CCPA. CPRA. Both big acronyms. Both big California privacy laws. But do they both also have big impacts on your email marketing? The answer is, it depends.
First the good news. These laws only apply to companies that meet specific criteria. Many smaller businesses with customers or email subscribers in California won’t have to worry about them.
Even if the laws do apply to your business, you won’t have to make too many changes to your email marketing processes if you’re already compliant with GDPR.
To be on the safe side, read on to learn what CCPA and CPRA entail, if they apply to your business, the penalties and requirements involved, and how the acts are similar and different from GDPR. Then scroll all the way down for a CCPA and CPRA checklist.
This article contains our insights about CCPA and CPRA; however, please do not consider it legal advice. We strongly recommend consulting a lawyer to discuss the individual needs of your business.
CCPA stands for California Consumer Privacy Act. The act gives individuals who reside in California, even if they are temporarily out of state, more control over the personal information that businesses collect about them.
The laws give residents the right to know what data is being collected about them, to delete the data, and to opt out of the sale of their data.
In the context of CCPA, the term “personal information” includes data that you likely use in your email marketing, such as names, email addresses, IP addresses, and geolocation data. If the act applies to your business, you’ll have to ensure that your email marketing practices comply.
The term also covers but is not limited to social security numbers, driver’s license numbers, credit card numbers, biometric data, professional or employment information, and other information that is not publicly available.
If the CCPA is like the original data privacy guardian, the CPRA is the upgraded version. It's the next level of data protection, giving Californians even more control over their personal information.
The CPRA gives California residents special protection for "sensitive personal information" like their precise location. Plus, it introduces a new "right to correct" inaccurate consumer data and tightens rules around how long companies can keep your information.
So, the CPRA builds on the foundation laid by the CCPA, providing stronger protections and ensuring that your personal data remains private and secure.
Here’s the good news, especially if you’re a small business: Not all companies with customers in California have to adhere to CCPA and CPRA.
The acts only apply if you meet the following conditions:
You are a for-profit entity
You conduct your business in California (if you collect personal data of California residents, that includes you)
You meet one or more of these conditions:
You earn gross annual revenue of over USD 25 million
You buy, receive or sell the personal information of 100,000 or more California residents, households, or devices per year
You derive 50% or more of your annual revenue from selling California residents’ personal information
If these conditions describe your business, read on for important compliance information. If they don't apply to you, feel free to keep learning by reading more, or check out this article to learn about email marketing laws and regulations that probably do apply, such as CAN-SPAM and GDPR.
Ok, back to business. Here are the key requirements to help your email marketing comply with CCPA and CPRA, along with some practical insights and a compliance checklist.
Before starting to collect personal information of California residents, you should provide them with a “notice at collection.”
This term is explained in the CCPA and further clarified under CPRA Regulations as “the notice given by a business to a consumer at or before the point at which a business collects personal information from the consumer.”
The notice at collection is usually a page on your website that provides more information about how you use a consumer’s personal data. It must list the categories of personal information you collect about consumers and the purposes for which you use such information, including for email marketing.
Make this page easy to find by linking to the notice in your website’s footer or including the relevant details directly in your privacy policy. This way, users can easily access and understand how their personal information is being collected and used.
If you sell consumers’ personal information, your notice at collection should include a Do Not Sell link as well as the link to your Privacy Policy.
Under the CPRA, if you collect sensitive personal information, you should additionally provide a clear link allowing consumers to limit the use of their sensitive personal information.
Below is an example of what AGCO Corporation’s notice at collection looks like. This is a good example because it contains:
Links to the needed information in the notice at collection
Links to what personal information is collected and for what purpose
Links to use the ‘Do Not Sell My Personal Information’ option
Links to the California Privacy Notice and the general Privacy Policy
Here are other good examples of notices at collection: The Standard, Experis.
If the CCPA and CPRA apply to your business, make sure that you comply with these 5 main California resident rights, and include them in your Privacy Policy.
The right to know what personal information your business collects about California residents and how it’s used and shared.
The right to delete personal information collected from consumers.
The right to opt out of the sale of personal information.
The right to non-discrimination for exercising their CCPA rights.
The right to correct inaccurate personal information (new under CPRA).
Your Privacy Policy may include information about the third parties to which the consumer’s personal information is transferred. Therefore, you may use this statement about MailerLite in your Privacy Policy:
“We use MailerLite to manage our email marketing subscriber list and to send emails to our subscribers. MailerLite is a third-party provider, which may collect and process your data using industry-standard technologies to help us monitor and improve our newsletter. MailerLite’s Privacy Policy is available at https://www.mailerlite.com/legal/privacy-policy. You can unsubscribe from our newsletter by clicking on the unsubscribe link provided at the end of each newsletter.”
California residents should be allowed to contact you via at least two different contact methods (e.g. contact form, email, phone) to ask for:
The exact personal information you have collected about them
Where you collected this information
For what purpose you use the information
The information you sell or disclose to third parties and who the third parties are
This information should be provided free of charge for the 12-month period preceding the request and within 45 days from receiving it, although in some cases the period might be extended for 45 more days.
Do you track where your consumers reside at the moment? For most companies, the answer is ‘no’. Therefore, in cases where your client wants to know about or delete their personal information, you should treat them as a California resident.
California residents should be allowed to contact you via at least two different contact methods to ask for the deletion of their personal data.
You should make sure that you respond to their request within 45 days of receiving it, although in some cases this period might be extended for 45 more days.
Have a mechanism in place to map all the information you collect about each consumer. This makes it much easier to provide the consumer with their collected information, or to delete it from your databases, when a request arrives.
If you use MailerLite, you can check how to see and delete all saved information about your subscribers in the video tutorial below. The same GDPR tools also apply to CCPA requests.
If you sell the personal information of your customers, you should provide a ‘Do Not Sell My Personal Information’ link on your website so your clients can submit their opt-out request.
You should also include the same link in your Privacy Policy, as well as information about how people can opt out.
If you don’t sell your customers’ personal information, make this clear in your Privacy Policy.
Usually the ‘Do Not Sell My Personal Information’ link is provided at the bottom of the website. T-Mobile and Bloomingdale's are both good examples; you can see them below.
If you sell the personal information of minors (13-16 years old), you should receive prior consent from them before selling their information.
If minors are younger than 13 years old, it is necessary to obtain consent from their parents or guardians. Ensure that you keep the consents saved in your databases in case you ever need to prove that such consents were obtained.
Ensure that you won’t discriminate against customers if they decide to exercise any of the above rights. Non-discrimination means that you will continue to provide the same services to customers who exercise their rights: You can’t offer different prices, goods, or levels of quality.
Keep in mind that if a person contacts you asking to see or delete their personal information, or to opt out of the sale of their personal information, you should first verify their identity and determine that this person is actually who they say they are. Do not rush to perform a person's request without double-checking and verifying them.
The CPRA introduces a new right allowing consumers to request corrections to inaccurate personal information. Similar to the other rights, businesses must provide a method for consumers to submit these requests and then respond to them promptly.
Implement a straightforward process for consumers to request corrections to their inaccurate personal information. Ensure your system for updating records is efficient and accessible.
Consider adding a section to your Privacy Policy detailing how consumers can submit correction requests, including contact methods and required information. Regularly review and audit your data accuracy practices to minimize errors and ensure compliance.
If they apply to your business, CCPA and CPRA will call for some tweaks to your daily practices, including your email marketing.
Here are the things to keep in mind when sending your regular marketing emails.
If the consumer asks to delete their personal information, this includes their email address. You can no longer send any emails to this consumer and you should inform all third parties to which you sold or transferred the email address accordingly.
You should also delete all data related to their email. Make sure to have a mechanism in place to map all the data that’s related to each subscriber. MailerLite customers can use our Forget feature to remove all of a subscriber’s data.
Every consumer should be allowed to opt out of marketing emails from both you and all third parties to which you sold the consumer’s email.
The CCPA has a broad definition of the terms ‘sell’, ‘selling’, ‘sale’, or ‘sold.’ It covers selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
Ensure your opt-out mechanisms cover all aspects of data collection and sharing.
The CPRA introduces the right for consumers to request corrections to inaccurate personal information. Ensure your system can handle these requests efficiently. This means having a process in place to update or correct subscriber information as needed.
Your Privacy Policy must clearly outline what data is collected, how it is used, and with whom it is shared. For email marketing, this means detailing how personal information is used in your campaigns and how consumers can exercise their rights.
Ensure that consumers who exercise their privacy rights are not discriminated against. This means providing the same level of service and not offering different prices or quality based on whether consumers opt out of data sales or request the deletion of their information.
The CPRA introduces special provisions for sensitive personal information (e.g., race, religion, or genetic data). If your email marketing collects or uses such data, you must provide additional disclosures and obtain explicit consent for its use.
If you violate CCPA or CPRA, you get 30 days to resolve the issue. If it is not resolved, you will receive a fine.
These penalties can be substantial. Under the CCPA, the penalty is up to USD 2,500 per unintentional violation and up to USD 7,500 per intentional violation.
Additionally, California consumers can sue if you are subject to a data breach where non-encrypted and non-redacted personal information is stolen as a result of your failure to maintain reasonable security procedures and practices to protect it.
Your consumers might sue you for the actual monetary damages they have suffered, or for statutory damages of up to USD 750 per incident.
In case of suing for statutory damages, the consumer should offer written notice of which CCPA or CPRA sections were violated and give you 30 days to make a written statement that you have solved the violations and that no further violations will occur.
Though a fine of USD 750 doesn’t seem that high, if you have 10,000 clients and all of their data was lost, you are looking at USD 7,500,000!
The CPRA, which amends and expands the CCPA, carries similar penalties for violations. The CPRA also introduces the California Privacy Protection Agency (CPPA), which enforces these regulations and may impose fines and penalties for non-compliance.
At some point throughout this article you might have thought: “So how does the CCPA differ from the GDPR?” Good question. Let’s have a look.
There are many similarities. Both acts relate to the security of your customers’ personal information. Complying with CCPA will be way easier if you are already compliant with GDPR.
You should be well-prepared to comply with CCPA if you have already:
Educated yourself about data protection best practices
Prepared a Privacy Policy
Implemented practices to help consumers know and delete all collected personal information
Implemented organizational and technical security measures around data
How about the differences?
| CCPA | GDPR |
|---|---|
| Applicable to for-profit businesses (that meet certain requirements) that collect personal information directly from California residents. | Applicable to all data collected about EU citizens and residents. |
| CCPA penalties have no ceiling and are assessed on a per-violation basis. | GDPR penalties for data breaches are capped based on a company’s annual revenue. |
| CCPA does not require consent to collect personal data; it just allows consumers to opt out. | GDPR requires consumers’ consent (opt-in). |
| CCPA only requires giving consumers a notice before the sale and transfer of their data. | Under GDPR, a business should receive consent in order to transfer personal data to third parties. |
Both GDPR and CCPA were created to protect the personal information of consumers. As CCPA was created after GDPR, it is believed to have adopted GDPR’s best practices in order to protect California residents.
If you are preparing to be compliant with CCPA and CPRA, don't forget to make sure that you have implemented all of the mandatory requirements. To help you with this, we prepared a CCPA and CPRA compliance checklist.
✅ Make sure that CCPA and CPRA apply to you.
✅ Supplement your Privacy Policy by describing the five main rights and how you implement them. State how user data is being collected, shared, and used.
✅ Prepare and publish your notice at collection.
✅ If you sell the personal data of California residents, have a mechanism ready that collects consent of minors (13-16 years can consent themselves, those younger than 13 years old should ask for their parents’ or guardians’ consent).
✅ Prepare at least two contact methods such as email, customer support, or website forms that your customers can use to contact you if they want to know what personal information you collect, opt out of data sales, or ask for a deletion of this information.
✅ Introduce an internal system for the identity verification of consumers making any of the requests.
✅ In case consumers want to know or delete their personal information, have an internal procedure in place to be able to map all of the information collected about each consumer.
✅ Prepare a Do Not Sell My Personal Information link on your website.
✅ Evaluate security risks and implement the appropriate technical and organizational measures to ensure a level of security.
✅ Ensure that you have a process in place to respond to consumer rights requests within the required timeframes, such as 45 days, with possible extensions.
✅ Facilitate consumer access to personal data and provide it in a portable format.
✅ Perform regular audits to ensure ongoing compliance.
Finally, here are some common questions about how California privacy laws relate to email marketing.
MailerLite has plenty of tools to help with CCPA and CPRA compliance in email marketing.
We make it easy for you to find and amend a customer’s data. Plus, we store information about when people who join your email list consented to have their information collected. In addition, MailerLite allows you to create subscription forms that include explicit consent checkboxes and we help you manage and track subscriber consent, which is crucial for compliance with these laws.
We also have a ‘Forget Me’ setting that deletes all the information you have about a particular subscriber.
MailerLite automatically includes unsubscribe links in every email campaign, which is a key requirement under CCPA, CPRA, and other regulations to allow users to easily opt out of future communications.
At MailerLite we also provide options to export subscriber data, making it easier to fulfill data access requests from consumers who want to know what information you have about them.
The CAN-SPAM Act is a federal law that businesses sending commercial email in the U.S. must follow. It is separate from the CCPA and CPRA, but since California is in the U.S. you must also follow this law. Its main goal is to reduce the volume of unsolicited and unwanted spam emails and provide consumers with better control over the marketing messages they receive.
You can stay compliant with CAN-SPAM by:
Including a physical address in your email
Including an unsubscribe link in your email
Using accurate From, To and Reply-to header information
Using subject lines that clearly relate to the email’s content
Clarifying when an email is an advertisement
Monitoring and responding to unsubscribe requests
These are all email marketing best practices that most email service providers make it easy to comply with.
Many small businesses won’t be impacted by CCPA and CPRA. The two acts only affect companies that meet the following criteria.
Are a for-profit entity; and
Conduct business in California (to be explicit, if you collect personal data of California residents); and
Meet at least one of these conditions:
Earn gross annual revenue of over USD 25 million
Buy, receive or sell the personal information of 100,000 or more California residents, households, or devices per year
Derive 50% or more of your annual revenue from selling California residents’ personal information
If you don’t meet the above criteria, you don’t have to worry about the laws. That said, if you plan to grow your business, it’s never too early to start thinking about how you will implement them once you meet the requirements.
You don’t strictly need prior consent to collect email addresses, or other types of personal data, under California law. The focus is more on ensuring transparency and giving consumers control over their personal information.
The exception is that you must receive prior consent if you sell the personal data of minors aged 13 to 16. For those under 13, you must collect consent from their parents or guardians.
In practice, this means that unless you have a way of knowing someone’s age before collecting their email address, it’s safer to collect consent from everyone who signs up to your list if you plan to sell their data.
You must also provide information about the type of data you collect and how you use this data via a Notice at Collection that is easy to find, either in your privacy policy or on a separate page on your website.
Remember that under CCPA and CPRA, you need to provide consumers with the right to access, delete, and opt out of the sale of their personal data. Ensure that your consent practices align with these rights by allowing recipients to exercise these rights easily.
Do you have questions about CCPA? Let me know in the comments; I’m available to answer any questions.