You’ve got your GDPR process down. You understand legitimate interest, you have an unsubscribe link in every email, you don’t store data for more than three years. You’re good.

Then a California-based VP pops up in your pipeline. Followed by a CTO in São Paulo. And a potential enterprise deal out of Shanghai. And suddenly you’re wondering: do the rules change depending on where your prospect lives?

They do — significantly.

Since GDPR came into force in 2018, nearly every major economy has passed its own data protection law. CCPA in the US, LGPD in Brazil, PIPL in China, POPIA in South Africa — each with its own definitions, thresholds, penalties, and take on what “consent” actually means. For sales, marketing, and growth teams running high-volume B2B data enrichment workflows, ignoring this regulatory landscape is an increasingly expensive gamble.

This guide breaks down every major global data privacy regulation, with the specific implications for your B2B prospecting — no legal jargon, just what you actually need to know.

TL;DR
This guide compares GDPR, CCPA, LGPD, PIPL and POPIA for B2B teams. Each law has its own legal basis and individual rights framework. The universal principles are: transparency, easy opt-out, and strictly professional data. Enriching your data with verified, professional sources is the best protection against compliance risk.


Chapter 1: Why Global Regulations Apply to Every B2B Team

The “we only use professional data” myth

A lot of sales teams assume they’re in the clear because they only use work emails and office phone numbers. That assumption is getting more dangerous — and more expensive — by the year.

The reality: in virtually every major data protection law worldwide, an email like firstname.lastname@company.com is personal data. It identifies a natural person. And it’s that person who’s protected by GDPR, CCPA, LGPD and their global equivalents.

The only partial exception covers generic corporate emails (info@company.com, sales@business.com) which, in some jurisdictions, are not treated as personal data. But the moment you have a name in the address, you’re in scope.

Extraterritoriality: the concept that changes everything

The most surprising principle for many US and European teams is extraterritoriality: these laws don’t just apply to companies based in the regulated country. They apply to any company, anywhere in the world, that processes data of people located in the covered territory.

A SaaS startup in Austin prospecting French decision-makers? GDPR applies. A London agency enriching Brazilian contacts? LGPD is relevant. A Paris scale-up cold-emailing California executives? CCPA needs to be on your radar.

This single principle turns data compliance from a domestic checkbox into a genuine global operations concern.

The financial stakes in 2026

Fines are no longer theoretical:

Regulation             | Max penalty
GDPR (EU)              | €20M or 4% of global annual revenue
CCPA/CPRA (California) | $7,500 per intentional violation
LGPD (Brazil)          | 2% of Brazilian revenue, max 50M BRL
PIPL (China)           | 50M CNY or 5% of annual revenue
POPIA (South Africa)   | 10M ZAR or potential imprisonment

Beyond the numbers: in B2B, where trust is your primary asset, the reputational damage of a public compliance failure often far outweighs the fine itself.

Key takeaway: Extraterritoriality makes global regulations relevant for any team prospecting across borders — not just the multinationals.


Chapter 2: GDPR — The Benchmark You Already Know (With a Few Surprises)

What GDPR actually says about B2B prospecting

The EU’s General Data Protection Regulation, in force since May 2018, is the baseline most international teams reference. But some important nuances remain widely misunderstood.

For B2B outreach, GDPR permits legitimate interest as a legal basis (Article 6.1.f) — meaning you don’t need prior consent to contact a professional whose role is relevant to your offer. This is the fundamental difference from B2C, where opt-in consent is the default.

But legitimate interest is not a blank check. It comes with strict obligations:

  • Inform the prospect on first contact: where you got their data, your commercial purpose, and their rights
  • Provide a clear opt-out in every communication — one click, no justification required
  • Target relevantly — only people whose job function is genuinely related to what you’re selling
  • Limit retention — the ICO and most European DPAs recommend a 3-year maximum from last meaningful contact

3 compliance pressure points in 2026

Recent enforcement across EU member states has concentrated on three practices:

  1. Missing opt-out links in prospecting emails — the most cited violation in DPA sanctions
  2. Excessive data retention — keeping contacts active for more than 3 years without re-engagement
  3. Out-of-scope targeting — contacting people whose function has no clear connection to your product

GDPR applies across all 27 EU member states. Post-Brexit, the UK runs its own UK GDPR, supervised by the ICO (Information Commissioner’s Office) rather than a national DPA — same principles, separate enforcement authority.

For a deep dive into cold email compliance specifically, check out our guide on cold emailing and GDPR.

Key takeaway: In European B2B, legitimate interest removes the need for opt-in consent — but it doesn’t remove your obligation to be transparent and make opting out trivially easy.


Chapter 3: CCPA/CPRA — California’s Law With Global Reach

What CCPA is and who it actually covers

The California Consumer Privacy Act (CCPA), effective January 2020 and significantly expanded by the CPRA (California Privacy Rights Act) from January 2023, is the most impactful US regulation for international B2B teams.

Contrary to what many assume, CCPA doesn’t just apply to California companies. It covers any for-profit business that meets at least one of these thresholds:

  • Annual gross revenue over $25 million
  • Buys, receives, or sells personal information of 100,000+ California consumers annually (threshold raised in 2023)
  • Derives 50% or more of annual revenue from selling consumers’ personal information

The 2023 turning point: the B2B exemption is gone

This is the single most important update many B2B teams missed: the CCPA’s B2B exemption expired on January 1, 2023.

Before that date, business contacts in California had a lighter-touch regime. Since 2023, California-based employees and professional contacts have the same privacy rights as individual consumers — including the right to access their data, request deletion, correct inaccuracies, and opt out of data sales or sharing.

If your team has been operating on the assumption that B2B contacts in California are automatically exempt, that assumption is no longer valid.

What CCPA compliance looks like in practice

Requirement                 | Detail
“Do Not Sell or Share” link | Must appear on your website if you share data with third parties
Right to deletion           | Respond within 45 days
Right to access             | Provide data held upon request
Privacy policy              | Must explicitly list CCPA rights
Data Broker Registry        | Required if you buy/sell California resident data

The $7,500 per intentional violation ceiling sounds manageable in isolation. But each individual contact represents a separate violation. Run the arithmetic on a cold email campaign to 10,000 California contacts without a proper opt-out mechanism and the exposure looks very different.

CCPA vs GDPR: the key differences

Point               | GDPR                                    | CCPA/CPRA
Core model          | Requires legal basis for any processing | Opt-out model — processing permitted unless objected to
Legitimate interest | Recognized, widely used in B2B          | Not recognized as a legal basis
Focus               | Lawfulness of data processing           | Sale and sharing of personal data
B2B exemption       | None                                    | Existed until Jan 2023, now expired

Key takeaway: Since January 2023, CCPA fully applies to California B2B contacts. If you’re prospecting in the US, assess your exposure — especially if your volume exceeds 100,000 California records annually.


Chapter 4: LGPD — Brazil’s Data Law and Its B2B Gray Areas

Scope and applicability

Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), in force since August 2020, is closely modeled on GDPR — but with its own characteristics worth understanding.

LGPD applies to any organization that processes personal data of individuals located in Brazil, regardless of where the organization is based. In 2025, Brazil’s ANPD (National Data Protection Authority) tightened enforcement by requiring foreign companies to appoint a local representative.

A notable threshold difference: LGPD sets no minimum revenue or size threshold. It applies to all entities, except for journalistic, artistic, academic, and public security purposes.

LGPD’s 10 founding principles

Every data processing activity under LGPD must respect 10 core principles:

  1. Purpose — processing must have a legitimate, specific objective
  2. Adequacy — activities must match the purposes disclosed
  3. Necessity — only the minimum required data may be processed
  4. Free access — individuals can consult their data at no cost
  5. Data quality — information must be accurate and current
  6. Transparency — organizations must be clear about their practices
  7. Security — data must be protected against unauthorized access
  8. Prevention — risks must be anticipated before they materialize
  9. Non-discrimination — data cannot be used to discriminate
  10. Accountability — demonstrate compliance when challenged

LGPD and B2B prospecting: the current gray area

One significant point for commercial teams: LGPD does not explicitly cover B2B marketing activities in its current form, according to several legal interpretations. However, the ANPD has signaled it is monitoring this space and guidance may evolve.

The most widely used legal basis in B2B contexts under LGPD is legitimate interest — analogous to GDPR’s approach. Unlike GDPR though, LGPD also recognizes credit protection and compliance with public policies as legal bases, with no direct European equivalent.

Practical recommendation: If you’re prospecting in Brazil, default to GDPR-equivalent practices. It’s the safest approach while ANPD develops more specific B2B guidance.

Key takeaway: LGPD is GDPR-inspired but has no size threshold and currently leaves B2B marketing in a legal gray zone. Play it safe — treat Brazilian contacts the same way you’d treat European ones.


Chapter 5: Other Major Regulations to Understand

PIPL — China’s law with no equivalent for “legitimate interest”

China’s Personal Information Protection Law (PIPL), effective November 1, 2021, is often called the “Chinese GDPR.” That shortcut obscures some critical differences.

Similarities with GDPR:

  • Extraterritorial reach (covers processing of Chinese residents’ data from abroad)
  • Individual rights: access, correction, deletion, portability
  • DPO requirement for large-scale data processors
  • Strict cross-border transfer rules

Critical differences:

  • No legitimate interest: PIPL’s recognized legal bases don’t include this concept central to GDPR B2B practice. This makes cold outreach to Chinese prospects significantly more complex
  • Data localization: sensitive data categories must be stored on Chinese territory
  • Separate consent required for certain high-risk processing, even if general consent already exists
  • Local representative mandatory for foreign companies processing Chinese residents’ data

Penalties reach 50 million yuan (approximately $7 million) or 5% of annual revenue — and can personally target executives.

Practical recommendation: Prospecting in China requires local legal counsel before any data enrichment campaign. Don’t try to map your GDPR playbook directly onto PIPL.


POPIA — South Africa’s GDPR-adjacent framework

South Africa’s Protection of Personal Information Act (POPIA), fully enforceable since July 1, 2021, is clearly GDPR-inspired with some notable distinctions:

  • Age of majority at 18 (GDPR uses 16) for children’s data
  • Criminal penalties: beyond financial fines (up to 10 million rand), POPIA includes potential imprisonment of up to 10 years for the most serious violations
  • Information Officer: every organization must designate one — by default, the CEO or executive head
  • Legitimate interest recognized: like GDPR, POPIA permits this basis for relevant processing

For B2B prospecting in South Africa, the principles largely mirror GDPR: transparency, easy opt-out, proportionate data, documented legitimate interest.


Asia-Pacific: PDPA frameworks across the region

Thailand (PDPA — Personal Data Protection Act): Fully in force since June 2022. Thailand’s PDPA follows a GDPR-style opt-in approach for most data processing. A dedicated Personal Data Protection Committee oversees cross-border transfers.

Singapore (PDPA — Personal Data Protection Act): One of the region’s oldest frameworks (2012, amended 2020), Singapore’s approach introduces an organisational legitimate interest concept closely aligned with GDPR. It’s widely considered the most business-friendly framework in the region.

Australia (Privacy Act): Regularly amended, the Australian Privacy Act imposes Australian Privacy Principles (APP) on government agencies and private entities with annual revenue above AU$3 million.


India — The DPDPA, a law in motion

India enacted the Digital Personal Data Protection Act (DPDPA) in 2023. With 1.4 billion people and a rapidly expanding B2B tech sector, it deserves attention:

  • Applies to digital personal data of individuals in India, processed in India or abroad
  • Consent as the primary legal basis (opt-in model)
  • Penalties up to ₹250 crore (approximately $30 million)
  • Full implementation rules and supporting regulations are still being finalized

The DPDPA’s practical impact on B2B prospecting will become clearer once implementing regulations are published — but teams building large Indian contact databases should be monitoring developments closely.

Key takeaway: The global regulatory map has expanded dramatically. Here’s the quick-reference comparison.


Chapter 6: Global Comparison Table — The B2B Essentials

Regulation | Territory       | In force       | B2B legal basis     | Model              | Max penalty
GDPR       | EU + EEA        | May 2018       | Legitimate interest | Opt-out (B2B)      | €20M / 4% revenue
UK GDPR    | UK              | Jan 2021       | Legitimate interest | Opt-out (B2B)      | £17.5M / 4% revenue
CCPA/CPRA  | California, USA | 2020/2023      | Opt-out model       | Opt-out            | $7,500 / violation
LGPD       | Brazil          | Aug 2020       | Legitimate interest | Opt-out (probable) | 2% revenue / 50M BRL
PIPL       | China           | Nov 2021       | Consent (primary)   | Opt-in             | 50M CNY / 5% revenue
POPIA      | South Africa    | Jul 2021       | Legitimate interest | Opt-out            | 10M ZAR
PDPA       | Thailand        | Jun 2022       | Consent             | Opt-in             | 5M THB
DPDPA      | India           | 2023 (partial) | Consent             | Opt-in             | ₹250 crore

Two clear regulatory families emerge:

  • Legitimate interest / opt-out model: GDPR, UK GDPR, LGPD, POPIA — more conducive to proactive B2B outreach
  • Consent / opt-in model: PIPL, PDPA, DPDPA — require a more cautious approach before any first contact

Key takeaway: International B2B prospecting requires a geo-segmented compliance strategy. A single universal process won’t cover all markets.


Chapter 7: Practical Implications for Your B2B Prospecting Workflow

Building a compliant database from the ground up

Your first line of defense against regulatory risk is data quality and traceability. According to Experian, roughly 30% of B2B data becomes outdated every year — meaning contacts who’ve changed company, role, or country may now fall under a different jurisdiction than when you first acquired them.

For every contact in your database, best practice means documenting:

  • Acquisition source (LinkedIn import, web form, Sales Navigator, data enrichment…)
  • Acquisition date
  • Legal basis used for processing
  • Geographic location of the contact (to determine which regulation applies)

B2B data enrichment tools can automate much of this contextual data capture, making compliance documentation significantly less painful.

The four obligations shared by every major regulation

Despite their differences, all major global frameworks share a common baseline. Memorize these once:

  1. Full transparency: Tell the contact that their data is being processed, why, and what their rights are. In practice: a brief disclosure in your outreach email — who you are, why you’re reaching out, how to opt out.

  2. Easy opt-out/deletion: Every regulation provides a mechanism to object or request removal. In practice: a visible unsubscribe link in every email, with deletion requests actioned within the required timeframe (45 days for CCPA, 30 days for GDPR).

  3. Data proportionality: Only collect and process what’s strictly necessary for your stated purpose. For B2B prospecting: professional email, phone number, name, company, and title — not personal life details.

  4. Data security: Protect stored data from unauthorized access. Store contacts in secured tools with access restricted to authorized team members.

Segment your outreach by regulatory zone

Mark, VP of Sales at a Series B SaaS company, runs a team of 12 SDRs prospecting simultaneously across the EU, the US, Brazil, and Southeast Asia. His operational rule: one compliance playbook per regulatory zone.

In practice, this means a Google Sheets dashboard segmented by country, with dedicated columns for legal basis, first contact date, and opt-out status. This kind of structure is both compliant and operationally efficient — the two aren’t mutually exclusive.


Handling deletion requests at scale

One of the most common operational headaches for growth teams running high-volume enrichment workflows is managing rights requests at scale. When a contact asks to be removed, that removal needs to happen everywhere their data lives — CRM, Google Sheets, email tool, enrichment database.

Best practices:

  • Set up a dedicated email address or form for rights requests
  • Log every request received and actioned in a simple register
  • Enforce deletion across every tool in your stack
  • Run regular email verification sweeps to remove bounced or previously deleted addresses before re-enrichment
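The four Chapter 7 practices above (documenting source, date, legal basis and location per contact; one playbook per regulatory zone; the 3-year retention limit and the 30-day GDPR / 45-day CCPA deletion windows; deletion propagated to every tool plus a guard against re-adding through enrichment) are straightforward to encode. The following is an added Python example, not code from this article or from Derrick: the country-to-regime mapping, the `Contact` fields, the store layout (plain Python lists standing in for a CRM, a sheet and an email tool) and the sample contacts are all constructed assumptions; the LGPD and POPIA deletion windows reuse the GDPR figure because the article recommends GDPR-equivalent handling there, and the opt-in regimes get no deadline because the article states none.

```python
"""Constructed example: a geo-segmented contact register with documentation,
retention, opt-in/opt-out and deletion-propagation checks.  All mappings,
field names and sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Regime:
    name: str
    model: str                    # "opt-out" (legitimate interest) or "opt-in" (consent)
    deletion_days: Optional[int]  # response window in days; None = not stated in the article


# Assumed location -> regime mapping.  30 days (GDPR) and 45 days (CCPA) are the
# article's figures; LGPD/POPIA borrow the GDPR window as a conservative default.
REGIMES = {
    "FR": Regime("GDPR", "opt-out", 30), "DE": Regime("GDPR", "opt-out", 30),
    "GB": Regime("UK GDPR", "opt-out", 30),
    "US-CA": Regime("CCPA/CPRA", "opt-out", 45),
    "BR": Regime("LGPD", "opt-out", 30), "ZA": Regime("POPIA", "opt-out", 30),
    "CN": Regime("PIPL", "opt-in", None), "TH": Regime("PDPA", "opt-in", None),
    "IN": Regime("DPDPA", "opt-in", None),
}
RETENTION = timedelta(days=3 * 365)  # 3-year maximum from last meaningful contact


@dataclass
class Contact:
    email: str
    location: str        # key into REGIMES, e.g. "US-CA"
    source: str          # acquisition source: web form, enrichment, import ...
    acquired: date       # acquisition date
    legal_basis: str     # "legitimate interest" or "consent"
    last_contact: date   # last meaningful contact, drives the retention check
    opted_out: bool = False


def regime_for(location: str) -> Optional[Regime]:
    return REGIMES.get(location)


def contact_allowed(c: Contact, today: date) -> tuple[bool, str]:
    """Decide whether outreach is permitted for this contact, with the reason."""
    r = regime_for(c.location)
    if r is None:
        return False, "unknown jurisdiction: no regime mapped"
    if c.opted_out:
        return False, "contact opted out"
    if not (c.source and c.acquired and c.legal_basis):
        return False, "acquisition source, date or legal basis undocumented"
    if r.model == "opt-in" and c.legal_basis != "consent":
        return False, f"{r.name} requires consent before first contact"
    if today - c.last_contact > RETENTION:
        return False, "retention limit exceeded: re-engage or delete"
    return True, f"allowed under {r.name} ({c.legal_basis})"


@dataclass
class DeletionRequest:
    email: str
    received: date
    due: Optional[date]
    done: Optional[date] = None


class RightsRegister:
    """Logs rights requests, deletes from every store, and keeps a suppression
    list so a later enrichment run cannot silently re-add the contact."""

    def __init__(self) -> None:
        self.log: list[DeletionRequest] = []
        self.suppressed: set[str] = set()

    def receive(self, email: str, location: str, received: date) -> DeletionRequest:
        r = regime_for(location)
        days = r.deletion_days if r else None
        due = received + timedelta(days=days) if days is not None else None
        req = DeletionRequest(email.lower(), received, due)
        self.log.append(req)
        return req

    def execute(self, req: DeletionRequest, stores: dict[str, list[Contact]], today: date) -> int:
        """Remove the contact from every store in place; returns records removed."""
        removed = 0
        for contacts in stores.values():
            keep = [c for c in contacts if c.email.lower() != req.email]
            removed += len(contacts) - len(keep)
            contacts[:] = keep
        self.suppressed.add(req.email)
        req.done = today
        return removed

    def overdue(self, today: date) -> list[DeletionRequest]:
        return [r for r in self.log if r.done is None and r.due is not None and today > r.due]

    def enrichment_guard(self, candidates: list[str]) -> list[str]:
        """Filter an enrichment batch so previously deleted addresses are not re-added."""
        return [e for e in candidates if e.lower() not in self.suppressed]


if __name__ == "__main__":
    today = date(2026, 3, 1)  # constructed sample data below
    vp = Contact("vp@example.com", "US-CA", "web form", date(2025, 1, 10), "legitimate interest", date(2025, 12, 1))
    cto = Contact("cto@example.com", "CN", "enrichment", date(2025, 6, 1), "legitimate interest", date(2025, 6, 1))
    print(contact_allowed(vp, today), contact_allowed(cto, today))
    reg = RightsRegister()
    req = reg.receive("VP@example.com", "US-CA", date(2026, 2, 1))
    print("due", req.due, "removed", reg.execute(req, {"crm": [vp, cto], "sheet": [vp]}, today))
```

The `RightsRegister` is the piece teams most often get wrong: deletion must be executed against every store at once and recorded, and the suppression set is what turns a one-off removal into a durable opt-out that survives the next enrichment sweep.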

Key takeaway: A rights request process isn’t optional — it’s a legal requirement in every major regulation. Build it early and make it systematic.


Chapter 8: Data Enrichment and Compliance — Making Them Work Together

Is B2B data enrichment legal?

It’s the question growth teams using enrichment tools ask most often. The answer is: yes, with conditions.

B2B data enrichment — adding professional information (email, phone, company, title) to existing contact records — is generally legal in frameworks that recognize legitimate interest, provided you respect a few core principles:

  • Strictly professional data only: enrich with job-related information, not personal life details
  • Traceable sources: be able to justify where enriched data came from
  • Clear commercial purpose: enrichment must serve a defined B2B prospecting goal, not data hoarding
  • Opt-outs respected: if a contact previously requested removal, don’t re-add them through an enrichment workflow

What Derrick enables within a compliant framework

Derrick App, which runs natively inside Google Sheets, is built around professional data enrichment:

  • The Lead Email Finder searches for verified professional emails in real time, based on publicly available professional signals (name, surname, company domain)
  • The LinkedIn Profile Scraper extracts data from public LinkedIn profiles — information people have actively made available in a professional context
  • The Email Verifier cleans your list before sending, reducing the risk of hitting deleted or invalid addresses

These approaches — centered on verified, professional, publicly accessible data — fit squarely within the legitimate interest doctrine recognized by GDPR, LGPD, and POPIA. For more detail on enrichment methodology, see our guide on B2B database enrichment.

Data categories you should never enrich without explicit consent

All major global regulations define sensitive data categories that require explicit consent regardless of jurisdiction:

  • Health data
  • Political or religious opinions
  • Trade union membership
  • Biometric data
  • Data about sexual orientation or behavior

In B2B prospecting, these categories have no business relevance. If an enrichment tool offers access to this type of information, treat it as an immediate red flag.

Key takeaway: B2B data enrichment is compliant when it stays within professional data, uses traceable sources, and respects individual rights. Compliance and ambitious prospecting aren’t opposites — they make your operation more durable.


Key Takeaways

  • GDPR is the global baseline, but CCPA, LGPD, PIPL, and POPIA impose their own rules the moment you prospect contacts in those jurisdictions
  • The CCPA’s B2B exemption expired in January 2023 — California business contacts now have the same rights as individual consumers
  • PIPL in China does not recognize legitimate interest: prospecting Chinese contacts requires a fundamentally different approach
  • Opt-out frameworks (GDPR, UK GDPR, LGPD, POPIA) are more conducive to proactive B2B outreach than opt-in frameworks (PIPL, Thai PDPA, India DPDPA)
  • Four obligations are universal across every major regulation: transparency, easy opt-out, data proportionality, and security
  • B2B data enrichment is legally defensible when it stays within professional data and respects individual rights

Conclusion: Prospecting Internationally Without the Regulatory Headaches

The explosion of global data privacy laws isn’t a threat to serious sales teams — it’s a filter. Teams that build compliant, well-documented data processes earn the trust of prospects who increasingly scrutinize how their information is handled, especially at the enterprise level.

Staying compliant internationally means:

  • Geo-segmenting your database and applying the right legal framework per territory
  • Enriching with verified, professional, traceable sources
  • Building opt-out and rights management processes that actually work at scale
  • Documenting your data treatments in a simple but rigorous register

For B2B lead generation teams running Google Sheets as their central hub, Derrick App enriches professional data in a way that aligns with the core principles shared across GDPR, LGPD, and POPIA — keeping your pipeline moving without the compliance guesswork.


FAQ

Does CCPA apply to a French company prospecting in the US?

Yes, if you meet the CCPA thresholds — notably processing data of more than 100,000 California residents annually, or exceeding $25M in annual revenue. CCPA’s extraterritorial scope means it follows the data, not the company’s location.

Do you need consent to prospect B2B contacts internationally?

It depends on the jurisdiction. Under GDPR, UK GDPR, LGPD, and POPIA, legitimate interest removes the need for prior consent — but you must inform the contact and make opting out effortless. Under PIPL (China), Thailand’s PDPA, and India’s DPDPA, consent is generally required before first contact.

What’s the biggest practical difference between GDPR and CCPA?

GDPR requires a documented legal basis for every data processing activity and centers on legitimate interest for B2B. CCPA operates on an opt-out model focused specifically on the sale and sharing of personal data. GDPR is more granular on legal bases; CCPA is more direct on consumer rights. Neither recognizes the other’s framework, so they must be addressed separately.

Does a startup prospecting in Brazil need to appoint a DPO?

Not automatically. LGPD requires a data protection officer for organizations processing large volumes of sensitive data. For standard B2B prospecting with professional contact data, the obligation isn’t automatic — but designating an internal owner for compliance is strongly recommended regardless.

Is enriching LinkedIn data legal across these frameworks?

Enrichment based on public LinkedIn profiles — information people have voluntarily made accessible in a professional context — is generally defensible in frameworks that recognize legitimate interest: GDPR, LGPD, POPIA. In China under PIPL, the approach is more restrictive. Stick to strictly professional, publicly available data and document your sourcing methodology.
