TL;DR
Only partially. RocketReach claims compliance with GDPR by offering data subject access and deletion tools, opt-out mechanisms, and strong security certifications. However, it does not have an EU representative as required under Article 27 of the GDPR, and European regulators have had difficulty enforcing privacy rights against it.
RocketReach’s GDPR Posture
1. Legal Basis and User Rights
RocketReach states that it processes data under the legal basis of legitimate interest. It offers mechanisms for users to:
- Request access to their data
- Request deletion of personal data
- Opt out of data processing or email lookup
However, user reports indicate these processes can be difficult in practice: users are often required to create an account just to request deletion, an approach at odds with the GDPR's intent that data subjects can exercise their rights easily and free of charge.
2. Data Security and Certifications
RocketReach maintains several industry-standard security certifications:
- ISO 27001
- SOC 2
- PCI DSS
Data is encrypted both in transit and at rest. Access controls, regular audits, and monitoring are in place as part of its security posture.
3. International Data Transfers
As a U.S.-based company, RocketReach processes EU data outside of the European Economic Area. However, there is no clear documentation that it uses Standard Contractual Clauses (SCCs) or participates in the EU-U.S. Data Privacy Framework.
4. EU Representative and Enforcement
RocketReach does not list an Article 27 EU representative, a key requirement for non-EU entities that offer services to, or monitor the behaviour of, individuals in the EU. This gap has made it difficult for EU regulators to enforce the GDPR against the company.
For example:
- The Luxembourg DPA declined to act on a complaint against RocketReach because the company had no legal presence in the EU.
- Activist groups such as noyb (None of Your Business) have highlighted this as a loophole being exploited by U.S. data brokers.
5. Regulatory Complaints and Public Criticism
- Multiple GDPR complaints have been filed against RocketReach in various EU countries.
- Users and privacy advocates criticize the service for scraping and selling personal data without direct consent.
- Reddit and GDPR forums include anecdotal reports of users struggling to remove their profiles or personal information.
Who Should Care?
- EU Individuals: May find their information listed on RocketReach without consent, with limited recourse to enforce removal.
- Businesses: Must be cautious when using RocketReach for B2B lead generation, particularly if targeting EU residents.
- Privacy and Legal Teams: Should evaluate whether RocketReach aligns with corporate data protection policies and assess associated legal risks.
General Caveat
This assessment is based on publicly available information and should not be considered legal advice. While RocketReach claims alignment with GDPR principles, the lack of an EU representative and weak regulatory enforcement present significant compliance concerns. Organizations should consult a legal expert before using RocketReach to handle EU personal data.
Final Thoughts
RocketReach provides some tools and policies that suggest a degree of GDPR alignment, particularly in data access, deletion, and security. However, without full adherence to the structural GDPR requirements, especially EU representation and enforceability, it falls short of being a reliable GDPR-compliant vendor for organizations handling EU data.
