When CCPA took effect in 2020, a mid-sized e-commerce company discovered they had no idea where all their customer email addresses lived. Marketing had a list. Sales had a different list. Customer service had another. The data warehouse had copies of everything. Responding to a single deletion request meant coordinating across seven different systems.
CCPA compliance isn't just about adding a privacy policy link. It requires understanding where personal data lives in your organization and building processes to honor consumer rights. For email marketers, this means rethinking how you collect, store, and use email addresses.
What CCPA requires
The California Consumer Privacy Act grants California residents specific rights regarding their personal data.
The right to know means consumers can request what personal information you've collected about them, where it came from, what you use it for, and who you've shared it with. For email, this includes their email address, engagement history, and any data derived from their email activity.
The right to delete means consumers can request you delete their personal information. With some exceptions, you must comply. This goes beyond unsubscribing—it means removing their data from your systems entirely.
The right to opt-out of sale means consumers can tell you not to sell their personal information. If you share email lists with partners or sell data to third parties, consumers can stop this.
The right to non-discrimination means you can't penalize consumers for exercising their rights. You can't charge more or provide worse service because someone opted out of data sales.
These rights apply to California residents regardless of where your business is located. If you have California customers, CCPA likely applies to you.
Who CCPA applies to
CCPA applies to for-profit businesses that collect California residents' personal information AND meet any of these thresholds:
Annual gross revenue over $25 million. Most mid-sized and larger businesses qualify.
Buy, sell, or share personal information of 100,000 or more California residents, households, or devices annually. Many email lists exceed this threshold.
Derive 50% or more of annual revenue from selling California residents' personal information. Data brokers and some marketing companies fall here.
If you don't meet these thresholds, CCPA doesn't apply to you—but other privacy laws might, and following CCPA principles is good practice regardless.
Email-specific compliance requirements
For email marketing, CCPA compliance involves several specific considerations.
Disclosure at collection: When you collect email addresses, you must inform consumers what categories of personal information you're collecting and how you'll use it. Your signup forms need clear privacy disclosures.
Privacy policy requirements: Your privacy policy must describe the categories of personal information collected, the purposes for collection, consumer rights under CCPA, and how to submit requests. It must be updated at least annually.
Data inventory: You need to know where email addresses and related data are stored across your organization. CRM, email platform, analytics tools, data warehouse, backups—all of it. You can't honor deletion requests if you don't know where the data lives.
Request handling: You must provide at least two methods for consumers to submit requests (typically web form and toll-free number). You must verify the requester's identity. You must respond within 45 days (extendable to 90 in some cases).
Service provider agreements: If you use email service providers, you need contracts specifying they're service providers under CCPA and restricting how they can use the data.
Handling deletion requests
Deletion requests require careful handling to ensure compliance.
Verify identity before deleting. You need reasonable verification that the requester is who they claim to be. For email-related requests, this might involve sending a confirmation to the email address in question.
Delete from all systems. Unsubscribing isn't enough. You must delete the email address and associated data from your email platform, CRM, analytics, data warehouse, and anywhere else it exists. Document what you deleted.
Exceptions exist. You can retain data necessary to complete transactions, detect security incidents, comply with legal obligations, or for certain internal uses. But these exceptions are narrow—when in doubt, delete.
Notify service providers. If you've shared the data with service providers, you must direct them to delete it too. Your contracts should require them to comply.
Respond in writing. Confirm to the consumer what actions you took. Keep records of requests and responses for compliance documentation.
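The deletion workflow above (verify identity, delete from every system in the data inventory, apply only narrow retention exceptions, direct service providers to delete, and keep a written record) as a worked example. This is added illustration, not code from the original article or from any product it mentions. It assumes a constructed data inventory with illustrative system names, a 24-hour validity window for the confirmation link, and in-memory dictionaries standing in for the real systems; the actual sending of the confirmation e-mail is out of scope.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed data inventory for the worked example. Each entry is a system that
# holds email-linked data, its CCPA role, and how a deletion is carried out there.
# System names are illustrative, not real products or a real inventory.
DATA_INVENTORY = {
    "crm":            {"role": "internal",         "handling": "delete"},
    "email_platform": {"role": "service_provider", "handling": "delete"},
    "analytics":      {"role": "service_provider", "handling": "delete"},
    "warehouse":      {"role": "internal",         "handling": "delete"},
    # Transaction records may be kept while an order is still open (narrow exception).
    "order_ledger":   {"role": "internal",         "handling": "delete_unless_open_order"},
    # Backups are not edited in place; they age out on a documented expiry schedule.
    "backups":        {"role": "internal",         "handling": "expire"},
}

VERIFY_TTL = timedelta(hours=24)       # assumed validity window for the confirmation link
RESPONSE_DAYS, EXTENDED_DAYS = 45, 90  # statutory response window and its extension
SECRET = secrets.token_bytes(32)       # per-deployment HMAC key; persisted in a real system


@dataclass
class DeletionRequest:
    email: str
    received: datetime
    token: str = ""
    verified: bool = False
    audit: list = field(default_factory=list)  # (timestamp, event, detail) records

    def log(self, when, event, detail=""):
        self.audit.append((when, event, detail))


def _confirmation_token(email, issued):
    # Keyed hash so the token cannot be forged or guessed from the email alone.
    msg = f"{email}|{issued.isoformat()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def open_request(email, now):
    """Intake: normalise the address and issue a confirmation token to that mailbox."""
    req = DeletionRequest(email=email.strip().lower(), received=now)
    req.token = _confirmation_token(req.email, now)
    req.log(now, "verification_sent", req.email)  # the mail send itself is out of scope
    return req


def verify(req, presented_token, now):
    """Accept the request only if a valid, unexpired token comes back from the mailbox."""
    if now - req.received > VERIFY_TTL:
        req.log(now, "verification_expired")
        return False
    ok = hmac.compare_digest(presented_token, req.token)
    req.verified = ok
    req.log(now, "verified" if ok else "verification_failed")
    return ok


def response_deadline(req, extended=False):
    """Date by which the written response is due (45 days, extendable to 90)."""
    return req.received + timedelta(days=EXTENDED_DAYS if extended else RESPONSE_DAYS)


def execute_deletion(req, stores, now):
    """Fan the deletion out to every system in the inventory and return a report.

    stores maps system name -> {email: record}; these are in-memory stand-ins for
    the real systems, constructed by the caller for the example.
    """
    if not req.verified:
        raise PermissionError("refusing to delete on an unverified request")
    report = {"deleted": [], "retained": [], "scheduled_expiry": [], "provider_notices": []}
    for system, meta in DATA_INVENTORY.items():
        store = stores.get(system, {})
        record = store.get(req.email)
        if meta["handling"] == "expire":
            report["scheduled_expiry"].append(system)
            req.log(now, "expiry_scheduled", system)
        elif meta["handling"] == "delete_unless_open_order" and record and record.get("open_order"):
            report["retained"].append((system, "complete_transaction"))
            req.log(now, "retained", f"{system}: open transaction")
        elif record is not None:
            del store[req.email]
            report["deleted"].append(system)
            req.log(now, "deleted", system)
        # Service providers must be directed to delete their own copies, whether or
        # not we also held a local copy of what they process on our behalf.
        if meta["role"] == "service_provider":
            report["provider_notices"].append(system)
            req.log(now, "provider_notified", system)
    req.log(now, "response_sent", f"deadline {response_deadline(req).date()}")
    return report
```

The `audit` list on each request is the written record the section asks for: every verification attempt, every system touched, every retention decision and every provider notice is timestamped, so the response to the consumer and the compliance file can both be produced from it. Note that an unverified request can never reach `execute_deletion`, and that the only retention path is the open-transaction case; everything else is either deleted now or placed on the backup expiry schedule.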
Opt-out of sale requirements
If you "sell" personal information, additional requirements apply.
"Sale" is defined broadly under CCPA. It includes sharing data for monetary compensation, but also sharing for other valuable consideration. If you share email lists with partners who provide something in return (even non-monetary), that might be a sale.
Do Not Sell link: If you sell personal information, your website must have a clear "Do Not Sell My Personal Information" link. This must be easy to find and use.
Honoring opt-outs: When someone opts out, you must stop selling their information. This might mean removing them from shared lists, stopping data feeds to partners, or excluding them from data monetization programs.
Many email marketers don't sell data in the CCPA sense. If you only use email addresses for your own marketing and share them only with service providers acting on your behalf, you're probably not selling. But review your data flows carefully.
Practical implementation steps
Building CCPA compliance into your email program requires systematic effort.
Audit your data flows. Map where email addresses come from, where they're stored, who has access, and where they go. This inventory is essential for responding to requests and identifying sales.
Update collection points. Ensure signup forms, checkout flows, and other collection points include required disclosures. Link to your privacy policy. Be clear about how you'll use the data.
Update your privacy policy. Include all CCPA-required disclosures. Describe consumer rights and how to exercise them. Review and update annually.
Build request handling processes. Create intake mechanisms (web form, phone number). Establish verification procedures. Define workflows for fulfilling requests across all systems. Train staff who handle requests.
Review vendor contracts. Ensure email service providers and other vendors have appropriate CCPA provisions. They should be classified as service providers with restrictions on data use.
Document everything. Keep records of your compliance efforts, requests received, and actions taken. This documentation is your defense if questions arise.
Penalties and enforcement
CCPA violations can be costly.
The California Attorney General can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. With thousands of affected consumers, fines add up quickly.
Private right of action exists for data breaches. If a breach exposes personal information due to failure to implement reasonable security, affected consumers can sue for $100-$750 per incident or actual damages, whichever is greater.
Enforcement has been active. The Attorney General has pursued cases against companies for inadequate privacy policies, failure to honor opt-out requests, and other violations. This isn't theoretical risk.
The CPRA amendments (effective 2023) created a dedicated enforcement agency and expanded requirements. Compliance is becoming more important, not less.
CCPA vs GDPR
If you're already GDPR compliant, you have a head start on CCPA, but they're not identical.
GDPR requires consent for most data processing. CCPA allows processing but requires disclosure and opt-out rights. The consent models differ significantly.
GDPR applies to all data subjects in the EU. CCPA applies only to California residents. Geographic scope differs.
GDPR has broader individual rights. CCPA rights are more limited but still substantial.
Many organizations build unified privacy programs that satisfy both, erring toward the stricter requirement in each area. This is often more practical than maintaining separate compliance programs.
Frequently asked questions
Does CCPA apply if I'm not based in California?
Yes, if you do business in California and meet the thresholds. CCPA applies based on where your customers are, not where you're located.
Is unsubscribing the same as a deletion request?
No. Unsubscribing stops future emails but doesn't delete existing data. A CCPA deletion request requires removing the consumer's data from your systems, not just stopping communication.
Do I need to delete backup copies?
Generally yes, though there's some flexibility for archived or backup systems if deletion is technically difficult. You should delete from active systems and have a process for backup deletion or expiration.
What if I can't verify the requester's identity?
You can deny requests you can't verify. But your verification process must be reasonable—you can't make it so difficult that legitimate requests are effectively blocked.