Intent data is the foundation of modern ABM, but teams face a growing tension between using buyer signals to identify and reach target accounts and complying with privacy regulations (GDPR, CCPA, PIPEDA) that restrict how companies can use personal data and behavioral information to target individuals. Leading platforms like Abmatic, 6sense, Bombora, and G2 have evolved their privacy models to separate account-level intelligence (compliant) from contact-level targeting (requires consent), allowing teams to use intent data for account selection while respecting individual privacy boundaries.
Intent data comes from two sources, with vastly different privacy implications:
Account-level intent signals (compliant):
- Which accounts are visiting your website (via IP matching)
- Which accounts are downloading content (consent-based)
- Which accounts are showing buying signals (Bombora keyword research, job changes)
- Account engagement patterns without individual contact identification

Legal basis: Account-level data often falls under legitimate business interest (knowing whether a company is evaluating solutions) and doesn't require contact-level consent.

Contact-level intent signals (complex):
- Which individual at account X visited pricing page
- Which person downloaded your whitepaper
- Which specific contact engaged with content
- Individual behavioral tracking via email, ads, website tracking pixels

Legal basis: Contact-level behavioral data often requires explicit consent under GDPR Article 6(1)(a) or legitimate interest demonstration. Email/behavioral tracking triggers ePrivacy Directive implications.
The tension: account-based marketing wants to identify specific stakeholders and reach them with intent-based outreach, which requires contact-level data. But GDPR restricts how and when you can use contact data, especially without consent.
Abmatic's approach:
- Account-level intelligence is primary (account fit, buying stage, intent signals without contact identification)
- Contact data only collected with consent or from existing relationships
- Transparent about which signals require contact-level consent
- Stores contact data separately from behavioral signals
- Only surface contact recommendations when consent exists

6sense's approach:
- Two data models: account-level (compliant) and contact-level (with appropriate consent)
- Account-level buying stage and intent data is primary, requires no contact consent
- Contact discovery only triggered by account-level signals
- Clear distinction in interface between "account insights" (always available) and "contact insights" (consent-dependent)

Bombora's approach:
- Keyword research data is account-level (which companies are researching topics)
- No contact-level personal data (only company context)
- Intent signals are behavioral at company level (not individual tracking)
- Compliant under legitimate business interest (knowing if company is in-market)

G2's approach:
- Review and adoption data tied to accounts (which companies are researching products)
- Contact information only released with explicit request/consent
- Separate "G2 Buyer Intent" (account-level) from "G2 Contact Insight" (requires consent)
- GDPR compliant for account-level, requires separate consent for contact data

LinkedIn's approach:
- Professional data (job titles, roles, companies) is GDPR-compliant as long as consent/legitimate interest is demonstrated
- Behavioral data (which profiles viewed what) is more restricted
- Sales Navigator data is primarily professional directory (less privacy-sensitive)

1. Separate your data models
Build account-based targeting on account-level intent (no personal data required):
- Which accounts match your ICP via firmographic data
- Which accounts show buying signals (keyword research, job changes, content engagement)
- Account engagement history

Then layer in contact data only when consent exists:
- Which individuals at target accounts should you reach
- Do those contacts have existing business relationship (consent basis: legitimate interest)
- Have they consented to marketing? (consent basis: explicit consent)

2. Establish consent basis
For contact-level intent data, clarify your legal basis:
- Existing customer: Legitimate interest (contact your existing customer about related solution)
- Website visitor who consented: Explicit consent (via opt-in, cookie banner acceptance)
- Event attendee who shared email: Explicit consent (via event registration)
- LinkedIn connection: Legitimate interest + contractual (LinkedIn's terms allow messaging connections)
- Unknown contact at target account: No consent - avoid unsolicited outreach

The key distinction: account-level buying signals often fall under legitimate interest (knowing whether a company is buying). Contact-level targeting usually requires consent.
3. Use account context to drive contact targeting
Let account intelligence guide which contacts you reach:
- Only reach contacts at accounts showing buying signals
- Only reach contacts in buying-related roles (decision-makers, not random employees)
- Only reach contacts via channels with explicit consent (email addresses they provided, LinkedIn)

4. Respect consent hierarchy
For account targeting (compliant without contact consent):
Use Bombora, 6sense, G2 account-level data to:
- Identify accounts in-market for your solution
- Rank accounts by buying signal strength
- Understand account buying stage and stakeholder roles
- Plan account coverage strategy

Data flow: Intent signal -> Account targeting -> Determine stakeholders
For contact targeting (requires appropriate basis):
For multi-channel orchestration:
Don't do this:
Buying signal + cold email: "We saw your account downloaded 10 pieces of content about ABM, so we found your email (without consent) and sent you a cold email." Non-compliant. Buying signal is legitimate, but cold contact without basis violates GDPR.
Behavioral tracking without consent: Install tracking pixel on website, track all visitors, email unknown prospects about their behavior. GDPR violation.
Assume consent from account-level signal: "We know your company is in-market, therefore we can email you without consent." Non-compliant. Company signal =/= individual consent.
Repurpose old contact lists with intent data: "We have old email list from 2019. We know those accounts are now in-market. Let's message them again." Likely violation if contacts didn't opt-in recently.
Use third-party contact enrichment without consent basis: "We bought contact data from vendor, and now we'll email them because they match intent signals." Contact data purchase doesn't create consent.
Abmatic: Strong GDPR focus, separates account from contact, transparent about consent. Recommended for EU-focused teams.
6sense: Good compliance, offers both account-only and contact-based models. Good for tiered targeting.
Bombora: Account-level only (no contact data), highest compliance. Limited contact enrichment.
G2: Account-level signals compliant, separate consent model for contacts. Good for tech companies.
Apollo.io: Contact-data first platform, compliant if you manage consent properly. Best for existing relationships.
LinkedIn Sales Navigator: Contractual basis (LinkedIn's terms), compliant for B2B outreach to professionals. Good for research and connection-based outreach.
Q: Can I use intent data for account selection if I don't have contact consent? A: Yes. Account-level intent (which companies are in-market) is usually legitimate interest. You don't need individual contact consent to know "that company is evaluating solutions." But you need consent to email individuals.
Q: Is buying signal data personal data? A: Depends on context. "Company X is researching ABM" is not personal data. "John at Company X visited your pricing page" is personal data. Use the first without consent. For the second, get consent.
Q: Can I cold email if I know the account is in-market? A: Only if: (1) contact has consented to marketing, (2) contact is existing customer (legitimate interest), or (3) contact provided email via opt-in. Buying signal alone doesn't justify cold email.
Q: Is LinkedIn messaging compliant without consent? A: Contractual basis exists (LinkedIn's terms allow connection messaging). But it's a gray area legally. European regulators scrutinize LinkedIn; US is less restrictive. Safer: only message existing connections or use in-network messaging.
Q: How do I handle consent for account-level targeting across multiple contacts at one account? A: Different consent basis for each contact. John (existing customer): legitimate interest. Sarah (event attendee): event consent. Mike (unknown): no messaging. Use account-level insights to target the consented individuals.
Q: What's the difference between Bombora intent data and email list enrichment? A: Bombora shows which companies research topics (account-level, no contact data). Email enrichment adds contact info to your list. Bombora is compliant. Enrichment is compliant if used on consented list.
Q: Do I need consent for account-based ads (LinkedIn, Google)? A: No. Account/company-level targeting doesn't require contact consent. Advertising is contractual (platform terms). Use account intent to target ads, no email consent needed.
Q: How do I explain intent data to my GDPR-concerned contacts? A: "We use account-level data to understand which companies are evaluating solutions like ours. We only message individuals who have consented to marketing, are existing customers, or connected with us on LinkedIn."
Q: Is GDPR compliance worth the complexity for my mid-market team? A: Yes. GDPR fines reach 20 million euros or 4% of revenue. Data breach lawsuits are increasing. Starting compliant is easier than fixing violations later. Build compliant from day one.
Self-assessment questions:
Do you know what legal basis you have for each contact on your email list? (consent, legitimate interest, contract, obligation)
- If "no": not compliant. Audit list immediately.

Have you updated your privacy policy to explain how you use intent data and behavioral signals?
- If "no": not compliant. Update today.

Can you prove consent for behavioral tracking (website visit, content download, email open)?
- If "no": may not be compliant. Review with legal.

Do you have a data processing agreement (DPA) with each vendor (Bombora, 6sense, Apollo, LinkedIn)?
- If "no": not compliant. Request DPA from each vendor.

Can you fulfill a data subject access request (GDPR Article 15) within 30 days?
- If "no": not compliant. Build process today.

Do you have documented retention periods for contact data?
- If "no": not compliant. Set and document retention policy.

Can you delete all data for a contact if they request it (right to be forgotten)?
- If "no": not compliant. Build deletion process today.

Scoring:
- 6-7 "yes" = likely compliant
- 4-5 "yes" = partially compliant, gaps exist
- <4 "yes" = not compliant, significant risks

Week 1-2: Audit and assessment
- Review all contact data sources (email lists, web forms, event signups, third-party data)
- Classify each contact by consent status (opted-in, existing customer, event, LinkedIn, purchased list, unknown)
- Identify non-compliant practices (cold email to unknown prospects, purchased lists without consent)
- Document current state

Week 3-4: Policy and governance
- Update privacy policy to explain intent data usage
- Document legal basis for each contact segment
- Create data retention schedule (delete cold contact data after 1 year if no engagement)
- Establish data processing agreements with vendors

Week 5-6: Operational changes
- Stop any non-compliant outreach (cold email to unknown contacts)
- Implement consent management in marketing automation
- Create data subject request process (can you delete all data for person X?)
- Set up contact deletion workflows

Week 7-8: Vendor review
- Audit all vendors for GDPR compliance
- Obtain DPA from each (Bombora, 6sense, Apollo, LinkedIn, etc.)
- Review data subprocessing (who does each vendor share data with?)

Week 9-12: Testing and documentation
- Test GDPR request fulfillment (can you delete all data for one contact in <30 days?)
- Document all compliance processes
- Train team on compliant outreach practices
- Schedule annual audit (compliance is ongoing, not one-time)

For each type of outreach, document your legitimate interest:
Example: Cold email to prospect based on buying signals
Q: What is your legitimate interest? A: "We have a legitimate interest in identifying companies actively evaluating our solution category. Buying signal (keyword research, content download) indicates active interest. Email address was found via public sources (LinkedIn, company directory)."
Q: Is this interest balanced against prospect's privacy rights? A: "Prospect may not welcome unsolicited email. But our interest (identifying potential customer) outweighs their interest (not receiving marketing email), especially if email clearly identifies who we are and includes unsubscribe option."
Q: Have you documented this assessment? A: "Yes, we have a Legitimate Interest Assessment document stored with legal."
Result: Document this and you can defend sending one email. Send 10 emails to someone who didn't respond? Harder to defend.
Immediate (this week):
- [ ] Review your top 100 cold email addresses: is each person on your list likely to welcome the email?
- [ ] If 20%+ don't have clear consent/legitimate interest basis, audit your entire list
- [ ] Stop any clearly non-compliant practice (e.g., bought list + cold email without consent)

Short-term (this month):
- [ ] Update privacy policy to disclose intent data usage
- [ ] Implement consent management in marketing automation tool
- [ ] Obtain DPA from each third-party vendor (Bombora, 6sense, etc.)
- [ ] Document legitimate interest assessment for each outreach type

Medium-term (this quarter):
- [ ] Segment contact list by consent status
- [ ] Build process to handle "right to be forgotten" requests
- [ ] Train team on compliant outreach practices
- [ ] Audit vendor compliance (are they GDPR-compliant?)

Long-term (ongoing):
- [ ] Annual compliance review (did we maintain compliance?)
- [ ] Quarterly consent refresh (update lists for contacts who unsubscribed)
- [ ] Vendor audit (if vendor is acquired or changes privacy practices)

GDPR (Europe, broad scope):
- Applies to any company processing data of EU residents
- Fines: 20M euros or 4% revenue (whichever is larger)
- Definition of personal data: broad (includes IP addresses, contact info, behavior)
- Consent: explicit opt-in required for marketing
- Right to erasure: must delete upon request

CCPA (California, narrower scope):
- Applies to for-profits processing California residents' personal info
- Fines: up to $7,500 per violation
- Definition of personal data: narrower (primary identification data)
- Consent: opt-out is default (disclosure required, consent not always required)
- Right to deletion: must delete upon request (some exceptions)

UK DPA (UK, similar to GDPR):
- Similar to GDPR with minor variations
- Applies to UK data protection
- Similar consent and deletion rights

Intent data implication:
- GDPR: strict (consent required for marketing to EU residents)
- CCPA: more flexible (disclosure + opt-out often sufficient)
- UK DPA: GDPR-equivalent (strict)

If you target EU + US customers: build for GDPR compliance, CCPA compliance comes easier.
Before using any intent data vendor, verify:
Red flags:
- Vendor won't provide DPA
- Vendor won't disclose data sources
- Vendor doesn't have privacy policy
- Vendor claims data is "100% opt-in" (unlikely, claims transparency instead)

Most reputable vendors (6sense, Abmatic, Bombora, Apollo) pass all these checks. Cheaper vendors or data brokers may not.