International Data Enrichment: Navigating Multi-Jurisdiction Compliance

Basel Ismail, April 24, 2026

Selling internationally sounds great until your legal team starts asking where each contact on your list is located. Because the moment your enriched prospect list includes contacts from two or more countries, you are operating under multiple regulatory frameworks simultaneously. And those frameworks do not always agree with each other.

This is the reality for any growing B2B company. Your best prospects might sit in San Francisco, London, Toronto, São Paulo, and Berlin. Each of those cities comes with a different set of rules about what you can do with enriched contact data, how you can use it for outreach, and what rights the contact has over their information.

Let us walk through the major jurisdictions, the specific challenges they create for enrichment workflows, and the practical strategies for staying compliant without making your sales team want to quit.

The Regulatory Landscape in 2026

There are now over 140 countries with some form of data protection legislation. You do not need to become an expert in all of them. But you do need to understand the major frameworks that affect B2B data enrichment.

GDPR (European Union / EEA)

The General Data Protection Regulation remains the gold standard for data protection. It applies to any organization processing personal data of EU/EEA residents, regardless of where the organization is located. Key requirements for enrichment:

  • Lawful basis required for processing (legitimate interest is most common for B2B)
  • Data minimization: only enrich what you actually need
  • Purpose limitation: use enriched data only for the stated purpose
  • Storage limitation: do not keep data longer than necessary
  • Data subject rights: access, erasure, portability, objection
  • Records of Processing Activities (ROPA) mandatory
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • 30-day response time for data subject requests

UK GDPR (United Kingdom)

Post-Brexit, the UK has its own version of GDPR that is substantively similar but administered by the ICO rather than EU supervisory authorities. The UK also has PECR (Privacy and Electronic Communications Regulations), which governs electronic marketing. Important distinction: PECR allows unsolicited B2B email to corporate email addresses without consent, which is more permissive than some EU member states.

CCPA/CPRA (California)

The California Consumer Privacy Act and its amendment (California Privacy Rights Act) apply to businesses that meet certain thresholds and process California residents' data. Key enrichment implications:

  • Right to know what data you have collected and from where
  • Right to delete personal information
  • Right to opt out of the sale or sharing of personal information
  • 45-day response time for consumer requests (extendable by 45 days)
  • Vendor contracts must restrict data use and prohibit secondary use or profiling

Other US State Laws

Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others have enacted their own privacy laws. While they share similarities with CCPA, each has unique provisions. The lack of a federal US privacy law means this patchwork is growing.

CASL (Canada)

Canada's Anti-Spam Legislation requires express or implied consent before sending commercial electronic messages. The conspicuous publication exception can apply to enrichment scenarios, but it has narrow conditions.

LGPD (Brazil)

The Lei Geral de Proteção de Dados closely mirrors GDPR in many respects. It requires a legal basis for processing, grants data subject rights, and mandates a Data Protection Officer for certain organizations. Brazil is a growing market, so if you sell to Latin America, LGPD is relevant.

POPIA (South Africa)

The Protection of Personal Information Act governs processing of personal information in South Africa. It requires lawful processing, purpose specification, and data subject rights similar to GDPR.

PDPA (Singapore, Thailand)

Several Asian markets have enacted Personal Data Protection Acts with varying requirements. Singapore and Thailand are among the most mature. Japan has APPI (Act on Protection of Personal Information).

The Core Challenge: Cross-Border Data Transfers

Enrichment inherently involves cross-border data. When you send a German prospect's name and company to a US-based enrichment provider, that personal data just crossed international borders. Under GDPR, cross-border transfers require a legal mechanism:

Standard Contractual Clauses (SCCs): The most common mechanism. These are pre-approved contract terms between the data exporter (you) and the data importer (your enrichment provider). Most major enrichment vendors include SCCs in their DPAs.

Adequacy Decisions: The European Commission has determined that certain countries provide adequate data protection. Data can flow freely to adequate countries. The EU-US Data Privacy Framework restored adequacy for participating US companies, but its long-term stability remains a question.

Binding Corporate Rules: For multinational companies transferring data within their corporate group. Less relevant for enrichment vendor relationships.

Practical impact: make sure your enrichment vendor has SCCs in their Data Processing Agreement. If they do not, you need to establish an alternative transfer mechanism before processing EU data.

Building a Multi-Jurisdiction Enrichment Framework

The goal is not to create a separate enrichment process for every country. That does not scale. Instead, build a framework that can adapt to jurisdictional requirements without becoming unmanageable.

Step 1: Classify Contacts by Jurisdiction at Point of Entry

Every contact entering your system needs a country tag immediately. This is your first enrichment action, and it drives everything else. If a contact comes in without location data, use IP geolocation, company headquarters data, or domain extension as initial signals. Then refine with enrichment.

BetterEnrich includes geographic data in its enrichment output, which simplifies this step. But even if your tool does not, make country identification your first priority.

Step 2: Define Regulatory Buckets

You do not need a separate workflow for every country. Group countries into regulatory buckets based on similar requirements:

  • Bucket 1 (Opt-out permissive): US states without privacy laws, most of Latin America. You can send cold outreach with proper unsubscribe mechanisms.
  • Bucket 2 (Opt-out with restrictions): CAN-SPAM jurisdictions, US states with privacy laws. Cold outreach allowed but with specific requirements.
  • Bucket 3 (Consent-preferred): CASL jurisdictions, certain EU countries (Germany, France). Implied or express consent needed before outreach.
  • Bucket 4 (Consent-required): Strict interpretations of GDPR/ePrivacy. Express consent or very strong legitimate interest needed.

Step 3: Apply the Strictest Rule by Default

When in doubt about a contact's jurisdiction, apply the strictest rules. This means: document your legitimate interest, include opt-out in every communication, maintain suppression lists, and be ready to respond to data subject requests within 30 days.

This sounds conservative, but it actually simplifies operations. Building for the strictest standard means you are automatically compliant in more permissive jurisdictions.

Step 4: Vendor Due Diligence

Your enrichment vendor is a data processor under most privacy frameworks. You need to ensure they can support multi-jurisdictional compliance:

  • Do they have DPAs that include SCCs for cross-border transfers?
  • Do they maintain a sub-processor list?
  • Can they support data deletion requests?
  • Do they have SOC 2, ISO 27001, or equivalent security certifications?
  • Do they provide source-level transparency for enriched data?
  • Can you suppress specific contacts from future enrichment?

Step 5: Cross-Border Transfer Documentation

For every data flow that crosses borders, document: what data is transferred, where it goes, the legal mechanism enabling the transfer (SCCs, adequacy, etc.), and what safeguards are in place. This goes into your ROPA.

Practical Challenges and Solutions

Challenge: Contact Location Changes

People move. A contact enriched as US-based might relocate to Germany. Now GDPR applies to them. Your enrichment refresh should include location verification, and your CRM should trigger a regulatory re-classification when location changes are detected.

Challenge: Company HQ vs. Contact Location

A company might be headquartered in the US but have employees in the EU. GDPR follows the individual, not the company. An EU-based employee of a US company is protected by GDPR. Your jurisdiction classification should be based on the contact's location, not the company's headquarters.

Challenge: Multiple Applicable Laws

Consider a California resident working for a UK company. CCPA applies because of their residency. UK GDPR may apply because of the company. And if you are processing their data from the EU, GDPR might also apply. When multiple laws apply, comply with all of them. In practice, this usually means following the strictest requirements from each.

Challenge: Data Subject Requests Across Systems

If a German contact requests data deletion, you need to delete their data from: your CRM, your marketing platform, your enrichment provider records, your data warehouse, your email sending tool, and any other system that holds their data. Map your systems in advance so you can execute deletion requests within the 30-day GDPR window.

Regional Enrichment Considerations

Europe

European contacts are generally harder to enrich and more expensive due to compliance requirements. Coverage from US-based tools tends to be lower for EU contacts. Consider using EU-focused providers like Cognism (which has 3x more EU contacts than many US-based tools) as part of your waterfall. When using BetterEnrich, the waterfall cascade automatically queries sources with strong EU coverage.

Latin America

Brazil (LGPD), Argentina (PDPA), and Chile (new data protection law) are the most regulated markets. Enrichment coverage for Latin American contacts is generally lower than US or EU. LinkedIn is widely used professionally across Latin America, which helps with contact discovery.

Asia-Pacific

Japan, Singapore, South Korea, and Australia have mature data protection frameworks. India has been developing its Digital Personal Data Protection Act. China has PIPL (Personal Information Protection Law), which is extremely strict and creates significant complexity for companies processing Chinese contacts.

Middle East and Africa

South Africa (POPIA), UAE (federal data protection law), and Kenya are leading regulatory development in these regions. Enrichment coverage is typically the lowest in these regions, making waterfall approaches especially valuable for filling coverage gaps.

Building Your Compliance Technology Stack

Beyond your enrichment tool, consider these compliance-supporting technologies:

  • Consent management platform: Track and manage consent records by contact and jurisdiction
  • Data mapping tool: Visualize and maintain records of data flows across systems
  • DSAR management tool: Automate data subject request intake, processing, and response
  • Cookie and tracking consent: Manage website tracking compliance (relevant for deanonymization and web visitor enrichment)
  • Suppression list management: Centralized suppression across all outreach channels and tools

The Cost of Getting It Wrong

GDPR fines can reach 4% of global annual revenue or 20 million euros, whichever is higher. CCPA penalties reach $7,500 per intentional violation. CASL penalties can hit $10 million per violation for businesses. Beyond fines, there is reputational damage and lost trust.

But the cost of over-compliance is also real. If your legal team locks down everything so tightly that sales cannot use enriched data effectively, you lose the revenue benefit of enrichment entirely.

The goal is proportionate compliance: robust processes and documentation that satisfy regulators without paralyzing your go-to-market operation. A waterfall enrichment tool with pay-per-valid pricing (like BetterEnrich) helps here because you are only creating compliance obligations for contacts that are verified and actionable, not for masses of unverified, potentially inaccurate data.

An Action Plan for International Enrichment

If you are currently enriching contacts internationally without a compliance framework, here is how to get started:

  1. Audit your current contact database by country. Understand your jurisdictional exposure.
  2. Sign DPAs with all enrichment vendors. This is table stakes.
  3. Document your legal basis for each jurisdiction bucket.
  4. Implement jurisdiction-based segmentation in your CRM.
  5. Set up a unified suppression list that works across all outreach tools.
  6. Create a data subject request process with clear ownership and timelines.
  7. Train your sales and marketing teams on jurisdiction-specific requirements.

This is a one-time setup effort (roughly 2-3 weeks for a mid-sized team) that puts you in a defensible position. After that, it is about maintaining the framework as your target markets and regulations evolve.
