What happened with Jessica Moore's AI link building campaign?

The campaign utilized automated AI outreach at scale, which resulted in 47 GDPR complaints due to improper data handling and lack of consent in the outreach process.

Can AI outreach violate GDPR?

Yes, if AI outreach tools process personal data of EU citizens without a legal basis or fail to provide opt-out mechanisms, they can be in direct violation of GDPR regulations.

How can SEOs avoid GDPR issues in link building?

SEOs should ensure they have 'Legitimate Interest' documented, maintain clean email lists, provide clear unsubscribe options, and verify that AI tools are compliant with data privacy laws.

Home

Expert Insights (Interviews)

Link Building at Scale: When Jessica Moore’s AI Outreach Got 47 GDPR Complaints | Interview

byMorgan H

December 23, 2025

Link Building at Scale: When Jessica Moore’s AI Outreach Got 47 GDPR Complaints

Jessica: —okay, can you hear me now?

Morgan: Yeah, you’re good. Audio’s perfect.

Jessica: Great. Sorry, I had to switch rooms. My roommate’s blasting music.

Morgan: No worries. So, I heard you got threatened with GDPR lawsuits?

Jessica: [groans] Oh god, yes. That was the worst three months of my life.

Morgan: Start from the beginning. What do you do?

Jessica: I’m a link building specialist. Been doing it for about eight years. I help companies get high-quality backlinks through outreach— guest posts, resource page links, that kind of thing. It’s tedious work, but it works.

Morgan: And you decided to automate it?

Jessica: Yeah. In early 2024, I was drowning in work. I had twelve clients, and each one needed like 20-30 new links per month. I was sending hundreds of outreach emails manually every week, and it was killing me.

Morgan: So you built an AI system?

Jessica: I didn’t build it myself. I found this tool— I’m not gonna name it— that promised to automate the entire outreach process. It would find prospects, scrape their contact info, personalize the emails using AI, and send them automatically. It was like a dream come true.

Morgan: When did you start using it?

Jessica: March 2024. I signed up for their premium plan, which was like $400 a month but totally worth it if it saved me 20 hours a week. The first week, I set up campaigns for three clients. The tool found prospects, generated personalized emails, and sent them. I barely had to do anything.

Morgan: Did you get responses?

Jessica: Yeah! That’s the crazy thing. The response rate was actually higher than when I did manual outreach. Like, I was getting 15-20% response rates when my manual rate was usually around 8-10%. I thought I’d found the holy grail.

Morgan: What was different about the AI emails?

Jessica: They were really personalized. Like, the AI would mention specific articles the person had written, reference their social media posts, even bring up their hobbies or interests. It felt hyper-targeted.

Morgan: That should have been a red flag.

Jessica: [laughs] Yeah, in retrospect, I should have asked how the AI was getting all that information. But I didn’t. I was just happy it was working.

Morgan: When did you scale it up?

Jessica: April. I rolled it out to all twelve clients. I set up campaigns targeting like 50,000 email addresses across different niches. Tech blogs, marketing sites, health and wellness, travel— everywhere my clients needed links.

Morgan: 50,000 emails?

Jessica: Yeah. The tool said it could handle high volume, and I figured more emails meant more links. So I just… went for it.

Morgan: When did things go wrong?

Jessica: May 3rd. I get this email from someone in Germany— a marketing director at some mid-sized company. The subject line was “GDPR Violation – Legal Action Pending.” And my stomach just dropped.

Morgan: What did the email say?

Jessica: Basically, “How did you get my personal email address? How do you know where I went to university? How do you know about my daughter’s soccer team? You’ve violated GDPR by processing my personal data without consent, and I’m reporting you to my country’s data protection authority.

Morgan: Oh shit.

Jessica: Yeah. And I’m reading this, and I’m like, “What the fuck is he talking about? Daughter’s soccer team?” So I pull up the email my AI tool had sent to him, and sure enough, there’s this line like, “I see your daughter plays for FC München’s youth team— that’s amazing! I actually coach youth soccer myself.”

Morgan: The AI mentioned his daughter?

Jessica: The AI mentioned his daughter. And I never gave it that information. I didn’t even know this guy had a daughter.

Morgan: How did the AI find that out?

Jessica: [pause] I still don’t fully understand how. But my lawyer later explained that the tool was probably scraping social media profiles, LinkedIn activity, maybe even public records. And then using all that scraped data to create “personalized” emails.

Morgan: That’s… that’s really invasive.

Jessica: It’s beyond invasive. It’s illegal in Europe. GDPR has really strict rules about processing personal data, and you can’t just scrape someone’s social media and use it for marketing without their consent.

Morgan: What did you do when you got that first complaint?

Jessica: I panicked and sent an apology email immediately. I said it was an automated system and I’d remove him from our list. But that just made it worse because then he knew I was using automation, which made the whole thing seem even more sketchy.

Morgan: Did he drop it?

Jessica: No. He forwarded my response to his lawyer and to Germany’s data protection authority. And then… [pause] …then the floodgates opened.

Morgan: What do you mean?

Jessica: Over the next two weeks, I got 46 more GDPR complaints. From people in the UK, France, Netherlands, Sweden— all over Europe. Some were polite, like “Please delete my data.” Others were threatening legal action. One person’s lawyer sent me a cease and desist letter.

Morgan: Holy shit.

Jessica: Yeah. And I’m just sitting there in my apartment losing my mind because I don’t know anything about GDPR. I’m in the US. I’d never even thought about European privacy laws.

Morgan: What did you do?

Jessica: I hired a lawyer. An expensive one who specializes in data privacy. First consultation was like $500 an hour, and she basically said, “You’re in serious trouble. GDPR fines can be up to 4% of global revenue or €20 million, whichever is higher.”

Morgan: But you’re not a big company.

Jessica: Doesn’t matter. The fines are calculated based on the severity of the violation. And scraping personal data without consent and using it for unsolicited marketing? That’s pretty severe.

Morgan: How much did the lawyer cost you?

Jessica: [pause] $28,000. That’s what I paid her over three months to respond to complaints, work with data protection authorities, and make sure I didn’t get sued into oblivion.

Morgan: Jesus. Did you get fined?

Jessica: Not yet. The lawyer managed to resolve most of the complaints by showing that I’d immediately stopped the outreach, deleted all the data, and implemented privacy policies. But there are still two cases pending with data protection authorities in Germany and France.

Morgan: What happens if they fine you?

Jessica: I could owe anywhere from €10,000 to €100,000 depending on what they decide. My lawyer thinks it’ll be on the lower end since I’m a small operation and I cooperated fully, but we won’t know for months.

Morgan: Are you still doing link building?

Jessica: Yeah, but way differently. I’m doing everything manually now. No automation, no AI, no scraped data. Just old-fashioned research and personalized outreach written by an actual human.

Morgan: That must be so much slower.

Jessica: It’s incredibly slower. I can only handle like four clients now instead of twelve. My income’s dropped by like 60%. But at least I’m not getting legal threats.

Morgan: Did you lose clients over this?

Jessica: Three of them. As soon as they heard I was dealing with GDPR complaints, they bailed. They didn’t want to be associated with the liability.

Morgan: Did you tell your other clients what happened?

Jessica: I had to. I sent an email to everyone explaining the situation and assuring them that their campaigns had been stopped immediately. Most of them were understanding, but I could tell they were nervous.

Morgan: What about the AI tool company? Did they help you?

Jessica: [laughs bitterly] No. I reached out to them immediately when the complaints started coming in, and they basically said, “Our terms of service state that users are responsible for compliance with local laws.” And then they ghosted me.

Morgan: Did you try to get a refund?

Jessica: Yeah. They ignored me. I even threatened to sue them, and my lawyer said it wasn’t worth it because they’re based overseas and the legal costs would be more than I’d recover.

Morgan: That’s infuriating.

Jessica: It really is. Like, they built a tool that’s clearly designed to violate privacy laws, but they’ve structured everything so they’re not liable. It’s all on the user.

Morgan: Do you think you should have known better?

Jessica: [long pause] Yes. I should have. I should have asked how the personalization worked. I should have read the terms of service more carefully. I should have researched GDPR before sending emails to Europeans. But I didn’t because I was focused on scaling and making money.

Morgan: That’s understandable though.

Jessica: Maybe. But it’s not an excuse. I was processing people’s personal data without their consent. That’s wrong, legally and ethically.

Morgan: How do you feel about AI outreach now?

Jessica: I think it’s dangerous. Not because AI is inherently bad, but because it makes it too easy to cross lines you shouldn’t cross. Like, when I was writing outreach emails manually, I’d never mention someone’s kids or dig into their personal life. But the AI did it automatically because it was trained to be “highly personalized.”

Morgan: Do you think the AI tool should be banned?

Jessica: I don’t know about banned, but there should definitely be more regulation. Right now, these companies can build tools that violate privacy laws and then just say “Not our problem” when users get in trouble.

Morgan: Have you warned other link builders about this?

Jessica: Yeah, I’ve posted about it in a few communities. Some people thanked me for the warning. Others said I was just trying to scare people away from automation. You can’t win.

Morgan: What did the people who were skeptical say?

Jessica: Things like “GDPR is overblown” or “You just didn’t use the tool correctly.” One guy said I was “fear-mongering” and that he’d been using AI outreach for years with no problems.

Morgan: What did you say to that?

Jessica: I said, “Cool, good luck. Hope you have $30,000 saved for a lawyer.” [laughs] I know that sounds bitter, but I’m tired of people acting like this isn’t a real risk.

Morgan: It sounds like you’re still processing the trauma.

Jessica: I am. Like, I wake up every few nights panicking about the pending cases. What if they fine me €50,000? I don’t have that kind of money. I’d have to declare bankruptcy.

Morgan: That’s a lot of stress.

Jessica: It’s constant. My therapist says I have anxiety now from all this. Which is fun.

Morgan: You’re in therapy for it?

Jessica: Yeah, started in June. My lawyer actually recommended it because I was having panic attacks during our calls.

Morgan: That’s really hard. I’m sorry.

Jessica: Thanks. It’s… [pause] …it’s been a rough year. But I’m trying to rebuild and be smarter this time.

Morgan: What does “smarter” look like?

Jessica: Manual outreach only. No scraped data. I only contact people whose email addresses are publicly listed on their websites for business inquiries. And I never, ever mention personal information. Just straight business.

Morgan: Is that effective?

Jessica: It’s less effective than the AI approach, but it’s legal and ethical. And I can sleep at night.

Morgan: That’s worth something.

Jessica: It’s worth everything, honestly.

Morgan: [pause] Okay, last question. What would you tell someone who’s considering using AI for outreach?

Jessica: I’d say, “If the tool is doing things you couldn’t do manually— like accessing private social media data or scraping non-public information— it’s probably illegal. Don’t use it.”

Morgan: That’s good advice.

Jessica: It’s advice I wish someone had given me.

Morgan: Alright, I should let you go. Thanks for being so open about all this.

Jessica: Thanks for listening. It actually feels good to talk about it with someone who’s not my lawyer or therapist.

Morgan: [laughs] Happy to be the cheap alternative.

Jessica: [laughs] Exactly. Alright, take care Morgan.

Morgan: You too, Jessica. Good luck with those pending cases.

Jessica: Thanks. I’m gonna need it.

[end]

Table of Contents

Key Lessons Learned

“AI makes it too easy to cross lines you shouldn’t cross. When I was writing emails manually, I’d never mention someone’s kids. But the AI did it automatically because it was trained to be ‘highly personalized.'”

1. “Personalization” Can Mean Privacy Violation

The AI achieved 15-20% response rates (vs. Jessica’s manual 8-10%) by referencing personal details like children, hobbies, and university history. This data was scraped without consent, making the personalization both effective and illegal under GDPR.

2. GDPR Applies to US Companies Targeting Europeans

Jessica assumed GDPR didn’t apply to her because she’s US-based. Wrong. If you process personal data of EU residents—even through marketing emails—you’re subject to GDPR regardless of your location.

3. Automated Scale Amplifies Legal Risk

Sending 50,000 emails manually would have been impossible, naturally limiting Jessica’s exposure. Automation let her violate 50,000 people’s privacy simultaneously, turning individual complaints into a systemic legal crisis.

4. The First Complaint Triggers an Avalanche

One German marketing director complained on May 3rd. Within two weeks, 46 more Europeans filed GDPR complaints. Once the pattern became visible, coordinated action followed quickly.

5. AI Tools Deflect Liability to Users

The tool’s terms of service stated “users are responsible for compliance with local laws.” When Jessica faced $28K in legal fees, the company ghosted her. They designed the tool, but structured liability to fall entirely on customers.

6. Legal Defense Is Expensive Even When You Win

Jessica hasn’t been fined yet—her lawyer resolved most complaints by demonstrating good faith—but the defense still cost $28,000. Two pending cases could add €10,000-€100,000 in fines. Compliance failure is costly regardless of outcome.

7. “How Does It Know That?” Is the Right Question

When AI mentioned prospects’ daughters, universities, and hobbies, Jessica should have immediately asked: “Where is this data coming from?” She didn’t because the results were good. Effectiveness masked illegality.

“I should have asked how the personalization worked. But I didn’t because I was focused on scaling and making money.”

8. Client Loss Is Secondary to Liability

Three clients left after learning about GDPR complaints, but that was minor compared to legal fees, pending fines, anxiety-induced therapy, and 60% income reduction from switching to manual outreach. Reputation damage compounds financial impact.

9. Scraped Social Media Data ≠ Public Business Information

Just because someone posts about their daughter on Facebook doesn’t mean you can use that information for B2B marketing outreach. GDPR distinguishes between publicly available and legitimately obtainable for commercial use.

10. Manual Work Is Slower But Sustainable

Jessica went from twelve clients to four, with 60% income loss. But manual outreach using only publicly listed business emails keeps her legal, ethical, and able to sleep at night. Sustainability trumps scale when legal risk is existential.

About Jessica Moore

Jessica Moore is a link building specialist with eight years of experience helping companies acquire high-quality backlinks through strategic outreach and relationship building. She works primarily with B2B tech companies, SaaS platforms, and digital marketing agencies.

In March 2024, facing overwhelming workload from twelve simultaneous clients, Jessica adopted an AI outreach tool that promised to automate prospect research, email personalization, and sending. The tool achieved impressive 15-20% response rates by incorporating hyper-personal details scraped from social media profiles, public records, and online activity—without recipients’ consent.

After sending 50,000 automated emails in April 2024, Jessica received 47 GDPR complaints from European recipients in May, including formal complaints to data protection authorities in Germany and France. The AI had referenced recipients’ children, educational backgrounds, hobbies, and personal interests—data it had scraped illegally under European privacy law.

“How did you get my personal email address? How do you know where I went to university? How do you know about my daughter’s soccer team?”

Jessica paid $28,000 in legal fees over three months to respond to complaints and avoid prosecution. Two cases remain pending with European data protection authorities, with potential fines ranging from €10,000 to €100,000. She lost three clients immediately and reduced her client load from twelve to four to manage manual outreach only.

The experience triggered anxiety and panic attacks, requiring ongoing therapy. Jessica now conducts all outreach manually using only publicly listed business contact information, never mentioning personal details. Her income dropped 60%, but she prioritizes legal compliance and ethical practice over scale.

Jessica lives in Portland and has become an advocate for privacy-conscious link building practices within the SEO community.

This interview was conducted via video call in November 2025. Jessica was candid about both the legal consequences and emotional toll of automated outreach violations. The conversation has been edited for clarity while preserving her emphasis on the real risks of AI tools that operate in legal gray areas.