
GDPR + CCPA in Your CRM: What Marketing Teams Keep Getting Wrong

Consent management isn't just a legal requirement — it's a data quality issue. Bad compliance practices corrupt your segmentation, tank deliverability, and expose you to significant fines.

Why this matters beyond legal risk

Most marketing teams treat GDPR and CCPA as a legal department problem. The compliance team sets policies, legal reviews the privacy notice, and marketing carries on. The result is compliance theatre that doesn't actually protect the company and actively damages data quality.

When consent isn't properly captured and stored in your CRM, you lose the ability to segment by consent type, your suppression lists are unreliable, and any third-party integration becomes a liability. The data quality problems cascade in ways that hurt campaign performance long before any regulator comes knocking.

The consent data model most CRMs get wrong

Most CRM implementations capture consent as a binary checkbox: subscribed/unsubscribed. GDPR requires much more granularity: what they consented to, when they consented, how they consented (which form, which version of the privacy notice), and the lawful basis for any processing that isn't covered by explicit consent.

The right data model stores: consent type (marketing, transactional, analytics), consent source (form ID, version), consent timestamp, consent IP address (for audit purposes), and opt-out timestamp if applicable.

The GDPR fine that most teams don't expect: The largest fines aren't for data breaches — they're for inadequate consent records. If you can't demonstrate exactly when and how a contact consented to a specific type of communication, you can't defend a subject access request or a supervisory authority investigation.

The five most common compliance failures

Pre-ticked consent boxes — Still appearing on forms at a surprising rate. Under GDPR, consent must be explicit and affirmative. Pre-ticked boxes are invalid consent.

Bundled consent — One checkbox for "I agree to your terms and I consent to marketing communications." These are separate matters and require separate consent captures.

No consent record — Storing that someone subscribed but not the source form, timestamp, or privacy notice version they agreed to. Useless in an audit.

Legitimate interest over-reach — Using legitimate interest as the lawful basis for outbound cold email. Legitimate interest does not cover this under GDPR, and supervisory authorities have enforced against it.

No CCPA opt-out mechanism — US companies with California customers must provide a "Do Not Sell My Personal Information" link and process. Not having this functional and properly connected to your CRM is a straightforward violation.

Building it right in your CRM

In Salesforce and HubSpot, this means custom objects or custom fields for consent records, form configurations that capture source and timestamp, and suppression lists that run off consent type rather than a single subscription status field. The build takes one to two weeks but creates compliance infrastructure that will scale with your database.
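As an added illustration (not code from this post, nor from Salesforce or HubSpot), the consent data model described above as a small Python ledger: one event per consent type, append-only, with suppression evaluated per type and an audit trail for subject access requests. The contact names, form IDs, notice versions and IP addresses are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

CONSENT_TYPES = {"marketing", "transactional", "analytics"}

@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    consent_type: str         # exactly one type per event: no bundled consent
    action: str               # "grant" or "withdraw"
    captured_at: datetime
    source_form: str          # form that produced the event
    notice_version: str       # privacy notice version shown at capture
    ip_address: str           # retained for audit purposes only
    affirmative: bool = True  # False models a pre-ticked box; never valid consent

class ConsentLedger:
    """Append-only ledger: consent is never overwritten, only added to."""
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.consent_type not in CONSENT_TYPES:
            raise ValueError(f"unknown consent type: {event.consent_type}")
        if event.action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action: {event.action}")
        self._events.append(event)

    def can_contact(self, contact_id: str, consent_type: str) -> bool:
        # Latest event for this contact and type wins; a non-affirmative grant never counts.
        last = max((e for e in self._events
                    if e.contact_id == contact_id and e.consent_type == consent_type),
                   key=lambda e: e.captured_at, default=None)
        return last is not None and last.action == "grant" and last.affirmative

    def suppression_list(self, consent_type: str) -> set[str]:
        # Suppression is evaluated per consent type, not from one subscribed flag.
        return {c for c in {e.contact_id for e in self._events}
                if not self.can_contact(c, consent_type)}

    def audit_trail(self, contact_id: str) -> list[ConsentEvent]:
        # Everything you would produce for a subject access request, in order.
        return sorted((e for e in self._events if e.contact_id == contact_id),
                      key=lambda e: e.captured_at)

def build_sample_ledger() -> ConsentLedger:
    """Constructed sample events (not real contacts) exercising the edge cases."""
    t = lambda h: datetime(2024, 5, 1, h, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("alice", "marketing", "grant", t(9), "newsletter-v3", "pn-2.1", "203.0.113.5"))
    ledger.record(ConsentEvent("bob", "marketing", "grant", t(10), "checkout-v1", "pn-2.1", "203.0.113.6", affirmative=False))
    ledger.record(ConsentEvent("carol", "marketing", "grant", t(8), "webinar-v2", "pn-2.0", "203.0.113.7"))
    ledger.record(ConsentEvent("carol", "transactional", "grant", t(8), "webinar-v2", "pn-2.0", "203.0.113.7"))
    ledger.record(ConsentEvent("carol", "marketing", "withdraw", t(11), "unsubscribe-link", "pn-2.1", "203.0.113.7"))
    return ledger
```

With the sample data, bob's pre-ticked grant and carol's later withdrawal both land on the marketing suppression list, while carol's transactional consent is unaffected.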

Ready to fix this in your own stack?

Start with a free 45-minute assessment. We'll review your current setup and tell you exactly where the leverage is.

Book Free Assessment →