FindAnyonesEmail

Is It Legal to Find Someone's Email Address?

Yes — discovering a business email address is legal in the US, and in the EU it's lawful when handled under GDPR's legitimate-interest basis with the obligations that come with it. The law doesn't regulate knowing an address; it regulates two adjacent things: how you collected it (scraping and harvesting rules) and what you send to it (CAN-SPAM, GDPR, CASL).

The question bundles three different legal questions. Unbundled, each has a clear answer.

1. Finding: deriving or looking up an address

Guessing jane.doe@acme.com from a known format, verifying it via SMTP, finding it on a website, or buying it from a B2B data provider — none of this is prohibited in the US. An email address isn't a secret protected by law; a business address in particular is professional contact information. The verification handshake itself (no email sent) is a normal SMTP conversation servers exist to have.

2. Collecting: where the method matters

  • Public-web collection of business contact data is on solid US ground after hiQ and Meta v. Bright Data — the access rules are covered at our sibling site, iswebscrapinglegal.com.
  • CAN-SPAM's harvesting provision adds aggravated penalties when spam is sent to addresses collected by automated harvesting from websites that posted no-collection notices — method and message both matter.
  • Logged-in scraping (LinkedIn especially) is a terms-of-service breach regardless of how public the data feels — the hiQ story is the cautionary tale.
  • In the EU, collection is processing: the moment you store a person's work email, GDPR applies — you need a lawful basis (legitimate interest is the standard one for B2B), a real business justification, and the ability to honor objections.

3. Sending: where most of the law actually lives

Almost everything people fear about "email legality" attaches to the send, not the find: CAN-SPAM's mechanics (honest headers, address, opt-out — penalties up to $53,088 per email), GDPR's transparency and objection rights, Canada's consent-first CASL. The complete map is at iscoldemaillegal.com. Practical upshot: a lawfully-found address plus a compliant send is a legal cold email in the US and most of Europe; a lawfully-found address plus a sloppy send is where penalties start.

The compliance-shaped workflow

Find business addresses (not personal ones), document where each came from, verify before sending, target relevantly, and make opting out effortless. Provenance is the through-line — "where did this address come from?" should always have a defensible answer. That's the standard B2B data platforms are built around: Sales.co supplies verified business contacts with documented, compliant sourcing, so the find-and-collect half of the legal question is handled before your first send.

Get new benchmarks & guides by email

Fresh data and tactical guides as we publish them. Monthly at most, unsubscribe anytime.