Is Email Scraping Legal? Real Fines & Rules (2026)

Is email scraping legal? We break down real fines up to $2.95M, GDPR enforcement, and the deliverability risk nobody warns you about.

5 min read · Prospeo Team

Is Email Scraping Legal? Real Fines, Real Rules, Real Answers

In April 2022, the Ninth Circuit said scraping public web data probably doesn't violate the Computer Fraud and Abuse Act. Two years later, France's CNIL slapped Kaspr with a €240,000 fine for scraping professional contact details. So which is it?

The answer hinges on a distinction most people skip: collecting emails and using them are governed by entirely different laws. Conflating the two is how companies end up writing six-figure checks to regulators.

The Short Version

  • US: CAN-SPAM doesn't ban scraping or require opt-in. But ToS violations and contract claims will still get you sued - and your domain torched.
  • EU: Public visibility isn't a defense. Kaspr was fined for scraping contact details users had restricted. "I found it online" doesn't fly under GDPR.
  • The real risk: Scraped lists routinely produce 5%+ bounce rates that destroy sender reputation. The law might not catch you. Your inbox placement will.

Scraping is a collection method. Cold emailing is a use. Different laws govern each, and the penalties come from different directions entirely.

Diagram showing collecting vs using emails as separate legal problems

You can legally collect data in one jurisdiction and still violate sending laws in another. You can scrape without breaking the CFAA and still get sued for breach of contract. Treating this as a single yes/no question is the mistake that leads to fines, injunctions, and burned domains. The broader question of legal compliance in lead generation, covering everything from collection to outreach, is what actually matters for your business.

Email Scraping Laws by Region

US: CAN-SPAM, CFAA, and the hiQ Myth

Here's the thing: CAN-SPAM is an opt-out framework. You don't need prior consent to send a commercial email in the US. You need accurate headers, a physical address, honest subject lines, and a working opt-out mechanism honored within 10 business days. That's it.

Regional comparison of email scraping and sending laws worldwide

The hiQ v. LinkedIn case gets cited constantly as proof that scraping is legal. It's not that simple. The Ninth Circuit held that accessing publicly available data likely doesn't trigger CFAA's "without authorization" clause. But hiQ still paid $500,000 in damages, accepted a permanent injunction, and deleted all scraped data. The killing blow wasn't CFAA - it was breach of contract and ToS enforcement.

In our experience, the real threat for most B2B teams isn't computer fraud statutes. It's contract claims, trespass to chattels, and tortious interference.

EU/UK: GDPR, PECR, and Harvesting Rules

The Kaspr case is the clearest enforcement example in B2B data - and the clearest answer to whether email harvesting is illegal under EU law. CNIL found that Kaspr's database of roughly 160 million contacts included details from users who'd restricted their contact info visibility to 1st/2nd-degree connections. Scraping that data violated users' reasonable expectations of privacy. Kaspr also failed on GDPR Article 14 transparency: they didn't inform data subjects until 2022, four years after launch.

In the UK, PECR creates a B2B exception. You can send unsolicited marketing emails to corporate subscribers - limited companies, LLPs, government bodies - without prior consent, provided the content's relevant and you include a clear opt-out. Sole traders and partnerships don't get this exception. Even with the PECR carve-out, UK GDPR still requires a Legitimate Interest Assessment before you hit send.

Canada and Australia

Canada's CASL is consent-first, with penalties up to CAD $10 million per violation. Australia's Spam Act follows a similar model. Neither country gives you a free pass to scrape and send.

Real Fines and Consequences

| Company | Penalty | What They Did | Law |
| Kaspr | €240,000 | Scraped restricted-visibility contacts | GDPR |
| Verkada | $2.95M | 30M+ marketing emails; missing/broken unsubscribe handling | CAN-SPAM |
| hiQ | $500K + injunction | ToS-violating scraping | Contract/tort |

Visual summary of real fines for email scraping and sending violations

Kaspr got hit for how they collected. Verkada got hit for how they sent. hiQ got hit for violating a platform agreement. Each represents a different legal vector, and scrapers are exposed to all three simultaneously.

The Deliverability Risk Nobody Warns About

Look, forget the legal risk for a moment. The deliverability math alone should scare you off scraped lists.

Comparison of scraped vs verified email list deliverability metrics

Cold email operators on r/coldemail consistently report that a 0.2% spam complaint rate triggers ESP warnings. Hit 0.3% and you risk suspension. Scraped lists routinely produce bounce rates above 5% because they're full of outdated addresses, spam traps, and honeypots. Google now rejects non-compliant traffic outright rather than just filtering it.

We've seen teams spend months warming domains, perfecting copy, and building sequences - only to watch deliverability crater because the underlying list was scraped garbage. One outbound agency we spoke with burned through three domains in a single quarter before switching to verified data.

If your average deal size is under five figures, you almost certainly can't afford the domain damage from a single bad scraped list. The math doesn't work. One burned domain costs more in lost pipeline than a year of verified data.

Building a Compliant Prospect List

Use a verified B2B database

Prospeo covers 143M+ verified emails at 98% accuracy with a 7-day data refresh cycle. It's GDPR compliant with opt-out enforcement built in, and the 5-step verification process handles catch-all domains, spam traps, and honeypots before you ever export a list. Free tier available, no contracts, roughly $0.01 per email. If the emails are verified and lawfully sourced, the rest of your outreach workflow sits on solid ground.

Try permission-first outreach

Three-path decision flow for building compliant prospect lists

Scrape to identify prospects, then send a single permission email asking if they'd like to hear about your solution. Only pitch the people who respond. It's slower, but your domain stays clean and reply rates climb dramatically.

Build manually for high-value accounts

For enterprise deals where you're targeting 50-100 accounts, manual research paired with an email verification tool beats any bulk approach. We've tested this with outbound agencies - the time investment pays off when a single deal is worth six figures.

FAQ

Can I scrape emails if they're publicly visible?

Public visibility doesn't equal consent. Kaspr was fined €240,000 for scraping contact details users had restricted to 1st/2nd-degree connections. Regulators evaluate reasonable expectations of privacy, not technical accessibility. If you need compliant B2B data, use a verified provider with opt-out enforcement instead.

Is cold email illegal in the US?

No. CAN-SPAM is opt-out - you can email someone without prior consent if you identify yourself, include a physical address, use honest headers, and honor opt-out requests within 10 business days. Verkada's $2.95M fine came from ignoring unsubscribes, not from sending cold email itself.

What's the safest way to build a B2B email list?

Start with a verified database that includes GDPR compliance and spam-trap removal baked in. Pair it with permission-first outreach for the cleanest sender reputation. Starting with lawfully sourced, verified data means you won't spend months retroactively cleaning up fines or blacklisted domains.
