It happens more than I would like to admit.
I start by advising clients on opt-in language, consent for email lists, and ensuring forms include GDPR-compliant language. And without fail, someone says, “We don’t need that. We don’t market to Europe.”
It sounds reasonable on the surface. But it’s also one of the most common and risky misconceptions in digital marketing today.
When people hear “data privacy,” they often think of the General Data Protection Regulation. And yes, GDPR is widely considered the gold standard. It set a precedent for how organizations should collect, store, and use personal data.
But GDPR is not the only law you need to worry about.
Countries like Canada have their own regulations, such as Canada's Anti-Spam Legislation. And here in the United States, data privacy is becoming increasingly regulated at the state level.
More importantly, these laws are not static. They are constantly evolving, expanding, and becoming more stringent. New regulations are introduced, existing ones are amended, and enforcement continues to increase.
That is why treating GDPR as your baseline is a best practice. If your processes meet GDPR standards, you are far more likely to be compliant with current laws and better prepared for whatever comes next.
One of the biggest misunderstandings is that consent only applies to sending emails.
It does not.
When someone fills out a form on your website, you are not just getting permission to email them; you are also getting permission to use their data. You are collecting and storing their personal data in your CRM. That includes names, email addresses, company information, and sometimes even behavioral data.
That means you need clear, explicit consent for:
Without that consent, you are exposing your organization to unnecessary risk.
Another common argument is, “Our audience is only in the U.S.”
But in today’s digital environment, that is nearly impossible to guarantee.
With remote work, global teams, and frequent travel:
Most companies do not block international traffic. That means you could be collecting data from individuals in regions with strict privacy laws without even realizing it.
And intent does not protect you from non-compliance.
Even if you set aside international regulations, U.S. laws are evolving quickly.
California led the charge with the California Consumer Privacy Act, giving consumers more control over how their data is collected and used.
Since then, more states have followed:
Closer to home, Maine has also strengthened its data privacy protections through laws like the Maine Act to Protect the Privacy of Online Consumer Information, which places stricter requirements on how consumer data is handled, particularly by service providers.
The trend is clear. Data privacy laws are not slowing down. They are expanding in scope, tightening in enforcement, and becoming a permanent part of doing business.
If you are unsure what applies to your business, here are starting points for key state laws:
Each of these laws has different requirements, but they all reinforce the same principle: consumers have rights, and businesses are responsible for protecting their data. And more states are sure to follow…
Non-compliance is not just a theoretical risk.
Depending on the law, penalties can include:
Under GDPR, fines can reach up to 20 million euros or 4 percent of annual global revenue. U.S. laws may have lower thresholds, but they still carry meaningful financial and operational consequences.
And beyond fines, there is a higher cost. Losing customer trust is far harder to recover from.
Whether you think you market to Europe or not, whether your audience is “only B2B,” or whether your business operates in a single state, data privacy laws still apply to you.
And because these laws are constantly changing and expanding, the safest and smartest approach is to hold yourself to the highest standard available.
Treat GDPR as your baseline. Build your processes around clear, transparent consent.
Because in today’s digital landscape, it is not a question of if these laws affect you.
It is a question of whether you are prepared when they do.