Compliance Checklist

Privacy Best Practices for Using Email to Search for People

Email-based people search is a normal, legitimate part of sales, recruiting, journalism, partnership development, and BD. Done thoughtfully, it's lawful and welcome — recipients often thank you for the relevance. Done sloppily, it triggers complaints, blocklisting, and regulator action.

This guide is the practical playbook that keeps teams on the right side of GDPR, CCPA/CPRA, CAN-SPAM, CASL, the Australian Spam Act, India's DPDP, Brazil's LGPD, and the ePrivacy Directive — without slowing your team down.

1. Establish a lawful basis before you collect

For B2B, legitimate interest usually applies. Document a one-page Legitimate Interest Assessment (LIA): who you're contacting, why the message is relevant to their role, how you balance their rights against your interest, and how they can opt out. Store the LIA somewhere you can produce on request — that's the document a regulator asks for first.

2. Minimize what you store

Only keep the fields you actually use: name, work email, role, company, and one personalization hook. Skip phone, home address, personal social profiles, and any sensitive category (health, religion, political affiliation) unless you genuinely need them. Minimum data = minimum liability.

3. Be transparent on first contact

Identify yourself, say briefly where you got the email ("public LinkedIn / company website / business contact database"), and include a one-click unsubscribe. This single line satisfies CAN-SPAM, CASL, the Australian Spam Act, and most GDPR Article 14 transparency duties simultaneously.

4. Honor opt-outs across every channel, forever

Maintain a global suppression list. If someone unsubscribes from one campaign, never email them from another — not next quarter, not from a new domain, not from a different team. This is the single highest-leverage practice for protecting deliverability and avoiding regulator complaints. Most reputational damage in outbound comes from re-emailing people who said no.

5. Set a retention policy

Auto-delete or anonymize records after a defined inactivity window (12–24 months is the B2B standard). Document the policy in your privacy notice. Run a quarterly cron job that purges everything past the threshold. "We didn't know we still had that data" is not a defense — it's an aggravating factor.

6. Vet your data vendors

  • Where does the data come from? (Licensed? Scraped? Both?)
  • Do they honor takedown and deletion requests across all customers?
  • Do they offer a Data Processing Agreement (DPA)?
  • Do they disclose sub-processors?
  • What's their breach-notification commitment?
  • Are they registered as a data broker in California and Vermont if applicable?

Cheap data with no DPA is a liability, not a bargain. The vendor's compliance posture becomes your compliance posture.

7. Respect regional rules

  • US: CAN-SPAM + state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, plus newer laws in TX, OR, MT, IA)
  • EU/UK: GDPR / UK GDPR — lawful basis + transparency + DSARs + ePrivacy / PECR
  • Canada: CASL — implied or express consent
  • Australia: Spam Act 2003 — consent + identification + unsubscribe
  • Brazil: LGPD — GDPR-aligned, ANPD enforcement
  • India: DPDP Act 2023 — consent-led, fiduciary obligations

8. Build an internal escalation path

Someone will reply asking how you got their address. Have a templated, honest, friendly answer ready, and a one-step deletion process the rep can trigger without a ticket. Turning a complaint into a closed loop within an hour is the difference between a happy ex-prospect and a regulator complaint.

9. Maintain a privacy notice that reflects reality

The privacy notice on your website must describe: what data you collect, where you get it, how you use it, who you share it with, how long you keep it, the lawful basis, and how to exercise rights. Update it whenever any of those changes — not annually.

10. Run a quarterly mini-audit

Once a quarter, pull a random sample of 20 contacts from your CRM and verify: (a) you have a documented source for each, (b) none has unsubscribed, (c) none is past retention. Twenty minutes of work that protects the entire program.
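A script for the quarterly mini-audit above, which also exercises the global suppression list from section 4 and the retention window from section 5. This is an added example, not code from the original guide; the CRM records, suppression list and audit date are constructed sample values, and the field names are assumptions.

```python
"""Quarterly mini-audit: source documented, not unsubscribed, not past retention."""
from datetime import date, timedelta
import random

# Constructed CRM export: only the fields the checklist says to keep.
CONTACTS = [
    {"email": "Ana.Lopes@Example.com", "source": "company website", "last_interaction": date(2025, 9, 1)},
    {"email": "bo@example.org", "source": "", "last_interaction": date(2025, 10, 12)},
    {"email": "cy@example.net", "source": "public LinkedIn", "last_interaction": date(2022, 1, 5)},
    {"email": "dee@example.com", "source": "business contact database", "last_interaction": date(2025, 6, 30)},
    {"email": "eve@example.com", "source": " ", "last_interaction": date(2021, 3, 3)},
]
# Constructed global suppression list: one list across every campaign, domain and team.
SUPPRESSED = {"DEE@example.com ", "Eve@Example.com", "old.prospect@example.org"}
RETENTION_DAYS = 24 * 30   # upper end of the 12-24 month B2B window the guide cites
AS_OF = date(2025, 11, 1)  # constructed audit date so the run is reproducible offline


def normalize(email: str) -> str:
    """Suppression matching must not depend on letter case or stray whitespace."""
    return email.strip().lower()


def audit_contact(contact, suppressed, today, retention_days=RETENTION_DAYS):
    """Return the checklist failures for one contact: (a) source, (b) opt-out, (c) retention."""
    failures = []
    if not contact.get("source", "").strip():
        failures.append("no documented source")
    if normalize(contact["email"]) in suppressed:
        failures.append("on suppression list")
    if today - contact["last_interaction"] > timedelta(days=retention_days):
        failures.append("past retention")
    return failures


def run_audit(contacts, suppressed, today, sample_size=20, seed=None):
    """Sample up to sample_size contacts; map each failing email to its failures."""
    rng = random.Random(seed)
    sample = rng.sample(contacts, min(sample_size, len(contacts)))
    normalized = {normalize(e) for e in suppressed}
    findings = {}
    for contact in sample:
        failures = audit_contact(contact, normalized, today)
        if failures:
            findings[contact["email"]] = failures
    return findings


if __name__ == "__main__":
    for email, problems in run_audit(CONTACTS, SUPPRESSED, AS_OF).items():
        print(f"{email}: {', '.join(problems)}")
```

Each finding maps to one corrective action from the checklist: document the source, delete the suppressed record, or let the retention purge take it.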

11. Train every rep who touches prospect data

The fastest way to break privacy posture is a new rep exporting a CSV to their personal laptop. Make the training a one-page document and a 10-minute Loom. Repeat it every six months.

12. Have an incident-response plan

If a breach occurs — laptop lost, third-party vendor compromised, data exfiltrated — you have 72 hours under GDPR to notify regulators. Write the plan now; do not improvise it during the incident.

Frequently asked questions

Is using email to search for someone a privacy violation?

Not inherently. It becomes a violation when you process personal data without a lawful basis, fail to honor opt-outs, retain data longer than necessary, or use it for purposes the person wouldn't reasonably expect.

How long can I keep prospect data?

Only as long as you have a lawful basis. Common policy: 12–24 months after the last interaction for B2B, then automatic deletion unless the contact re-engages.

Do I need to tell people I have their email?

Under GDPR/UK GDPR you must inform them within 30 days of obtaining personal data from a source other than themselves (Article 14). The first cold email typically includes this disclosure plus an opt-out link.

What's the single biggest mistake teams make?

Bulk-emailing without a documented lawful basis or working opt-out. That's what triggers complaints, blocklisting, and regulatory action — not the lookup itself.

Do I need a DPA with my data vendor?

Yes if you process EU/UK personal data. A Data Processing Agreement defines roles (controller vs. processor), security commitments, sub-processor disclosure, and breach-notification timelines. Any reputable vendor will provide one on request.

What's the right response to a data subject access request?

Acknowledge within 72 hours, confirm identity, deliver the data within 30 days in a portable format, and document the entire exchange. Most platforms (including HuntMeLeads) offer self-serve DSAR endpoints.