The pitch for buying email lists is tempting in its simplicity: pay a vendor, receive a spreadsheet of addresses, start sending. Skip the months of slow audience-building. Skip the conversion-rate optimization on the signup form. Skip the work, get to the part where money happens. The reality is that purchased lists are one of the fastest ways to destroy a sending program β financially, legally, and reputationally β and the damage often outlasts the campaign that caused it.
This article explains why purchased lists fail in practice, what current regulations actually say about them, what the alternatives look like, and how to build a list that produces results worth keeping.
Why Companies Still Buy Email Lists
Despite the well-documented risks, the market for purchased B2B email lists is still active. Demand comes from a few recurring scenarios:
- Pressure for fast growth. Startups and new marketing programs face quarterly targets that don't match the slower curve of organic list building.
- Misleading vendor claims. List sellers commonly advertise "opt-in," "GDPR-compliant," "verified," or "double opt-in" lists. The claims are almost never independently verifiable, and the addresses themselves rarely behave like real opted-in contacts.
- Targeting promises. Vendors pitch lists filtered by industry, role, company size, and location. The filters may even be technically accurate β but the contacts didn't consent to your specific outreach.
- Pattern-matching to past behavior. Teams that succeeded with bought lists 10β15 years ago, before reputation-based filtering took over, sometimes assume the playbook still works. It doesn't.
Is Buying Email Lists Legal?
The answer depends on the jurisdiction and what you do with the list:
- United States (CAN-SPAM). Buying a list is not itself illegal under CAN-SPAM, but sending unsolicited commercial email that violates the law's content and identification requirements is. CAN-SPAM penalties currently run up to $51,744 per violation, with each individual recipient counting as a separate violation. A 10,000-name bought list with multiple violations can produce six- or seven-figure liability quickly.
- European Union (GDPR). Stricter. GDPR requires a lawful basis for processing personal data (which an email address typically is), and the legitimate-interest basis used for B2B email becomes very weak when the contact never had any prior relationship with your business. Fines under GDPR can reach 4% of global annual revenue or β¬20 million, whichever is higher. Regulators have enforced this for bought-list email programs.
- Canada (CASL). Stricter still. CASL requires explicit or implied consent before sending commercial email, and "implied consent" is narrowly defined (existing business relationship, public conspicuous publication of contact info). Sending to a purchased list typically fails both tests. Penalties run up to CAD $10 million per violation.
- UK (PECR). Similar in spirit to GDPR; sending unsolicited marketing email without consent invites enforcement.
- Australia (Spam Act 2003). Requires consent and an unsubscribe mechanism; bought lists typically lack the former.
The trend across major jurisdictions has been toward stricter rules, not laxer. Buying a list and sending without consent is no longer just an ethics question β it's a legal exposure that scales with the list size.
Ten Reasons to Stop Buying Email Lists
- Deliverability collapses immediately. Purchased lists produce hard bounce rates of 20β40%, well above the 2% threshold that triggers ISP reputation penalties. The bad reputation then drags down deliverability for your transactional and opt-in email too.
- Spam complaints come fast. Recipients who didn't sign up mark messages as spam. Once your complaint rate crosses roughly 0.1% (one in a thousand emails), Gmail and other major mailbox providers start routing all your mail to spam β including the addresses that didn't complain.
- ESPs will terminate your account. Every major ESP (Mailchimp, Klaviyo, SendGrid, HubSpot, ActiveCampaign, Constant Contact) prohibits purchased lists in their terms of service. Account suspension is routine, and reapproval after a suspension is difficult.
- Engagement metrics will be terrible. Open rates on purchased lists typically land below 5%, click rates below 0.5%. Those numbers don't just hurt the current campaign β they're permanent baseline signals that ISPs use to rank your sender reputation.
- The same list is sold many times. Email lists aren't physical inventory; they can be sold to dozens of buyers in parallel. Recipients on heavily-sold lists may receive a dozen similar pitches in a week, hardening them against engaging with any of them.
- List quality is unverifiable. Even "verified" lists from reputable-seeming vendors typically contain a high share of role-based addresses (info@, sales@), spam traps planted by ISPs to catch unauthorized senders, and addresses harvested from public sources.
- Spam traps destroy sender reputation. Purchased lists frequently contain spam traps β addresses created by ISPs specifically to identify senders who didn't earn their list. Hitting even a few traps is sufficient to trigger blocklists like Spamhaus, which take weeks or months to clear.
- The contacts don't fit your offer. Bought lists are filtered by superficial demographics, not by buying intent or current need. The contacts may technically match your ICP but have no reason to engage with your specific message at the moment you reach them.
- Legal exposure scales with volume. A small test campaign rarely attracts regulatory attention. A successful program at scale does. By the time bought-list sending is producing meaningful revenue, the legal exposure is also meaningful.
- It permanently damages your domain. Reputation damage from a bought-list send affects every email your domain sends afterward β transactional, opt-in marketing, internal β for weeks to months. The "quick start" that buying a list promises often costs a year of slower growth from a damaged domain.
What Actually Works Instead
The alternatives produce slower initial growth but compound far faster, because every contact added is real:
Build the list through your own properties
Signup forms on the website, lead magnets gated behind email capture, content upgrades inside blog posts, and webinar registrations are the workhorses of organic list growth. They produce contacts who chose to hear from you β the only kind that consistently convert. For the practical mechanics of collecting these addresses cleanly, see how to get email addresses.
Use double opt-in
Confirmation links sent after signup verify the address belongs to a real person who actually wanted to subscribe. Double opt-in cuts initial list size by 20β30%, but the addresses that remain produce 2β3Γ the engagement of single-opt-in lists. For details, see how to use double opt-in.
Run targeted outreach on a separate domain
If you need cold-contact volume, run outreach as outreach β from a dedicated subdomain, with personalization, low daily volume, and warm-up. Don't blend it with marketing email from your primary domain. See effective email outreach tactics for the cadence and structure that work.
Validate every address before sending
Whether the list came from your signup form or a campaign import, run it through a verifier before the first send. Free email checker handles single-address checks; for larger lists, the bulk email verification service processes batches and exports clean results in minutes. Verification catches typos, expired addresses, and known spam traps before they become a deliverability problem. Both run on the same Proofy account β see verification pricing for volume tiers from a $4 trial to enterprise packages.
Re-engage and prune regularly
Lists decay at 2β3% per month even without any acquisition issues β people change jobs, abandon addresses, lose interest. Quarterly re-engagement campaigns surface inactive contacts; addresses that don't respond within 6β12 months should be removed rather than kept inflating the total. For the structure that works, see effective re-engagement emails.
Common Mistakes Around List Acquisition
- Treating "enriched" data like bought lists. Some teams convince themselves that data enrichment is different from buying a list. It can be β but if the enriched record never opted in to hear from you, sending marketing to it carries the same risks. Enrichment is for contacts who already chose to engage.
- Trusting "GDPR-compliant" labels on bought lists. The label is a vendor claim, not a legal certification. If you can't independently verify that each contact gave specific consent for your sending, the compliance claim is unreliable.
- Sending the first campaign to the full list. Even legitimate lists need warm-up. Sending 50,000 cold emails on day one is a deliverability self-destruct sequence regardless of where the addresses came from.
- Treating role-based addresses (info@, sales@) as real contacts. They're shared inboxes monitored by rotating staff, with much higher complaint rates and zero relationship to your message. Most professional lists exclude them; bought lists are typically loaded with them.
- Ignoring the suppression list when buying. Recipients who unsubscribed from you previously may show up on a new bought list. Sending to them again creates a CAN-SPAM violation (failure to honor unsubscribe) on top of everything else.
- Confusing "data brokers" with "email vendors." Buying enriched firmographic data about companies is fundamentally different from buying contact lists for direct mailing. The first is generally fine for sales research; the second is the problem.
FAQ
Are any purchased email lists actually safe to use?
In practice, no β not at scale and not for direct sending. Some specialized B2B databases (ZoomInfo, Apollo, Cognism) blur the line because they include some contact information alongside firmographic data, but using them for direct marketing email rather than informed sales outreach carries similar risks. The safer pattern is: use such databases to identify accounts and contacts, then run targeted, personalized outreach from a dedicated sending domain.
Can I rent a list instead of buying one?
Rented lists have the same problems as purchased lists from a deliverability and consent perspective β the contacts didn't sign up to hear from you. The one practical difference is that the list provider sends on your behalf, which keeps the deliverability damage on their domain rather than yours. The consent and legal issues remain.
What if the list vendor guarantees opt-in?
Vendor guarantees are not the same as documentation a regulator would accept. If the consent records can't be produced for each individual contact, the guarantee is marketing language. Treat any vendor claim with skepticism proportional to the volume you'd be sending.
How fast can I grow my list organically?
Most B2B sites with active content and a clear value proposition grow at 50β500 new subscribers per month in the early stages, accelerating as content compounds. A combination of paid acquisition (search and social ads to lead magnets) plus organic content typically gets a healthy list to 10,000 engaged subscribers within 12β18 months.
What happens if I already bought a list?
Don't send to it from your primary domain. The legal exposure remains, but the deliverability damage at least becomes containable: contact the most plausibly relevant subset manually using normal outreach practices (personalized, dedicated outreach domain, careful warm-up), and dispose of the rest. Sending bulk to a bought list rarely survives the first campaign anyway, so the practical loss is the price of the list, not the list itself.
How do I tell if a list I inherited was bought?
Signals include: bounce rate above 10% on first send, complaint rate above 0.3%, very low open rates, and addresses showing patterns that suggest harvesting (heavy share of role-based addresses, addresses on domains with obvious typo patterns, addresses showing no behavioral history). Running the list through verification surfaces some of these issues; sending to a small test segment surfaces the rest before damage scales.
Are there industries where bought lists are still common practice?
A few β particularly real estate, financial services, and some segments of B2B SaaS β still see bought-list use. The same legal and deliverability risks apply regardless of industry norms. Common practice is not the same as low risk.
