The US has no single national privacy law, but a growing patchwork of state laws led by California’s CCPA and CPRA increasingly affects how businesses handle data, including B2B contacts. For data buyers, understanding the basics is now part of operating responsibly. Here’s a plain-English overview.
The US Privacy Landscape
Unlike the EU’s single GDPR, the US regulates privacy state by state. California has led with the strongest framework, and many other states have since passed their own laws. The result is a patchwork: which rules apply depends largely on where your contacts reside, not just where your business is based.
What CCPA and CPRA Cover
The California Consumer Privacy Act (CCPA), expanded by the California Privacy Rights Act (CPRA), gives California residents rights over their personal information, including rights to know, delete, and opt out of the “sale” or “sharing” of their data. The laws apply to businesses that meet certain thresholds related to size, revenue, or the volume of personal information they handle.
How They Apply to B2B Contacts
Importantly, a previous exemption that largely excluded B2B and employee data from California’s rules has expired. As a result, the personal information of California residents in a B2B context is now generally covered, meaning business contacts may have the same rights as consumers. Buyers handling data on Californians should account for this.
The Growing Patchwork of State Laws
Beyond California, a growing number of US states have enacted their own privacy laws, each with its own thresholds, definitions, and rights. While they share common themes (transparency, access, deletion, and opt-out rights), the details differ. If you target contacts across multiple states, you may need to account for several frameworks at once.
Practical Compliance Steps
Sensible steps include: knowing which state laws apply based on where your contacts live, providing clear privacy notices, honoring access, deletion, and opt-out requests, offering an opt-out of data “sale/sharing” where required, and buying from vendors who can document lawful sourcing. Given the moving landscape, periodic legal review is wise.
Key Takeaways
US privacy law is a state-by-state patchwork led by California’s CCPA and CPRA, and the prior B2B exemption in California has expired, so contact records on US residents increasingly carry consumer-style rights. Track which state laws apply to your contacts, honor data-subject rights, and consult an attorney as the landscape keeps shifting.
Frequently Asked Questions
Do CCPA and CPRA apply to B2B data?
Increasingly yes. A previous exemption that largely excluded B2B data in California has expired, so personal information of California residents in a B2B context is now generally covered.
Is there a single US privacy law?
No. The US regulates privacy state by state, creating a patchwork. Which rules apply depends largely on where your contacts reside.
What rights do CCPA/CPRA give people?
Rights to know what data is held, to delete it, and to opt out of the sale or sharing of their personal information, among others, subject to business thresholds.
What should B2B buyers do about US privacy laws?
Identify which state laws apply, provide privacy notices, honor data-subject requests, offer opt-outs where required, and buy from vendors who document lawful sourcing. Review with counsel as laws evolve.
How can I determine whether a state privacy law applies to my business?
Many state privacy laws apply based on factors such as business size, revenue, the volume of personal information processed, or activities involving residents of that state. Organizations should review the specific thresholds that apply to their operations.
What questions should I ask a B2B data vendor about US privacy compliance?
Ask how the data is sourced, whether privacy rights requests are supported, what documentation is available, how opt-outs are handled, and whether the vendor monitors changes in state privacy regulations.
Do privacy laws affect how I use purchased B2B data?
Yes. Compliance obligations often focus on how personal information is processed, stored, shared, and used after acquisition. Purchasing data is only one part of the compliance picture.
Why is vendor transparency important under US privacy laws?
Transparent vendors can explain where their data originates, how it is maintained, and how privacy requests are managed. This helps buyers assess compliance risk and demonstrate responsible data practices.
Should I maintain processes for handling privacy requests?
Yes. Organizations that use B2B data should have procedures for responding to access, deletion, correction, and opt-out requests where required by applicable laws.
How can I reduce privacy risk when buying B2B data?
Work with reputable vendors, understand the laws that apply to your target markets, maintain clear privacy policies, honor consumer rights requests, and periodically review your data handling practices as regulations continue to evolve.