Data protection laws and regulation icons
Data protection laws and regulation icons

Did you know that a data breach at exposed more than 125 million email addresses and 9 billion data points in 2018 in one of the largest security breaches to date? 

As more data is available online than ever before, data breaches like the one at are becoming more common. These data breaches not only lead to damaged brand reputations and broken trust, but they can also result in big fines as more countries begin to implement strict data compliance laws.

If you’re working within sales and revenue operations at a B2B organization, it’s essential to understand these six B2B data protection laws and regulations so that you stay on the right side of the law.

B2B data protection laws and regulations

The past few decades have drastically changed the ways user data is collected and distributed, with advanced technology that searches for and collects sensitive data at unprecedented scale and speed. 

As more consumers have become aware of how their personal information is shared online, there’s been an uptick in global data protection laws and regulations. And now, B2B companies must proceed with caution when it comes to collecting user data.

From Amazon and Apple to Google and, countless companies have faced heavy regulatory fines due to compliance issues, such as widespread data breaches and the improper collection of consumer data. In response, countries worldwide have enforced various data compliance laws to ensure B2B companies only use data that has been given with consent.

Here are the six B2B data protection laws and regulations to be aware of in 2022, along with the dangers of failing to comply.

1. SOC-2

Service Organization Control 2, better known as SOC-2, is a voluntary compliance standard used to demonstrate how B2B companies should securely manage customer data. Created by the American Institute of CPAs (AICPA), SOC 2 compliance requirements are based on five trust services components: 

  • Availability
  • Confidentiality
  • Privacy
  • Processing integrity
  • Security 

To gauge current compliance levels, a certified public accountant (CPA) or accounting firm performs a SOC audit with a Type I and Type II report. 

A Type I report details a company's current data systems and if the design complies with the five trust services components. 

A Type II report details the operational efficiency of these data systems to help identify any potential update needs. 

While you don’t have to be SOC-2 compliant, it has become a standard practice for enterprise software companies, like UserGems, or companies that sell to enterprise organizations.

That’s because complying with established SOC-2 regulations can demonstrate an organization’s high level of data security and prove sensitive customer information is handled properly. 

What happens if you don’t comply with SOC-2 regulations?

Failing to comply with the various trust services components not only demonstrates a company’s lack of proper data handling to outside organizations but can also induce complications when it comes time for the SOC-2 audit.


Established by the European Union (EU) in May 2018, the General Data Protection Regulation (GDPR) built on the EU’s previous data protection framework to become the world’s toughest security and privacy law. 

Though based out of the EU, GDPR regulations can be imposed on any company across the globe if they target or collect customer data from individuals residing in the European Union. Generally speaking, the role of GDPR is to provide EU citizens more control over their personal data. 

There are numerous compliance requirements that ensure companies legally gather data with explicit permission, such as the use of permission requests on websites, as well as the adoption of security measures to protect collected data from unlawful misuse and data breaches. 

What happens if you don’t comply with GDPR?

For enterprises using EU citizen customer data, failing to properly comply with GDPR restrictions holds some of the harshest fines across any data privacy regulation. 

In fact, those who violate standards established under GDPR can not only face fines of up to €20 million or 4% of their global revenue, but customers affected by the violations can also seek compensation for damages as well. 

In fact, several corporations have already been slapped with GDPR fines much larger than €20 million Euros, including:

  • Amazon:  €746 million (~$804 million USD) 
  • Whatsapp:  €225 million (~$242 million USD)
  • Google:  €50 million (~$53 million USD) 
  • H&M:  €35 million (~$37 million USD) 
  • TIM:  €27.8 million (~$29 million USD) 


Back in 2003, the U.S. Congress passed the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) to address the ongoing issue of unrequested emails.  For B2B companies who use email marketing strategies, these regulations require marketers to:

  • Adhere to specific commercial email rules
  • Follow message layout requirements
  • Provide recipients with the right to opt out of emails via an unsubscribe link

Messaging covered under this law includes “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” 

CAN-SPAM’s core regulation requirements include but are not limited to:

  • Identifying a message as an ad
  • Quickly honoring opt-out requests
  • Avoiding false or misleading subject lines
  • Providing recipients with the company’s physical location 

What happens if you don’t comply with CAN-SPAM?

For B2B enterprises utilizing robust email communications, strict compliance with these various requirements must remain a heavy focus. According to the Federal Trade Commission (FTC), each separate email violation is subject to a fine of up to $46,517 under the CAN-SPAM Act.

In rare cases, the most egregious violators can even be sentenced to up to 3 years of jail time in federal prisons. 


In 2014, the Canadian government enacted the Canadian Anti-Spam Law (CASL), affecting any business that sends commercial electronic messages to a Canadian resident. 

Similar to regulations established under CAN-SPAM, CASL strictly regulates unsolicited email communications by establishing message requirements and the opportunity for recipients to unsubscribe from a sender’s email list.

However, unlike CAN-SPAM legislation that requires businesses to include an option to opt-out of commercial electronic communications, CASL requires businesses to first request consumers to opt in. 

A B2B company that uses customer contact information to send commercial emails to Canadian residents must gain verbal or electronic confirmation from the recipients before they are allowed to send them marketing emails.

What happens if you don’t comply with CASL?

If found in violation of CASL, an administrative monetary penalty (AMP) may be enforced of up to $1 million CAD for individuals and up to $10 million CAD for businesses. 

With some of the harshest fines and penalties established under any customer data regulation worldwide, it’s crucial for a company to fully understand its responsibilities when it comes to CASL before communicating with Canadian customers.


Specific to California residents, the California Consumer Privacy Act (CCPA) was established in 2018 to give consumers enhanced control over the personal information sought after by businesses. 

Under this legislation, a California resident may ask a business to disclose the personal information they have regarding them, inquire what they do with this information, or ask them to delete or refrain from selling their data.

Personal information covered under the CCPA includes:

  • Name
  • Email address
  • Transaction records
  • Internet browsing history
  • Geolocation data
  • Fingerprints 

What happens if I don’t comply with CCPA?

Companies that fail to comply with the CCPA can face maximum penalties of $7,500 USD for intentional violations and $2,500 USD for unintentional violations. Failing to comply with CCPA also runs the risk of costly consumer lawsuits that seek damage reimbursements following a data breach in which the business was at fault.


The Personal Data Protection Act (PDPA) was established by the Singapore government in 2012 to create a baseline for the protection of local consumer data. 

This act goes hand-in-hand with various Singapore legislative frameworks, including the Insurance Act and the Banking Act. PDPA enforces various compliance requirements for businesses regarding the collection, use, and distribution of Singapore residents’ personal data. 

These requirements include the need to establish security measures that protect data and a transfer limitation obligation that restricts Singapore residents’ data from being transferred outside the country.

Furthermore, the PDPA also created the National Do Not Call Registry to protect the personal contact information of those who registered to be excluded from businesses’ that conduct telemarketing efforts. 

What happens if I don’t comply with PDPA?

Companies that fail to comply with the PDPA can face fines of up to 1 million SGD ($724,853 USD) or 10% of a company’s annual revenue if it exceeds 10 million SGD.

Complying with data protection laws in 2022 

Every B2B business must remain cognizant of both national and international data protection laws if they want to avoid damaging their brand’s reputation, costly fines, and — in the most egregious cases — jail time.  

This not only applies to your own data but also to any data aggregator vendors you rely on for sourcing or enriching data. That’s why it is best to use a fully SOC-2, GDPR and CCPA compliant company like UserGems. 

Looking to up-level your sales and marketing efforts from a company committed to upholding the highest security standards? Request a free demo.  

Want to get more pipeline with less work?