Is Buying B2B Data Legal in the UK?

Is buying B2B data legal in the UK?

It is one of the most common questions asked by founders, sales directors and marketing managers considering outbound lead generation. And it is usually asked with hesitation.

Some have heard that purchased data is automatically non-compliant. Others have been told that cold email is effectively banned. Many simply avoid the topic altogether because the rules feel unclear and the risk feels reputational as much as legal.

The result is uncertainty. And uncertainty often leads to inaction.

In reality, the answer is more nuanced than the rumours suggest. Buying B2B data in the UK is not unlawful in itself. What matters is how that data was sourced, how it is processed, and how it is used within your outreach strategy. Compliance is less about whether you purchase data and more about whether you apply discipline when you use it.

This guide is written for UK SMEs that want clarity rather than opinion. We will explain what counts as B2B data, how UK GDPR and PECR apply in practice, what legitimate interest really means for outbound activity, and what actually creates compliance risk. We will also cover practical steps you can take before buying data and how to structure outreach responsibly once you have it.

By the end, you should have a clear understanding of where the legal boundaries sit, what good practice looks like, and how to approach outbound lead generation with confidence rather than caution.

The Short, Direct Answer

Yes, buying B2B data is legal in the UK.

There is no law that prohibits a business from purchasing contact data relating to other businesses. What the law regulates is how personal data is processed, stored and used. The distinction is important.

Many of the concerns surrounding B2B data come from confusion between consumer marketing and business-to-business marketing. The rules are stricter when communicating with private individuals about personal matters. In a B2B context, the regulatory framework recognises that businesses need to communicate with other businesses in order to trade.

However, legality does not mean freedom to act without structure. If the data identifies an individual within a company, such as a named director or manager, then UK GDPR applies. If you are sending marketing emails or making sales calls, PECR may also apply. The compliance question is not whether you can buy the data, but whether you can justify and document how you use it.

In practical terms, a compliant approach usually involves:

• Ensuring the data was sourced lawfully
• Contacting individuals in roles relevant to your offering
• Having a clear and proportionate business reason for outreach
• Providing a straightforward opt-out mechanism
• Respecting suppression and unsubscribe requests

Where businesses encounter problems, it is rarely because they purchased data. It is because they used it without segmentation, without relevance, or without process discipline.

So the short answer remains yes. Buying B2B data in the UK is legal. The more important question is whether your use of that data is structured, proportionate and commercially sensible.

What Counts as B2B Data?

Before discussing compliance in detail, it helps to clarify what we mean by B2B data.

In simple terms, B2B data refers to information about businesses and the people who work within them. It typically includes:

• Company name
• Company address
• Industry classification
• Company size
• Website
• Telephone number

At this level, we are dealing with company information. Company-level data on its own is not personal data. For example, a registered company name and office address are public facts.

The complexity begins when an identifiable individual is attached to that company record.

Examples include:

• Jane Smith, Finance Director, ABC Engineering Ltd
• john.smith@companyname.co.uk
• Direct dial telephone number linked to a named employee

Even though the context is business-related, the information still relates to a living individual. Under UK GDPR, that makes it personal data.

This is where confusion often arises. Some assume that because the data is “business” data, it falls outside GDPR entirely. That is not correct. If you are holding or using a named person’s contact details, GDPR considerations apply.

However, the fact that it is personal data does not make it unlawful to use. It simply means you must process it lawfully and fairly.

There is also a distinction between generic and named contact details.

For example:

info@companyname.co.uk
sales@companyname.co.uk

These generic inboxes are not linked to a specific individual and are therefore less likely to raise personal data concerns. In contrast:

firstname.lastname@companyname.co.uk

This identifies a specific person and must be treated accordingly.

In practice, most effective B2B outreach involves contacting decision-makers in defined roles. That means working with personal data within a business context. The key question is not whether the data is personal, but whether your use of it is appropriate to the role and proportionate to your purpose.

If you are contacting a Marketing Director about marketing software, that is fundamentally different from sending unrelated promotions to someone whose role has no connection to your product or service.

Relevance is central.

Understanding this distinction between company data and personal data within a business context is the foundation for applying the legal framework correctly. In the next section, we will look at that framework in plain English.

The Legal Framework in Plain English

To answer the question properly, you need a working understanding of two key regulations in the UK:

• UK GDPR
• PECR

You do not need to be a lawyer to apply them sensibly, but you do need to understand what each one governs.

UK GDPR

The UK General Data Protection Regulation governs how personal data is processed. Processing includes collecting, storing, organising, using, sharing and deleting data.

If your B2B dataset includes named individuals and their business contact details, you are processing personal data. That means you must:

• Have a lawful basis for processing
• Be transparent about who you are
• Keep the data secure
• Respect individuals’ rights
• Avoid keeping data longer than necessary

GDPR does not prohibit marketing. It requires that marketing involving personal data is justified, proportionate and transparent.

The Information Commissioner’s Office, known as the ICO, is the UK regulator responsible for enforcing these rules.

PECR

The Privacy and Electronic Communications Regulations sit alongside GDPR and focus specifically on electronic marketing.

PECR covers:

• Email marketing
• SMS marketing
• Telephone marketing
• Cookies and tracking technologies

For B2B email marketing, the rules are different from B2C marketing.

In general:

• You can send unsolicited marketing emails to corporate subscribers, such as limited companies, provided you identify yourself and offer a clear opt-out.
• The rules are stricter for sole traders and partnerships, as they are treated more like individuals.

For telephone marketing, you must consider the Telephone Preference Service and Corporate Telephone Preference Service lists, depending on who you are contacting.

The important point is that GDPR and PECR operate together. GDPR determines whether you are processing personal data lawfully. PECR determines whether your method of electronic communication is permitted.

The B2B vs B2C Difference

Many of the myths around buying B2B data come from confusion between consumer marketing and business marketing.

In consumer marketing, consent is often required before sending promotional emails. In B2B marketing to corporate entities, consent is not always required in the same way.

That does not mean there are no rules. It means the rules are applied differently.

In practice, this means:

• Contacting a Marketing Director at a limited company is treated differently from emailing a private individual at their personal Gmail address.
• Marketing to a sole trader may require greater caution because their business identity and personal identity are legally intertwined.

Understanding this distinction removes much of the fear surrounding B2B data. The law recognises that businesses need to approach other businesses commercially. It simply expects that this is done responsibly and transparently.

In the next section, we will look at the concept that underpins most compliant B2B outreach: lawful basis, and in particular, legitimate interest.

Lawful Basis and Legitimate Interest in Practice

Under UK GDPR, every organisation processing personal data must identify a lawful basis for doing so.

There are six possible lawful bases. In a B2B marketing context, the one most commonly relied upon is legitimate interest.

Understanding legitimate interest properly is critical to answering the question, “Is buying B2B data legal in the UK?” because in most cases, this is the foundation that makes it lawful to use purchased data for outreach.

What Is Legitimate Interest?

Legitimate interest allows a business to process personal data where:

• There is a genuine and lawful business interest
• The processing is necessary to achieve that interest
• The individual’s rights and freedoms are not overridden

In practical terms, this means you can contact a business professional about something relevant to their role, provided your outreach is proportionate and respectful.

For example:

• Contacting a Finance Director about financial software
• Contacting a Head of HR about recruitment services
• Contacting a Marketing Manager about marketing technology

These examples demonstrate role relevance. The communication aligns with the individual’s professional responsibilities.

In contrast:

• Contacting a junior administrator about a complex enterprise solution
• Sending generic promotions unrelated to someone’s function
• Repeatedly messaging the same person after they have shown no interest

These scenarios are harder to justify under legitimate interest.

The Three-Part Test

When relying on legitimate interest, businesses are expected to consider three questions:

  1. Purpose test
    Is there a legitimate commercial reason for processing this data?

  2. Necessity test
    Is processing this specific data necessary to achieve that purpose?

  3. Balancing test
    Does your interest outweigh any potential impact on the individual?

This does not require a 20-page legal document. For most SMEs, it involves documenting sensible reasoning. If challenged, you should be able to explain why the outreach was relevant and proportionate.

What Proportionate Outreach Looks Like

Proportionate outreach typically means:

• Contacting people whose roles align with your offer
• Sending a limited number of well-targeted communications
• Identifying yourself clearly
• Providing an easy way to opt out
• Respecting requests to unsubscribe immediately

It does not mean:

• Purchasing a broad list and sending mass generic emails
• Ignoring opt-out requests
• Persistently contacting individuals who have shown disinterest

The difference between compliant and non-compliant outreach is often discipline, not legality.

When Legitimate Interest May Not Apply

There are situations where legitimate interest may be weaker:

• Marketing to sole traders where personal and business identities overlap
• Contacting individuals outside their professional remit
• Processing sensitive categories of data
• Using data in ways that individuals would not reasonably expect

This is why relevance and clarity are so important.

If your outreach feels logical, role-specific and commercially relevant, it is usually easier to justify. If it feels opportunistic or excessive, it becomes harder to defend.

In short, buying B2B data can be legal because legitimate interest allows you to contact relevant business professionals. The compliance question is whether your outreach is structured around clear commercial relevance and reasonable expectations.

In the next section, we will address the most common myths that continue to create confusion for UK SMEs.

If you would like a detailed breakdown of how this works in practice, read our guide on what is legitimate interest in B2B marketing.

Common Myths That Cause Confusion

Despite clear regulatory guidance, there is still significant misunderstanding around B2B data in the UK. Much of the hesitation SMEs feel comes from repeated myths rather than the actual wording of the law.

Let’s address the most common ones directly.

Myth 1: “Buying B2B data is illegal”

This is the most persistent misconception.

There is no law in the UK that makes it illegal to purchase B2B contact data. What matters is how that data was sourced and how you use it.

If a data supplier collected information lawfully and you process it under a valid lawful basis, such as legitimate interest, the act of buying the data is not the issue.

Problems arise when businesses:

• Do not check how the data was obtained
• Use it without relevance
• Fail to provide opt-outs
• Ignore compliance responsibilities

The purchase itself is not unlawful. Misuse is where risk emerges.

Myth 2: “Cold email is banned in the UK”

Cold email is not banned.

For corporate subscribers, such as limited companies, unsolicited marketing emails are permitted under PECR, provided you:

• Identify your business clearly
• Provide valid contact details
• Offer a simple opt-out mechanism

The rules are stricter for sole traders and partnerships, which are treated more like individuals. That distinction is often overlooked.

Many SMEs assume that because consumer spam is heavily regulated, B2B outreach must also be prohibited. In reality, the framework recognises commercial communication between businesses.

Myth 3: “You need consent for all B2B marketing”

Consent is one lawful basis under GDPR, but it is not the only one.

In B2B marketing, legitimate interest is commonly used instead of consent. That means you do not always need prior opt-in consent to contact a business professional.

However, this does not mean ignoring fairness or transparency. Legitimate interest requires:

• Relevance
• Proportionality
• Respect for opt-outs

Consent may still be appropriate in certain contexts, but it is not universally required for all B2B outreach.

Myth 4: “If it’s business data, GDPR doesn’t apply”

This is partially true and partially false.

Pure company-level information does not fall under GDPR. However, once you attach a named individual to that company record, you are processing personal data.

For example:

• A company name and office address alone are not personal data.
• A named Operations Director with a business email address is personal data.

GDPR applies to the latter.

Ignoring this distinction can create unnecessary exposure.

Myth 5: “One complaint means you are in breach”

Receiving a complaint does not automatically mean you have broken the law.

In B2B outreach, some recipients will object to unsolicited contact. The key issue is how you respond.

A compliant organisation will:

• Honour opt-out requests immediately
• Maintain suppression lists
• Avoid repeated unwanted contact

Isolated complaints are part of commercial outreach. Systemic disregard for compliance obligations is where enforcement risk increases.

Much of the fear around buying B2B data stems from oversimplified statements and second-hand advice. The regulatory environment is structured, but it is not designed to prevent legitimate business communication.

In the next section, we will move from myths to reality and examine what actually creates compliance risk in practice.

What Actually Creates Compliance Risk

When enforcement action occurs in the UK, it is rarely because a business simply purchased B2B data.

Compliance risk usually arises from behaviour, not the transaction itself.

Understanding what genuinely creates exposure is far more useful than focusing on myths.

1. Poor Targeting and Irrelevance

One of the most common risk factors is contacting individuals whose roles have no logical connection to your product or service.

For example:

• Emailing junior administrative staff about enterprise software
• Contacting operations teams about unrelated marketing services
• Sending generic promotions to entire company databases without segmentation

If outreach lacks relevance, it becomes harder to justify under legitimate interest. Relevance is not just a commercial best practice. It is a compliance safeguard.

2. No Clear Opt-Out or Suppression Process

Under PECR, marketing emails must include a simple and clear way to opt out.

Risk increases when businesses:

• Omit unsubscribe mechanisms
• Make opt-out processes difficult
• Fail to maintain suppression lists
• Continue contacting individuals after an objection

Repeated contact after someone has opted out is one of the clearest red flags.

A structured suppression process is not optional. It is fundamental.

3. Excessive Volume and Frequency

Sending one well-targeted message is very different from repeatedly contacting the same person across multiple channels without response.

Compliance risk grows when outreach becomes excessive.

Proportionate communication usually involves:

• Defined cadences
• Reasonable intervals
• A clear stopping point if there is no engagement

Persistence without discipline increases both reputational and regulatory exposure.

4. Lack of Internal Documentation

Many SMEs operate informally when it comes to compliance reasoning.

If challenged, you should be able to demonstrate:

• Why you believed legitimate interest applied
• Why the individual’s role was relevant
• How you sourced the data
• How opt-outs are handled

This does not require legal complexity. It requires structured thinking.

A short documented legitimate interest assessment can significantly strengthen your position.

5. Over-Reliance on Third Parties Without Due Diligence

Some businesses assume that if they buy data from a supplier, compliance responsibility transfers entirely to that supplier.

It does not.

You remain responsible for how you process and use the data.

Failing to ask basic questions about sourcing, updating processes and opt-out handling increases risk unnecessarily.

6. Keeping Data Indefinitely

GDPR requires that personal data is not kept longer than necessary.

If you purchase B2B data and leave it sitting unused for years without review, that may create avoidable exposure.

Regular review and cleaning of datasets is both commercially sensible and compliance-aligned.

In practice, most compliance issues stem from lack of structure rather than intentional wrongdoing.

Irrelevance.
Excess.
Poor process discipline.

Buying B2B data can be legal and commercially effective. Using it without clear targeting, suppression controls and documentation is where risk begins to grow.

In the next section, we will look at what sensible due diligence looks like before purchasing B2B data in the first place.

Practical Due Diligence Before Buying B2B Data

If buying B2B data can be legal, the next sensible question is: how do you reduce risk before you even start using it?

Due diligence is where compliance and commercial discipline meet. A structured approach at this stage prevents most downstream issues.

Below is a practical checklist SMEs can use before purchasing B2B contact data.

1. Ask How the Data Was Sourced

You should understand, at a high level:

• Where the data originates
• Whether it was collected from public sources, direct research, third-party aggregation or other lawful means
• Whether the supplier has its own compliance processes

You do not need every technical detail, but you should feel confident that the supplier can explain its sourcing approach clearly and consistently.

If a supplier avoids this question or provides vague answers, that is a warning sign.

2. Understand How Often the Data Is Updated

Business data changes constantly. People change roles. Companies close. Email addresses become inactive.

Ask:

• How frequently is the dataset refreshed?
• How are inaccuracies handled?

Outdated data is not only commercially inefficient. It increases the likelihood of contacting irrelevant individuals, which weakens your legitimate interest position.

3. Review the Fields Included

Look carefully at what information is being provided:

• Job title
• Seniority level
• Industry classification
• Company size
• Location

The more structured the dataset, the easier it is to segment properly.

A list that simply provides thousands of names with minimal context encourages broad, unfocused outreach. Structured fields support relevance and proportionality.

4. Clarify Opt-Out and Suppression Handling

Ask the supplier:

• How are opt-out requests managed?
• Is there a suppression mechanism?
• What happens if a contact objects?

Even though you are responsible for your own suppression list, it is helpful to understand how the supplier manages complaints or data corrections.

You should also ensure your own systems can record and honour opt-out requests consistently.

5. Request Sample Data

Before committing to a purchase, request a sample.

Review:

• Data formatting
• Field consistency
• Job role clarity
• Company accuracy

This is not only a commercial check. It allows you to assess whether the data structure supports targeted and proportionate outreach.

6. Avoid Overbuying

Another common mistake is purchasing large, broad datasets without a clear use case.

Instead:

• Define your ideal customer profile first
• Narrow by industry, size and role
• Purchase only what you can realistically use within a defined timeframe

Buying more data than you can use sensibly increases storage and management risk without improving performance.

7. Document Your Reasoning

Finally, document why you are purchasing the data.

For example:

• We are targeting Operations Directors in UK manufacturing firms with 20–200 employees.
• Our service directly supports operational efficiency.
• We will contact each individual no more than three times over a defined period.

This simple written rationale demonstrates structure and intent. It also strengthens your position if questions arise later.

Due diligence does not need to be complex. It needs to be deliberate.

When you approach purchasing B2B data with clarity about sourcing, structure and relevance, you significantly reduce compliance risk before the first message is ever sent.

In the next section, we will look at best practice when actually using purchased B2B data across email, telephone and post.

Best Practice When Using Purchased B2B Data

Once you have purchased B2B data responsibly, the focus shifts to how you use it.

This is where compliance and commercial performance intersect most clearly. A disciplined approach to outreach not only reduces risk, it improves response rates and protects your brand reputation.

Below are best practice principles across email, telephone and postal marketing.

Email Marketing

Email is the channel most commonly associated with compliance concerns. In a B2B context, it can be effective when structured properly.

Best practice includes:

Clear identification
Every email should clearly state who you are, the business you represent and how the recipient can contact you.

Simple opt-out mechanism
Provide a straightforward way to unsubscribe. This can be a link or a clear reply instruction. It must be easy to use.

Role-relevant messaging
Tailor the message to the recipient’s function. A generic message sent to thousands of contacts is far harder to justify than a targeted communication aligned with a specific role.

Reasonable frequency
Avoid excessive follow-up. Define a clear cadence. For example, two or three well-spaced messages rather than daily outreach.

Immediate suppression handling
If someone unsubscribes or objects, record it immediately and ensure they are not contacted again.

Email compliance is less about perfection and more about structure. Clear identity, relevance and respect for opt-outs are fundamental.

If you are specifically asking whether cold outreach is permitted, you can read our detailed guide on is cold emailing businesses legal in the UK.

Telephone Marketing

Telephone outreach can be highly effective in B2B environments, but it requires awareness of preference registers and respectful conduct.

Best practice includes:

Checking relevant registers
Ensure you are not contacting numbers registered with the appropriate preference service without lawful grounds.

Identifying yourself clearly
State who you are and the organisation you represent at the start of the call.

Handling objections professionally
If someone asks not to be contacted again, record it and honour it.

Keeping records
Documenting calls and objections helps demonstrate responsible conduct if needed.

Telephone outreach that is targeted, respectful and well-documented is generally easier to justify than high-volume indiscriminate calling.

Postal Marketing

Postal outreach is often overlooked but can be effective and lower-friction in some B2B contexts.

Best practice includes:

Accurate addressing
Ensure the data used for mailing is accurate and relevant to the intended recipient.

Clear business identification
As with other channels, transparency matters.

Controlled volume
Avoid repeated unsolicited mailings to the same recipient without response.

Postal marketing typically attracts fewer regulatory concerns than electronic communication, but proportionality and relevance still apply.

Multi-Channel Discipline

Many SMEs combine email, telephone and post in structured campaigns. This can be effective, but coordination is important.

Avoid:

• Bombarding the same individual across multiple channels in a short period
• Continuing outreach after an opt-out in one channel
• Losing track of communication history

A joined-up system that tracks contact history across channels strengthens both compliance and commercial performance.

Ultimately, the safest and most effective B2B outreach follows the same principles across all channels:

Relevance.
Transparency.
Proportionality.
Respect for objections.

When these principles are embedded in your process, buying B2B data becomes one part of a structured and responsible lead generation system.

In the next section, we will step back from the legal detail and look at the commercial reality facing UK SMEs today.

The Commercial Reality for UK SMEs

The legal discussion is important, but it should not exist in isolation from commercial reality.

Many UK SMEs hesitate to use purchased B2B data not because it is unlawful, but because they are unsure. That uncertainty often leads to over-reliance on a single channel, typically referrals or inbound marketing.

Referrals are valuable, but they are rarely predictable. Inbound marketing can be powerful, but it can also fluctuate with algorithm changes, competition and budget cycles.

When outbound activity is avoided entirely due to compliance fear, pipeline stability suffers.

In practice, the SMEs that generate consistent sales conversations tend to share a few characteristics:

• They understand the rules rather than reacting to rumours
• They define their ideal customer profile clearly
• They contact decision-makers relevant to their offer
• They document their reasoning
• They build structured follow-up processes

Compliance and commercial discipline are closely aligned. Businesses that approach B2B data with structure often see stronger results, not just lower risk.

Avoidance rarely creates stability. Structured action does.

The reality is that business-to-business communication has always been part of commercial life. Companies need to introduce themselves, present solutions and start conversations.

The regulatory framework in the UK does not prevent this. It sets expectations for fairness, transparency and proportionality.

For SMEs willing to understand those expectations and operate within them, purchased B2B data can form part of a balanced and predictable lead generation strategy.

In the final section, we will summarise the key points so you can review the essentials quickly.

Executive Summary: The Key Points in One Place

If you want the essentials without revisiting every section, here is the short version.

Is buying B2B data legal in the UK?
Yes. There is no law that prohibits purchasing B2B contact data. What matters is how you use it.

What the Law Actually Says

• UK GDPR applies when the data identifies a living individual, even in a business context.
• PECR governs electronic marketing, including email and phone.
• Corporate B2B outreach is treated differently from consumer marketing.
• Consent is not always required for B2B marketing. Legitimate interest is commonly relied upon.

What Makes B2B Outreach Compliant

• Contacting individuals whose roles are relevant to your offering
• Having a clear and proportionate commercial reason
• Identifying your business transparently
• Providing a simple and effective opt-out
• Respecting suppression and objection requests immediately
• Keeping records of your reasoning and process

Compliance is about structure and discipline, not avoidance.

What Actually Creates Risk

• Irrelevant mass outreach
• No opt-out mechanism
• Ignoring unsubscribe requests
• Excessive follow-up without engagement
• No internal documentation of legitimate interest
• Purchasing data without basic due diligence

Most enforcement risk stems from poor process, not the act of buying data.

Practical Steps Before You Buy Data

• Define your ideal customer profile clearly
• Narrow by relevant job roles and sectors
• Ask suppliers how the data was sourced and maintained
• Review sample data for structure and relevance
• Document your intended use before launching outreach

The One Rule That Prevents Most Problems

If your outreach is relevant, proportionate and professionally structured, you are operating in line with both the spirit and the letter of UK B2B marketing law.

Buying B2B data in the UK is legal. Using it intelligently is what protects your business and supports predictable lead generation.

If you are unsure about your current approach, review your targeting, messaging and suppression processes before abandoning outbound altogether. Structure is what turns compliance from a concern into a competitive advantage.
