Privacy law is no longer a single rulebook — it's a patchwork
GDPR was the law that made the world pay attention, but it's one entry in a fast-growing list. If your GTM stack touches contacts in more than one country, you're very likely already operating under several privacy regimes at once, whether anyone mapped that out or not.
The EU has GDPR. Brazil has the LGPD. California has the CCPA/CPRA, with Virginia, Colorado, and other US states running their own versions. China has the PIPL. South Korea has PIPA. Singapore, Malaysia, Thailand, and the Philippines each have their own PDPA or DPA. Nearly all of them share a common ancestor in spirit — individual rights over personal data, limits on collection and use, and penalties for getting it wrong — but the mechanics differ enough that a single global playbook has to work at the level of principles, with a market-by-market layer underneath.
Every regime asks the same three questions, differently
Strip away the country-specific language and most data privacy laws are answering the same three questions for any GTM record: what's the legal reason it exists, what does the person get to do about it, and what happens if it's mishandled.
- Lawful basis — GDPR names six (consent, contract, legal obligation, vital interest, public task, legitimate interest). The CCPA/CPRA instead frames things around notice and an opt-out right for "sale" or "sharing" of data. The PIPL leans heavily on consent, often separate consent per purpose.
- Individual rights — access, correction, deletion, and portability show up in nearly every regime, though the exact scope and exceptions vary by law.
- Accountability — breach notification windows, required documentation, and regulator cooperation duties exist almost everywhere, but the clock and the threshold for "reportable" differ by jurisdiction.
Designing GTM systems around these three questions — rather than around any one law's specific article numbers — is what makes a compliance program portable across markets instead of rebuilt every time you enter a new one.
Consent and opt-out rules don't travel the same way across borders
One of the more expensive assumptions in global GTM is treating "compliant" as a single setting. In reality, the acceptable pattern for contacting a purchased or sourced record shifts meaningfully by market — some jurisdictions expect opt-in before first contact, others allow opt-out after notice, and a few require dual, documented consent before any commercial use.
| Region / Law | Typical pattern | Operational note |
|---|---|---|
| European Union — GDPR | Explicit opt-in | Consent must be specific per purpose — no bundled checkboxes. |
| California — CCPA/CPRA | Notice + opt-out | Right to opt out of "sale/sharing" must be easy to exercise, e.g. a clear link. |
| Brazil — LGPD | Dual opt-in | Vendors should be able to produce proof of consent on request. |
| China — PIPL | Separate consent | Often requires distinct consent for cross-border transfer specifically. |
| Argentina / Peru / Chile | Notice + opt-out | Check numbers against national do-not-call registries before dialing. |
| Singapore — PDPA | Notice + opt-out | Public business data can be used, but do-not-call screening still applies. |
| South Korea — PIPA | Dual opt-in | Purchased data is high-risk; many teams avoid third-party sourcing entirely. |
| Malaysia / Thailand | Dual opt-in | Written notice may need to be provided in the local language as well as English. |
The practical upshot: your data vendor contracts and your CRM's suppression logic both need a country field that actually changes behavior, not just a label.
Vendor due diligence is where most GTM risk actually lives
Marketing and sales rarely collect raw data themselves anymore — enrichment providers, intent data platforms, and list vendors do. That makes vendor contracts the real control point, regardless of which law ultimately applies to a given record.
Ask every data vendor for:
- Written confirmation of the lawful basis used to collect each record, per market.
- The ability to produce proof of consent or notice on request, not just an assurance that it exists.
- A contractual obligation to flag and exclude contacts on relevant do-not-contact registries.
- Clear terms on how long they'll retain source records for audit purposes, and under which law's retention expectations.
Design consent capture and CRM hygiene as one global system
Consent that lives in a form tool but never reaches the CRM is functionally invisible — and unenforceable suppression is the fastest way to end up emailing someone who opted out under any applicable law, in any market.
- Sync consent status, its legal basis, and its source (form, vendor, event, call) into the record itself, not a side spreadsheet.
- Make opt-out at least as easy as opt-in, everywhere — a two-click unsubscribe or "do not sell/share" toggle honored instantly across every connected tool.
- Re-verify consent state at the point of send, not just at the point of import, since preferences and applicable law can both change as a contact moves.
- Log automated decisions (lead scoring, routing) that meaningfully affect a person — several regimes, GDPR included, give individuals a right to contest purely automated decisions with significant effects.
Cross-border transfers need a named legal mechanism, every time
If personal data collected in one region flows into a GTM stack hosted or operated in another, that transfer typically needs a recognized safeguard — an adequacy decision, standard contractual clauses, binding corporate rules, or (for regimes like PIPL) a specific transfer mechanism or government security assessment. "The tool is based somewhere else" is a fact, not a safeguard.
This is worth checking now, quietly, rather than during due diligence for a partnership or acquisition: which of your GTM tools store or process data outside its region of origin, and what mechanism covers that transfer today, under each applicable law?
When something goes wrong, more than one clock can start at once
Breach notification windows vary by regime — GDPR generally expects notice to the supervisory authority within 72 hours of awareness, unless the breach is unlikely to pose a risk to individuals; other laws set their own thresholds and timelines. A breach touching contacts in multiple regions can trigger multiple notification duties simultaneously, on different clocks.
Build the muscle once, then localize
The teams that handle this well don't maintain a separate compliance program per country. They build one global operating model — lawful basis on every record, enforceable suppression, vendor accountability, named transfer mechanisms, a breach protocol — and treat each market's specific law as a configuration layer on top of it, not a reason to start over.
REVIEW
The pre-flight checklist
Before your next campaign, list pull, or vendor contract renewal, run it against these seven questions — across every region your contacts touch.
- Does every contact have a documented lawful basis for this specific outreach, under the law that applies to them?
- Does the destination country's opt-in or opt-out pattern match how this record was sourced?
- Can the data vendor produce proof of consent or notice on request, market by market?
- Does an opt-out or "do not sell/share" request anywhere suppress the contact everywhere, within minutes?
- Is there a named legal mechanism covering any cross-border transfer involved?
- Does someone own the breach notification clock — for every law that could apply — if this data is ever exposed?
- Could you answer a data subject or consumer rights request using this system today, wherever it comes from?



