Mailtrap Blog

Clarifying CCPA Email Rules

The California Consumer Privacy Act came into effect on January 1st, 2020. It’s just about as significant as you would expect from a law that resulted from the fallout of the Cambridge Analytica scandal. One and a half years after GDPR caused sleepless nights for millions of marketers around the world, the US is slowly catching up. What does it mean for you? How can you make sure your emails are CCPA compliant? Let me show you.

Do you need to worry about CCPA?

CCPA may seem like a simple regional law that wouldn’t impact anyone outside of the US. However, it’s much more than that.

While California is only one of 50 states, its population of nearly 40 million people is higher than that of Poland, Canada, Malaysia, and over 150 other countries. If California were a sovereign country, it would be the world’s fifth-largest economy, ahead of even the United Kingdom. Most online businesses can’t ignore such significant changes to local legislation.

Even if your headquarters are in another state or country, you’re very likely to have Californian customers and are obliged to follow certain procedures when processing their data.

The new law will specifically apply to companies that meet either of the following criteria:

Smaller businesses with customers that are primarily located outside the state of California may be excluded from the new law. The same will apply to brick-and-mortar stores that are located far away from the Golden State. Certain exceptions can also apply to data under other privacy laws, such as HIPAA.

Everyone else should exercise due diligence to ensure they’re already CCPA-compliant.

What are CCPA email requirements?

CCPA is not some kind of breakthrough in the realm of privacy laws. In many ways, it’s similar to GDPR and implements similar mechanics to protect resident data. Therefore, if you’re already compliant with GDPR, it should be fairly easy to make yourself compliant with CCPA, as well.

Disclaimer: We’re pretty good at email testing but the law isn’t our field of expertise by any means. While we share the most up-to-date information on CCPA, please don’t consider it a piece of legal advice. We strongly recommend consulting a lawyer to discuss the individual needs of your business.

That being said, here are some of the main things to keep in mind:

Be ready to share where you get user data from

Under CCPA, California customers can request to know the following at any time:

If you change the way you use a specific category of data and it’s not covered in your Privacy Policy, you need to communicate this change to interested parties.

Be ready to handle these requests for information. Under CCPA, you need to respond to each message concerning these requests within 10 days. In your response, you must specify how a request will be handled and when a response can be expected.

Make it easy to delete the data upon request

As was the case with GDPR, under CCPA a Californian resident can choose to have (nearly) all of their details deleted permanently. This is often referred to as a request to delete. There are certain exceptions to this rule, but all other information must go if a customer so chooses. Have a mechanism in place to quickly remove all the data if/when necessary.

For both ‘know’ and ‘delete’ requests, you will need to have a reliable way to verify the identity of a customer. More about how to handle this issue can be found on page 18 of the CCPA text.

Use extra care when selling a customer’s data

Selling data has been a common practice, and now the CCPA finally regulates it. You can continue to do it, but you will need to follow certain procedures.

You must clearly communicate to users the exact data you will use in this case. You will need to give them a visible “Do Not Sell My Data” button somewhere on your page so they can immediately opt-out from having their data sold. You must also reveal who their data is sold to upon request.

If you’re not comfortable doing any of the above, consider ceasing the sale of user data.

Update your privacy policy and be transparent about this change

Consider updating your policy with all relevant changes. Clarify user rights regarding data protection and how they can be executed. State how user data is used.

Refrain from using technical or legal jargon when stating what has changed. Write everything in clear, straightforward, and understandable language, especially for those who are less tech-savvy.

The new policy needs to be easily accessible, regardless of the customer’s device, so they can familiarize themselves with it. CCPA also explicitly indicates that the terms need to be easily accessible to people with disabilities. If they’re not, the minimum you will have to do is provide clear instructions on accessing an alternative version.

Treat every customer as though they lived in California

Laws change quite abruptly, and other states are already following in the footsteps of California legislators. There’s also talk of a new federal law that would apply the conditions implemented in CCPA to all other states and territories.

Do you know exactly where each of your contacts resides at the moment? Not many companies do. So, even if you’re not directly impacted by the law yet, you should work on your compliance with CCPA anyway. 


The basics of CCPA

To recap, here are the primary rights granted to California residents under CCPA:

If you’re found in breach of any of these rules, you may be fined:

While these numbers might not seem significant, they can be if numerous people are affected. Let’s do some quick math. 87 million people were affected by the Facebook-Cambridge Analytica scandal. Assuming that 12% lived in California (CA residents make up approximately 12% of the US population), that’s 10.44 million data breaches. If CCPA had been in place at that time, these breaches could have set Facebook back by one to eight billion dollars for every single one.

Differences between CCPA and GDPR

We pointed out earlier that both laws are similar, but there are also some key distinctions beyond the geographical aspect, of course.

Wrapping up

Although CCPA has already gone into effect, marketers and business owners have until July 1st, 2020 to sort out their compliance with the new law. This is when the California Attorney General’s office will start enforcing it and punishing any violations.

Nevada has implemented measures similar to California’s, and more states will begin processing similar laws in 2020. Inevitably, the whole of the US will be covered under similar laws in the near future. So, even if you’re not directly affected just yet, the time to act is now.
