Is Conference & Event Outreach Legal?

There are two distinct legal questions, and people constantly conflate them:

1. Is it legal to scrape the public conference website? (Data collection question.)

2. Is it legal to email or message the people you found? (Outreach question.)

The answers come from completely different bodies of law. Get them straight before you read anything else.

In the US, the foundational case is hiQ Labs v. LinkedIn (9th Circuit, affirmed 2022). Scraping publicly available data — data anyone with a browser can see without logging in — is not a Computer Fraud and Abuse Act violation. Conference speaker pages clearly qualify: they're published by the conference for public consumption.

In the EU, scraping public data isn't itself prohibited by GDPR — but processing personal data extracted from those pages is regulated (see the next section). The act of fetching the page is fine; what you do with the names afterward is where the rules apply.

What is not generally allowed: scraping behind a login, bypassing technical access controls, or violating a site's enforced terms of service after a takedown notice. Conference speaker pages have none of those issues.

If you contact someone in the EU/UK, GDPR applies regardless of where you're based. You need a lawful basis for processing their personal data (their name, email, role). For B2B cold outreach, the workable bases are:

Legitimate interest (Art. 6(1)(f)) — the most common B2B basis. You must (a) have a real business interest, (b) show the processing is necessary for that interest, and (c) balance it against the person's rights. Document your LIA (Legitimate Interests Assessment). Outreach to a public-facing conference speaker about a problem related to their talk passes this test cleanly; cold blasting 50,000 random emails does not.

Consent — rarely workable for cold outreach because the person hasn't opted in yet.

On top of GDPR, the ePrivacy Directive (and the upcoming ePrivacy Regulation) governs marketing emails specifically. For B2B, most member states allow unsolicited email if the recipient is a corporate role-holder and the message is relevant to their work — but Germany and Austria are stricter (closer to opt-in required). When in doubt, ask local counsel before campaigning at scale into DE or AT.

Whatever your lawful basis, the email itself needs:

A clear identification of the sender (your real name and company), a postal address, an explanation of where you got their data ("I saw your talk at X conference" — be specific), and an obvious opt-out mechanism (a one-line "reply STOP and I won't contact you again" counts; a formal unsubscribe link is safer).

You also need to honor data-subject rights on request — access, deletion, objection. In practice this means keeping a simple suppression list and a record of where each contact came from.

CAN-SPAM permits unsolicited commercial email as long as you (1) don't use deceptive headers or subject lines, (2) identify the message as commercial, (3) include a valid physical postal address, and (4) provide a working opt-out and honor it within 10 business days.

That's it. There's no opt-in requirement, no lawful-basis test, no special rule for B2B vs B2C. Cold outreach to US-based conference speakers is squarely permitted under CAN-SPAM as long as you respect those four rules.

Canada's Anti-Spam Legislation requires consent (express or implied) before sending a Commercial Electronic Message. For cold conference outreach, the workable path is implied consent based on conspicuous publication — CASL allows you to email a person whose work email is publicly published in connection with their business role, as long as your message is relevant to that role.

A speaker bio that lists a corporate email address and a job title meets that bar; a personal Gmail you scraped from a side project does not. Always include clear sender identification and an unsubscribe in CASL-bound messages.

LinkedIn messages are governed by LinkedIn's User Agreement, not by CAN-SPAM or CASL (those cover "electronic messages" defined in ways that mostly exclude in-platform DMs). What this means in practice:

LinkedIn aggressively rate-limits and bans accounts that send mass connection requests or use automation tools to scale messaging. The legal risk is low, the platform-enforcement risk is high. Stay under ~50 connection requests/week, personalize, and never use a stealth automation extension.

Regulators almost never come after a small B2B outreach campaign. Real enforcement targets: (a) consumer-grade spam at huge scale, (b) impersonation or phishing, (c) ignoring opt-out requests, (d) breach of an ePrivacy authority after a complaint.

The realistic risk for normal B2B cold outreach is reputational, not legal: a recipient complains to your email provider, your sender domain gets flagged, deliverability tanks. That's the actual loss function. Stay relevant, stay personal, honor opt-outs, and you'll be fine in every jurisdiction discussed here.

SayIntel only processes publicly available information published by the conference itself: name, title, company, talk abstract, public LinkedIn URL. No data is collected from behind logins or paywalls.

Under GDPR, the customer is the controller (you decide who to contact and why) and SayIntel is the processor. That means you're responsible for the lawful basis of your outreach — but the platform is designed so the message you send always references the speaker's actual talk, which is the cleanest possible legitimate-interest case.

Full subprocessor list and data-handling terms are in the Privacy Policy.

This page is general information about commonly-cited rules in 2026. It is not legal advice. Outreach laws vary by jurisdiction and change; consult counsel licensed in the markets you sell into before launching a large campaign.