Is cold email to EU prospects illegal?

Not automatically. Cold email to EU work addresses can be compliant under legitimate interest with documented balance between business need and recipient privacy. The message must include clear sender ID, easy opt-out, and data basis.

Does the hiQ vs LinkedIn ruling make scraping legal?

No. The ruling narrowed CFAA interpretation around unauthorized access to public data. It did not override LinkedIn's terms of service or data-protection obligations.

If I buy a list from a data broker, am I covered?

Only if the broker warrants compliant collection and your use case is licensed. Many brokers make such warranties; some do not. Always read the data-use terms before buying.

Should sales teams worry about this, or is it legal's problem?

Sales teams should own execution details (suppression list hygiene, opt-out handling, documented basis) even if legal owns policy. Failures happen at execution, not policy.

Compliance-Friendly Prospecting: What Your Team Should Never Scrape

Scraping is the automated extraction of data from sources not designed to be bulk-extracted. Even public data requires a legal basis to process at scale under GDPR, CCPA, UK DPA, and CASL.

Never scrape

LinkedIn behind login, premium data providers, competitor customer pages, paywalled publications. All trigger ToS claims, data-protection issues, or trade-secret exposure.

Generally OK

Public company sites, regulatory filings, press releases, public social posts, licensed providers within their terms.

Legal basis

GDPR requires documented legitimate interest. Found-online is not a basis. Opt-outs must be honored same day.

Workflow

Licensed providers, documented basis per segment, suppression list that survives tool changes, 24-hour opt-out propagation, quarterly audit.