Consent & Privacy

GDPR vs CPRA: What B2B Marketing Teams Need to Know

Running a cookie banner because you have EU visitors? You probably also need to care about CPRA if any of those visitors are in California. The two laws have different scope, different rights, and different teeth — but they're both real, and they're both increasingly enforced.

TL;DR

  • GDPR applies to any organization, wherever it is based, that processes the personal data of people in the EU/EEA while offering them goods or services or monitoring their behaviour (web analytics counts as monitoring).
  • CPRA (which amended CCPA) applies to businesses meeting certain thresholds that process the personal data of California residents.
  • Both require consent for certain data uses, give users rights over their data, and impose penalties for non-compliance.
  • For most B2B sites, practical compliance overlaps significantly — one consent banner can address both if configured correctly.

GDPR at a glance

The General Data Protection Regulation (GDPR) has applied across the EU and EEA since May 2018. It applies to any organization, regardless of where it's based, that processes the personal data of people in the EU/EEA in connection with offering them goods or services or monitoring their behaviour. If your B2B site has visitors from Germany, France, or anywhere else in the EU/EEA and you run analytics or advertising tags on them, GDPR applies to how you handle their data.

Under GDPR, "personal data" is broadly defined as any information relating to an identified or identifiable natural person. IP addresses, cookie identifiers, and email addresses are all personal data. Processing this data for analytics or marketing purposes requires a lawful basis, and because the ePrivacy rules separately require consent before setting non-essential cookies or similar trackers, that basis is, for most marketing activities, consent.

GDPR consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes don't count. Burying consent in terms of service doesn't count. The user must take an active, affirmative step to consent, and they must be able to withdraw consent as easily as they gave it.

Enforcement has teeth: fines up to €20 million or 4% of global annual turnover, whichever is higher. High-profile fines (Meta €1.2 billion, Amazon €746 million, and Google's €150 million CNIL fine for making cookie refusal harder than acceptance) have made clear that DPAs (Data Protection Authorities) are willing to go after large organizations. Smaller organizations aren't immune, but enforcement against them is more typically triggered by complaints than by proactive auditing.

CPRA at a glance

The California Privacy Rights Act (CPRA) amended and significantly strengthened the California Consumer Privacy Act (CCPA), with the new provisions effective January 2023. CPRA applies to for-profit businesses that:

  • Have annual gross revenues exceeding $25 million (indexed for inflation; $25,625,000 from January 2023), OR
  • Buy, sell, or share the personal information of 100,000 or more California consumers or households annually, OR
  • Derive 50% or more of annual revenues from selling or sharing consumers' personal information

This threshold means many smaller B2B companies don't technically fall under CPRA. But companies that are growing, have significant web traffic, or are targeting the California market should evaluate carefully.

CPRA's core rights for California residents include: the right to know what personal information is collected and how it's used; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; and the right to limit the use of sensitive personal information.

Key differences between GDPR and CPRA

Consent model: GDPR generally requires opt-in consent before personal data is processed for analytics and marketing. CPRA uses an opt-out model: you can collect and use data by default, but must give consumers the ability to opt out of the sale or sharing of their data. In practice, a default-denied banner that works for GDPR (opt-in) covers the substance of CPRA (opt-out), because no sale or sharing happens until the user opts in. It does not cover CPRA's specific mechanics, though: if you sell or share data you still need a "Do Not Sell or Share My Personal Information" link, and the CPRA regulations require you to honor opt-out preference signals such as Global Privacy Control (GPC) regardless of what the banner shows. CPRA-only compliance never satisfies GDPR.

Scope of "personal information": Both laws define personal information broadly. CPRA adds a specific category of "sensitive personal information" (SPI), covering Social Security numbers, financial account information, health data, precise geolocation, racial or ethnic origin, and similar data, which carries stricter treatment requirements and a specific right to limit its use.

Enforcement: GDPR is enforced by national DPAs, with cross-border cases often going through the Irish DPC because many US tech companies have their EU headquarters in Ireland. CPRA is enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General; the private right of action is limited to certain data breaches, not to consent failures. Both are actively enforced as of 2026.

B2B exemptions: CCPA originally carved out personal information collected in a business-to-business context (business contact data and employee data) from most of its provisions, but those exemptions expired on January 1, 2023 under CPRA, so business contact information about California residents is now fully in scope. GDPR never had a comparable exemption: business email addresses are personal data under GDPR.

What practical compliance looks like

For most B2B marketing sites, practical compliance with both laws involves:

  • A consent banner that defaults to denied. GDPR requires opt-in, so your default state must be non-consented. This satisfies both laws.
  • Granular consent options. GDPR requires that consent be specific, so users must be able to consent to analytics separately from advertising cookies, and refusing must be as easy as accepting. An "Accept All" button with no equally prominent "Reject All" is non-compliant under EU guidance; a first layer with both buttons plus a second layer of per-category toggles is the accepted pattern.
  • A privacy policy that discloses what you collect, why, and who you share it with. Both laws require this disclosure.
  • A mechanism for data subject requests. Under both laws, users can request access to, deletion of, or correction of their data. You need a process to fulfill these requests — typically a contact form or email address dedicated to privacy requests.
  • Vendor due diligence. Any third party that processes personal data on your behalf (GA4, Formspree, HubSpot, etc.) needs a Data Processing Agreement under GDPR (Article 28) and, under CPRA, a service-provider or contractor contract containing the restrictions the CPRA regulations require.

The consent banner as compliance infrastructure

A properly configured consent management platform — CookieYes, Cookiebot, OneTrust — is the practical foundation of compliance for most B2B marketing sites. It handles consent collection, preference storage, and the signals that integrate with Google Consent Mode and other martech. It doesn't handle everything — you still need a privacy policy, a data subject request process, and vendor agreements — but it handles the hardest part: the technical implementation of consent collection and storage.

The CMP choice matters less than the configuration. A poorly configured OneTrust installation is less compliant than a well-configured CookieYes installation. Pay attention to the default consent states, the granularity of consent options, and the integration with your analytics and advertising tools.
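The three configuration points just named (default consent state, granularity, and the signals passed to analytics and advertising tools) are easier to reason about in code than in a CMP settings screen. The following is an added example written for this page; it is not code from the original page or from CookieYes, Cookiebot, OneTrust or Google. It models a default-denied, per-category consent state, honors a Global Privacy Control signal as a CPRA opt-out, and translates the state into Google Consent Mode v2 parameters. The category names, the gtag() call shape and the demo function are assumptions for illustration; the Consent Mode parameter names are Google's.

```javascript
// Added example (not from the original page or any CMP vendor): a minimal
// consent-state model for a B2B marketing site. Category names and the
// gtag()-style call arrays are assumptions for illustration.

// Site-level categories a visitor can consent to individually (assumed names).
const CATEGORIES = ["necessary", "analytics", "advertising"];

// Which Google Consent Mode v2 signals each category controls.
const CONSENT_MODE_KEYS = {
  necessary: ["security_storage", "functionality_storage"],
  analytics: ["analytics_storage"],
  advertising: ["ad_storage", "ad_user_data", "ad_personalization", "personalization_storage"],
};

// GDPR-style default: nothing beyond strictly necessary is granted before the
// user acts. Because no sale/sharing can happen while advertising is denied,
// this default also satisfies CPRA's opt-out model.
function defaultConsent() {
  return { necessary: true, analytics: false, advertising: false };
}

// A Global Privacy Control signal must be honored as an opt-out of sale or
// sharing under the CPRA regulations. Lock advertising off so a later
// "Accept all" click cannot override the signal.
function applyGpc(state, gpcSignal) {
  if (!gpcSignal) return { ...state };
  return { ...state, advertising: false, gpcLocked: true };
}

// Apply explicit user choices from the banner. "necessary" cannot be turned
// off, unknown categories are ignored, and a GPC lock keeps advertising denied.
function updateConsent(state, choices) {
  const next = { ...state };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    if (typeof choices[cat] === "boolean") next[cat] = choices[cat];
  }
  if (state.gpcLocked) next.advertising = false;
  return next;
}

// Translate category state into the Consent Mode v2 parameter object.
function toConsentMode(state) {
  const out = {};
  for (const cat of CATEGORIES) {
    for (const key of CONSENT_MODE_KEYS[cat]) {
      out[key] = state[cat] ? "granted" : "denied";
    }
  }
  return out;
}

// The two gtag('consent', ...) calls a CMP emits: "default" must run in the
// page head before any Google tag loads; "update" runs after each decision.
// Returned as arrays so they can be inspected without a browser.
function consentModeCalls(defaultState, updatedState) {
  const calls = [["consent", "default", { ...toConsentMode(defaultState), wait_for_update: 500 }]];
  if (updatedState) calls.push(["consent", "update", toConsentMode(updatedState)]);
  return calls;
}

// Gate each third-party script on its category so nothing loads unconsented.
function mayLoad(state, scriptCategory) {
  return CATEGORIES.includes(scriptCategory) && state[scriptCategory] === true;
}

// Read the GPC header/flag in a browser; false where navigator is absent (Node).
function readGpc() {
  return typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
}

// Worked run (constructed scenario): a California visitor with GPC enabled
// clicks "Accept all". Analytics is granted, advertising stays denied.
function demo() {
  let state = applyGpc(defaultConsent(), true);
  state = updateConsent(state, { analytics: true, advertising: true });
  return { state, calls: consentModeCalls(defaultConsent(), state) };
}
```

In a real deployment the "default" call is emitted before gtag.js loads and the "update" call from the CMP's decision callback; the GPC check runs on every page load, not only when the banner is shown, because the signal is an opt-out in its own right and does not depend on the banner.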

Need a compliant consent setup for your site?

I implement consent management platforms with proper Consent Mode v2 integration, privacy-first analytics configuration, and documentation that satisfies GDPR and CPRA requirements.

Get a quote