B2B prospecting crosses borders and channels—email, phone, social. To stay on the right side of the law and avoid complaints, you need to know which rules apply where. This article summarises the main legal frameworks, how they affect data sourcing and storage, what’s allowed (and not) on each channel, and practical steps for day-to-day sales.
1. Get the legal framework right
Depending on where your prospects are based (and where their customers are), different laws apply.
Europe (GDPR): Regulates how personal data may be collected and stored. Business email addresses like firstname.lastname@company.com count as personal data under the GDPR, so they fall within scope.
Germany / DACH (UWG): The Act Against Unfair Competition governs how you may approach people—cold calling, cold emailing, and similar outbound activities. It applies in addition to the GDPR when you prospect in the DACH region.
International: If you target prospects in the United States, be aware of the CAN-SPAM Act (federal) and, for California residents, the CCPA. Requirements differ from the GDPR (e.g. opt-out and identification in commercial emails); ensure your process and content comply with the relevant jurisdiction.
2. Data sourcing and storage (the GDPR side)
Sales teams need contact data, but where it comes from and how you store it matters.
Legitimate interest (Art. 6(1)(f) GDPR): In many B2B contexts you may store and use contact data without prior consent if you have a “legitimate interest” (e.g. B2B direct marketing) and the data subject’s interests do not override yours. You must still comply with transparency and other GDPR obligations.
Information duty (Art. 14 GDPR): If you did not obtain the data directly from the person (e.g. you scraped it, bought it from a data vendor, or received it from a partner), you generally must inform them within a reasonable time (often within 30 days) that you hold their data and what you do with it. This applies to B2B contact data as well when it is personal data.
Data vendors: Providers such as Cognism, ZoomInfo, Lusha, or Apollo need to be checked carefully. Not every US or international vendor is automatically GDPR-compliant. Verify their legal basis, data sources, and whether they support your information and opt-out obligations.
3. Channels: what is allowed and what is not (the UWG side)
This is where theory meets practice for DACH-based prospecting.
Cold email: In Germany, cold B2B email without prior express consent (e.g. double opt-in) is generally prohibited under § 7 UWG—even in B2B. The US-style “just send and add an opt-out link” approach can lead to cease-and-desist letters and fines. If you email prospects in the DACH region, ensure you have a valid legal basis (e.g. legitimate interest, where applicable) and respect opt-outs and transparency.
Cold calling (phone): In B2B, cold calling is often permissible if there is a presumed relevance to the recipient’s professional role—e.g. HR software for an HR manager. The product or service should be obviously relevant to the person you are calling in their job function.
Social selling (LinkedIn and similar): This sits in a grey area. Sending a connection request is usually fine; sending clearly promotional InMails or messages without prior relationship can be treated as spam or unfair advertising. Platform terms of service also apply and may restrict commercial messaging.
4. Best practices for day-to-day sales
Transparency and opt-out: Every message should clearly state who is contacting the prospect and why. There must be a simple way to unsubscribe or ask not to be contacted again (e.g. “Unsubscribe” or “Please do not contact me again”). Honour these requests promptly.
Blocklists and CRM: If someone opts out or asks not to be contacted, record that reliably in your CRM (e.g. do-not-contact flag, suppression list). If a colleague calls or emails the same person again two weeks later, you risk complaints and legal exposure.
Hybrid approaches (inbound and outbound): The safest way to build a compliant pipeline is to generate leads who raise their hand (e.g. whitepaper downloads, webinars, demo requests) and thus give you a clear, documented opt-in. Combine that with outbound where you have a solid legal basis and consistent processes for consent, legitimate interest, and opt-out.
In short
Know which laws apply (GDPR in Europe, UWG in DACH, CAN-SPAM/CCPA if you target the US). Source and store data with a valid legal basis; inform people when you did not get the data from them. In DACH, cold email without consent is risky; cold calling in B2B is often possible when relevant to the role. Be transparent, offer an easy opt-out, keep blocklists, and prefer opt-in where you can.