting: what rules to follow?"
• Pharow — "B2B Cold emailing & GDPR: Complete Guide"

FAQ

Is B2B cold email legal under GDPR?

Yes, under legitimate interest (GDPR Article 6.1.f). You must identify yourself, include an unsubscribe link, and only contact professionals in a business context.
