The Complete 2026 Guide to B2B Data Compliance: GDPR, CCPA, and 19 New State Laws

Published February 28, 2026

The Privacy Law Explosion of 2023-2026

In 2020, California stood alone with the CCPA as the only comprehensive state privacy law in America. By March 2026, 19 states have enacted comprehensive data privacy legislation, with at least 7 more actively debating bills. For B2B sales teams that collect and use business contact data, the landscape has never been more complex — or more important to understand.

The good news: most of these laws follow a similar pattern and include critical exemptions for publicly available information and B2B communications. The bad news: "most" is not "all," and the differences matter. This guide breaks down every law that affects B2B email outreach, so you can prospect confidently in any state.

Federal Framework: Where CAN-SPAM Still Rules

At the federal level, CAN-SPAM remains the primary law governing commercial email in the United States. Its requirements are straightforward: include a physical address, provide an unsubscribe mechanism, use honest subject lines, and process opt-outs within 10 days. For a detailed CAN-SPAM compliance walkthrough, see our Cold Email Compliance Checklist.

CAN-SPAM preempts most state email laws, meaning states cannot impose requirements that conflict with it. However, state privacy laws that address data collection (not email sending per se) can layer additional obligations on top of CAN-SPAM. This is where it gets nuanced.

State-by-State Breakdown

California: CCPA/CPRA (Effective January 2020 / January 2023)

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, is the most comprehensive and well-known state privacy law. Key provisions for B2B:

  • B2B exemption status: The B2B exemption expired on January 1, 2023. Business contact information is now covered by CCPA if it belongs to a California resident.
  • Publicly available information exemption: CCPA explicitly exempts "publicly available information" from its definition of personal information. Business emails published on company websites qualify.
  • Right to know and delete: California residents can request to know what data you hold and demand its deletion.
  • Right to opt out of sale: If you share contact data with third parties, you must provide opt-out mechanisms.
  • Practical impact: If you scrape business emails from public websites for your own B2B outreach (not resale), the publicly available information exemption likely applies. Document your data sources carefully.

Virginia: VCDPA (Effective January 2023)

  • B2B scope: Applies to consumers acting in an individual capacity. Business contacts acting in a professional capacity have limited protection.
  • Publicly available data exemption: Yes. Information available from government records or widely distributed media is exempt.
  • Practical impact: Low risk for standard B2B email outreach using publicly available business data.

Colorado: CPA (Effective July 2023)

  • B2B scope: Applies to Colorado residents as consumers. B2B contacts have some protections.
  • Publicly available data exemption: Yes, with conditions. Data must be made available by the individual or from widely distributed media.
  • Unique feature: Universal opt-out mechanism requirement — Colorado residents can use browser-based signals to opt out of data collection.
  • Practical impact: Moderate. Respect universal opt-out signals and document your publicly available data sources.

Connecticut: CTDPA (Effective July 2023)

  • B2B scope: Covers consumers acting in an individual or household context. Professional B2B interactions have limited coverage.
  • Publicly available data exemption: Yes. Lawfully made available through government records or widely distributed media.
  • Practical impact: Low risk for B2B outreach with properly sourced data.

Utah: UCPA (Effective December 2023)

  • B2B scope: Narrowest scope of any state law. Applies only to consumers, not business contacts.
  • Publicly available data exemption: Yes, broad exemption.
  • Practical impact: Minimal impact on B2B email outreach.

Texas: TDPSA (Effective July 2024)

  • B2B scope: Applies to consumers acting in an individual capacity. No revenue threshold — applies to all businesses except small businesses (as defined by the SBA).
  • Publicly available data exemption: Yes. Covers information lawfully available through government records or media.
  • Unique feature: No revenue or data volume threshold, meaning even small companies must comply if they process Texas consumer data.
  • Practical impact: Low for B2B outreach, but ensure you have opt-out mechanisms in place.

Oregon: OCPA (Effective July 2024)

  • B2B scope: Covers consumers, including some B2B scenarios where data is used beyond the business relationship.
  • Publicly available data exemption: Limited. The definition is narrower than other states.
  • Practical impact: Moderate. Be more careful with Oregon-based contacts — document your data source and purpose clearly.

Montana: MCDPA (Effective October 2024)

  • B2B scope: Applies to consumers as individuals. Limited B2B application.
  • Publicly available data exemption: Yes. Standard exemption for government records and publicly distributed information.
  • Practical impact: Low for standard B2B outreach.

Other States with Active Laws (2024-2026)

Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island have all enacted privacy legislation with varying effective dates through 2026. While each has unique nuances, they share common characteristics:

  • Most include publicly available data exemptions
  • Most focus on consumer (B2C) scenarios with limited B2B application
  • Most require some form of right to access, delete, and opt out
  • None outright ban B2B cold email using publicly sourced data

GDPR: The International Standard

If you email prospects in the EU or EEA, GDPR applies regardless of where your business is based. The key requirements for B2B email outreach are:

  • Lawful basis: Use legitimate interest (Article 6(1)(f)) — not consent — as your basis for processing B2B contact data.
  • Documentation: Conduct and document a Legitimate Interest Assessment.
  • Transparency: Tell recipients who you are, why you are contacting them, and how they can exercise their rights.
  • Data subject rights: Honor access, erasure, and objection requests within 30 days.

For the complete GDPR breakdown, see our guide on whether scraping business emails is legal in 2026.

Practical Compliance Strategy for Multi-State Outreach

If you are prospecting across multiple states (which most B2B companies do), the most efficient approach is to follow the strictest applicable standard across all your communications. Here is a five-step strategy:

  • Step 1: Source data from public business sources only. This satisfies the publicly available information exemption in every state law. Tools like Easy Email Finder collect emails exclusively from business websites, providing a documented public source for every contact.
  • Step 2: Maintain a global suppression list. Every unsubscribe, opt-out, and deletion request gets added to a single master list that is checked before every campaign.
  • Step 3: Include full compliance elements in every email. Physical address, unsubscribe link, sender identification, and a brief purpose statement. This covers CAN-SPAM, GDPR, CASL, and every state law simultaneously.
  • Step 4: Honor all data subject requests within 30 days. Access requests, deletion requests, and opt-out requests should be processed regardless of the requester's state or country.
  • Step 5: Document everything. Keep records of your data collection methods, compliance procedures, suppression list management, and any data subject requests you receive.

The Federal Privacy Bill: What to Watch

Congress has been debating a federal privacy law (most recently the American Privacy Rights Act, or APRA) that could preempt state laws and create a single national standard. As of March 2026, no federal bill has passed, but the conversation is advancing. If enacted, a federal law would likely simplify the current patchwork of state regulations.

Until then, the multi-state compliance strategy above provides the most practical protection. By defaulting to the strictest standard (document your sources, honor all requests, include all required elements), you build a compliance posture that works regardless of which state your prospects are in.

Tools and Resources for Staying Compliant

  • IAPP Privacy Tracker: The International Association of Privacy Professionals maintains an updated tracker of all state privacy legislation.
  • FTC CAN-SPAM Guide: The official compliance guide from the Federal Trade Commission.
  • ICO GDPR Guidance: The UK Information Commissioner's Office publishes detailed guidance on GDPR compliance for B2B marketing.
  • Easy Email Finder: Built with compliance in mind — every email is sourced from public business websites with documented provenance.

The privacy landscape is complex but navigable. Start with public data, include all required elements in every email, honor every opt-out, and document your processes. For more compliance guidance, see our full CAN-SPAM, GDPR, and CASL checklist and our guide to ethical email scraping.
