Privacy laws every marketer needs to know
Privacy compliance has become a non-negotiable part of modern marketing operations. This guide covers the full regulatory landscape, GDPR, CCPA, CAN-SPAM, CASL, and the growing stack of US state privacy laws, so you can assess which obligations apply to your campaigns before they launch, not after.
According to ZoomInfo's analysis of prospect call transcripts via Chorus, the words "GDPR" and "Marketing" were mentioned together over 30,000 times on prospect calls in the past year alone. That volume reflects something real: marketers are still navigating the compliance terrain with more uncertainty than they should have to. And the scope of that terrain keeps expanding.
Most compliance guides focus on EU law and stop there. But compliance obligations follow the customer's location, not the company's. A US-based marketer targeting EU residents must comply with GDPR regardless of where the company is incorporated. A campaign targeting California consumers triggers CCPA obligations even if your headquarters is in New York. Understanding which laws apply to which audiences is the starting point for any workable compliance program.
The organizations that treat privacy compliance as a competitive advantage, not just a legal obligation, consistently see higher data submission rates and better campaign ROI. Privacy-respecting brands build more trust with prospects, which translates directly into better engagement across every channel.
What the regulatory landscape looks like today
The global marketing privacy landscape is fragmented by design. The EU has harmonized under GDPR, with the ePrivacy Directive layered on top governing outbound communications. The US, by contrast, has no comprehensive federal privacy law and none is expected in the near term, which means marketers operating across state lines face a permanently patchwork compliance environment.
The table below gives you a fast-reference view of the laws most relevant to B2B marketing programs. This is a starting point for your legal review, not a substitute for qualified counsel.
Law | Jurisdiction | Who it applies to | Key marketing obligation | Consent model |
|---|---|---|---|---|
GDPR | EU / EEA | Any org processing EU residents' data | Lawful basis required for all data processing; transparency and individual rights | Opt-in (consent or legitimate interest) |
ePrivacy Directive | EU (country-level implementations) | Any org sending commercial communications to EU contacts | Prior consent required for most electronic marketing; B2B exemptions vary by country | Opt-in (prior consent default) |
CCPA / CPRA | California, USA | Businesses meeting revenue or data volume thresholds, including B2B | Right to opt out of sale or sharing of personal data; disclosure requirements | Opt-out (right to opt out) |
CAN-SPAM | USA (federal) | Any sender of commercial email to US recipients | Opt-out mechanism required; no deceptive headers; physical address required | Opt-out (honor opt-out within 10 days) |
CASL | Canada | Any sender of commercial electronic messages to Canadian recipients | Express or implied consent required; identification and unsubscribe mechanism | Opt-in (express consent default) |
Virginia VCDPA | Virginia, USA | Controllers and processors meeting data volume thresholds | Consumer rights to access, delete, and opt out of targeted advertising | Opt-out (sensitive data requires opt-in) |
Colorado CPA | Colorado, USA | Controllers meeting data volume thresholds | Opt-out rights for targeted advertising and sale of personal data | Opt-out (universal opt-out mechanism required) |
A note on California: CCPA is one layer of a much larger compliance stack. California alone has more than 25 state privacy and data security laws (per DLA Piper's state-by-state tracker), making it the most complex single-state jurisdiction for US marketers.
Scope note: Compliance obligations follow the customer's location, not the company's. Targeting EU residents? GDPR applies. Targeting California consumers? CCPA applies. Build your compliance program around your audience geographies, not your company's headquarters.
What is the GDPR?
Adopted in 2016 and enacted in 2018, the GDPR was created to improve data collection, processing, and usage across the EU. For marketers, it governs three core areas that touch nearly every campaign decision: the legal basis for processing contact data, what you must disclose to individuals, and what rights those individuals can exercise against you. In practice, this means GDPR shapes how you build email lists, fire retargeting pixels, and handle consent in web forms.
Lawful Basis Requirement (Article 6). The GDPR lists six lawful bases under which data may be processed, including consent and legitimate interests. At least one lawful basis must be documented and relied upon before processing any personal data. For B2B marketing, consent and legitimate interests are the most commonly used bases.
Transparency Requirement (Articles 13-14). Your business, as a data controller, must provide individuals with information including who you are, what types of data you collect and process, what you plan to do with the data, and who you may share the data with. This applies to both inbound form fills and outbound prospecting sequences.
Rights of the Individual (Articles 15-21). Individuals have the right to request access to, correction of, or erasure of their personal data. Additional rights include data portability, the right to object, and the right to restrict processing. GDPR requires such requests to be processed within 30 days of receipt.
GDPR applies to any organization targeting EU residents, regardless of where the company is headquartered. A US-based SaaS company with a European campaign is subject to GDPR for every EU contact in its outreach sequences. Following the UK's exit from the EU, provisions of the EU GDPR have been incorporated into UK law as the UK GDPR, so UK contacts carry their own compliance obligations as well.
For a deeper walkthrough of GDPR obligations, see ZoomInfo's GDPR compliance guide.
What is the ePrivacy Directive?
The ePrivacy Directive, passed in 2002, was created to reinforce privacy by protecting the confidentiality of communications and establishing rules for tracking and monitoring data subjects. Specifically, the ePrivacy Directive covers:
The security of networks and services
The confidentiality of communications
Access to stored data
Processing of traffic and location data
Calling line identification
Public subscriber directories
Unsolicited commercial communications
All countries in the EU have adopted their own version of the ePrivacy Directive, collectively referred to as "EU marketing laws," which include requirements and restrictions for launching marketing campaigns in the EU using email, text messaging, and certain types of phone calls.
CCPA and US state privacy laws: what B2B marketers often miss
The most common compliance blind spot for B2B marketers operating in the US is the assumption that CCPA doesn't apply to them because they market to businesses, not consumers. That assumption is wrong, and it's expensive to discover after the fact.
B2B Marketers: CCPA Applies to You Too
The CCPA explicitly covers personal data in both B2B and HR contexts. Business contact data used for outbound prospecting, including names, email addresses, job titles, and phone numbers, is not exempt from CCPA's scope. For B2B marketers, this means three things:
You must provide opt-out mechanisms for the sale or sharing of business contact data, including a "Do Not Sell or Share My Personal Information" link where required.
You must disclose in your privacy policy what categories of personal data you collect and how they are used.
When sourcing contact data from third-party vendors, you must perform due diligence on their compliance posture: require data processing agreements, confirm they have representations on consent, and document your vendor review process.
CAN-SPAM. The US federal CAN-SPAM Act applies to all commercial email sent to US recipients. Key obligations for marketers: every commercial email must include a clear opt-out mechanism, the opt-out must be honored within 10 business days, the message must include a valid physical postal address, and the "From," "To," and routing information must be accurate. CAN-SPAM does not require prior consent, but it does require you to stop emailing anyone who opts out.
CASL. Canada's Anti-Spam Legislation is significantly stricter than CAN-SPAM. CASL requires express or implied consent before sending commercial electronic messages to Canadian recipients. Express consent means the recipient actively opted in. Implied consent applies in limited circumstances, such as an existing business relationship within the past two years. CASL also requires clear sender identification and an unsubscribe mechanism in every message.
Because no comprehensive federal privacy law is expected in the US in the near term, marketers cannot wait for harmonization. The practical path forward is building a compliance program that scales across state requirements rather than treating each new state law as a one-off project. For guidance on building a modern privacy compliance function that holds up across jurisdictions, ZoomInfo's compliance resource covers the operational framework in detail.
How are the GDPR and EU privacy laws related?
The GDPR focuses on data collection and processing, whereas the ePrivacy Directive focuses on how a business communicates with existing and potential customers.
Protecting personal data is critical for GDPR compliance. Under the GDPR, businesses must handle data securely by implementing appropriate technical and organizational measures. Technical measures include two-factor authentication; organizational measures include extensive staff training. GDPR compliance also requires businesses to establish data processing agreements with any vendors that will process data on their behalf. This binding agreement outlines the rights and obligations of each party when it comes to the protection of personal data.
For marketers evaluating data vendors as part of their compliance stack, ZoomInfo holds ISO 27001, ISO 27701, SOC 2 Type II, and TRUSTe GDPR and CCPA certifications, providing an auditable compliance foundation for organizations that need to demonstrate due diligence on their data supply chain.
Channel-by-channel compliance: email, paid ads, web analytics, and CRM
The safest default across every marketing channel is a "notice and consent" framework: provide clear notice of how you use personal data and obtain explicit consent wherever possible. This approach covers the vast majority of compliance scenarios across GDPR, CCPA, CASL, and US state laws without requiring you to memorize every jurisdiction's specific requirements. The channel-level details below explain where that default applies cleanly and where the mechanics get more specific.
Email marketing
Email is the channel with the most layered compliance requirements because three separate regulatory frameworks can apply simultaneously. CAN-SPAM sets the US federal floor: every commercial email must include a valid physical address, accurate sender identification, and a functioning opt-out mechanism honored within 10 business days. CASL raises the bar for Canadian recipients by requiring express or implied consent before the first send, not just after an opt-out request. GDPR applies the highest standard for EU contacts: informed consent or a documented legitimate interest basis, a clear description of how the data will be used, and the ability for recipients to exercise their rights at any time. For any campaign targeting a mixed international audience, design your consent and preference management to the strictest applicable standard.
Paid advertising
Cookie consent requirements under GDPR directly affect when you can fire tracking pixels and retargeting tags. In most EU jurisdictions, consent must be obtained before any non-essential cookies are set, which means your consent management platform must gate pixel firing until a user accepts. For lookalike audience campaigns, the source audience must itself be built from data collected with appropriate consent. CCPA adds a layer for California: if your ad targeting involves sharing personal data with third-party ad platforms, that sharing may constitute a "sale" under CCPA, triggering opt-out requirements. Review your data sharing agreements with ad platforms to confirm whether a data processing addendum or opt-out mechanism is required.
Web analytics
GA4's consent mode allows you to configure your analytics implementation so that measurement continues in a privacy-preserving way when users decline cookies, using modeled data rather than individual tracking. Implementing consent mode is now a practical requirement for EU-facing properties that want to maintain measurement continuity without violating GDPR. Server-side tagging is an increasingly common approach for organizations that need more control over what data leaves the browser: by routing tag execution through a first-party server rather than directly from the user's browser, you reduce the surface area of third-party data sharing and gain more granular control over what is collected and when.
CRM and data enrichment
Legitimate interest is the most commonly used lawful basis for B2B prospecting data under GDPR, but it is not a blanket exemption. To rely on legitimate interest, you must document a genuine business purpose, confirm the processing is necessary for that purpose, and conduct a balancing test to ensure the processing does not override the individual's rights. Data minimization applies here too: collect only the fields you actually need for your stated purpose, and review your enrichment processes to confirm you are not accumulating data that serves no documented use case. When sourcing enriched data from third-party vendors, require a data processing agreement, ask for representations on how the underlying data was collected and consented to, and document your vendor review as part of your compliance records.
Privacy considerations for B2B marketing in Europe
Once your team adopts a GDPR-compliant data collection and processing strategy, you can apply this process to any European country where you plan to launch marketing campaigns.
While there is a lot to consider when it comes to compliance for international markets, implementing a modern privacy compliance function will help your business in the long run. Make sure you carefully review the laws and seek counsel to understand all of your obligations.
Privacy considerations for marketing lists
The same goes for inbound contacts you gather from webpage forms. Not everyone who fills out a form is interested in receiving future marketing communications, making it important to include an opt-in field in any form fill. Unless explicitly expressed, contacts should not be automatically included in marketing outreach. The opt-in notice should clearly outline how information collected may be used for marketing purposes so individuals can easily opt-in or opt-out depending on their preferences.
Connecting and updating these various preference settings is a challenge, as many organizations continue to struggle with siloed tech stacks that are filled with incorrect or outdated information. This data challenge has only grown, with regulations like the GDPR and EU marketing laws drastically reducing the breadth of data organizations can collect on people and how that data can be used.
Privacy considerations for direct marketing
Direct marketing is a tactic that's typically deployed to encourage prospects to take the next step in their buying journey, such as setting up a demo call or purchasing a product. For direct marketing, the simplest way to ensure you abide by EU marketing laws is to secure explicit consent from anyone who might receive your direct marketing messages.
An individual might click a box to consent to sales and marketing communications, submit a form on your website to learn more, or double opt-in through email verification and check a box to receive marketing communications. While some countries have exemptions for getting prior consent, this varies country by country, so it's important to check the local legislation. Marketers should also document their lawful basis choice for each jurisdiction where they run direct marketing programs, since the "prior consent" default is not uniform across EU member states.
Privacy considerations for email marketing
To send marketing emails that are compliant with EU marketing laws, informed consent must be gathered from all recipients. In particular, there are three main aspects email marketers need to focus on:
Developing consumer opt-in permission rules
Being able to show and store proof of consent
Establishing clear methods through which data subjects can ask for their information to be removed from your database
As you expand into new regions, look into the specifics of each communication channel you plan to use and make sure that you understand how the rules vary by country.
To determine if your business activities will be compliant with local regulations, ask these four questions:
Prior consent: Is prior consent required in order to send emails or text messages?
Cold calling: Are you allowed to cold-call prospects in this country?
Prior relationship: Does the country have a prior relationship exception?
B2B exemption: Is there an exemption for B2B activities?
When it comes to marketing in new regions, always be sure to consult with your legal counsel to better understand the local laws and regulations.
How ZoomInfo helps marketers stay compliant and campaign-ready
Compliance infrastructure and campaign execution are often treated as separate problems. ZoomInfo's all-in-one AI GTM Platform is built to close that gap, starting with a data foundation that makes compliance a property of the data itself rather than a retrofit applied after the fact.
ZoomInfo's data platform spans 500M contacts and 200M+ verified business emails, maintained under ISO 27001, ISO 27701, SOC 2 Type II, and TRUSTe GDPR and CCPA certifications. For marketers navigating GDPR and CCPA obligations, working from a verified, consent-aware data foundation reduces the compliance burden at the source. When your prospecting data is built with compliance at its core, you spend less time auditing vendor representations and more time building campaigns that can actually reach the right people.
The GTM Context Graph processes 1.5B+ data points daily, fusing verified contact data with behavioral signals so marketers can build compliant, consent-aware audiences without sacrificing targeting precision. Rather than relying on broad intent topics that inflate lead counts and create buying-committee blind spots, the GTM Context Graph reasons across signals to surface the right contacts at the right accounts. The result is audience segments that are both tighter and more defensible from a data minimization standpoint: you're targeting the people most likely to be in the buying committee, not everyone who touched a topic cluster.
That intelligence is accessible through GTM Studio, ZoomInfo's marketer and RevOps-facing product, which lets teams build and launch compliant audience segments without engineering tickets or manual list pulls. For demand gen teams that have lost automated workflows and reverted to weekly manual downloads, GTM Studio restores the automation layer so compliance and campaign execution work from the same verified data foundation. Audience segments stay current, consent signals stay attached to the data, and campaigns launch on the timeline the market requires, not the timeline the ticket queue allows.
Ready to see how ZoomInfo's compliance-first data platform supports your campaigns? Request a demo.
Frequently asked questions
What is the difference between GDPR and the ePrivacy Directive?
GDPR governs how personal data is collected, stored, and processed, it applies to any organization handling EU residents' data and covers lawful basis, transparency, and individual rights. The ePrivacy Directive governs how businesses communicate with individuals, setting rules for email, text, and phone outreach across EU countries. Think of GDPR as the data governance layer and the ePrivacy Directive as the outbound marketing layer. Both apply simultaneously to most B2B marketing programs targeting European audiences. For a deeper reference, see ZoomInfo's GDPR compliance guide.
Does GDPR apply to B2B marketing emails in Europe?
Yes. GDPR applies to any organization sending marketing emails to EU residents, including B2B contacts. Marketers must have a lawful basis for processing the recipient's data, typically consent or legitimate interest, and must provide clear opt-out mechanisms. The ePrivacy Directive adds a layer on top: most EU countries require prior consent for commercial email, though some have B2B exemptions. Always check the specific country's implementation before launching campaigns.
Does CCPA apply to B2B marketers using contact lists?
Yes, and this surprises many B2B marketers. Unlike most other US state privacy laws, the CCPA explicitly covers personal data in both B2B and HR contexts, meaning business contact data used for outbound prospecting is not exempt. This guide to privacy laws for marketers covers the CCPA's scope in detail, but the practical takeaway is this: B2B marketers must provide opt-out mechanisms for the sale or sharing of business contact data and should perform due diligence on any third-party data vendors to confirm their compliance posture.
What is a lawful basis for processing data under GDPR?
GDPR lists six lawful bases under which data may be processed: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For B2B marketing, the most commonly relied-upon bases are consent, where the individual has actively opted in, and legitimate interests, where the processing is necessary for a genuine business purpose and does not override the individual's rights. At least one lawful basis must be documented before processing any personal data. ZoomInfo's GDPR compliance guide walks through how to document your lawful basis choice for common marketing use cases.
Will a single federal privacy law replace US state privacy laws?
Not in the near term. Bipartisan federal privacy bills including the American Privacy Rights Act of 2024 have stalled due to political and industry dynamics. Marketers should plan for a permanently fragmented state-by-state compliance landscape rather than waiting for federal harmonization. Building a scalable compliance program that covers CCPA, Virginia VCDPA, Colorado CPA, and other state laws is the practical path forward. ZoomInfo's resource on building a modern privacy compliance function covers the operational framework for scaling across jurisdictions.
ZoomInfo is not qualified to provide legal advice of any kind and is not an authority on the interpretation of US or international laws, rules, or regulations. To understand how the GDPR, EU marketing laws, or any other laws impact you or your business, you should seek independent advice from qualified legal counsel.

