Skip to main content

TCPA, GDPR and CCPA: A Compliance Guide for Global Sales Teams

TCPA covers US calling, GDPR covers EU data and CCPA covers California privacy, and one outbound campaign can trigger all three at once. Here is how to comply with every one of them without slowing your pipeline.

Tcpa Gdpr Ccpa ComplianceGlobal Sales ComplianceInternational Calling RegulationsData Privacy For Sales TeamsGdpr Sales Compliance
Pintu Kumar
Pintu Kumar 8 min read
Share this post
TCPA, GDPR and CCPA: A Compliance Guide for Global Sales Teams

A single outbound campaign can put you under three legal regimes at once. Reach a prospect in California who happens to be an EU citizen, on their US mobile number, and in one touch you have triggered the Telephone Consumer Protection Act (TCPA), the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Three regulators, three definitions of consent, three very different penalties.

That is the reality for any B2B sales team selling across borders. TCPA governs how you call and text US numbers. GDPR governs how you handle the personal data of people in the EU. CCPA governs the privacy rights of California residents. The three were written years apart, by different lawmakers, to solve different problems, and they were never meant to fit together neatly.

This guide maps how TCPA, GDPR and CCPA compliance overlap and diverge, what each one demands from a sales team, and how to build one process that satisfies all three without slowing your pipeline to a crawl.

Key takeaways

  • The three laws cover different ground. TCPA is about phone and text outreach in the US. GDPR is about any handling of EU residents' personal data. CCPA is about a Californian's right to know, delete and opt out.
  • Passing one audit does not clear the others. GDPR consent does not satisfy TCPA, and a TCPA-clean call list says nothing about your GDPR obligations.
  • The penalties are not on the same scale. TCPA runs $500 to $1,500 per call. CCPA runs $2,500 to $7,500 per violation. GDPR tops out at €20 million or 4% of global revenue.
  • One high-standard process beats three separate ones. Build to the strictest rule, then apply it everywhere.

Why one campaign can trigger three regulations

The overlap is not an accident of drafting. Each law grew out of a different decade and a different worry.

TCPA arrived in 1991, when telemarketing volume and early auto-dialers were the problem Congress wanted to curb. It cares about the act of contacting someone by phone, especially on a mobile line, and about honoring the choice not to be called. GDPR took effect in 2018 as the EU's attempt to give people real control over their own data, and its reach goes far beyond sales. Anything you do with an EU resident's data, from collecting it to storing it to handing it to a vendor, falls inside its scope. CCPA, live since 2020 and since strengthened by the California Privacy Rights Act (CPRA), borrowed GDPR's spirit but took a Californian route, centered on the consumer's right to know what you hold, to have it deleted and to opt out of having it sold or shared.

Put a real prospect in front of those three regimes and the overlap stops being theoretical. Picture an account executive in Chicago calling a VP of engineering who works for a US company, lives in San Diego and holds Irish citizenship. The call itself is TCPA territory. The contact record sitting in your CRM is CCPA data. And because the prospect is an EU citizen, GDPR can follow that data wherever it travels. One dial, three rulebooks. For a closer look at the US calling rules specifically, our TCPA compliance guide for sales leaders covers them in full.

What each regulation actually requires

TCPA: the rules for calling US numbers

The Telephone Consumer Protection Act sets the ground rules for reaching people by phone or text in the United States. It applies to calls and texts to mobile phones, to anything sent with an auto-dialer or a prerecorded voice, and to junk faxes.

In practice, a compliant US calling program does a handful of things every time: it secures prior express written consent before placing auto-dialed or prerecorded calls to a mobile number, scrubs against the National Do Not Call Registry, keeps its own internal do-not-call list, identifies the caller and the company at the start of every call, and dials only between 8 a.m. and 9 p.m. in the prospect's local time.

The math on penalties is what makes TCPA dangerous. Each violation carries $500 in statutory damages, rising to $1,500 when a court finds the violation willful or knowing, per the FCC's telemarketing rules. Because every call counts as a separate violation, one sloppy campaign can stack thousands of them, and the most common enforcement route is not a regulator at all but a private class action. State attorneys general and a growing layer of state mini-TCPA laws pile more exposure on top.

GDPR: the rules for EU personal data

The General Data Protection Regulation governs how any organization handles the personal data of people in the EU, no matter where the organization sits. If you hold an EU resident's contact details, GDPR applies to you even when your office is in Texas.

For a sales team, that puts every step of the workflow in scope: collecting a contact, emailing them, calling them, storing the record in a CRM, passing it to a data vendor. The core obligations are a lawful basis for processing (for B2B outreach this is usually legitimate interest, sometimes consent), genuine transparency about how the data is used, working mechanisms for data subject rights such as access, erasure and portability, records of what you process and why, and breach notification within 72 hours.

GDPR is the most expensive law on this list to get wrong. For the most serious breaches the fine reaches up to €20 million or 4% of total annual global revenue, whichever is higher, according to the European Commission. Enforcement is led by the data protection authority in the relevant member state.

CCPA and CPRA: the rules for California residents

The California Consumer Privacy Act, expanded by CPRA, gives California residents a set of privacy rights that land somewhere between TCPA's narrow focus and GDPR's sweep. It governs how you collect, sell and share the personal information of Californians, and it defines "sale" broadly enough to catch sharing data for almost any valuable consideration.

A compliant program discloses what it collects and why, offers a clear way to opt out of data sales, honors "Do Not Sell My Personal Information" requests, provides access and deletion on request, keeps reasonable security in place and never retaliates against someone for exercising a right.

Penalties run to $2,500 for an unintentional violation and $7,500 for an intentional one, per the California Attorney General, with a private right of action available after certain data breaches. Enforcement comes from the Attorney General and, increasingly, from the California Privacy Protection Agency created under CPRA.

Where the three overlap and where they diverge

For all their differences, the three laws rhyme on the fundamentals. Each one expects you to be honest about who you are and why you are reaching out, so hidden identity and deception break all three at the same time. Each one wants a defensible reason for the contact or the data processing, whether you call it consent, legitimate interest or disclosure. Each one gives the individual a way out, be it an opt-out, an unsubscribe or a deletion request. And each one expects you to keep records that prove it, from consent logs to do-not-call lists to processing registers. Build those four habits well and you are most of the way to compliance on all three.

The differences are where teams get caught:

| | TCPA (US) | GDPR (EU) | CCPA/CPRA (California) | | --- | --- | --- | --- | | Scope | Calls and texts to US numbers | All processing of EU residents' data | Collection, sale and sharing of Californians' data | | Consent standard | Prior express written consent for auto-dialed mobile calls | Lawful basis, often legitimate interest for B2B | No upfront consent, but disclosure plus opt-out | | Penalties | $500 to $1,500 per call | Up to €20M or 4% of global revenue | $2,500 to $7,500 per violation | | Enforced by | FCC, FTC, state AGs and private lawsuits | EU member-state authorities | California AG and the CPPA |

Those distinctions matter in daily decisions. TCPA's per-call damages punish high-volume callers, GDPR's revenue-linked fines fall hardest on large enterprises, and CCPA's per-incident amounts sit in the middle. Enforcement follows a different pattern for each: TCPA is driven by private litigation, with plaintiff's lawyers actively hunting violations; GDPR enforcement is rarer but escalating; CCPA enforcement keeps climbing as its new agency finds its feet.

Build one process to the highest standard

Running three parallel compliance workflows is how mistakes happen. The cleaner approach is to take the strictest rule in each area and apply it to everyone.

Treat every call as if TCPA governs it: verify consent, screen against do-not-call lists, give the required disclosures. That keeps you safe on US calls and costs you nothing on the rest. Hold all of your data handling to GDPR's standard, with a lawful basis, real transparency, honored access and deletion requests, and proper records. Do that and you have largely satisfied CCPA and most of the newer US state privacy laws in the same motion. Then track consent at the level of detail GDPR expects, not just whether someone agreed but when, how and to exactly what.

The payoff is more than legal cover. Your team learns one set of rules instead of memorizing which regime applies to which prospect, and far fewer judgment calls get made wrong under deadline. Plenty of sales leaders have found that strong privacy discipline sharpens their outreach rather than slowing it, an argument we make in detail in why privacy regulations are a blessing for B2B sales.

Let technology carry the compliance load

Manual compliance does not survive contact with volume. Check a few hundred numbers by hand and you will miss one. This is where Pair Selling earns its keep: the AI handles the compliance grind so your salespeople can spend their time on the conversations that close.

AvairAI builds this in. A built-in TCPA Compliance Check screens every campaign against do-not-call data and calling-window rules before it launches, and one-click phone classification sorts each number into can be called, must be called by a human, or do not call. Consent and contact history are logged automatically, which serves TCPA's documentation requirement and GDPR's accountability principle at once. Where AI calling is used, it stays a secondary, TCPA-limited capability reserved for warm or opted-in contacts, and it states the required disclosure on every call.

The division of labor is the point. AvairAI's AI agents build and run the outbound program and surface interested leads; your reps have the conversations, and they book and close. Compliance is infrastructure, and infrastructure is the machine's job. You can see how that is hardened across the platform on our security and compliance page.

Make compliance part of the daily workflow

Compliance is not a project you finish. It is a habit the team keeps.

Before a campaign goes out, confirm which rules apply based on where the prospects are, check consent status, screen against do-not-call lists and make sure the right disclosures are configured. A short pre-launch TCPA compliance checklist keeps this from being guesswork. While the campaign runs, log every contact and every consent, honor opt-out requests the moment they arrive and document any complaint. Over time, audit the process on a schedule, update it as the laws change, and train every new hire before they touch a dialer. And when a situation is genuinely unclear, ask a lawyer. The cost of good counsel is a rounding error next to a class action.

Compliance is the price of selling across borders

Selling across borders now means living under all three rulebooks at once, and the enforcement behind them is getting sharper rather than softer. The encouraging part is that the effort compounds. Build to the highest standard, automate the screening that does not need a human, and your team spends its hours on relationships instead of regulations.

There is a business reason to get this right, not only a legal one. A prospect in San Diego or Dublin can tell the difference between a company that reaches out carefully and one that does not, and that impression carries into the deal. Careful outreach is simply better outreach. Give AvairAI your website and it builds and runs a campaign with the compliance checks already in place, so you reach the right contacts, on the right terms, from the very first touch.


← Back to all articles
Pintu Kumar

About Pintu Kumar

Co-founder & Director of Product Operations, AvairAI

Pintu Kumar is a co-founder and Director of Product Operations at AvairAI, where he turns product vision into reliable execution — designing the operational frameworks, quality processes, and go-to-market readiness that keep the company’s AI-driven prospecting workflows scalable and dependable. He brings 22 years at enterprise-integration company Adeptia, advancing from System Administrator to Senior Manager of Software Quality Assurance and owning QA strategy, release management, and DevOps/Kubernetes practices across mission-critical software. At AvairAI he coordinates cross-functional teams, defines process KPIs, and leads onboarding and adoption strategy. His expertise sits where software quality, DevOps, and product operations meet — ensuring AI agents perform consistently in production. He holds an MCA and BCA in Computer Science and a PGDM in management.

More from Pintu Kumar →

See what AvairAI builds from your website

Never sell alone.

14-day free trial · no credit card · see it in ~3 minutes

Prefer to browse first? Grab a free outreach template Start for free