The Regulatory Landscape
GDPR (EU, in force since 2018, refined by CJEU rulings). CPRA (California, full enforcement since 2024). India’s DPDP Act (effective 2025). Singapore PDPA. Saudi Arabia PDPL. China PIPL. Brazil LGPD. The EU AI Act overlays AI-specific rules on top of these: Article 5 prohibitions in force February 2025, Article 6 high-risk obligations effective August 2026. Enterprise CRMs sit at the intersection of every framework because they hold the personal data that triggers them. The 2025 CJEU Schrems-II follow-up rulings narrowed permissible third-country transfers further, and the EU-US Data Privacy Framework remains under continuous legal challenge.
Consent Management
Granular consent per data use is the standard, not blanket “we may use your data” language. Unsubscribe and opt-out must be honored across every system the contact touches — the marketing platform, the CRM, the analytics warehouse, the AI training corpus. AI-training use requires explicit consent in most jurisdictions; the EU EDPB’s December 2024 opinion on training data made clear that legitimate interest is not a free pass. Consent management platforms — OneTrust, Cookiebot, Iubenda, Didomi, Ketch — integrate with Salesforce, Dynamics 365, and HubSpot as the source of truth for consent state. The contract pattern: CMP holds the consent record, CRM reads it on every send.
Consent record (canonical shape)
contact_id: ct-77821
purpose: marketing_email
status: granted
granted_at: 2026-02-14T09:21:00Z
proof_method: double_opt_in_link_clicked
withdrawn_at: null
last_validated: 2026-04-15
ai_training_use: denied (default)
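As an added example (not part of the original page), a deny-by-default consent gate that a sending system runs against the CMP record above before every send, including the explicit-consent rule for AI-training use. The check_consent name, the helper functions and the 365-day revalidation window are assumptions for illustration.

```python
from datetime import date, datetime, timedelta

# Constructed record mirroring the canonical shape shown above. The CMP holds it;
# every system that sends or trains calls check_consent() instead of caching a flag.
CONSENT_RECORD = {
    "contact_id": "ct-77821",
    "purpose": "marketing_email",
    "status": "granted",
    "granted_at": "2026-02-14T09:21:00Z",
    "proof_method": "double_opt_in_link_clicked",
    "withdrawn_at": None,
    "last_validated": "2026-04-15",
    "ai_training_use": "denied",  # also the default when the field is absent
}

# Assumed policy (illustrative value): a record not re-validated within this
# window is treated as stale and must be refreshed before it is relied on.
REVALIDATION_WINDOW = timedelta(days=365)


def at(iso_utc: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2026-05-01T00:00:00Z."""
    return datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))


def check_consent(record: dict, purpose: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Every gate must pass; anything unclear is a deny."""
    if purpose == "ai_training":
        # Training use needs explicit consent; a missing field means denied.
        if record.get("ai_training_use") != "granted":
            return False, "ai_training_use not explicitly granted"
    elif record.get("purpose") != purpose:
        return False, f"no consent record for purpose {purpose!r}"
    if record.get("status") != "granted":
        return False, f"status is {record.get('status')!r}"
    if record.get("withdrawn_at") is not None:
        return False, "consent withdrawn"  # withdrawal overrides every other field
    if not record.get("proof_method"):
        return False, "no proof of consent recorded"
    validated = date.fromisoformat(record["last_validated"])
    if now.date() - validated > REVALIDATION_WINDOW:
        return False, "consent record stale; revalidate before use"
    return True, "ok"


if __name__ == "__main__":
    now = at("2026-05-01T00:00:00Z")
    for purpose in ("marketing_email", "ai_training", "sms"):
        print(purpose, check_consent(CONSENT_RECORD, purpose, now))
```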
Data Subject Rights
Access, rectification, erasure, portability, objection, automated-decision restriction. The CRM must support all six. Erasure is the hard one — it must cascade across integrations, backups, analytics warehouses, AI training corpora, vector embeddings, and prompt caches. The 30-day default (extendable to 90) under GDPR Article 12 applies. Subject access requests under Article 15 must include the categories of recipients and the retention periods. Salesforce, HubSpot, and Dynamics 365 all ship native DSAR workflows; the gap is usually the downstream systems that copy CRM data without re-implementing erasure.
AI Act Intersection
Automated decisioning that produces legal or similarly significant effects on a data subject triggers GDPR Article 22 protections — the right not to be subject to such decisions, the right to obtain human intervention, and the right to contest. Layered on top of that, the EU AI Act treats CRM AI use cases under Annex III: credit scoring, employment selection, access to essential services, and law enforcement predictions are explicitly named. Article 14 mandates documented human oversight; Article 13 mandates transparency; Article 27 requires fundamental rights impact assessments for deployers of high-risk systems. If your CRM AI sorts job applicants, ranks credit applications, or filters access to financial services, you are in scope.
What Changed in 2026
Three shifts: AI Act high-risk obligations begin August 2026, forcing many CRM AI deployers to complete conformity assessments; the India DPDP rules took effect mid-2025 and surfaced new India-specific consent and localization requirements; and US state privacy laws multiplied (Texas, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Delaware all in force), creating a patchwork that rivals the EU in complexity.
Common Failure Modes
The recurring failures: consent state held in only one system while five others ignore it, erasure stopping at the CRM and never reaching the analytics warehouse, AI-training use slipping past consent checks because the data scientist did not see the consent flag, and DSAR workflows that take 28 days to discover the data exists in three more systems nobody catalogued.
Cost Considerations
CMP licensing $20-150K depending on volume. DSAR tooling $15-80K. Privacy impact assessment work $50-200K initial, then per-product. AI Act conformity assessment for a high-risk system $100-500K. Budget the data-team capacity to maintain catalogs and enforce policies — typically one privacy engineer per 10 in-scope systems.
What to do this week
Pick one DSAR scenario — an erasure request from an EU customer with five years of CRM history. Walk it end-to-end with the data team. Time the steps. The longest step is the next investment.