Everything You Need to Know About CCPA and Email Marketing

On May 11, 2023
7 min read
Piotr Malek Technical Content Writer @ Mailtrap

The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020. And it’s just as significant as you would expect a law fueled by the Cambridge Analytica scandal to be. 

This all happened a year and a half after the General Data Protection Regulation (GDPR) caused sleepless nights for millions of marketers around the world. But what does the change in consumer rights in terms of privacy protection mean for you? How can you make sure you are compliant and applying the rules of CCPA in email marketing? Let this article teach you!

Disclaimer: CCPA is not to be confused with the California Privacy Rights Act (CPRA), which builds upon and amends the CCPA, introducing additional provisions and expanding privacy rights for California residents. This act came into effect on January 1, 2023.

Do you need to worry about CCPA?

CCPA may seem like a simple regional law that doesn’t impact anyone outside of the US. However, it’s much more than that.

You see, while California is only one of 50 US states, its population of nearly 40 million people is higher than that of Poland, Canada, Malaysia, and 150+ other countries. So, if California were a sovereign country, it would be the world’s fifth-largest economy, beating even the United Kingdom.

Most online businesses can’t ignore such significant changes to local legislation in a state as important as California. Even if their headquarters are in another state or country, they’re very likely to have Californian customers, which obliges them to follow certain procedures when processing those customers’ data.

Who should pay special attention to CCPA requirements? Companies that meet any of the following criteria:

  • Have a gross annual revenue higher than $25M
  • Buy, sell, receive, or share the personal data of at least 50,000 Californian residents, households, or devices
  • Make more than 50% of their annual revenue by selling the data of Californian customers

Smaller businesses whose customers are primarily located outside the state of California may be exempt from the new law. The same applies to brick-and-mortar stores located far away from the Golden State.

Also, certain exceptions can apply to data under other data privacy laws, such as HIPAA.

Everyone else should exercise due diligence to ensure they’re already CCPA-compliant.

How to be CCPA-compliant

CCPA is not some kind of breakthrough in the realm of privacy laws. In many ways, it’s similar to GDPR and implements similar mechanics to protect resident data. Therefore, if you’re already compliant with GDPR regulations, it should be fairly easy to make yourself compliant with CCPA regulations, as well.

Disclaimer: We’re pretty good at providing a platform that covers all email-related needs, but this law isn’t our field of expertise by any means. So, please don’t consider this article a piece of legal advice. Also, we strongly recommend consulting a lawyer to discuss the individual needs of your business.

That being said, here are some of the main things to keep in mind:

Be ready to share where you get consumer data from

Under CCPA, Californian customers can request to know the following at any time:

  • What categories of personal information/data you obtain through data collection
  • The source of your data
  • How you are using the data

If you change the way you use a specific category of data and it’s not covered in your privacy policy, you need to communicate this change to interested parties along with providing all the necessary information on consumers’ privacy rights.

So, be ready to handle these types of requests for information: under CCPA, you need to respond to each request within 10 days, and that response must state how the request will be handled and when a full answer can be expected.

Make it easy to delete consumers’ personal information upon request

As was the case with GDPR, under CCPA, a resident of California can choose to have (nearly) all of their data permanently deleted by you and by any third-party service providers you shared it with. This is often referred to as a request to delete.

Of course, there are certain exceptions to this rule, but all other information must go if a customer so wishes.

That being said, you need to have a mechanism in place to quickly remove all the sensitive information and contact information you collect (name, email address, phone number, social security number, driver’s license number, credit card number, biometric data, IP address, geolocation data and other digital identifiers, employment data, etc.) when necessary, and to remove the consumer who requested the deletion from your email list.

Also, for both ‘know’ and ‘delete’ consumer requests, you will need a reliable way to verify the identity of the consumer making the request.

More about how to handle this issue can be found on page 18 of the CCPA text.

Use extra care when selling a customer’s data

Selling data has been a common practice, and now the CCPA finally regulates it. 

So, while you can continue the sale of personal information, you will need to follow certain procedures.

First, you must clearly communicate to consumers exactly which data you will sell and give them a visible “Do Not Sell My Data” button somewhere on your page so they can opt out.

Then, you must also reveal to whom their data is sold upon request.

If you’re not comfortable doing any of the above, consider ceasing the sale of user data.

Update your privacy policy and be transparent about this change

Consider updating your privacy policy with all relevant changes, and in it, clarify consumer rights regarding data protection and how they can be executed. Also, state how user data is used.

While updating, refrain from using technical or legal jargon in stating what has changed. Instead, write everything in clear, straightforward, and understandable language, especially for those who are less tech-savvy.

CCPA also explicitly indicates that your privacy policy terms need to be easily accessible to people with disabilities, and on any device the customer uses, so they can familiarize themselves with the terms.

If they’re not, the minimum you will have to do is provide clear instructions on accessing an alternative version.

Treat every customer as though they have California privacy rights

Laws change quite abruptly, and other US state legislators are already creating laws similar to the California law. On top of that, there’s also talk of a new federal law that would apply the conditions outlined in CCPA to all other US states and territories.

With that said, think about whether you know exactly where each of your consumers resides at the moment. Only a few companies do. And, even if you’re not directly impacted by the law (yet), you should work on your compliance with it.

The basics of CCPA

To recap, here are the primary rights granted to California residents under CCPA:

  • To know what personal information is collected and how it is used
  • To know if and to whom personal data has been sold or disclosed and to opt out of this practice 
  • To access personal information
  • To enjoy non-discrimination when exercising their privacy rights
  • To sue for illegal distribution of personal information

If you’re found in breach of any of these rules, you may be fined:

  • $2,500 for unintentional violations; $7,500 for intentional violations
  • $100-$750 for each resident and incident, or actual damages; whichever is greater

While these numbers might not seem significant, they can be if numerous people are affected. 

Let’s do some quick math!

87 million people were affected by the Facebook-Cambridge Analytica scandal. Assuming that 12% of them lived in California (CA residents make up approximately 12% of the US population), that’s 10.44 million data breaches. So, if Californians had CCPA rights at that time, these breaches would’ve set Facebook back by one to eight billion dollars.

Differences between CCPA and GDPR

We pointed out earlier that CCPA and GDPR are similar but that there are also some key distinctions between the two (besides the geographical region the laws apply to, of course):

  • GDPR affects organizations of all sizes doing business in the European Union (non-profits included). Various for-profit businesses and nearly all non-profits are excluded from CCPA because they don’t meet any of the three criteria we mentioned earlier.
  • Both laws give consumers the right to delete their personal data from the record. However, only GDPR gives them the right to amend the data, as well. Of course, CCPA doesn’t discourage it, but there’s no mention of this right in its current iteration.
  • Under GDPR, parents of children under 16 must consent to data processing in an online environment. CCPA gives anyone aged 13 years or older the right to consent on their own.
  • GDPR is a lot more specific on the technical aspects of data protection – it gives clear indications on how to collect data and which practices one should avoid. CCPA is more focused on clarifying the rights of the resident, as well as the privacy and security obligations of businesses. It doesn’t give precise technical instructions in its current iteration.

How CCPA applies to email marketing

While CCPA doesn’t directly regulate email marketing, its rules are relevant to this activity as the personal information the law refers to can include email addresses and other data collected through email marketing. 

So, if your business falls under the CCPA scope, make sure to carefully review the law’s requirements (with the help of a legal professional or privacy expert) and ensure you comply with its provisions as they relate to email marketing.

Here are some key CCPA email marketing aspects to keep in mind that might affect your practices:

  • Provide a notice before or when collecting personal information, which includes email addresses, and state how the information will be used, as well as link to your privacy policy.
  • Inform consumers about their CCPA-granted rights and give them mechanisms for exercising them when collecting personal information, including email addresses, for marketing purposes.
  • Provide consumers with the option to submit an opt-out request in case you are selling or sharing consumers’ personal information, including email addresses.
  • Provide consumers with the option to submit an opt-out request in case they want to stop receiving marketing emails from you or any third parties you sold or transferred their email addresses to.
  • Safeguard the email addresses you collected along with the rest of the personal information of your consumers.
  • Review and evaluate the privacy policies and data collection practices of third parties with access to your consumers’ data, including email addresses, and mention those parties in your privacy policy.
  • Require an email service provider to sign a “service provider agreement” obliging them to comply with CCPA before sharing consumer email addresses with them.
  • Ensure that you follow the “purpose limitation” provision of the CCPA and use consumer email addresses only for the purposes you stated when collecting them.
  • Stop sending any emails once a consumer asks to have their personal information deleted or unsubscribes, and inform all third parties to which you sold or transferred their email address of this as well.

Wrapping up

As of July 1st, 2020, the California Attorney General’s office started enforcing CCPA and punishing any violations. This means that everyone working in email marketing or other marketing fields, as well as business owners, needs to have already sorted out their CCPA compliance status.

Also, just like California, Nevada has implemented similar measures, and more states were expected to begin drafting similar laws in 2020.

Inevitably, the whole of the US will be covered by similar privacy legislation in the near future. So, even if you’re not directly affected just yet, the time is now to become compliant and apply the rules of CCPA in email marketing!

Disclaimer: The information provided in this text should be accurate. However, it should be noted that as privacy laws and privacy regulations do change over time, it’s essential to consult the most up-to-date sources or legal professionals for the latest information on things like CCPA’s enforcement status in Nevada, the future expansion of similar laws across the U.S., and other things mentioned.

Want to learn more about legal matters, specifically email marketing laws? Then check out our article covering CAN-SPAM, GDPR, CCPA, HIPAA, and more.
