20 States, 20 Privacy Laws: A Sales Leader's Guide to CRM Data Compliance in 2026

On January 1, 2026, three more state privacy laws went live: Indiana, Kentucky, and Rhode Island. That brings the total to 20 states with comprehensive consumer privacy legislation. By the end of 2026, at least three more states are expected to follow.

If you sell to consumers or businesses across state lines, which is almost everyone reading this, your CRM now operates under a patchwork of 20 different regulatory frameworks, each with slightly different definitions of personal data, different consent requirements, different deletion timelines, and different penalties.

Most sales teams are not ready. A 2025 IAPP survey found that only 23% of B2B companies had updated their CRM data handling procedures to comply with state laws beyond California's CCPA. The other 77% are operating on borrowed time.

The 20-State Map

Here is where comprehensive privacy laws are now active, grouped by effective date.

2023: California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA)

2024: Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Montana (MCDPA), Florida (FDBR)

2025: Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Tennessee (TIPA), Nebraska (NDPA), Minnesota (MCDPA)

January 2026: Indiana (INCDPA), Kentucky (KCDPA), Rhode Island (RIDPA)

Maryland's Online Data Privacy Act takes effect October 2026 with some of the strictest provisions yet, including a data minimization standard that goes beyond any current state law.

No Federal Preemption in Sight

Congress has failed to pass the American Data Privacy and Protection Act (ADPPA) in three consecutive sessions. With no federal law on the horizon, the state patchwork will only get more complex. Companies that wait for federal preemption to simplify compliance are making a bet that has not paid off for four years running.

What State Privacy Laws Mean for Sales Teams

These laws were written with consumer apps and data brokers in mind. But they apply to B2B sales data too. Here is where they hit sales operations directly.

Consent and Opt-Out Rights

Every state law gives consumers the right to opt out of the sale or sharing of their personal data. Most extend this to "targeted advertising," which includes the behavioral profiling that sales teams do when they use intent data, lead scoring, and automated outreach sequencing.

What this means in practice: if a prospect in Colorado opts out of data sharing, you cannot send their contact information to a third-party enrichment tool. If a prospect in Connecticut opts out of profiling, you cannot include them in an AI-scored lead list without their consent. If a prospect in Texas exercises their opt-out right, you need to process it within 30 days (some states allow 45).

The problem: most sales stacks have no mechanism to propagate an opt-out across tools. A prospect opts out via your website form. That opt-out gets recorded in your marketing automation platform. But does it reach your CRM? Your sales engagement platform? Your enrichment provider? Your call intelligence tool? In a fragmented stack, the answer is usually no. The opt-out sits in one system while the other seven continue processing the prospect's data.

Deletion Rights

All 20 states grant consumers the right to request deletion of their personal data. The timelines vary from 15 to 45 days depending on the state. When someone requests deletion, you must delete their data from every system that holds it.

This is where fragmented sales stacks become a compliance liability. A deletion request comes in. You delete the contact from Salesforce. But their call recordings still live in Gong. Their email history lives in Outreach. Their enrichment data lives in ZoomInfo's cache. Their visitor tracking data lives in Clearbit. Their support tickets live in Zendesk. Their proposal views live in PandaDoc.

The Deletion Cascade Problem

A single deletion request in an 11-tool sales stack requires coordinated deletion across an average of 7 systems. Each system has a different deletion API (or no API at all). Each has different data retention policies. Some purge immediately, some batch-process deletions weekly. In practice, most companies achieve partial deletion and hope for the best. That is not compliance. That is a liability waiting for an enforcement action.

Data Minimization

Several states, including Colorado and the upcoming Maryland law, require data minimization: you may only collect and retain personal data that is "reasonably necessary" for the purpose disclosed to the consumer. This is a direct challenge to the data-hoarding culture in B2B sales.

Sales teams routinely collect and store data they never use. Personal cell phones from enrichment tools that nobody calls. Home addresses for contacts who only do business via email. Social media profiles scraped by intent data vendors. Demographic data from third-party data brokers. If you cannot articulate a specific, disclosed business purpose for each data element you store, data minimization standards put you at risk.

The practical implication: your CRM should have a data retention policy tied to purpose. If a lead has been inactive for 18 months and you have no active business relationship, retaining their personal data may violate data minimization requirements in states with strong minimization standards.

AI Profiling Opt-Out

This is the newest and most directly relevant provision for sales teams using AI. Colorado's and Connecticut's laws, as well as the EU AI Act, require opt-out mechanisms for automated profiling that produces legal or similarly significant effects. Several 2026 state laws include similar provisions.

AI-driven lead scoring, deal probability prediction, and automated prioritization all constitute profiling. If your AI system decides which leads get attention and which do not, that is an automated decision with a significant effect on the individual (they either get sold to or they do not). Prospects in covered states have the right to opt out of that profiling.

B2B Data Is Not Exempt

B2B sales teams often assume privacy laws only apply to B2C companies. Wrong. Most state privacy laws apply to personal data regardless of the business context. A contact's name, email, phone number, and behavioral patterns are personal data even when that person is a VP of Procurement at a Fortune 500 company. The B2B exemption that existed in some early drafts was removed from most final legislation.

Why Fragmented Stacks Cannot Comply

The core compliance problem is architectural, not procedural. You can write all the privacy policies you want. If your technology cannot execute them, the policies are fiction.

A fragmented stack fails compliance in four specific ways.

Consent propagation failure. An opt-out recorded in one system does not automatically propagate to other systems. The consent state in your CRM may differ from the consent state in your enrichment tool, your sequencing platform, and your call intelligence tool. This means you are processing data that the individual has opted out of processing, which is a violation in every state with an opt-out provision.

Incomplete deletion. Deletion across 7 to 11 systems requires either manual effort (error-prone and slow) or custom-built automation (expensive and fragile). Most companies achieve deletion in their primary CRM and call it done. The data persists in secondary systems, creating ongoing liability. Shadow AI compounds this risk because reps may have exported prospect data into personal AI tools that the company cannot even identify, let alone delete from.

No centralized audit trail. When an enforcement action or consumer complaint arrives, you need to prove what you did with the individual's data and when. In a fragmented stack, that proof lives in 11 different audit logs (assuming the tools even have audit logs). Assembling a complete data history for a single individual requires pulling records from every system, correlating timestamps, and hoping the records are consistent. They rarely are.

Data residency uncertainty. Some state laws and many enterprise procurement requirements specify where data must be stored. In a fragmented stack, your data is in Salesforce's data centers, Gong's data centers, Outreach's data centers, ZoomInfo's data centers, and so on. You may not even know which regions each vendor uses. Answering "where is this person's data stored?" requires surveying every vendor's data residency documentation.

How a Single-Platform Architecture Solves This

The compliance argument for platform consolidation is separate from the cost argument, though they reinforce each other. Here is what changes architecturally when all revenue data lives in one system.

Single consent state. When a prospect opts out, the opt-out applies immediately across every capability: CRM, sequences, enrichment, call intelligence, visitor tracking, AI profiling. One database, one consent flag, one enforcement point. No propagation delay. No system-to-system inconsistency.

Complete deletion in one operation. A deletion request removes the contact and all associated data: activity history, call recordings, email threads, enrichment data, visitor tracking cookies, deal associations, and AI-generated insights. One API call. One confirmation. Full compliance. No hunting through seven different admin consoles.

Revian's Postgres database with row-level security means deletion is not just a soft delete that hides the record. The data is purged from the database in compliance with the strongest state deletion standard (California's 15-business-day requirement). The audit trail records that the deletion was requested, when it was executed, and what was removed, which is the documentation you need when an AG's office asks for proof of compliance.

GDPR-Ready by Default

If your platform can comply with the strictest US state law (currently California, soon Maryland), it is also substantially GDPR-ready. Revian's deletion, consent management, and data minimization controls were built to the GDPR standard from the beginning, which means US state compliance is a subset of what the platform already supports. Companies expanding to European markets do not need a separate compliance overhaul.

Centralized audit trail. Every data access, modification, and deletion across all 33 capabilities is logged in a single audit trail. When a regulator or consumer asks "what did you do with my data," the answer is a single query that returns every interaction, every change, every access event, with timestamps and user attribution. The 279-mutation audit trail in Revian was designed specifically for this use case.

Permission-scoped AI with compliance guardrails. Revian's AI assistant operates within the same row-level security that governs the entire platform. If a contact has opted out of AI profiling, the AI cannot score, prioritize, or profile that contact. The opt-out is enforced at the database level, not the application level. There is no workaround. There is no way for a well-meaning rep to accidentally include an opted-out contact in an AI-driven workflow.
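A Postgres sketch of the two mechanisms described above, a row-level-security policy that hides opted-out contacts from the AI scoring role and a hard delete that writes its own audit record. This is an added example, not Revian's schema or code; all table, column, role and function names are assumptions.

```sql
-- Assumed schema (not Revian's): one consent flag per contact, dependent data
-- keyed to the contact, and an audit table that outlives the contact row.
create table contacts (
    contact_id           bigint primary key,
    email                text not null,
    ai_profiling_opt_out boolean not null default false
);

create table call_recordings (
    recording_id bigint primary key,
    contact_id   bigint not null references contacts on delete cascade,
    storage_key  text not null
);

create table privacy_audit (
    audit_id    bigserial primary key,
    contact_id  bigint not null,  -- no FK on purpose: must survive the deletion
    action      text not null,
    actor       text not null default current_user,
    detail      jsonb,
    occurred_at timestamptz not null default now()
);

-- The scoring service connects as this role (login attributes omitted). The
-- policy hides opted-out contacts from it, so no query it runs can score them.
-- The table owner, which runs erase_contact below, bypasses RLS unless FORCE
-- ROW LEVEL SECURITY is set; any other application role needs its own policy.
create role ai_scoring;
grant select on contacts to ai_scoring;
alter table contacts enable row level security;
create policy ai_sees_only_consented on contacts
    for select to ai_scoring
    using (ai_profiling_opt_out = false);

-- Hard delete plus audit record in one transaction. Dependent rows go via
-- ON DELETE CASCADE; the audit row records what was removed and when.
create or replace function erase_contact(p_contact_id bigint, p_reason text)
returns void language plpgsql as $$
declare
    v_recordings integer;
begin
    select count(*) into v_recordings from call_recordings where contact_id = p_contact_id;
    delete from contacts where contact_id = p_contact_id;
    if not found then
        raise exception 'contact % not found', p_contact_id;
    end if;
    insert into privacy_audit (contact_id, action, detail)
    values (p_contact_id, 'erase',
            jsonb_build_object('reason', p_reason, 'call_recordings_removed', v_recordings));
end $$;
```

Keep the audit table outside the cascade and the audit insert inside the same transaction as the delete, otherwise the proof of deletion disappears with the record.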

What to Do This Month

You do not need to solve the entire compliance problem at once. But you need to start now, because enforcement is accelerating. Texas issued its first TDPSA enforcement action in November 2025. Connecticut followed in January 2026. The grace periods are over.

First, audit your data map. For every tool in your sales stack, document what personal data it stores, where that data is stored (data center region), how it is deleted, and how long deletion takes. If you cannot answer these questions for any tool in under 10 minutes, your deletion response time is already non-compliant for 15-day states.

Second, test your deletion process. Submit an internal test deletion request for a fictitious contact. Track how long it takes to confirm deletion across every system. If it takes more than 48 hours end-to-end, you have a process gap that will fail under enforcement scrutiny.

Third, evaluate your AI profiling exposure. List every AI or ML model that scores, ranks, or prioritizes contacts. For each model, answer: does it respect opt-out preferences? Can a contact be excluded from profiling? Is the profiling decision documented in an audit trail? If any answer is no, that model is creating compliance risk in opt-out states.

Fourth, evaluate consolidation. Not for cost reasons (though the cost savings are real). For compliance reasons. Every tool you eliminate is one fewer deletion target, one fewer consent propagation point, one fewer audit trail to correlate. The multi-tenant security architecture piece covers the technical foundations that make single-platform compliance possible.

Twenty states. Twenty different compliance standards. More coming every quarter. The companies that will navigate this without incident are the ones whose architecture makes compliance automatic rather than manual. Everyone else is one deletion request, one AG inquiry, or one data breach away from learning how expensive non-compliance actually is.

Compliance-ready by architecture

One database. One consent state. One deletion command. One audit trail. See how Revian makes privacy compliance automatic across all 20 states.
