Short answer: in most cases, no. The longer answer is messier, because different jurisdictions draw the line in different places, and between "clearly illegal" and "fully compliant" there is a wide grey zone where roughly half the B2B market operates every day.
I am not a lawyer, and none of this is legal advice. But I have seen enough companies burn themselves on bought and scraped lists to speak concretely about what actually happens.
What the laws say
GDPR (European Union)
GDPR requires a lawful basis for processing personal data. An email address is personal data. For marketing, the standard basis is consent: explicit, informed, and documented. Scraping addresses from websites, forums, or LinkedIn means collecting data without the subject's consent. Full stop.
There is an alternative basis called legitimate interest, and B2B senders cite it constantly. The argument goes: the person publicly listed a work email, so they expect business contact. GDPR technically allows this, but with conditions. You need to run a balancing test, weighing your interest against the data subject's rights. You need an easy opt-out mechanism. And you need to be able to show you actually ran that test, not just dropped a boilerplate phrase into your privacy policy.
In practice, EU regulators are skeptical of legitimate interest as a basis for email marketing, particularly when sends are mass and untargeted.
CAN-SPAM (United States)
The US approach is the outlier. CAN-SPAM does not require prior consent for commercial email. You can send a cold message to a stranger, as long as you follow the formal requirements: an honest subject line, a physical sender address, a working unsubscribe mechanism, and opt-out processing within 10 days.
That sounds permissive. The catch: CAN-SPAM is a federal floor, not a ceiling. States can add their own rules. More practically, what the law allows and what mailbox providers will deliver are two separate things. Gmail, Outlook, and Yahoo will route you to spam based on engagement metrics regardless of your legal compliance. A CAN-SPAM-clean campaign with poor open rates still ends up in junk.
Real fines are not hypothetical
A few examples to put the numbers in perspective:
- CNIL (France), 2020 — startup Nestor fined €20,000 for collecting email addresses from LinkedIn without consent and then emailing them. Small by GDPR standards, but painful for an early-stage company, and the reputational hit was a separate cost.
- ICO (UK), 2022 — Tuckers Solicitors fined £98,000 for insufficient personal data protection. Not a scraping case directly, but it shows how seriously regulators treat email as personal data.
- FTC (USA), 2024 — Experian sanctioned for consumer data processing violations. CAN-SPAM is the lenient law on the books, but the FTC has other enforcement tools and uses them.
- CAN-SPAM per-email penalty — as of January 2025, $53,088 per individual email in violation. The statute is permissive in structure but the penalties for breaking its rules are not small.
Fines have grown every year. Regulators worldwide are tightening data protection enforcement, and email marketing is one of the most visible targets.
The B2B grey zone
This is where most of the arguments happen. Is a work address like alex@company.com personal data? Formally, yes, if it identifies a specific person. It almost always does.
Even so, B2B practice has settled into something you might call tolerated non-compliance. Companies scrape contacts from industry conferences, public registries, and corporate websites. They send cold emails. Usually nothing happens, because recipients either do not complain or just unsubscribe.
"Nothing has happened so far" is not a legal argument. It is a statistic that holds until someone files a complaint. One unhappy recipient, one report to a data protection authority, and you have to prove your list is lawful. You probably cannot.
If you are working with B2B scraping anyway, at least limit the exposure: write only to genuinely relevant contacts, honor opt-outs immediately, do not follow up with anyone who did not respond, and never buy a "one million addresses for $50" list. That last one is a guaranteed path to spam blacklists and possibly to court.
When scraping is defensible
There are scenarios where collecting email addresses from public sources creates minimal legal risk:
- The address was published for business contact purposes (a company Contact page), and you are reaching out about a specific business matter, not sending bulk advertising.
- You are collecting data for research or journalism. Most jurisdictions treat this as a separate lawful basis.
- You operate in an opt-out jurisdiction like the US and comply fully with CAN-SPAM requirements.
Everything else — which is about 90% of typical scraped-list usage — puts you in risk territory.
Where validation fits in
Email validation does not make an illegal list legal. No amount of syntax checking or mailbox verification fixes the absence of consent.
What validation does fix is a technical problem. Scraped lists typically contain 20 to 40% dead addresses. Sending to non-existent mailboxes generates hard bounces, which destroy the sending domain's reputation. Once that happens, even emails to your opted-in subscribers start landing in spam.
If you are knowingly accepting the legal risks of a scraped list (that is your call), validation is still a required technical step. It will not remove your legal liability, but it prevents the technical collapse: domain blocks, blacklist entries, deliverability loss.
In uChecker you can check a list before sending to remove invalid addresses, spam traps, and disposable mailboxes. It is hygiene, not absolution.
The bottom line
A scraped email list is a high-legal-risk tool. In the EU and under most consent-based frameworks, mass-mailing from one is illegal without qualification. In the US it is technically permitted but practically self-destructive without careful preparation.
B2B cold email lives in a grey zone that exists because enforcement is sporadic, not because the law supports it. As long as no regulator has knocked on your door, things feel fine. The trend toward stricter enforcement is clear, and building a business process on the assumption that "we won't get caught" is a fragile strategy.
Build your list legally. If you are already working with scraped data, validate it, segment it, make opt-out effortless, and expect the rules to get tighter.
