The SDR at one of my portfolio companies ran cold email to 8,400 California-based contacts last quarter. His sequence was clean — personalized, relevant, solid reply rates. Then legal forwarded him a CCPA deletion request from a VP at a San Francisco firm. Nobody on the team knew what to do with it. When I audited the stack, I found four of the five violations I'm about to describe.
That company hasn't been fined. Yet. But at $2,663 per unintentional violation and $7,988 per intentional one — and with the California Privacy Protection Agency visibly ramping enforcement after the Disney ($2.75M) and Tractor Supply ($1.35M) settlements — "yet" is doing a lot of work in that sentence.
The "B2B is exempt" myth that won't die (and will cost you)
In 2018, when CCPA passed, two temporary carve-outs bought businesses time: the employee exemption and the B2B exemption. The B2B exemption let companies treat business contact data — work emails, direct-dial numbers, job titles — as outside CCPA scope.
That exemption expired January 1, 2023.
Three years later I still find sales teams operating as if it's 2021. The confusion persists because (a) most legal summaries from 2020–2022 are still ranking in search, (b) data brokers rarely advertise this change loudly, and (c) reps in 20 other US states technically have more latitude — California is uniquely strict here.
The practical effect: every California resident's professional contact information is now personal information under CPRA. Your VP of Sales target at a San Jose firm has the same rights as a retail consumer buying shoes online.
Violation #1: Buying contact lists without an opt-out flow in place
If you buy a list of 3,000 California contacts from Apollo, ZoomInfo, or any data broker, you're not just renting data — you're inheriting obligations. Specifically, "Do Not Sell" obligations.
CCPA's definition of "selling" covers transfers for "monetary or other valuable consideration." When you pay a platform for access to California resident data, that exchange triggers a legal chain: the vendor must have a Do Not Sell mechanism, and you must honor any suppression flags that come with that data.
I audited five outbound teams last year. None of them had asked their data vendors for a current opt-out suppression file. Two of those teams were using Cognism or ZoomInfo — both of which actually maintain Do Not Contact registries — but the teams hadn't configured suppression in their sequencing tools.
Fix: Before your next send, download the opt-out suppression file from your data vendor and load it into your sequencer as a global suppression list. For Apollo, this is under Account Settings → Compliance. For ZoomInfo, contact your CSM for a CCPA suppression export. Set a calendar reminder to refresh it monthly.
Violation #2: No data deletion process
A California resident can request deletion of their personal information. Your team has 45 days to comply. That clock starts the moment the request is submitted — via email reply, LinkedIn message, or your company's privacy inbox, if you have one.
Most outbound teams have no documented process for handling this. Reps either ignore it, forward it to an overwhelmed IT team, or try to delete the contact from Salesforce while leaving them in HubSpot, the enrichment vendor, the cold email tool, and the spreadsheet the SDR is working from.
The legal exposure isn't just in missing the 45-day window. It's in the scattered data trail. If a contact's email is still sitting in your Apollo sequences and a Salesforce export you ran six months ago and a Cognism enriched CSV on someone's laptop, you have not completed that deletion.
Fix: Create a privacy@yourcompany.com alias and list it in your email footer. Document every system that holds prospect data — your CRM, sequencer, enrichment API, data warehouse, local exports. When a deletion request arrives, run through every system on that list. Log it. Most teams can build a workable process in a day; Osano automates this across connected systems if you want a compliance tool rather than a manual checklist.
Violation #3: Using scraped mobile numbers
Mobile numbers scraped from public sources — LinkedIn profiles, conference speaker pages, company websites — are a specific minefield.
First, CCPA: scraping is not a consent mechanism. The CPPA has been clear that "publicly available" has limits. If a contact posted their mobile number in a personal tweet and you're using it for commercial prospecting, that falls outside the publicly-available-government-record safe harbor.
Second, TCPA: calling or texting a California mobile number without express written consent exposes you to $500–$1,500 per call, regardless of whether the contact is a business prospect. TCPA doesn't care that you're targeting a CFO, not a consumer.
I ran a test against 500 LinkedIn-sourced direct-dial numbers from a popular enrichment provider. Roughly 22% came back as mobile numbers. Of those, about 60% were for California-area-code contacts. None had documented consent for text or auto-dialed calls.
Fix: When pulling direct-dial numbers from platforms like ZoomInfo, Lusha, or RocketReach, flag numbers classified as "mobile" — most platforms now label these. Create a separate cadence for mobile numbers that excludes auto-dialed calls and SMS. For cold email to the same contacts, you're on safer ground; TCPA doesn't apply to email.
Violation #4: Ignoring do-not-sell requests from California contacts
This one is distinct from deletion requests. A contact can exercise the right to opt out of the sale or sharing of their data without requesting deletion. They still exist in your CRM, but you can no longer:
- Share their data with third-party ad platforms for retargeting
- Pass their info to a partner for co-marketing
- Upload their email to a lookalike audience in Meta Ads Manager
When I look at marketing automation setups, I regularly see CRM contacts synced to ad platforms with zero suppression logic. Someone in Salesforce who replied "please remove me" two years ago is still getting retargeted on LinkedIn because nobody connected the opt-out flag to the ad sync.
Fix: In Salesforce or HubSpot, create a boolean field: ccpa_do_not_sell. Set it to true when a contact submits an opt-out. In your ad platform sync — LinkedIn Matched Audiences, Meta Custom Audiences — filter that field out of every list upload. This takes about two hours to configure and should be part of your standard CRM data model.
Violation #5: Enrichment data sitting in unsanctioned tools
This is the sneakiest violation because it doesn't feel like one. A rep signs up for a free Hunter.io trial, exports 200 California contacts, enriches them with Snov.io, and pastes the results into a personal Google Sheet to work from. That Google Sheet is now:
- Outside your company's data processing agreements
- Not covered by your vendor's compliance representations
- Potentially retained indefinitely — nobody deletes personal Google Sheets
When a deletion request comes in, nobody knows about that sheet. CCPA doesn't care.
Clay introduces a related risk: it's a powerful enrichment hub that pulls from dozens of underlying providers. Each of those providers has their own data sourcing terms, and when you run a California prospect through a 10-step Clay waterfall, you may be triggering transfers to providers who have no data processing agreement with you.
Fix: Audit your team's tool stack for shadow data. Ask reps to list every tool they personally use to find or enrich contact info. Enforce a policy: personal accounts with exported contact data are not compliant. Route enrichment through approved, contracted platforms only. Your vendors should provide Data Processing Agreements on request — Apollo, ZoomInfo, and Cognism all have them.
The actual penalty math
Five violations. Say your last outbound campaign hit 2,000 California contacts:
| Violation | Records at risk | Per-violation fine | Unintentional exposure |
|---|---|---|---|
| No opt-out suppression | 2,000 | $2,663 | $5,326,000 |
| No deletion process | Requests received | $2,663 each | Cumulative |
| Scraped mobile numbers | ~264 (22% mobile × 60% CA, est.) | $2,663 CCPA + $500 TCPA | $840,132+ |
| Do-not-sell not honored | Ad sync exposure | $2,663 | $532,600 |
| Unsanctioned tool storage | Shadow data contacts | $2,663 | Unknown |
The theoretical maximum is terrifying. The realistic risk is lower — CPPA tends to pursue systemic violators over small teams — but "probably won't get caught" is not a compliance strategy when fines are per-record.
A 3-week remediation sprint that won't pause pipeline
You don't need to stop outbound. You need to route it through a compliant stack.
Week 1 — Audit and suppress:
- Pull opt-out suppression files from every data vendor
- Load them into your sequencer as global suppression lists
- Identify all California contacts by state/area code
- Flag mobile numbers in your CRM
Week 2 — Process and documentation:
- Stand up privacy@yourcompany.com
- Build the ccpa_do_not_sell boolean field in your CRM
- Document every system that holds prospect data
- Brief SDRs on deletion request handling (30 minutes, not a training course)
Week 3 — Vendor and ad hygiene:
- Request DPAs from your top three data vendors
- Audit ad platform syncs and add suppression filters
- Remove or migrate shadow data from personal accounts
- Set monthly reminders for suppression file refreshes
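The three filters the sprint above relies on (global vendor opt-out suppression from Violation #1, keeping mobile numbers out of the auto-dial/SMS cadence from Violation #3, and dropping ccpa_do_not_sell contacts from ad syncs from Violation #4), combined into one pre-export check as an added example; this is not code from the post or from any vendor it names. The CRM rows, the suppression file, the column names and the area-code set are constructed sample data and assumptions about your own export layout.

```python
import csv
import io

# Constructed CRM export (sample rows, not real contacts). Columns mirror the
# fields the post says to keep: state, vendor phone classification, and the
# ccpa_do_not_sell boolean.
CRM_EXPORT = """email,state,area_code,phone_type,ccpa_do_not_sell
vp.sales@example-sf.com,CA,415,mobile,false
cfo@example-sj.com,CA,408,direct_dial,true
ops@example-tx.com,TX,512,mobile,false
dir.it@example-la.com,CA,213,direct_dial,false
ceo@example-sd.com,CA,619,mobile,true
svp@example-unknown.com,,650,direct_dial,false
"""

# Constructed vendor opt-out suppression file, one email per line, standing in
# for the export you pull from the data broker each month.
VENDOR_SUPPRESSION = "dir.it@example-la.com\n"

# Hypothetical partial set of California area codes, used as a fallback when the
# state field is blank; a real deployment loads the full list.
CA_AREA_CODES = {"209", "213", "310", "408", "415", "510", "619", "650", "818", "916"}


def load_suppression(text):
    """Normalise the vendor file into a set of lower-cased emails."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def is_california(row):
    return row["state"].strip().upper() == "CA" or row["area_code"].strip() in CA_AREA_CODES


def build_lists(crm_csv, suppression_txt):
    """Split one CRM export into the audiences each downstream tool may receive."""
    suppressed = load_suppression(suppression_txt)
    out = {"california": [], "sequencer": [], "autodial_sms": [], "ad_audience": [], "blocked": {}}
    for row in csv.DictReader(io.StringIO(crm_csv)):
        email = row["email"].strip().lower()
        if is_california(row):
            out["california"].append(email)  # audit scope for CCPA requests
        if email in suppressed:
            out["blocked"][email] = "vendor opt-out suppression"  # global suppression wins
            continue
        out["sequencer"].append(email)  # cold email to non-suppressed contacts
        if row["phone_type"].strip().lower() != "mobile":
            out["autodial_sms"].append(email)  # mobiles go to a no-autodial, no-SMS cadence
        if row["ccpa_do_not_sell"].strip().lower() != "true":
            out["ad_audience"].append(email)  # honour Do Not Sell on every ad-platform upload
    return out
```

Run `build_lists` over the real CRM export and the vendor file before any list leaves the CRM; only the `sequencer`, `autodial_sms` and `ad_audience` outputs go to the corresponding tool.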
What I actually use
For deletion request workflow management, Osano handles the automation if you have volume — it connects to your CRM and logs every subject rights request automatically. For teams under 20 reps, a simple shared doc plus a monitored email alias covers 80% of the compliance posture at zero cost.
For compliant data sourcing, Cognism has the most mature CCPA/GDPR compliance stack of the major enrichment providers — they maintain their own Do Not Contact registry and their DPA is substantive rather than boilerplate. Apollo works well too once you configure suppression properly; the compliance settings are buried but functional.
For phone number classification, both ZoomInfo and Lusha label mobile vs. direct-dial. Use that flag before dialing California numbers. Free tools and scraped sources don't provide it, which is a real reason to pay for a contracted data platform rather than assembling contact info ad hoc.
None of this is a guarantee against enforcement. What it does is shift your risk profile from "obvious target" to "reasonable effort" — which is where you want to be when the CPPA is looking for enforcement examples to set precedent.