Regulations like GDPR and CCPA do not apply to the collection and use of intent data because there is no correlation between the data collected and an individual's PII.

The key idea is that these regulations protect personal data, not just data that explicitly names someone. Personal data means any information relating to an identifiable person or to someone who can be identified, directly or indirectly. Intent data—such as what pages a person viewed, what actions they took, or what products they showed interest in—can reveal who a person is or what they care about, especially when it’s tied to identifiers like cookies, device IDs, IP addresses, or an account. Because it can be linked to an individual or used to build a profile, GDPR and CCPA can apply to intent data. The data doesn’t have to include a name to fall under these laws; the ability to identify or reasonably link the data to a person is what matters. If the data were truly anonymized in a way that no longer allows identification or linkage, it might fall outside, but that’s not the typical scenario for intent data collected in marketing contexts.