ColdEmailLegal

Is Buying Email Lists Legal? US, EU, and Canada Rules Explained

Buying an email list is not illegal in the United States — CAN-SPAM is an opt-out regime that doesn't require prior consent. But in the EU and Canada, purchased consumer lists are effectively unusable: GDPR consent and CASL consent attach to the company that collected them and don't transfer with a sale. The meaningful legal line is between consumer lists and properly sourced B2B contact data.

This question gets two confident wrong answers. "It's totally fine" ignores GDPR and CASL. "It's always illegal" isn't true anywhere — no major regime bans the purchase itself. What the law regulates is the sending, and the rules differ sharply by jurisdiction and audience.

United States: legal, regulated at the send

The CAN-SPAM Act doesn't require consent before emailing someone commercially. It requires honest headers and subject lines, a physical address, a working opt-out honored promptly, and no emailing of addresses you obtained through prohibited harvesting methods. Emailing a purchased list can be fully CAN-SPAM compliant — the penalties (up to $53,088 per email; see our penalties breakdown) attach to deceptive practices and ignored opt-outs, not to how you sourced the address.

The real US risk with bought lists is operational: stale addresses, spam traps, and recipients who never engaged tank your deliverability — which is a business problem before it's a legal one.

European Union: consent doesn't transfer

Under GDPR, an email address tied to an identifiable person is personal data, and you need a lawful basis to process it. Purchased consumer lists almost never qualify: the consent the list broker collected (if any) named them, not you — UK and EU guidance is consistent that consent must be specific to the sender. For B2B outreach, many EU member states allow a legitimate-interest basis for relevant, professional communication with corporate contacts — but you still owe transparency, relevance, and easy objection. Our GDPR cold email guide covers the framework in detail.

Canada: the strictest regime

CASL requires express or implied consent before sending a commercial electronic message, and penalties reach $1 million per violation for individuals and $10 million for corporations. Implied consent exists in defined B2B circumstances (a published business address with no no-solicitation notice, an existing business relationship), but a purchased consumer list satisfies none of them. Canada is where bought lists go to become liabilities.

The distinction that actually matters: consumer lists vs. B2B data

  • Consumer email lists (B2C, personal addresses): compliant use is nearly impossible outside the US, and reputationally costly inside it.
  • B2B contact data (business roles, corporate addresses, documented sourcing): lawful under CAN-SPAM, defensible under GDPR legitimate interest when outreach is relevant and respectful, and capable of qualifying for CASL's implied consent categories.
  • Provenance is the whole game: you should be able to answer where every address came from. "A broker sold it to us" is not an answer regulators accept.

That's the standard to hold any data provider to. Platforms like Sales.co exist on the right side of this line: verified B2B contact data with documented, compliant sourcing — not anonymous consumer lists — paired with sending infrastructure that keeps the CAN-SPAM mechanics (opt-out, identification, headers) handled by default.

Get new benchmarks & guides by email

Fresh data and tactical guides as we publish them. Monthly at most, unsubscribe anytime.