International Data Privacy Regulations Marketers Need to Understand
As a US-based company with primarily US-based clients, our compliance content tends to focus on federal and state regulations here in the US. GDPR comes up in those articles, but usually in the context of how it compares to domestic frameworks. The conversation around international compliance matters both for practical compliance and for how it informs regulatory patterns and attitudes across borders.
More than 170 countries have enacted data privacy regulations, and the number continues to grow. In the US alone, 20 states had comprehensive privacy laws in effect by January 2026. Internationally, these regulations each carry their own legal basis, jurisdictional reach, and compliance requirements.
According to the European Data Protection Board's 2025 Annual Report, European authorities issued over €1.14 billion in fines across more than 330 penalties. That total includes fines imposed under both the GDPR and national laws implementing the ePrivacy Directive. Those two laws are often discussed as one. They are not, and preparing for one does not cover the obligations of the other.

The GDPR and ePrivacy Distinction
The €1.14 billion in European fines was split between two separate laws. The largest penalty was €530 million imposed on TikTok by Ireland's Data Protection Commission for transferring the personal data of European users to China without adequate protections (May 2025). That was a GDPR fine. GDPR governs how organizations collect, process, store, and transfer personal data.
Several of the other major fines fell under different authorities. France's CNIL fined Google a combined €325 million (€200 million against Google LLC and €125 million against Google Ireland Limited) for displaying advertisements in Gmail's Promotions and Social tabs without user consent and for placing advertising cookies during account creation without valid consent (September 1, 2025).
SHEIN was fined €150 million by the same authority for similar cookie consent failures (CNIL, September 1, 2025). These fines were imposed under French law implementing the ePrivacy Directive, which governs electronic communications, cookies, tracking technologies, and direct marketing. The ePrivacy Directive and the GDPR are separate laws with separate requirements, even though the same authorities enforce both.
The practical difference is that an organization can be fully compliant with one and in violation of the other. GDPR compliance addresses data processing: consent to collect, lawful basis to use, and rights to access and delete. ePrivacy compliance addresses how organizations communicate electronically with individuals and what tracking technologies they deploy on their websites and apps. A consent flow that satisfies GDPR requirements for data collection may still violate ePrivacy rules if it does not separately address cookie placement and electronic marketing consent. An organization building its compliance program around GDPR alone will have obligations it has not accounted for.
The Broader Regulatory Picture
GDPR and the ePrivacy Directive are two laws among many. Several major privacy regulations are now in effect across jurisdictions, and each carries its own requirements.
The General Data Protection Regulation (GDPR) applies to any organization that processes the personal data of individuals in the European Economic Area, regardless of where the organization is based. GDPR applies based on whose data is being processed, not where the processing takes place. A US company with no European offices or infrastructure is subject to GDPR if it processes the data of EU residents.
The ePrivacy Directive, as discussed above, governs electronic communications, cookies, device tracking, and direct marketing across EU member states. Each member state implements it through its own national law, which means specific requirements and enforcement vary by country. A proposed ePrivacy Regulation would replace the directive with a single directly applicable law across the EU, but it has not been finalized.
The UK General Data Protection Regulation (UK GDPR) diverged from the EU GDPR after Brexit. It maintains a similar structure but operates under its own enforcement body, the Information Commissioner's Office, and has introduced its own interpretive guidance. The EU and UK frameworks have already diverged on certain points of enforcement and interpretation, and organizations processing data of both EU and UK residents need to account for both independently.
Brazil's Lei Geral de Proteção de Dados (LGPD) took effect in 2020 and applies to organizations processing the personal data of individuals in Brazil, regardless of where the organization is headquartered. It shares similarities with the GDPR, including requirements for lawful basis, data subject rights, and cross-border transfer restrictions.
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs commercial data processing involving Canadian residents. It requires consent, purpose limitation, and accountability. Provincial privacy laws in Alberta, British Columbia, and Quebec add requirements that vary by jurisdiction and data type.
US state privacy laws now exist in more than a dozen states. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), established consumer data rights including the right to know, delete, and opt out of the sale or sharing of personal information. Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others have enacted their own privacy legislation, each with variations in scope, enforcement, and definitions. We cover US state and federal privacy law in detail in our Lead Compliance Hub and 2026 Guide to TCPA, One-to-One Consent, CAN-SPAM and State Regulations.
These laws differ in terminology, mechanics, and enforcement, but they share common requirements: consent, data minimization, purpose limitation, transparency, retention limits, and individual rights appear in nearly every one. That shared foundation is what makes a principles-based approach to compliance practical across jurisdictions.
How International Enforcement Reaches US Companies
GDPR, LGPD, and PIPEDA all apply based on whose data is being processed, not where the company processing it is located. A US company collecting or handling the personal data of EU residents is subject to GDPR, whether it has a European presence or not.
Direct fines from foreign regulators against mid-market US companies are uncommon today, but new regulations are being enacted each year, fine amounts are increasing, and cross-border enforcement agreements between regulators are becoming more common. Enforcement has historically started with the largest companies and expanded outward, and there is no indication that pattern has stopped. Organizations that wait until enforcement reaches them directly will find themselves building compliance programs under pressure rather than on their own terms.
Many US companies are already encountering these requirements through their business relationships. Partners include data protection requirements in their contracts and procurement terms. Vendor questionnaires ask about consent documentation, data handling, and cross-border transfer safeguards. Insurance underwriters evaluate data protection practices when pricing coverage. These requirements routinely reference GDPR and equivalent international standards, regardless of whether the parties involved are in Europe.
In lead distribution, a buyer operating under GDPR or state privacy obligations needs to document the consent provenance of every lead they act on. That requirement flows upstream to the provider, regardless of where the provider is based. What we see in LeadExec is that compliance expectations move through the supply chain, from buyer to provider, through contractual terms and operational requirements. A provider that cannot demonstrate consent documentation, data handling practices, and revocation processes will lose business before a regulator ever gets involved.
For most US companies, foreign regulators' fines are less of a concern than whether their data practices meet the standards their own partners, platforms, and insurers are applying.
Sound Practices as Regulatory Insurance
Tracking every regulatory body, every amendment, and every new law across jurisdictions is not realistic for most organizations. In the US alone, when federal privacy legislation stalls or gets struck down, state laws often fill the void. Multiply that pattern across every country with its own privacy regulations, and the task of monitoring each one becomes impractical.
Understanding the intent behind these laws makes the task more manageable because they are not arbitrary. They exist because consumers demanded them. People across the political spectrum and across the globe don't want to be harassed by marketers or have their personal data mishandled. The regulations reflect that demand. Regulators also watch what regulators in other jurisdictions are doing. The GDPR influenced the structure of Brazil's LGPD, California's CCPA, and many of the state laws that followed. When a regulatory approach works, other jurisdictions adopt and adapt it, which is why the principles across these laws look so similar.
Organizations still need to understand the specific regulations that apply to them, including jurisdiction-specific requirements like CPRA opt-out signal recognition, GDPR Data Protection Impact Assessments, or LGPD legal basis classifications. But an organization that builds its practices around the intent of the strictest standards will have a strong foundation when new regulations appear. The underlying principles are consistent: know what personal data the organization holds, document the lawful basis for processing it, implement appropriate security measures, honor consent and revocation, limit data retention to what is necessary, and maintain visibility from acquisition through disposition.
An organization that already documents consent provenance, maintains retention schedules, and controls access at the data level is well-positioned for GDPR, LGPD, CCPA/CPRA, and UK GDPR compliance before it maps any specific regulation. New laws require adjustments, not overhauls.
The benefits go beyond avoiding fines. Strict consent and data-handling practices foster stronger consumer relationships. In lead generation and distribution, they produce higher-quality leads with fewer unqualified contacts, because consent reflects intent. A lead who has consented to be contacted about a specific service has expressed interest in it. A lead without verified consent has not. The first converts at a higher rate because the consumer is engaged. The second is rejected both on compliance grounds and because the likelihood of conversion is low. What we see in LeadExec is that providers with strong consent documentation and data-handling practices are more valuable to buyers because their leads are better.
These regulations also do not stop at data collection. They cover storage, access, retention, and the ability to respond to data subject rights requests. What we see in SalesExec is that how sales teams manage data after acquisition determines whether an organization can answer the question regulators and business partners are both asking: what do we hold, why do we have it, who can access it, and how long are we keeping it?
Regulatory Trajectory
More countries are enacting privacy legislation. Existing laws are being amended to expand scope and increase penalties. The EU's AI Act, in force since August 2024, is being enforced in phases: prohibited AI practices were banned as of February 2025, general-purpose AI transparency requirements took effect in August 2025, and high-risk AI system obligations take effect in August 2026, with full implementation by August 2027. This affects any marketing technology that uses algorithmic decision-making, lead scoring, or behavioral profiling. Similar AI governance legislation is under development in other jurisdictions.
None of this is slowing down, and none of it is reversing. Organizations that apply regulatory intentions as a methodology, rather than just responding to specific regulations, will better adapt to future legislation.
Frequently Asked Questions
Do I need separate consent for cookies and for data processing?
Under GDPR, consent for data processing covers the collection and use of personal data. Under the ePrivacy Directive, consent for cookies and tracking technologies is a separate requirement governed by a separate law. These are distinct legal obligations. An organization can have valid GDPR consent to process a contact's personal data and still be in violation of ePrivacy rules if it placed tracking cookies without separate, specific consent for that activity. Both consent flows need to exist independently.
Does GDPR apply to B2B contact data?
Yes. GDPR protects the personal data of natural persons, not organizations. A business email address like john.smith@company.com is personal data because it identifies a natural person. B2B marketing that involves collecting, storing, or processing individual contact information falls within GDPR scope. The common assumption that GDPR only covers consumer data is incorrect.
What is the difference between a regulation and a directive?
In EU law, a regulation applies directly and uniformly across all member states. The GDPR is a regulation, which means its requirements are the same in France, Germany, Ireland, and every other EU country. A directive sets objectives that each member state must achieve through its own national legislation. The ePrivacy Directive is a directive, which is why its implementation varies by country. France's ePrivacy rules differ from Germany's, because each country wrote its own law to meet the directive's requirements. This is part of why enforcement under the ePrivacy Directive looks different from one country to the next.
How do I know if my company processes EU residents' data?
If an organization collects email addresses, phone numbers, names, IP addresses, or any other personal data from individuals located in the EU, it is processing EU residents' data under GDPR's definition. This includes data collected through website forms, email signups, lead generation campaigns, CRM entries, and analytics tools. Organizations that operate websites accessible from the EU, sell products or services to EU-based customers, or receive leads that originate from EU sources are likely processing EU personal data, whether or not that was the intention.
What happens if a company ignores a foreign regulator's fine?
Ignoring a fine does not make it disappear. Cross-border enforcement mechanisms include mutual legal assistance treaties, and EU regulators can pursue recognition of judgments in other jurisdictions. More practically, an unresolved regulatory action can affect an organization's ability to do business with European partners, pass vendor compliance reviews, maintain insurance coverage, or complete acquisitions and partnerships where data governance is part of due diligence. The commercial consequences often arrive before any legal enforcement does.
Do I need a Data Protection Officer?
Under GDPR, organizations are required to appoint a Data Protection Officer if their core activities involve large-scale systematic monitoring of individuals or large-scale processing of special category data (health, biometric, racial, or ethnic data, for example). Most mid-market lead generation and marketing companies do not meet that threshold. However, appointing a DPO or designating someone responsible for data protection oversight is a sound practice regardless of whether it is legally required, because it centralizes accountability for the kinds of decisions these regulations address.
This article is for general informational purposes only and does not constitute legal advice. ClickPoint Software is not a law firm and does not provide legal counsel. International privacy regulations vary by jurisdiction and change frequently. Organizations should consult qualified legal and compliance professionals to assess obligations specific to their business, data practices, and the jurisdictions in which they operate.
