TrackyrBILTAI
Start hunting

// Guide

GDPR and CCPA for Outreach Data: A Practical Primer

Last verified · 2026-06-24

The short answer

GDPR (EU/UK) and CCPA/CPRA (California) give people rights over their personal data, including access and deletion, and require a lawful basis or disclosure for processing it. For outreach, this means tracking data provenance, honoring opt-outs and deletion requests, and limiting use to what you can justify. This is not legal advice — consult counsel. Trackyr records provenance and supports public DSAR requests.

Two regimes, overlapping ideas

GDPR governs personal data of people in the EU and UK; CCPA/CPRA governs California residents. They differ in detail, but both grant data-subject rights and expect you to know what data you hold, where it came from, and why you're processing it.

This is an educational overview, not legal advice. Applicability depends on who you contact and where. Consult a privacy attorney before relying on any approach.

Lawful basis and disclosure

Under GDPR you generally need a lawful basis (such as legitimate interest, assessed and documented) to process personal data for outreach. CCPA leans on disclosure and opt-out rights rather than upfront consent. Either way, 'we bought a list' is not a strategy.

Honor the rights

  • Right of access: tell a person what data you hold about them.
  • Right to deletion / erasure: remove their data on valid request.
  • Right to opt out: stop processing or selling on request.
  • Right to correction: fix inaccurate records.

Why provenance is the foundation

You can't answer a data-subject request if you don't know where a record came from. Trackyr attaches provenance (which engine, which public source) to every contact from the first scrape, so you can trace and justify each record when asked.

Deletion and DSAR handling

A data subject access request (DSAR) or deletion request must be actioned within the timelines the law sets. Trackyr exposes a public DSAR path and sub-minute suppression so requests propagate quickly across your pulls.

More on this topic: Compliance

// Common questions

Answered.

Does GDPR apply if my company is based in the US?+

It can. GDPR follows the data subject, not the sender. If you process data of people in the EU/UK, it may apply regardless of where you are. Confirm with counsel.

What's a DSAR?+

A Data Subject Access Request — a person asking what data you hold about them, or asking you to delete it. You must respond within statutory timelines.

How does provenance help with compliance?+

Provenance lets you trace each contact to its public source, which is essential for answering access requests and justifying your lawful basis or disclosure.

Trackyr

Put it into practice.

Verified creator + B2B contacts, one shared pool, paid only for what you use.

Start hunting →