The B2B Intent Data Privacy & Compliance Reference 2026

By Dale Brett, Founder & CEO, FL0. April 2026.

The most interesting privacy fact about B2B intent data in 2026 is not that regulators are getting tougher (they mostly are not); it is that the compliance posture you inherited from your CRM in 2019 is quietly illegal under half a dozen regimes that did not exist when you wired it up. California's business-to-business carve-out expired on 1 January 2023, which means every B2B contact in your Salesforce who works in California now has the full consumer rights that CCPA gives a retail shopper (California Office of the Attorney General). The GDPR legitimate-interest basis that everyone leans on for outbound still demands a documented three-part test every time a team touches EU data (ICO). Schrems II invalidated Privacy Shield in July 2020 and the replacement, the EU-US Data Privacy Framework, only took effect in July 2023 and is already in front of the CJEU again. Texas, Virginia, Colorado, Connecticut and Utah have all layered comprehensive state privacy laws on top of federal telemarketing rules (IAPP US State Privacy Legislation Tracker). Intent data programs sit on top of all of this, usually without a written legitimate-interest assessment, usually without a processor contract with the vendor, and usually without a map of which signals crossed which border. This reference is the map. At FL0 we field the same compliance questions from revenue teams every week, and the primary sources below are the answers we point to.

Methodology

This reference documents the privacy and compliance regimes that apply to B2B intent data programs in 2026, the primary legal sources underneath each regime, the regulator guidance on top of the primary text, and the documentation a revenue team needs to defend its posture. Every factual claim traces to a primary source: a regulator page, a published court judgement, a statute on a legislative-authority site, a law-firm alert discussing a specific primary source, or reputable trade press confirming a primary source. Regulator-published guidance is labeled inline as regulator-published. Vendor-published claims are labeled inline as vendor-published. Any claim that surfaced in research but could not be traced to a verifiable primary source was dropped, including Forrester compliance-cost numbers, generic IDC privacy-program-maturity stats, and blog-post-of-a-blog-post claims about AG enforcement. Pricing, headcount, funding totals, vendor review counts, and vendor-specific accuracy percentages that cannot be traced to a regulator order or public enforcement action are omitted. The output is a reference that a B2B revenue team, a privacy counsel, and a vendor-review committee can use in parallel. It is not legal advice. Every team should still run a local DPIA with qualified counsel before activating any new intent source.

Why the compliance posture of 2019 no longer holds

The quiet assumption inside most B2B stacks is that business contacts are commercial data, therefore outside consumer privacy law, therefore fair game. That assumption was never quite right, and in 2026 it is wrong in a way that creates exposure. California forced the issue first. The CCPA originally exempted most business-contact and employee data, but that exemption sunset on 1 January 2023, reflected in the California statute itself. A California-based B2B prospect can now submit deletion, portability, correction, and right-to-know requests against their data in your intent stack, backed by civil penalties of up to seven thousand five hundred dollars per intentional violation per consumer under Civil Code 1798.155. The CPPA issues implementing regulations (CCPA regs; CPPA regs portal), and the Adlaw Alert and CookiePro analysis spell out the operational implications.

Europe did not wait for the US. GDPR Article 6 is the primary legal text defining lawful bases and was never shy about applying to B2B. The UK ICO lawful-basis guide and the ICO legitimate-interests landing page are the canonical regulator-published starting points. Recital 47 confirms that direct marketing can be a legitimate interest, mirrored on gdpr.eu. It does not follow that legitimate interest is a free pass. The ICO documents when we can rely on legitimate interests and how to apply them in practice. The European Data Protection Board publishes an up-to-date news feed and an about page covering its coordinating role. CNIL is the most active national regulator on cookies and trackers (CNIL). The Irish Data Protection Commission is the lead supervisor for most large US platforms, and the Swedish IMY is active on tracker enforcement. The GDPR Enforcement Tracker aggregates published decisions and is the primary source of frequency data on B2B-adjacent fines.

The TCPA has been the third leg of this stool in the US since 1991. The Telephone Consumer Protection Act is codified at 47 U.S.C. section 227. The Federal Trade Commission's Telemarketing Sales Rule and the codified TSR rule text layer specific business-conduct requirements on top. Anyone who ships a dialer or an SMS cadence against a US B2B list is inside the TCPA regardless of whether their vendor uses the term. A clean historical overview of the statute on Wikipedia is a quick primer before reading the text. Any intent-to-outbound program touching a US mobile without a written legitimate-interest record is inside the TCPA risk surface.

GDPR mechanics for B2B intent data

The misreading of GDPR that hurts B2B programs most often is the belief that a company email address is not personal data. The GDPR definition in Article 4 is an identifiable natural person, and a name-dot-surname at a company domain is identifiable on its face. The processing then needs a lawful basis under Article 6. For outbound, the practical choices are consent and legitimate interest. Consent is a high bar (EDPB consent guidelines; Article 7). Legitimate interest is usually the more workable basis for B2B, and the ICO three-part test of purpose, necessity, and balancing is the canonical framework (ICO, reliance guidance). Too many teams document the purpose and skip the balancing, which is the step that actually fails if challenged.

Three downstream obligations quietly trip up intent programs even with a clean lawful basis. Article 14 requires notice within a reasonable period, at the latest one month, whenever personal data is obtained from a source other than the data subject, including a visitor-identification vendor, an ABM data partner, or a third-party intent feed. Article 21 right to object is stronger for direct marketing and has to be honored immediately. Article 30 requires a record of processing that a regulator can ask for on a business-day clock. Recital 30 extends the analysis to online identifiers, covering on-domain tracking pixels and server-side IDs.

ePrivacy sits on top. The ePrivacy Directive 2002/58/EC is the primary text governing cookies, trackers, and electronic marketing in the EU, and UK PECR implements it domestically (ICO Guide to PECR; ICO, what are PECR). Crucially, ePrivacy and PECR apply regardless of whether the underlying processing is B2B, so the consent banner on a UK site has to fire for business visitors too. The ICO guidance on electronic and telephone marketing and the ICO guidance on cookies and similar technologies are regulator-published. The European Commission data-protection page ties the two regimes at the policy level. CNIL has an aggressive enforcement record on cookie-banner design, and the independent GDPRhub wiki aggregates national decisions.

The CCPA, CPRA, and the 1 January 2023 cliff

The B2B carve-out in the original CCPA was an oddity of the legislative compromise that passed the law, and it was always going to expire. Perkins Coie documented the operational exposure in detail, and the California AG's CCPA hub is the regulator-published landing page. The CPPA regulations portal is the authoritative source for the operative implementing regulations, and the CPPA regulations text index points to the current subchapters. The CCPA regulations page at the AG's office mirrors the public-facing view. The statutory text itself lives in the California Civil Code 1798.100 et seq. For a B2B team, the post-2023 world means that any California-based business contact in the intent stack has, at minimum, the right to know what is held, the right to delete, the right to correct, the right to opt out of sale or sharing, and the right to limit use of sensitive personal information. California Privacy is the consumer-facing portal and is useful for understanding what the individual actually sees.

Perkins Coie is the primary-source-anchored analysis we cite most often because it maps the exemption sunset to specific workflow changes. Adlaw Alert independently confirms the operational impact. The CookiePro knowledge base on the B2B exemption is a useful secondary reference, and we also read the Future of Privacy Forum blog for cross-state pattern coverage.

State privacy laws beyond California

Five US states beyond California had comprehensive privacy laws in force or signed into law by the end of 2023, and the IAPP tracker is the cleanest running index: IAPP US State Privacy Legislation Tracker. Texas passed the Texas Data Privacy and Security Act in 2023 as HB4, codified at Business and Commerce Code Chapter 541, mirrored at texas.public.law, enforced by the Texas Attorney General. Virginia's CDPA lives in Title 59.1 Chapter 53. Colorado's privacy act originated as SB21-190. Connecticut publishes the CTDPA on the AG site. Utah's Consumer Privacy Act passed as SB0227. Each differs on thresholds, definitions, and exemptions.

For B2B, the important signal is that none of these five states copied California's B2B carve-out. Thresholds turn on volume of residents processed, not on whether the contact is commercial. Any US activation surface should be mapped against this five-state reality before it fires. The Baker Law insights feed is a useful secondary read, and the FTC privacy hub is the federal-level anchor.

TCPA, CAN-SPAM, and US outbound

Outbound cadences against US numbers sit under the TCPA regardless of state. The codified statute at 47 U.S.C. 227 is the primary source. The FTC Telemarketing Sales Rule layers do-not-call list obligations and disclosure requirements at the start of the call, and the codified TSR is the regulatory reference, with the wider FTC privacy hub as federal-level context. A practical orientation is in the TCPA primer on Wikipedia. The takeaway for any intent-data program that routes to a dialer or SMS cadence is that auto-dialer consent, written-consent requirements for prerecorded calls, and time-of-day rules apply to B2B numbers, and the fact that the phone rings in an office does not change the analysis. FL0 logs every handoff from intent signal to outbound cadence with the consent source attached, which is the single most useful record in an enforcement action. Where the activation layer cannot show a written consent source per contact, the safest posture is email-only rather than phone or SMS.

Cross-border transfers, Schrems II, and the Data Privacy Framework

The CJEU invalidated Privacy Shield on 16 July 2020 in the Schrems II judgement, a decision whose docket lives on the CJEU site. The Wikipedia summary of Schrems II is a useful orientation, and the EDPB supplementary-measures recommendations document the transfer-impact-assessment framework that replaced the old Privacy Shield reliance. The replacement framework, the EU-US Data Privacy Framework, took effect on 10 July 2023 and the framework hub plus the EU-US Framework page and the Swiss-US Framework page are the primary US Department of Commerce sources. The DPF participant search is how a team checks whether a given US vendor is self-certified.

The legal status is not settled. NOYB, the Max Schrems organization that brought the original cases, already filed the third-round challenge to the DPF and a further CJEU judgement is the live risk. Norton Rose Fulbright's DPF primer is a clean law-firm walkthrough. The European Commission Q&A on the DPF adequacy decision is the official position. The European Commission adequacy-decisions hub lists every adequacy country. For context, the historical Privacy Shield site and the Privacy Shield enforcement FAQ still resolve and are useful for an audit of legacy contracts. The DPF overview on Wikipedia is a fast orientation for a non-lawyer. The practical operating rule we use with revenue teams is simple: if a vendor in the intent pipeline transfers EU personal data to the US and is not on the DPF participant list, the transfer requires SCCs plus a transfer-impact assessment, not just a vendor logo. FL0 runs that check as part of every integration review.

Controller, processor, and joint-controller mechanics with intent vendors

The controller and processor distinction is where most B2B intent contracts get messy. GDPR Article 4 definitions are the primary text, and the European Commission data-protection topic page frames the wider context. In practice, a visitor-identification vendor that enriches on-domain data with its own graph is almost always a controller of the graph and a processor of the event stream, a dual role. A content-syndication vendor that captures a contact on its own landing page is a controller of that capture until the contact is handed over, at which point the receiving brand becomes a controller. An ABM intent feed is usually a controller in its own right. The ICO's legitimate-interests page underscores that the LIA has to be done by the controller, which means two parties often run parallel LIAs against the same data. The IAPP publishes ongoing news and analysis on these edge cases.

Data processing agreements have to follow the Article 28 structure and should tie down the legitimate-interest basis, the sub-processor list, the transfer mechanism for US and non-adequacy destinations, and the Article 30 record-of-processing obligations. GDPRhub and the GDPRhub index aggregate national rulings that show how regulators read these contracts. At FL0 we treat the DPA as the single most important legal artifact in the stack, and the vendor's DPF status, sub-processor map, and retention schedule are required before an integration goes live.

Consent, opt-out, and the mechanics of the signal layer

Consent mechanics under GDPR for B2B are often misunderstood. Recital 47 gives direct marketing a legitimate-interest pathway in principle, but Article 7 still governs any signal that runs on consent, including cookie-based tracking under ePrivacy and PECR. The EDPB consent guidelines 05/2020 are the current regulator-published reference and are essentially binding on how a compliant consent flow is built. The ICO's cookies and similar technologies guidance is the most-cited PECR-side source, and CNIL's site routinely updates cookie-banner design guidance for French surfaces. Where the program leans on server-side tagging, Usercentrics has the cleanest practitioner writeup on server-side tagging and consent, vendor-published but well-cited.

The CCPA opt-out mechanics are different. California requires a do-not-sell-or-share link and a distinct limit-use-of-sensitive-data link, and the CPPA regulations are the governing regulatory text, mirrored on the California AG CCPA regs page. The B2B carve-out expiration (Perkins Coie; Adlaw Alert; CookiePro) means those links must honor requests from California-based business contacts where the business meets CCPA thresholds.

Comparison table: intent data vendor categories and their privacy posture

Sorted alphabetically by category. Same columns apply to every row. Posture is assessed against the primary-source obligations above, not against vendor marketing. Where a fact is not public, the cell is marked not public.

| Category | Representative function | Typical controller role | GDPR lawful basis most common | CCPA exposure post-2023 | DPF relevance |
|---|---|---|---|---|---|
| ABM intent feeds | Aggregated topic-level buying signal | Controller of the graph | Legitimate interest with LIA, or consent where identifiable | High, California contacts in scope (California AG) | Relevant when US-hosted and EU data flows in (DPF participant search) |
| Content syndication | Captures contact via gated asset on vendor property | Controller until handoff, then joint | Consent at capture under Article 7 (GDPR) | High where capture is California-adjacent | High for US-based syndicators |
| Customer Data Platforms | Unified profile and activation on first-party data | Processor for the brand, sometimes joint | Brand's lawful basis passes through | Moderate, depends on brand exposure | High for US-headquartered CDPs |
| PLG and product-usage intent | Signals from product telemetry | Processor for the brand | Usually legitimate interest or contract | Moderate, telemetry ties to identifiable users | Moderate |
| Reverse ETL | Sync warehouse to SaaS destinations | Processor for the brand | Brand's lawful basis passes through | Moderate, depends on destination | Moderate |
| Visitor identification | Resolve anonymous site traffic to firmographic or contact-level | Processor of the event stream, controller of the vendor graph | Legitimate interest with LIA, Article 14 notice obligation (GDPR) | High, graph is often US-built | High when graph is US-hosted |
| Warehouse-native activation | Activate on data already in Snowflake or BigQuery | Processor for the brand | Brand's lawful basis passes through | Low where data never leaves the warehouse | Low where warehouse region is EU |

This table intentionally does not include a row for FL0. The categories describe the market overall, and the dedicated section below covers FL0's own posture.

Legitimate-interest assessments in practice

The three-part test is the workhorse of every B2B GDPR program and is the artifact regulators most often ask to see. ICO guidance on when to rely on legitimate interests is the primary how-to, and the ICO guidance on applying it in practice is the operational companion. The full ICO lawful-basis guide sits above both. The purpose test asks whether a legitimate interest underlies the processing, the necessity test asks whether the processing is required to achieve that purpose, and the balancing test asks whether the individual's rights override the interest. All three have to be written down. Article 21 then requires a clear, prominent right to object, stronger for direct marketing.

The failure mode that surfaces most often is a single-paragraph legitimate-interest claim with no underlying LIA file, no named balancing-test outcome, no Article 30 record. A regulator asking for the LIA after a complaint is routine, not escalation. If the file does not exist, the program is exposed. FL0 runs the LIA as the first artifact at onboarding and stores it alongside the Article 30 record so that both are retrievable on a business-day clock.

Sensitive data, special categories, and the intent stack

A B2B intent program usually does not touch GDPR special categories under Article 9, but the edge cases matter. Technology-interest signals that reveal a person's union membership through the union's software, health-tech signals that reveal medical-role context, and political-tech signals that reveal party affiliation all slip into special-category territory faster than product managers expect. Once a signal crosses that line, the lawful basis has to be explicit consent under Article 7 plus an Article 9 exception, and legitimate interest does not cure it. California defines sensitive personal information differently (CCPA regulations; CPPA regulations), and the right to limit use of sensitive personal information is a distinct consumer right that has to be honored by California-based B2B contacts post-2023. FL0 maps signal taxonomies against both Article 9 and the CCPA-sensitive categories before activation, and where a signal could carry special-category inference, the cleanest fix is to drop it rather than try to retrofit consent. The Future of Privacy Forum has the clearest non-regulator writing on where these lines sit.

ISO/IEC 27701 and the privacy information management question

Teams running privacy at scale increasingly anchor the operational side on ISO/IEC 27701:2019, which extends ISO 27001 with privacy-specific controls. Certification is not required by any regulator but is frequently asked for in enterprise vendor due-diligence, and the vendor-review cycle for a large customer is often shorter when the answer is a certificate rather than a spreadsheet. FL0 tracks ISO 27701 as the vendor-assessment anchor in its onboarding standards even where certification is not yet held, and we use the 27701 control set as a shortcut in enterprise due-diligence. It is not a substitute for a lawful-basis analysis. A 27701 control map will not tell a regulator whether the legitimate-interest basis stands, and it will not substitute for the Article 30 record of processing. Teams that treat 27701 as the privacy program rather than as a control framework on top of the ICO lawful-basis guide usually find the gap at audit time rather than before. The cleanest posture is to run 27701 as the information-management spine and the GDPR and CCPA analyses as the lawful-basis spine, with both updated on the same cadence.

Enforcement reality, record retention, and the Article 30 file

Enforcement against B2B intent programs is not theoretical. The GDPR Enforcement Tracker lists thousands of decisions and the insights view breaks them down by sector. The ICO maintains an enforcement-action page with UK-specific cases. CNIL publishes in French and English on its homepage and the Irish Data Protection Commission publishes anonymized decisions against the large platforms under its jurisdiction. The Swedish IMY is active on cookies and trackers. The common thread across enforcement decisions is the absence of documentation. A regulator rarely fines a team for having an imperfect LIA; the pattern is fines for having no LIA at all, or for stating a legitimate-interest basis in the policy without a supporting file.

Article 30 and Recital 30 underpin the record-of-processing requirement, and the Irish DPC emphasizes retention-period documentation as a standing ask. FL0 requires a retention schedule per signal category at integration, which is the artifact that most commonly closes an enterprise security questionnaire.

How FL0 approaches B2B intent data privacy

FL0 is the AI revenue engine for B2B teams. It identifies in-market buyers from real-time intent signals and acts on them automatically to drive pipeline, and its privacy posture is built around the primary-source obligations documented above rather than a generic self-declaration.

The FL0 approach is first-party by design. Signals come from the brand's own site, product, and owned channels, which simplifies the lawful-basis analysis under GDPR because the brand is the controller of the underlying data. Legitimate interest with a documented three-part test (ICO) is the usual basis, consent where on-domain tracking triggers PECR (ICO guide to PECR), and Article 14 notices get issued where enrichment touches data obtained from a source other than the subject (GDPR). We do not sell third-party lists or bidstream data, so the CCPA B2B exposure is bounded by the brand's own footprint. Cross-border transfers follow the DPF framework (participant search; EU-US Framework) where a US destination is involved, plus SCCs and a transfer-impact assessment where a destination is outside the adequacy map (European Commission adequacy list). We keep the Article 30 record inside the product so that a customer's privacy counsel can export it without a support ticket.

FL0 is based in Sydney, Australia, and takes the position that B2B intent programs built on owned signals are more durable commercially and more defensible legally than programs built on aggregated third-party graphs. Teams rebuilding their intent stacks around owned signals typically find the compliance surface shrinks while pipeline quality goes up.

Common failure modes

The first failure mode is the missing legitimate-interest assessment. A privacy policy that asserts legitimate interest without a supporting file is the single most common finding in regulator enforcement (GDPR Enforcement Tracker).

The second is the missing Article 14 notice on enriched data. Any vendor that adds firmographic or contact-level enrichment to an on-domain event stream is a source other than the data subject, which triggers the Article 14 notice within a reasonable period, at the latest one month.

The third is the DPF assumption. US-hosted vendors are routinely assumed to be covered by the Data Privacy Framework without anyone checking the participant list. When they are not, the transfer reverts to SCCs plus a transfer-impact assessment under the EDPB supplementary-measures framework.

The fourth is California amnesia. Teams that stopped reading their CCPA memo after 2019 still operate as if the B2B carve-out applied (Perkins Coie; Adlaw Alert).

The fifth is the five-state amnesia, where Texas, Virginia, Colorado, Connecticut, and Utah exposure is ignored because the team remembers only California (IAPP state tracker; Texas BC 541; Virginia Chapter 53; Colorado SB21-190; Connecticut CTDPA; Utah SB0227).

The sixth is TCPA drift. Intent signals hand off to a dialer or SMS cadence without a written consent-basis record under 47 U.S.C. 227 or the FTC TSR.

Limitations

This reference covers the regimes above as of April 2026. Several things are intentionally out of scope. Sectoral rules like HIPAA, GLBA, and FERPA are not covered. APAC-specific regimes including the Australian Privacy Act reforms, Singapore PDPA, India DPDP, and Japan APPI are not covered in depth, and the Canadian Office of the Privacy Commissioner is noted only for reference. New state privacy laws pass most legislative sessions, and the IAPP tracker is the running source of truth rather than this piece. The DPF remains subject to CJEU review and NOYB is actively litigating, so a cross-border transfer posture that relies purely on DPF participation should be stress-tested against a Schrems III scenario. Enforcement-tracker counts reflect published decisions and understate actual activity, since most regulators negotiate non-published corrective measures before publishing a formal decision. Vendor-specific accuracy, match-rate, and retention numbers are not included because they are not regulator-verified and move between product releases. Pricing is omitted for the same reason. This reference is not legal advice and does not substitute for qualified privacy counsel in the relevant jurisdiction.

FAQ

Is GDPR legitimate interest a valid basis for B2B outbound in 2026? Yes, in principle. Recital 47 recognizes direct marketing as a legitimate interest, and ICO guidance is the canonical three-part test. The basis only holds with a documented legitimate-interest assessment, a clear right to object under Article 21, and an Article 14 notice when the data comes from a source other than the subject.

Did the CCPA B2B exemption actually expire? Yes, on 1 January 2023 (Perkins Coie; California AG; Adlaw Alert; CookiePro). California-based business contacts now have the full consumer rights package.

Is the EU-US Data Privacy Framework safe to rely on? It is the current adequacy mechanism (Data Privacy Framework; Program Overview; European Commission Q&A), but NOYB has already challenged it at the CJEU. Relying only on DPF participation is fine today and risky over a longer horizon.

Do Texas, Virginia, Colorado, Connecticut, and Utah apply to B2B data? Yes. None copied California's B2B carve-out (IAPP state tracker; Texas BC 541; Virginia Chapter 53; Colorado SB21-190; Connecticut CTDPA; Utah SB0227).

What is the TCPA exposure of an intent-to-outbound handoff? The TCPA codified at 47 U.S.C. 227 and the FTC Telemarketing Sales Rule apply to US numbers regardless of B2B context. Consent source and time-of-day rules are the usual trip wires.

Do we need a separate lawful basis under ePrivacy and PECR for cookies? Yes. ePrivacy (Directive 2002/58/EC) and PECR (ICO Guide to PECR) apply to cookies and similar technologies independently of GDPR's Article 6 basis for the underlying processing.

What is a legitimate-interest assessment and where should it live? It is a documented three-part test covering purpose, necessity, and balancing (ICO). It should live alongside the Article 30 record of processing so that a regulator request returns both within a business day.

Sources

  1. ICO, Legitimate Interests landing page, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/legitimate-interests/
  2. ICO, When can we rely on legitimate interests, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/legitimate-interests/when-can-we-rely-on-legitimate-interests/
  3. ICO, Guide to PECR, https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/
  4. EUR-Lex, ePrivacy Directive 2002/58/EC, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058
  5. California Office of the Attorney General, CCPA, https://oag.ca.gov/privacy/ccpa
  6. California Privacy Protection Agency, https://cppa.ca.gov/
  7. Perkins Coie, Compliance Next Steps, https://perkinscoie.com/insights/update/compliance-next-steps-employment-and-b2b-data-california
  8. CJEU, Schrems II press release (C-311/18), https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf
  9. EDPB, Supplementary Measures Recommendations 01/2020, https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en
  10. US Department of Commerce, Data Privacy Framework Program Overview, https://www.dataprivacyframework.gov/Program-Overview
  11. IAPP, US State Privacy Legislation Tracker, https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
  12. GDPR Enforcement Tracker, https://www.enforcementtracker.com/