GDPR & CCPA Compliance for B2B Prospecting Data

Most sales teams handle data privacy law one of two ways: ignore it and hope nothing happens, or overcorrect and convince themselves cold outbound is now illegal. Neither is right.
GDPR and CCPA create real obligations. They also leave real room for legitimate B2B prospecting — if you understand what the law actually says versus what compliance vendors want you to fear. This guide covers what each law requires, where B2B data sits specifically, and how to build a workflow that holds up.
What GDPR actually says about B2B prospecting
GDPR (the EU's General Data Protection Regulation, in force since May 2018) applies any time you process personal data of people in the European Economic Area. The key phrase is personal data — information that identifies or can identify a natural person.
Here's where B2B gets nuanced: a business email like sarah.chen@acmecorp.com is personal data. A generic role address like info@acmecorp.com typically isn't. That distinction matters for how you handle your contact list.
The six lawful bases — and why legitimate interest matters
GDPR doesn't require consent for every data interaction. It defines six lawful bases for processing. For B2B prospecting, the relevant one is legitimate interest (Article 6(1)(f)).
Legitimate interest allows you to process personal data if:
- You have a genuine business purpose
- That purpose is necessary and proportionate
- It doesn't override the individual's rights and interests
Cold email to a VP of Sales about a sales tool they might actually use? Passes the three-part test in most interpretations. Cold email to a private individual with no relevant role? Much harder to justify.
The EU's own guidance and enforcement history confirm this. The UK ICO has explicitly stated that direct marketing can constitute a legitimate interest. Multiple EU data protection authorities have upheld B2B cold outreach as compliant when it's targeted, relevant, and includes an easy opt-out.
What you actually must do under GDPR
- Provide a privacy notice: When you first contact someone, tell them who you are, why you're reaching out, and how they can opt out. A one-line footer in your cold email covers this.
- Honor opt-outs immediately: When someone unsubscribes, they come off your list. No 10-day processing windows.
- Keep a suppression list: Don't just delete unsubscribes — maintain a list of opted-out contacts so you don't accidentally re-import them.
- Know where your data came from: If a regulator asks, you need to show your data was obtained lawfully. Your data provider's documentation becomes your documentation.
- Don't over-retain data: If a prospect never responds after a reasonable sequence, you shouldn't hold their data indefinitely. Most teams purge cold contacts after 6-12 months of no engagement.
What CCPA says — and how it differs
The California Consumer Privacy Act (and its 2020 extension, CPRA) is narrower in scope but still has teeth. Key differences from GDPR:
| Factor | GDPR | CCPA/CPRA |
|---|---|---|
| Geographic scope | EEA residents | California residents |
| Applies to | Any org processing EEA personal data | Businesses above revenue/data thresholds |
| Lawful basis required | Yes — must identify one | No — opt-out model, not opt-in |
| B2B exemption | Partial (employee data had temporary exemption, now expired) | B2B contacts had a partial exemption through 2022; now covered |
| Individual rights | Access, erasure, portability, objection | Access, deletion, opt-out of sale/sharing |
| Consent model | Opt-in for sensitive data; legitimate interest for cold outreach | Opt-out (you can contact unless they say stop) |
CCPA is structurally more permissive for B2B outbound than GDPR. You don't need to identify a lawful basis before contacting someone. You need to honor deletion requests and not sell data without opt-in. But standard prospecting — emailing a California-based CMO about your product — is not a CCPA violation on its face.
The "sale" definition is where it gets tricky. CCPA defines "sale" broadly, including sharing data for commercial benefit. If you're buying lists from a data broker and that broker sells your usage data onward, that chain can create liability. Another reason to understand your vendor's data practices.
The practical compliance workflow for outbound teams
Here's how to build a prospecting operation that's defensible under both frameworks without paralyzing your outbound.
Step 1: Know your data supply chain
Before you send a single email, understand where your contact data came from and how the provider handles it. Questions to ask any data vendor:
- What's your legal basis for holding this data under GDPR?
- Do you have a Data Processing Agreement (DPA) available?
- How do you handle opt-out and deletion requests from contacts in your database?
- How frequently is data re-verified?
- Are you registered with relevant data protection authorities?
A reputable provider will answer these directly. If they deflect or point you to a 40-page generic privacy policy, that's a red flag — their exposure becomes your exposure.
Platforms like LeadsApp publish their data handling and compliance posture openly. You can review the specifics at /security. That documentation matters when you need to demonstrate due diligence.
Step 2: Build your suppression infrastructure
This is the most underrated compliance step. You need three lists:
- Global opt-out/unsubscribe list — anyone who has asked not to be contacted
- Domain suppression list — companies that have asked you not to contact any of their employees (common in enterprise deals)
- Competitor/partner suppression — contacts you're contractually restricted from emailing
Load these into your sequencing tool (Outreach, Salesloft, Apollo, Instantly, etc.) as suppression lists and sync them against every new upload. Most tools support this natively. If yours doesn't, that's a tooling problem worth solving.
Step 3: Build GDPR/CCPA disclosures into your templates
For EU contacts especially, your first outreach should include:
- Your company name and country
- A brief statement of why you're reaching out (the legitimate interest connection — e.g., "I reach out to [role] at companies your size who are dealing with [problem]")
- A one-line opt-out: "If you'd prefer not to hear from me, reply with 'unsubscribe' and I'll remove you immediately."
This doesn't need to be a legal disclaimer block. A two-sentence footer is enough and won't kill your reply rates.
Step 4: Implement a data retention policy
This is where most teams are non-compliant without realizing it. Holding cold prospect data indefinitely violates the GDPR principle of storage limitation.
A workable policy:
- Active sequence: data retained while in a sequence
- Finished sequence, no response: purge after 6 months unless re-engaged
- Opted out: move to suppression list, delete the full record
- Customer/warm contact: governed by your CRM retention policy, not cold outreach policy
Document this somewhere. A one-page internal policy the team actually follows is enough to demonstrate intent. You don't need 20 pages.
Step 5: Honor rights requests within the required timeframes
Both GDPR (30 days) and CCPA (45 days) give individuals the right to request access to their data or deletion. For a sales team, this almost always means deletion. Build a simple intake process:
- A monitored inbox or form for privacy requests
- A checklist: CRM, sequencing tool, enrichment tools, any local spreadsheets
- A log showing the request date and completion date
You're unlikely to get many of these — most people just reply "unsubscribe" and move on. But when a formal request comes in, you need to handle it cleanly.
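As an added example, not part of the original guide and not the code of LeadsApp or any sequencing tool, the Python below implements Steps 2, 4 and 5 as one small workflow: the three suppression lists checked against every new upload, the retention tiers from Step 4 with a 6-month purge of unresponsive contacts, and a deletion-request handler that clears the address from every system, adds it to the global opt-out list and logs the request, deadline and completion dates for the audit trail. All addresses, domains, dates and store names are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed example: hypothetical contacts, domains, dates and store names.
# This is not the code or API of any sequencing tool or data vendor.


@dataclass
class Contact:
    email: str
    status: str        # "active", "finished", "opted_out" or "customer"
    last_touch: date   # last outreach attempt or reply


@dataclass
class SuppressionLists:
    emails: set = field(default_factory=set)      # global opt-out/unsubscribe list
    domains: set = field(default_factory=set)     # company-wide "do not contact"
    restricted: set = field(default_factory=set)  # competitor/partner domains

    def reason(self, email):
        """Return why an address is suppressed, or None if it may be contacted."""
        addr = email.strip().lower()
        domain = addr.rsplit("@", 1)[-1]
        if addr in self.emails:
            return "opted_out"
        if domain in self.domains:
            return "domain_suppressed"
        if domain in self.restricted:
            return "restricted"
        return None


def filter_upload(emails, lists):
    """Step 2: split a new upload into loadable addresses and rejected ones."""
    accepted, rejected = [], {}
    for email in emails:
        why = lists.reason(email)
        if why:
            rejected[email] = why
        else:
            accepted.append(email)
    return accepted, rejected


def retention_sweep(contacts, lists, today, purge_after_days=180):
    """Step 4: keep active and customer records, purge finished-but-unresponsive
    contacts after the cut-off, and turn opt-outs into a suppression entry
    before deleting the full record."""
    cutoff = today - timedelta(days=purge_after_days)
    kept, purged = [], []
    for c in contacts:
        if c.status == "opted_out":
            lists.emails.add(c.email.strip().lower())
            purged.append(c.email)
        elif c.status == "finished" and c.last_touch < cutoff:
            purged.append(c.email)
        else:
            kept.append(c)
    return kept, purged


DEADLINE_DAYS = {"gdpr": 30, "ccpa": 45}  # days allowed to complete a rights request


def handle_deletion_request(email, stores, lists, log, requested, completed, regime="gdpr"):
    """Step 5: remove the address from every store (CRM, sequencer, enrichment,
    spreadsheets), add it to the global opt-out list, and append an audit entry."""
    addr = email.strip().lower()
    touched = [name for name, store in stores.items() if store.pop(addr, None) is not None]
    lists.emails.add(addr)
    entry = {
        "email": addr,
        "regime": regime,
        "requested": requested,
        "deadline": requested + timedelta(days=DEADLINE_DAYS[regime]),
        "completed": completed,
        "on_time": completed <= requested + timedelta(days=DEADLINE_DAYS[regime]),
        "systems_cleared": touched,
    }
    log.append(entry)
    return entry


if __name__ == "__main__":
    lists = SuppressionLists(emails={"gone@example.com"}, domains={"nocontact.example"},
                             restricted={"rival.example"})
    print(filter_upload(["Gone@example.com", "vp@nocontact.example",
                         "cto@rival.example", "cmo@fresh.example"], lists))
    today = date(2024, 7, 1)
    contacts = [Contact("old@fresh.example", "finished", date(2023, 12, 1)),
                Contact("recent@fresh.example", "finished", date(2024, 5, 1)),
                Contact("bye@fresh.example", "opted_out", date(2024, 6, 1))]
    print(retention_sweep(contacts, lists, today))
    stores = {"crm": {"req@fresh.example": {}}, "sequencer": {"req@fresh.example": {}},
              "enrichment": {}}
    log = []
    print(handle_deletion_request("req@fresh.example", stores, lists, log,
                                  date(2024, 7, 2), date(2024, 7, 5)))
```

The suppression check normalises case before comparing, so a re-upload of a previously opted-out address in different capitalisation is still caught; the retention sweep adds an opt-out to the suppression list before the record is deleted, which is the "keep a suppression list, don't just delete" point from the GDPR section.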
Common myths that are slowing your team down
Myth: Cold email is illegal under GDPR. It isn't. Cold B2B email is legal under legitimate interest in the EU and UK. The restriction is that it must be targeted, relevant, and include an opt-out. Spray-and-pray campaigns to scraped lists are risky. Targeted outreach to relevant buyers is not.
Myth: You need explicit consent from every contact. Consent is one of six lawful bases under GDPR, and it's the hardest to maintain — people can withdraw it at any time. Most B2B practitioners don't use consent; they use legitimate interest. If someone told you that you need opt-in consent for every cold email, they were confused or selling you something.
Myth: CCPA protects business contacts the same way GDPR does. CCPA is an opt-out framework. You can contact California residents without prior consent — you just have to stop when asked and honor deletion requests. GDPR requires more proactive documentation of your lawful basis.
Myth: Buying a list from a broker automatically makes you compliant. It doesn't. If the vendor collected that data illegally, you're still processing it. The vendor's DPA covers their liability, not yours for using the data. Understand your source.
A note on CASL (Canada) and the ePrivacy Directive
If you're prospecting into Canada, CASL (Canada's Anti-Spam Law) is stricter than both GDPR and CCPA for cold email — it requires implied or express consent before sending commercial electronic messages. B2B exceptions exist (existing business relationships, publicly disclosed contact info used for a relevant message), but they're narrower than GDPR's legitimate interest framework.
The EU's ePrivacy Directive (and its proposed replacement, the ePrivacy Regulation) adds a layer on top of GDPR specifically for electronic communications. It's been in negotiation for years. Current national implementations vary — Germany and France are stricter than Ireland or Sweden. If you're doing significant volume into specific EU countries, a 30-minute call with a local privacy attorney is worth it.
What enforcement actually looks like
GDPR fines get headlines — €20M or 4% of global annual revenue, whichever is higher. But enforcement against small B2B sales teams for cold email is rare. Most GDPR enforcement actions have targeted large data processors, healthcare providers, and tech companies for systematic violations: inadequate consent mechanisms, data breaches, unlawful tracking.
That said, GDPR has a complaint-driven enforcement mechanism. A single irritated recipient can file a complaint with their national data protection authority. Most authorities will first try to resolve it with an informal warning. Persistent, egregious behavior is what triggers formal investigation.
Practical risk picture: a documented prospecting operation with suppression lists, clear opt-out mechanisms, and a known data source sits at very low risk. An undocumented operation mass-emailing scraped EU lists with no opt-out mechanism is genuinely exposed.
Building the audit trail
If you're ever asked to demonstrate compliance — by a prospect's legal team, an enterprise customer during a security review, or a regulator — you want to be able to show:
- Where your contact data came from (vendor name, their DPA)
- What lawful basis you used for processing
- That you provide opt-out in every outreach
- That you honor opt-outs and maintain a suppression list
- That you have a data retention policy
None of this requires a dedicated privacy attorney or a compliance platform. A shared document, a suppression list in your sequencing tool, and a DPA from your data vendor cover the basics.
For teams doing high-volume EU outreach or operating in regulated industries, bring in a privacy attorney for a one-time review of your workflow. It's a few hundred dollars and it buys you a documented, defensible position.
Frequently Asked Questions
Is cold B2B email legal under GDPR?
Yes, under the legitimate interest lawful basis (Article 6(1)(f)). The requirement is that the outreach is targeted, relevant to the recipient's role, proportionate, and includes an easy opt-out. Generic mass email to scraped lists is harder to defend. Targeted outreach to role-appropriate buyers, with clear identification of who you are and why you're contacting them, is consistently upheld as compliant by EU data protection authorities.
Do I need a Data Processing Agreement with my contact data vendor?
Yes. Under GDPR, if a vendor processes personal data on your behalf or provides you with personal data, you need a DPA. This document establishes each party's obligations and limits your liability if the vendor's data collection practices are later found non-compliant. Most reputable B2B data platforms provide a standard DPA on request. If a vendor won't sign one, treat that as a significant red flag.
How does CCPA differ from GDPR for B2B outreach?
CCPA is an opt-out framework — you can contact California residents without prior consent, as long as you honor requests to stop and handle deletion requests within 45 days. GDPR requires you to identify a lawful basis (usually legitimate interest) before processing EU personal data. GDPR places more documentation and accountability requirements on you. For pure cold outbound, CCPA is structurally more permissive than GDPR.
What counts as a GDPR-compliant opt-out mechanism in a cold email?
A simple, clearly stated option in the email is sufficient. Something like: "If you'd prefer I don't reach out again, just reply with 'unsubscribe' and I'll remove you immediately." You don't need an unsubscribe link (though many sequencing tools provide one automatically). What matters is that the mechanism is present, clear, and that you actually act on it promptly.
How long can I keep cold prospect data under GDPR?
GDPR's storage limitation principle says you shouldn't hold personal data longer than necessary for the purpose you collected it. For cold outreach, a common defensible practice is: purge unresponsive contacts 6-12 months after your last outreach attempt, and move opted-out contacts to a suppression list (rather than full deletion) so you can prevent re-importing them. Document your retention policy even if it's brief.
Does using a third-party data platform transfer compliance responsibility to them?
No. Buying or accessing contact data from a platform doesn't eliminate your obligations as a data controller. The vendor is responsible for how they collected and stored the data; you're responsible for how you use it. A DPA allocates liability between you and the vendor, but it doesn't make you exempt from your own compliance obligations. Understand your data source and use it within the lawful basis you've identified.