Most B2B marketers still believe CCPA does not apply to them.
They are wrong, and the gap between that belief and reality has been growing since January 1, 2023.
The California Consumer Privacy Act contained a specific exemption for business-to-business contact data. That exemption was always temporary. The California legislature extended it twice. In August 2022, the legislature adjourned without extending it a third time. The exemption expired automatically on January 1, 2023.
Since then, California business contact data has been fully covered under the same privacy law that governs consumer data. A California resident’s work email address, direct phone number, and job title are now legally protected personal information. If you buy a B2B contact list containing California residents and you qualify as a covered business, CCPA applies to what you do with that data.
This guide explains what changed, who it affects, what the practical obligations are, and what it means for marketers buying business contact lists in 2025 and beyond.
This is not legal advice. If you have specific compliance concerns, speak with a qualified privacy attorney.
What Changed and Why It Matters
The original CCPA took effect January 1, 2020. When it was written, the legislature included temporary exemptions for two categories of data: employee data and B2B contact data. Both were seen as needing more time before being brought into full compliance scope.
The B2B exemption covered personal information collected in the context of providing or receiving products or services between businesses. Under this exemption, businesses did not have to provide the full range of CCPA notices to B2B contacts, and those contacts did not have the right to access, delete, or opt out of the sale of their information.
The exemption was extended in 2020 and again in 2021. In 2022, two bills were introduced to extend it further. Neither passed before the legislature adjourned. The exemption expired on January 1, 2023, alongside the California Privacy Rights Act amendments that strengthened the original CCPA.
What this means in plain terms: a sales manager in San Francisco whose work email and direct line appear on a B2B contact list now has privacy rights over that data. Your right to collect, store, use, and sell that data is no longer automatically permitted just because the purpose is B2B marketing.
Who Is Covered
CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds:
Annual gross revenue exceeding $25 million. Data on 100,000 or more consumers, households, or devices per year. More than 50 percent of annual revenue from selling or sharing consumer personal information.
Businesses that do not meet any of these thresholds are not currently subject to CCPA. If your company is small and your contact database is limited, you may fall outside the law’s reach entirely.
But there is a common misconception worth addressing directly. You do not have to be based in California to be covered. You need to do business in California and meet one of those thresholds. A company headquartered in Texas that sells software to California businesses, markets to California contacts, and generates over $25 million in revenue is a covered business under CCPA.
What Rights California B2B Contacts Now Have
When the exemption expired, B2B contacts who are California residents gained the same rights that consumer contacts already had.
The right to know. A California resident can request disclosure of what personal information you hold about them, where it came from, who it has been shared with, and what it is being used for.
The right to delete. They can request deletion of their personal information, subject to certain exceptions where retention is legally required or operationally necessary.
The right to opt out of sale or sharing. They can request that you stop selling or sharing their personal information to third parties. This right was not included in the original B2B exemption and applied even before the exemption expired. It was always in effect for B2B contacts.
The right to correct. They can request correction of inaccurate personal information you hold about them.
The right to limit use of sensitive personal information. Certain categories of sensitive data have additional restrictions on how they can be used.
For B2B marketers, the most operationally significant of these is the right to opt out of sale. When a California business contact requests that their information not be sold or shared with third parties, that request must be honored within 15 business days.
What This Means When You Buy a B2B Contact List
Here is the part most marketers do not think about until they are already in a position of liability.
When you purchase a B2B contact list, you do not just receive data. You inherit compliance obligations for every California resident on that list.
Specifically:
If the list provider sold you that data, you as the buyer have received personal information that was sold. If any California contacts on that list previously submitted opt-out requests to the provider, those opt-outs should have been honored before the data was transferred to you. If they were not, your use of that data continues a chain of non-compliance.
When a California contact on your purchased list submits an opt-out or deletion request to you, you must act on it within 15 business days. The fact that you obtained the data from a third party does not limit your obligation to honor the request.
You are required to enter into a Data Processing Agreement with any provider who supplies you with personal information of California residents. This agreement defines the legal basis for the data transfer, the permitted uses, and the security and deletion obligations of each party.
The practical implication: ask your list provider directly whether the California contacts in their database have submitted opt-out requests and how those are managed. Ask whether they provide a Data Processing Agreement. If a provider cannot answer these questions clearly, they may not be managing their California compliance obligations, which means the risk transfers to you.
The Penalty Structure
Current CCPA penalties are $2,663 per unintentional violation and $7,988 per intentional violation, per the California Privacy Protection Agency’s 2025 schedule.
In September 2025, the California Privacy Protection Agency approved a $1.35 million penalty against Tractor Supply Company. The largest CCPA fine to date is a $2.75 million settlement involving Disney. Both demonstrate that enforcement is active and extending beyond the largest technology companies.
The penalty structure is per violation. A campaign sent to 10,000 California contacts whose opt-out rights were not properly honored is not one violation. Each contact is a separate potential violation.
California Is Not the Only State Watching
CCPA is the most significant state privacy law affecting B2B contact data. But it is not the only one to understand.
Twenty US states now have comprehensive privacy laws in effect. Most of these laws exclude B2B contact data from their coverage, which is why California remains distinct. But the trend is clear. The assumption that business contact data is a privacy-free zone has been eroding consistently since 2020.
Marketers who build compliant data practices now, including opt-out management, Data Processing Agreements, and contact-level deletion capability, are not just addressing today’s California requirements. They are building the infrastructure that additional state laws will likely require in the coming years.
PI’s direct marketing regulations resource covers the compliance landscape across channels and jurisdictions includi’ng CAN-SPAM and Do Not Call requirements alongside state privacy law developments.
Four Practical Steps for List Buyers
These are the operational steps to reduce exposure when buying B2B contact lists that include California residents.
Ask your provider for a Data Processing Agreement before purchase. A compliant provider should produce a DPA without significant delay. If the conversation stalls when you raise this, treat it as a signal about how they manage compliance overall.
Request confirmation of opt-out management practices. Ask how the provider tracks and honors California opt-out requests. Ask how frequently their suppression list is updated. If opt-outs are not being tracked and applied before list delivery, the data you receive may already be non-compliant.
Build an internal process for handling data subject requests. When a contact on a purchased list submits an access, deletion, or opt-out request to your company, you need a process to receive it, verify it, and act on it within the required timeframe. This process should exist before you run any campaign to a list containing California contacts.
Maintain a suppression file. Any contact who has requested opt-out or deletion should be added to your suppression file and excluded from all future campaigns. This file needs to be applied against any new list before deployment.
The B2B verified business database from Prospects Influential is built with compliance infrastructure in place, including opt-out management and data provider agreements that address California requirements.
Frequently Asked Questions
Did the CCPA B2B exemption expire? Yes. The CCPA B2B exemption expired on January 1, 2023. The California legislature adjourned in August 2022 without extending it. Business contact data for California residents is now fully covered under the same CCPA/CPRA framework that governs consumer data.
Does CCPA apply to B2B email marketing? Yes, for covered businesses. If you are a for-profit company doing business in California with over $25 million in annual revenue or data on over 100,000 consumers, CCPA applies to your use of business contact data for California residents, including email marketing.
What B2B contact data is now protected under CCPA? A California resident’s work email address, direct phone number, job title, and other personal identifiers collected in a B2B context are now protected personal information under CCPA. The expiration of the B2B exemption removed the previous exclusion for this category of data.
What happens when I buy a B2B list with California contacts? When you buy the list you inherit compliance obligations. You must honor opt-out and deletion requests from California contacts. You should have a Data Processing Agreement with the provider. You must process opt-out requests within 15 business days. The provider’s compliance practices do not eliminate your own obligations as the data buyer.
What is the penalty for violating CCPA on B2B contact data? Current penalties are $2,663 per unintentional violation and $7,988 per intentional violation. Each affected individual is a separate potential violation. The California Privacy Protection Agency has demonstrated active enforcement, including a $2.75 million settlement and a $1.35 million penalty approved in 2025.
Are other states creating similar B2B contact data laws? Currently California is the only state with a general privacy law that explicitly covers B2B contact data. Most other state privacy laws exclude B2B context data. However, 20 states now have comprehensive privacy laws in effect, and the trend toward broader coverage is consistent.
Build Your List Buying on Compliant Data Practices
The assumption that B2B marketing exists outside privacy law is no longer accurate for California, and the direction of US privacy legislation suggests other states may follow. Marketers who treat contact data compliance as a box to check after the campaign launches are accumulating risk with every list they buy.
Compliant data starts with a provider who manages opt-out records, produces Data Processing Agreements, and sources contacts through documented processes.
Prospects Influential’s B2B contact database provides verified business contacts with compliance infrastructure designed for US marketing requirements. For broader direct marketing regulation context, visit the direct marketing regulations resource page.
Call 800 352 2282 to speak with a list specialist about building a compliant B2B contact list for your next campaign.
