GDPR, HIPAA & CAN-SPAM: The B2B Data Buyer’s Compliance Checklist (2026)


A CMO at a mid-size SaaS company recently received a legal notice from a European supervisory authority. The campaign in question was a standard cold outreach sequence — 12,000 contacts, professionally written emails, clean unsubscribe link. The problem was not the email. It was the data. The provider had not documented a lawful basis for processing under GDPR. The CMO had no way to prove compliance. The fine was €85,000.

Blog Type: Educational / Compliance  |  11 min read  |  Last updated: March 2026

What is B2B data compliance? B2B data compliance is the set of legal obligations that govern how businesses collect, store, process, and use contact data for marketing purposes. The three frameworks that matter most for B2B marketers are GDPR (European data protection), HIPAA (US healthcare data), and CAN-SPAM (US commercial email). Each covers different geographies and data types — and the rules are not interchangeable. Understanding which framework applies to your campaign, your data source, and your target audience is the starting point for any compliant B2B outreach programme.

This guide translates the key legal requirements into plain-English marketing decisions. Practical steps first. Regulatory detail second.

The Three Frameworks Every B2B Data Buyer Must Understand

Before any checklist, you need a clear map of which law applies to which situation. Most compliance problems start with a marketer assuming the wrong framework covers their campaign.

GDPR — European Data Protection

The General Data Protection Regulation applies to any organisation that processes personal data of individuals located in the European Union — regardless of where the organisation itself is based. A US company emailing a prospect in Germany is subject to GDPR. A UK company emailing a prospect in France is subject to GDPR. Geography of the data subject, not the sender, determines applicability.

Under GDPR, personal data includes professional email addresses and direct phone numbers when they identify a specific individual. Emailing a named person at their work address is processing personal data under GDPR. Emailing a role-based mailbox such as info@ is not — because it does not identify a specific individual.

For a full breakdown of lawful basis options under GDPR, the GDPR.eu lawful basis guide is the most accessible reference for non-legal teams.

CAN-SPAM — US Commercial Email

CAN-SPAM is a federal law that governs all commercial email sent to recipients in the United States. It does not require prior consent for B2B email. It sets rules for how commercial emails must be structured and how opt-out requests must be handled.

The four core CAN-SPAM requirements are: a physical mailing address in every email, a clear and working unsubscribe mechanism, a subject line that accurately reflects the email content, and honouring opt-out requests within 10 business days. There is no requirement to prove a lawful basis for emailing. No prior opt-in is required for B2B outreach.

The FTC’s CAN-SPAM compliance guide is the definitive reference for US senders. It is written in plain English and worth reading in full before launching any outbound programme.

HIPAA — US Healthcare Data

HIPAA governs the use and disclosure of protected health information (PHI) by covered entities — healthcare providers, health plans, and their business associates. It does not regulate marketing communications sent to healthcare professionals in their professional capacity, provided those communications do not use or reference patient data.

A pharma company emailing a cardiologist about a new drug is not covered by HIPAA. A health insurer emailing a patient about their claim history is covered by HIPAA. The distinction is whether the communication involves patient data, not whether the recipient is a healthcare professional.

The HHS HIPAA guidance for covered entities defines who HIPAA applies to and what obligations it creates.

GDPR and B2B Email: The Plain-English Rules

GDPR is the framework most B2B marketers get wrong — usually because they assume it works like CAN-SPAM. It does not.

Does Cold B2B Email Require Consent Under GDPR?

Not necessarily — but it does require a lawful basis. Consent is one lawful basis. Legitimate interest is another. Most B2B cold outreach operates under legitimate interest, not consent.

Legitimate interest applies when you have a genuine business reason to contact someone, the contact is relevant to their professional role, and the individual’s interests do not override yours. Emailing a Head of Procurement at a logistics company about a relevant supply chain solution can qualify under legitimate interest. Emailing the same person about an unrelated product almost certainly does not.

Three questions determine whether legitimate interest applies. Does your organisation have a real business reason to contact this person? Is the communication relevant to their professional function? Would a reasonable person in their position expect this type of contact? If you can answer yes to all three, legitimate interest is a defensible lawful basis.

The ICO’s legitimate interest guidance is the most practically useful reference for marketers running cold outreach to EU contacts.

What GDPR Requires Even Under Legitimate Interest

Even when legitimate interest applies, GDPR creates obligations. You must document your legitimate interest assessment before sending — not after a complaint arrives. You must give recipients a clear way to opt out of further contact, honour those opt-outs promptly, and maintain a suppression list so that opted-out individuals are not contacted again. You must also be transparent about who you are and why you are contacting the recipient.

You do not need a cookie banner, a double opt-in, or prior consent. But you do need documentation and a functioning opt-out process.

Cross-Border Data Transfers Under GDPR

If you transfer personal data of EU residents to a country outside the EU — for example, storing EU contact data on a US server — you must use a legal transfer mechanism. Standard Contractual Clauses (SCCs) are the most commonly used mechanism. Your data provider should be able to confirm whether they use SCCs or an equivalent mechanism for any EU data they supply.


The B2B Data Compliance Checklist

Apply this checklist before purchasing data, before launching a campaign, and before expanding into new geographies.

Before You Buy Data

Ask your data provider to confirm the lawful basis under which they collected the data. For EU records, this must be consent or legitimate interest — and they must be able to document which one. A provider who cannot answer this question clearly has not completed the necessary compliance work.

Confirm that the provider maintains an opt-out or suppression list. Any contact who has previously opted out of marketing should not appear in data you purchase. Ask how frequently the suppression list is updated and how they handle opt-out requests from contacts already in their database.

Confirm the data transfer mechanism for any EU or UK records. Ask whether the provider uses SCCs or an adequacy decision to cover cross-border transfers. Get this in writing before signing a data purchase agreement.

Check the provider’s data retention policy. GDPR requires that personal data is not kept longer than necessary. A provider selling you records that are three years old with no refresh cycle is creating a data minimisation risk.

Before You Send Your Campaign

Complete a legitimate interest assessment (LIA) for any EU outreach. Document your business purpose, the relevance to the recipient’s role, and your balancing test. Keep this documentation on file — supervisory authorities request it during investigations.

Build your suppression list before sending. Export all previous opt-outs from your CRM and email platform. Cross-reference them against your purchased list before any contact goes into a sequence.

Ensure every email includes a physical mailing address, a working one-click unsubscribe link, and an accurate subject line. These are CAN-SPAM requirements for US recipients and good practice everywhere.

For healthcare campaigns targeting EU practitioners, apply GDPR rules even if HIPAA does not directly apply. EU healthcare professionals are natural persons covered by GDPR regardless of whether their data involves PHI.

After Your Campaign Launches

Process opt-out requests within 10 business days for CAN-SPAM compliance. Process them within 30 days for GDPR compliance. Add opted-out contacts to your suppression list immediately — do not wait for the batch processing window.

Monitor bounce rates. A hard bounce rate above 2% signals data quality problems that may also indicate compliance risks — contacts who no longer work at the listed company may mean the data was not recently verified, which creates a data accuracy obligation under GDPR’s accuracy principle.

Retain your legitimate interest assessments and consent records for as long as you use the data plus a reasonable period after. If a supervisory authority opens an investigation, your documentation is your defence.

How These Frameworks Apply to Specific Situations

Cold Emailing EU Business Contacts

GDPR applies. You need a lawful basis — legitimate interest for most B2B outreach. Document your LIA before sending. Include a clear opt-out in every email. Do not email role-based addresses like info@ or legal@ where the individual cannot be identified. Use SCCs if your data is stored outside the EU.
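The suppression cross-reference from "Before You Send Your Campaign", the opt-out deadlines from "After Your Campaign Launches", and the role-based address exclusion described here, as one added example (not SparkDBI's or the article's code): it screens a purchased list against an existing suppression list, drops role-based mailboxes, de-duplicates, and computes the latest date an opt-out must be honoured. Sample addresses are constructed, and the role-based local parts beyond info@ and legal@ are an assumption.

```python
# Added example (not SparkDBI's code): pre-send screen for a purchased B2B list.
# Sample data is constructed; role mailboxes beyond the article's info@/legal@ are assumed.
from datetime import date, timedelta

ROLE_LOCAL_PARTS = {"info", "legal", "sales", "support", "admin", "contact"}

def normalize(addr: str) -> str:
    return addr.strip().lower()  # case-insensitive suppression matching

def is_role_based(addr: str) -> bool:
    """True for mailboxes like info@ that do not identify an individual."""
    local, _, domain = normalize(addr).partition("@")
    return bool(domain) and local in ROLE_LOCAL_PARTS

def screen_contacts(purchased, suppression):
    """Return (send_list, excluded) where excluded maps address -> reason."""
    suppressed = {normalize(a) for a in suppression}
    send, excluded, seen = [], {}, set()
    for addr in purchased:
        a = normalize(addr)
        if "@" not in a:
            excluded[addr] = "malformed address"
        elif a in suppressed:
            excluded[addr] = "prior opt-out"
        elif is_role_based(a):
            excluded[addr] = "role-based mailbox"
        elif a in seen:
            excluded[addr] = "duplicate"
        else:
            seen.add(a)
            send.append(a)
    return send, excluded

def add_business_days(start: date, days: int) -> date:
    """Count forward Mon-Fri only; public holidays are not modelled."""
    while days > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            days -= 1
    return start

def opt_out_deadlines(received_iso: str) -> dict:
    """Latest date to honour an opt-out: 10 business days (CAN-SPAM), 30 days (GDPR)."""
    received = date.fromisoformat(received_iso)
    return {"can_spam": add_business_days(received, 10).isoformat(),
            "gdpr": (received + timedelta(days=30)).isoformat()}

# Constructed sample: one duplicate, one suppressed, two role-based, one malformed.
PURCHASED = ["Anna.Schmidt@example.de", "info@example.de", "j.doe@example.com",
             "legal@example.fr", "anna.schmidt@example.de", "not-an-email"]
SUPPRESSION = ["J.Doe@Example.com"]

if __name__ == "__main__":
    print(screen_contacts(PURCHASED, SUPPRESSION))
    print(opt_out_deadlines("2026-03-02"))
```

Only one of the six sample records survives the screen; the excluded dictionary gives the reason per record, which is the kind of evidence the LIA file should keep.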

Cold Emailing US Business Contacts

CAN-SPAM applies. No prior consent required. Include your mailing address, a working unsubscribe link, and an accurate subject line. Honour opt-outs within 10 business days. State-level laws (CCPA in California, others in Virginia, Colorado, Connecticut) may add requirements depending on your data use. Check state-level rules before targeting specific states.

Emailing US Healthcare Professionals

CAN-SPAM applies to the email itself. HIPAA applies only if you use patient data in your targeting or messaging. Standard professional outreach to physicians, nurses, or pharmacists using NPI-verified contact data does not involve PHI and is not restricted by HIPAA. Follow CAN-SPAM rules. For California-based practitioners, apply CCPA considerations.

Emailing EU Healthcare Professionals

GDPR applies. Healthcare professionals are natural persons covered by GDPR. Apply the same legitimate interest framework as any other EU B2B outreach. Note that some EU member states have additional national regulations on marketing to healthcare professionals — check country-specific rules for Germany, France, and Italy in particular, where additional restrictions apply.

How SparkDBI Supports Compliant B2B Data Use

SparkDBI’s data licensing framework is built around the compliance requirements that B2B marketers actually face.

GDPR-Ready Sourcing Documentation

Every EU record in SparkDBI’s database comes with sourcing documentation that identifies the lawful basis under which the data was collected. Clients receive this documentation as part of their data delivery — so their legal teams have the evidence they need without conducting their own audit.

Opt-Out and Suppression List Management

SparkDBI maintains a global suppression list updated in real time. Any contact who has opted out of marketing through SparkDBI’s network is excluded from all future data deliveries automatically. Clients can also submit their own suppression lists for cross-referencing before delivery.

HIPAA-Aligned Healthcare Data Sourcing

SparkDBI’s healthcare HCP database sources all records through licensed partnerships and public registries. No PHI is included in any SparkDBI healthcare data product. All HCP data sourcing agreements include explicit data sharing consent from practitioners or comply with public registry terms of use.

Cross-Border Transfer Compliance

SparkDBI uses Standard Contractual Clauses (SCCs) for all EU and UK data transfers. Clients operating under EU or UK GDPR receive a Data Processing Agreement (DPA) covering their specific data use as part of every enterprise contract. The DPA documents the transfer mechanism, data categories, retention periods, and sub-processor relationships.

Key Takeaways

Three frameworks govern most B2B data compliance situations: GDPR for EU data subjects, CAN-SPAM for US commercial email, and HIPAA for US healthcare data involving PHI. They cover different geographies and data types. Applying the wrong one to your campaign creates compliance gaps that are not visible until an investigation starts.

GDPR does not ban cold B2B email — it requires a lawful basis. Legitimate interest covers most professional outreach when properly documented. Document your LIA before sending, not after a complaint arrives.

CAN-SPAM does not require consent. It requires structure: mailing address, working unsubscribe, accurate subject line, and 10-day opt-out processing.

HIPAA applies to patient data. Standard professional outreach to physicians using NPI-verified contact data does not involve PHI and is not restricted by HIPAA.

Before buying data: confirm lawful basis documentation, suppression list management, data transfer mechanisms, and refresh frequency. These four questions separate compliant providers from risky ones.

Frequently Asked Questions

Is B2B email marketing legal under GDPR?

Yes, with a documented lawful basis. GDPR does not prohibit cold B2B email — it requires that you process personal data under one of six lawful bases. For most professional outreach, legitimate interest is the applicable basis. To rely on legitimate interest, you must document a genuine business purpose, confirm the communication is relevant to the recipient’s professional role, and determine that their privacy interests do not override yours. This assessment must be documented before you send. You must also provide a clear opt-out in every email and honour opt-out requests promptly.

Do you need consent for B2B cold email under GDPR?

No — consent is one lawful basis under GDPR, but it is not the only one. Most B2B cold email operates under legitimate interest rather than consent. Consent-based marketing requires a prior opt-in, which is impractical for cold outreach. Legitimate interest allows professional outreach without prior consent, provided you complete a legitimate interest assessment and document it. The ICO and most EU supervisory authorities accept legitimate interest for B2B cold email where the communication is genuinely relevant to the recipient’s professional function.

What are the CAN-SPAM requirements for B2B email?

CAN-SPAM requires four things from every commercial email sent to US recipients. First, a physical mailing address must appear in the email. Second, a clear, working unsubscribe mechanism must be present — one click should be sufficient to opt out. Third, the subject line must accurately reflect the content of the email. Fourth, opt-out requests must be honoured within 10 business days and the opted-out address must not receive further commercial email. CAN-SPAM does not require prior consent for B2B outreach and does not restrict the content of commercial messages beyond the subject line accuracy rule.

Is HIPAA applicable to B2B marketing?

HIPAA applies to covered entities — healthcare providers, health plans, and their business associates — when they use or disclose protected health information. It does not regulate standard B2B marketing communications sent to healthcare professionals in their professional capacity, provided those communications do not involve patient data. A pharmaceutical company emailing a physician about a drug is not covered by HIPAA. A health insurer sending a patient their claims history is covered by HIPAA. If your outreach to healthcare professionals does not reference or use patient data, HIPAA does not restrict it.

What is legitimate interest under GDPR?

Legitimate interest is one of six lawful bases for processing personal data under GDPR. It applies when your organisation has a genuine purpose for processing the data, that purpose is necessary for the processing you are doing, and the individual’s interests and rights do not override your legitimate purpose. For B2B cold outreach, legitimate interest typically applies when you are contacting someone in their professional capacity about something relevant to their role. You must document a legitimate interest assessment (LIA) before processing. If the individual objects to processing, you must stop unless you can demonstrate compelling legitimate grounds that override their interests.

How do I ensure my B2B data is GDPR compliant?

Four steps cover the core requirements. First, confirm that your data provider has documented the lawful basis under which they collected EU records — ask to see this documentation before purchase. Second, cross-reference your purchased list against your existing suppression list before any contact enters a campaign sequence. Third, complete and document a legitimate interest assessment for your specific campaign before sending. Fourth, ensure every email includes a clear opt-out mechanism and that opt-outs are processed within 30 days and added to your suppression list immediately. For data stored outside the EU, confirm your provider uses SCCs or an equivalent transfer mechanism.

Written by the SparkDBI Compliance and Data Licensing Team
Our contributors work directly with legal and compliance teams at pharma brands, enterprise SaaS companies, and global B2B sales organisations. This article provides general guidance on data compliance frameworks and does not constitute legal advice. Always consult qualified legal counsel for your specific compliance situation. SparkDBI data licensing documentation is available on request for legal review.