TL;DR – not a good idea to buy or use mailing lists that have been scraped…:
On April 30, 2020, the French data protection authority, the CNIL, published a guidance surrounding considerations behind what it calls “commercial prospecting,” meaning scraping publicly available website data to obtain individuals’ contact info for purposes of selling such data to third parties for direct marketing purposes. The guidance is significant in two respects. First, it speaks to the CNIL’s view of this activity in the context of the GDPR and privacy concerns. Second, beyond the context of direct marketing related privacy issues, the guidance lays out some guiding principles for companies that conduct screen scraping activities or hire outside vendors to collect and package such data.