CCPA and CPRA: A Brief Orientation
The California Consumer Privacy Act took effect in January 2020 and gave California residents the right to know what personal information businesses collect about them, the right to request deletion, and the right to opt out of the sale of their information. The California Privacy Rights Act, which amended and expanded CCPA and became fully enforceable in 2023, added new rights (including the right to correct inaccurate data) and created the California Privacy Protection Agency as a dedicated enforcement body with rulemaking and investigative powers.
For the purposes of B2B outreach, the most operationally significant provisions are the data broker registration requirement, the opt-out obligations, and the rules around selling or sharing personal information. These apply regardless of whether you are based in California. If you handle data about California residents, you are in scope.
Important
This article provides general educational information, not legal advice. The regulatory landscape continues to evolve at the state and federal level. Consult qualified legal counsel before making compliance decisions for your organization.
Who Counts as a Data Broker Under California Law
California's data broker registration law defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The threshold is low: if your organization buys contact lists that include California residents and uses them for outreach, the data vendor in that chain may qualify as a registered data broker, and your procurement team should be confirming that status before signing a data contract.
As of 2024, California-registered data brokers are required to offer a single opt-out mechanism through the California Privacy Protection Agency's Delete Request and Opt-Out Platform (DROP). This means consumers can submit a single request to opt out of data broker sales rather than contacting each broker individually. Organizations that purchase data from registered brokers need to understand whether and how the brokers honor these opt-outs in the records they deliver.
The B2B distinction matters here but is narrower than many assume. A contact list of business professionals still contains personal information (names, email addresses, phone numbers, employer details) that belongs to California residents who have privacy rights under CCPA. The business-to-business context does not create a general exemption, though there are nuances in how certain business contact information is treated.
The Consumer vs. Business Contact Distinction
One of the most frequently misunderstood aspects of CCPA in the B2B context is the scope of what counts as covered personal information. CCPA's definition of personal information is intentionally broad: it includes any information that identifies, relates to, or could reasonably be linked to a particular individual or household.
A business email address (jane.smith@acmecorp.com) is personal information about Jane Smith, a California resident, even if it is also a work contact. The same applies to her direct office line, her LinkedIn profile, and any behavioral data collected about her as she navigates websites in her professional capacity. The original CPRA included a temporary business-to-business exemption, but that exemption has expired and business contact data is now subject to the same rules as consumer data.
What this means practically: data vendors who supply B2B contact records to your sales team are operating as data brokers in the CCPA sense, and the records they supply may include individuals who have exercised their opt-out rights. A compliant sales program needs a mechanism to suppress those individuals before outreach begins.
Opt-Out Obligations in Practice
The right to opt out of sale under CCPA means that if a California resident has submitted an opt-out request to a covered data broker, that broker cannot sell or share their personal information for the purposes of targeted advertising, profiling, or cross-context behavioral tracking. When a data buyer receives a list from that broker and uses it for outreach, they are the downstream recipient of potentially tainted records.
This creates a practical obligation for B2B sales programs: you need to know whether your data vendors honor opt-out suppression before delivering records to you. A reputable data provider will maintain a suppression file of opted-out individuals and exclude them from delivered lists. Asking for documentation of this process is a reasonable due-diligence step, and a growing number of enterprise procurement teams are requiring it.
Opt-out suppression also applies to email. CAN-SPAM requires that unsubscribe requests be honored within ten business days and that suppression lists be maintained and honored by any downstream sender using the same list. If you purchase a contact list and begin emailing it, you inherit the obligation to honor any unsubscribe requests you receive going forward, and to suppress against any opt-outs the original list provider has on file for shared contacts.
CAN-SPAM: The Federal Baseline for Email
The CAN-SPAM Act sets the federal minimum requirements for commercial email in the United States. Unlike GDPR's opt-in requirement, CAN-SPAM is fundamentally an opt-out regime: you can email someone who has not consented, but you must make it easy to opt out and you must honor those opt-outs promptly.
The key requirements that matter for B2B outreach are:
- Clear identification: The from name and email address must accurately identify the sender. Using a misleading display name or a spoofed domain is a violation regardless of the message content.
- Subject line honesty: Subject lines cannot be deceptive. "Following up on our meeting" when there was no meeting is a CAN-SPAM problem, not just a trust problem.
- Physical address: Every commercial email must include a valid physical postal address for the sending organization. A P.O. box registered with the USPS qualifies.
- Opt-out mechanism: Every message must include a clear, functional way to opt out. The opt-out mechanism must work for at least 30 days after the message is sent, and requests must be processed within 10 business days.
- No re-engagement after opt-out: Once someone opts out, you cannot email them again based on the same list or campaign, and you cannot sell or transfer their address to another sender for the purpose of circumventing the opt-out.
CAN-SPAM applies to commercial messages sent to business addresses as well as personal ones. The business context does not create a separate set of rules. The same obligations apply to a cold outreach email sent to a CDO's work inbox as to a promotional email sent to a consumer's personal account.
TCPA: Phone Outreach and Its Risks
The Telephone Consumer Protection Act governs phone calls and text messages in ways that are frequently underestimated by B2B sales teams. The TCPA's consent requirements are most demanding for autodialed calls and prerecorded messages, but even manual dialing to mobile phones carries obligations under some state laws that layer on top of the federal baseline.
For B2B outreach programs, the most significant TCPA risk areas are:
- Mobile numbers: Calling a person's mobile number (even manually, even for a legitimate business purpose) can create TCPA exposure if the person has registered on the National Do Not Call Registry and the caller lacks an established business relationship or prior written consent. The TCPA's private right of action, with statutory damages of $500–$1,500 per violation, makes this a high-stakes area.
- Reassigned numbers: If a phone number has been reassigned to a new subscriber since your data was last refreshed, calling it reaches the wrong person, and if the new subscriber is registered on the Do Not Call Registry, the call may violate TCPA restrictions on calling registered DNC numbers. The TCPA Reassigned Numbers Database, maintained by the FCC, exists specifically to address this. Compliant programs check against it before dialing.
- Known litigators: A small subset of individuals actively file TCPA suits as a business model. Data vendors who maintain litigator suppression lists provide meaningful protection against the highest-risk contacts entering a calling program.
How TechySales Builds Compliance In
Compliance is not a checkbox we add at the end of a campaign setup. It is built into how we source, verify, and deploy contact data.
Privacy-by-design sourcing: We source contact records from data providers who are registered California data brokers and who maintain documented opt-out suppression processes. We require contractual representations from vendors that delivered records are suppressed against known opt-out requests before delivery.
Phone validity and DNC screening: Every phone number in our pipeline is checked against the National Do Not Call Registry, the FCC Reassigned Numbers Database, and our own litigator suppression file before being assigned to a calling sequence. Numbers that fail these checks are removed outright, not flagged for later review.
Email suppression management: We maintain a unified suppression list across all email programs. Unsubscribe requests are processed within 24 hours, well inside the CAN-SPAM ten-business-day window, and suppression applies globally across campaigns sharing the same contact base.
Legal counsel: Our compliance practices are reviewed by counsel with specific expertise in TCPA, CAN-SPAM, and state privacy law. As the regulatory landscape evolves (new state privacy laws, FTC rulemaking, CPPA enforcement actions), we update our practices accordingly rather than relying on guidance that may be a year out of date.
What Data Buyers Should Look For in a Compliant Partner
If you are evaluating a data vendor or a sales partner who will run outreach on your behalf, the compliance questions to ask are specific. A vendor who cannot answer them clearly is a liability, not a resource.
- Are you a registered California data broker? If not, have you confirmed that you are not required to register?
- How do you handle opt-out suppression? Are opted-out individuals excluded before delivery or after?
- Do you screen against the National Do Not Call Registry and the FCC Reassigned Numbers Database?
- Do you maintain a litigator suppression file for phone outreach?
- What is your unsubscribe processing SLA for email campaigns?
- Has your compliance program been reviewed by legal counsel in the past 12 months?
- If you run email outreach on our behalf, who is the CAN-SPAM sender of record: your entity or ours?
TechySales on compliance
We are happy to walk through our compliance documentation with any prospective client. If you are running a data provider sales program and want to understand how we handle regulatory risk, contact our team. Compliance diligence is a standard part of our onboarding conversation.
The regulatory environment for B2B data and outreach will continue to tighten. More states are passing comprehensive privacy laws modeled on CCPA. The FTC has signaled increased interest in data broker practices. Organizations that build compliant processes now (rather than retrofitting them after an enforcement action) are better positioned to scale their outreach programs without exposure. For TechySales' full compliance commitments, see the Privacy & Security section on our main site, or read the full privacy policy and terms.