What Is CCPA and How Does It Impact Email Marketing?

Melanie Balke | March 6, 2023

Also known as the California Consumer Privacy Act, the CCPA is one of many laws governing digital marketing. Much like its predecessor, the 2003 CAN-SPAM Act, CCPA gives consumers a host of rights surrounding their personal information.

While there are plenty of benefits to such legislation — including increased user happiness and improved trust — this law also impacts your email marketing! If you’re planning on serving Californian residents any time soon, then this guide is a must-read!

Today’s blog post is dedicated to the CCPA and its intricacies, which I’ll break into easy-to-understand bites. So, keep on scrolling because there’s a lot of ground to cover!

What Is the CCPA?

Overlapping tropical leaves with overlaid text. "The Basics: Understanding the CCPA."

Passed in 2018, the CCPA is just one of many modern solutions to digital privacy. It is overseen by the California Privacy Protection Agency (CPPA).

The law was intended to complement the federal CAN-SPAM Act by providing additional protections to California residents’ personal information. Under CCPA, consumers have five basic rights:

  1. The right to correct their information
  2. The right to delete information
  3. The right to know how information is used and its source
  4. The right to non-discrimination
  5. The right to opt out of data collection

The law also provides for-profit businesses precise language to use when informing consumers of these rights, but I’ll get to that later! For now, let’s focus on the basics.

What Is “Personal Information” Under the CCPA?

It stands to reason that — as a consumer privacy act — CCPA deals with personal information. The text of the California Consumer Privacy Act has plenty of examples of personal information, handily chunking the topic into smaller categories.

(For those interested in the legal angle of this post, you’ll find this information in section 1798.140(v)(1). It’s way down there, so you’ll need to do quite a bit of scrolling to reach it!)

To make a long story short: California law deems anything that is not publicly available as personal information.

Palm leaves feature overlaid text. The text describes the examples of personal information listed below.

This is a remarkably broad classification, but the California attorney general helpfully offers examples of such data. Generally, you should treat any information your business collects as private information. However, if you’re curious (or have an understandable need to avoid legal claims), here’s a handy list of what is considered personal information:

  • Commercially identifying information (e.g., on-site interactions and purchase history)
  • Digital identifying information (e.g., geolocation data, browsing history, and search history)
  • Inferred data (namely, any personal information that has been inferred or predicted using personal data)
  • Information that may be used to identify an individual (e.g., driver’s license number, IP address, and passport number)
  • Professional information (e.g., place of employment or position)
  • “Sensitive” personal information (e.g., ethnic background, racial identity, and religious or philosophical beliefs)

Who Does the California Consumer Privacy Act Cover?

A dense crowd. The overlaid text reads, "Who Is Covered: When and Where the CCPA Applies."

One of the key things marketers must know about the CCPA is that it doesn’t end at the California border! In fact, the CCPA specifically covers any current resident of California, regardless of where they are.

A Californian surfing your site while vacationing in Maui is still a resident, as is the worker on a business trip in Paris, France! In other words, it may be worth complying with CCPA regulations regardless of where you work.

Nonetheless, this valuable consideration should be tempered by reality. There are a few caveats, and some businesses are exempt from CCPA regulations. In addition to non-profit organizations and governmental organizations, for-profit businesses that do not meet any of the following criteria can ignore the CCPA:

  • Store information on 100,000 or more Californian residents
  • Obtain 50% or more of their revenue from the sale of data from Californian residents
  • Possess a gross annual revenue greater than $25,000,000
  • Are related to any business meeting these requirements

What Happens If My Business Violates the CCPA?

A jail cell. "Fines and Shame: The Steep Cost of Violating the CCPA."

While no business should be dodging laws, it’s always wise to understand the consequences. Like every other consumer privacy act, CCPA violations have a hefty price.

The California Privacy Protection Agency sorts violations into two categories, accidental and intentional, and each has its own penalties.

As of 2021, the fine for an accidental violation of the CCPA is up to $2,500 per email. So, let’s assume a single campaign inadvertently violated the CCPA. If this campaign was sent to as few as 20 people, you’re still looking at a $50,000 fine.

Intentional violations are even worse! In addition to the damage to your brand’s reputation, you’ll face a $7,500 fine. And, yes, that is also the price per email. I’ll put that into perspective with the example I just used. If your business — for some inscrutable reason — intentionally violated CCPA regulations, those 20 emails now have a $150,000 price tag!

Now, before you get too scared, I should point out that the California Privacy Protection Agency generally gives brands a 30-day period to fix their mistakes. Unintentional violations may warrant such leniency. However, intentional or repeated violations do not get the same treatment. Data breaches are treated similarly and can incur the same level of fines on top of consumer-led legal claims.

TL;DR: Don’t dodge or avoid the CCPA!

Consumer Rights Under the California Consumer Privacy Act (CCPA)

The Golden Gate Bridge. "Breakdown: Understanding the CCPA."

Now that I’ve covered the basics, it’s time to dive into the five rights of every Californian. Since it’s been a bit of a stroll — or, should I say, a scroll — to get to this point, here’s a quick refresher. The CCPA (and its later amendments through the California Privacy Rights Act) gives California residents five fundamental rights:

  1. Correction
  2. Deletion
  3. Knowledge
  4. Non-discrimination
  5. Opt-out

From a business perspective, these rights impact how the personal information collected by various sources can be used.

The Right to Correct Data

A vacuum cleans up fallen debris. The overlaid text reads, "Right to Correct: California Residents Have the Right to Fix Any Inaccurate Data."

Let’s face it: Everyone makes mistakes — even computers and databases! Sometimes, the data stored in your system doesn’t match reality. Fixing such errors is the goal of the CCPA’s right to correct inaccurate personal information, which is a “what it says on the box” situation.

This simple facet of the California Consumer Privacy Act was added in 2023 as part of the California Privacy Rights Act (CPRA). In summary, this portion of the law gives any particular consumer the right to request that incorrect data be rectified.

The precise text is found in section 1798.105(a) if you’re so inclined to check!

The Right to Delete Information

Overlapping leaves. The header text reads, "Right to Delete: Customers Have the Right to Request the Deletion of Their Data."

While the first point is straightforward and logical, the second requirement is dicier. No business — especially any for-profit entity selling consumers’ personal information — wants to delete its hard-won data. Unfortunately, if a consumer requests to exercise this right, it must be done.

When consumers exercise this right, a business must delete all information for that particular consumer. (If you need a refresher on what that means, scroll up and check out the bit about “personal information.”) Businesses engaging in data-sharing (e.g., those using a third-party data manager) must also alert the relevant organizations.

The deleted information cannot be kept or stored elsewhere. As they often say in television ads, “Everything must go!”

Exceptions (That You Probably Can’t Use)

As a side note, there are a few exceptions to this right. Both non-profit organizations and government entities can ignore this rule. Moreover, businesses can deny a consumer’s request if it meets any of the following criteria:

  • Removal Is Impossible: In very specific situations, removing the user’s data will compromise the overall experience. For example, a customer can’t ask a bank to delete their data, as the act renders the service unusable.
  • The Information Is Being Used for Research: Let’s be honest; your business isn’t going to qualify for this one. However, if you do happen to be running a peer-reviewed research team, you can keep the info.
  • The Information Is Necessary for a Transaction: Information can be kept when it is essential to the completion of a service. For example, a customer can’t ask to delete their address when a product is en route to their home.

The Right to Know How Data Is Used

An open notebook. Overlaid text reads, "Right to Know: California Consumers Have the Right to Know About Their Information."

In the simplest terms, the right to know gives customers the power to request disclosure.

Now, what do businesses disclose? That’s where it gets complicated. This chunky portion of the CCPA includes a lengthy list of information and additional stipulations on how data stored for each consumer should be handled. (For the exact text, you’ll want to find section 1798.110(a).)

The power to request disclosure covers several specific categories of information:

  • Reasoning: Consumers must be informed of the “purpose for collecting, selling, or sharing” their data.
  • Sources: Customers can ask about the sources for a business’ personal information.
  • Specifics: California residents can access and view the exact information a business stores about their activity and digital identity.
  • Third Parties: Businesses should have a list of any relevant third-party merchants or vendors that may use a consumer’s data.
  • What Data Is Kept: Businesses must provide a list of data stored for each eligible user. Common examples include the consumer’s address, mobile phone number, and name.

Moreover, when the right to request disclosure is exercised, a business must have a record of prior information. While the timer on such information was reset in 2022, the law states that every business should have a 12-month user data record for California residents.

Under California law, third parties must also obtain explicit permission before selling or otherwise distributing the personal information of a resident.

The Right to Non-Discrimination

Various leaves. The overlaid text reads, "Non-Retaliation: A California Resident Cannot Be Punished for Exercising CCPA Rights."

Also known as the right of no retaliation, the non-discrimination specifics are part of section 1798.125. In summary, this stipulation prevents businesses from providing lesser services to users who refuse to provide personal information.

Some explicitly named examples of discrimination include:

  • Altering Prices (specifically, “charging different prices or rates” based on opt-in preferences)
  • Direct Retaliation (particularly against employees)
  • Providing Lesser Service (through customer service or quality, for example)
  • Refusing Service
  • Suggesting Altered Service (yes, just the suggestion of altered service levels is banned)

These regulations also apply to digital giveaways, sweepstakes, and competitions.

There are, however, some caveats in this bit of the CCPA.

Businesses can offer financial incentives (e.g., sales, coupons, and promotions) to consumers who willingly opt in. If a for-profit entity can conclusively prove that the differences in service are caused by a lack of personal information, then the non-discrimination portion is similarly waived. (Note that the latter caveat is precisely worded, and it’s more difficult to prove this than it is to comply with the CCPA.)

Unsurprisingly, the CCPA also bans overly coercive, unfair, and illegal incentives.

The Right to Opt-Out (and The Right to Limit)

A PlayStation controller with overlaid text, "Right to Control: Consumers Can Limit and Opt-Out at Any Time and For Any Reason."

While the rights to opt out and limit information are listed separately in the legislative text (being, respectively, sections 1798.120 and 1798.121), I’ve combined them for the sake of simplicity. However, both are fairly straightforward.

Together, these sections of the CCPA give customers the right to refuse (or opt out of providing their information) and limit the amount of available personal data. Both rights can be exercised at any time and for any reason, and the request must be honored promptly.

In both cases, businesses cannot continue gathering information. However, any prior metrics can be kept for administrative purposes.

I should also point out that businesses are banned from collecting personal information on any California residents under the age of 16. While it’s impossible to know everyone’s age, a business with reasonable means of doing so must adhere to this prohibition. The only exception is if a business obtains explicit consent from a legal guardian of a consumer between the ages of 13 and 16.

How to Comply With the CCPA

A gaming controller. The overlaid text reads, "How to Comply: 2 Ways to Obey the CCPA."

That’s a lot to remember, right?

Well, here’s the bad news: the regulations don’t stop there. There are certain steps a business must follow, and the CCPA outlines two ways to stay on the right side of the California attorney general.

Option #1: The Disclaimer Page

The first way to abide by the CCPA involves the creation of specific web pages and disclaimers.

First and foremost, businesses must maintain at least two ways to submit requests — through electronic or other means. If a business has a brick-and-mortar location, it must include a valid toll-free phone number as one of the options. (Digital-only storefronts are allowed to use a single online form.)

One of the options for submitting requests must be easily accessible online. Moreover, the links must be labeled as “Do Not Sell or Share My Personal Information.” An additional link — “Limit the Use of My Sensitive Personal Information” — must also be included. Alternatively, a single page can outline both rights.

Option #2: Ignoring Opt-Out Preferences

The second option is trickier to master.

Rather than asking users to opt in, this approach asks users if they wish to opt out. However, a website must meet multiple requirements to legally use this setup:

  • Customers are still allowed to opt out entirely
  • Opting out must be as easy as opting in
  • The relevant link is not overly dramatic (e.g., taking up the entire page or otherwise blocking content)

Avoid the Headache and Reduce Your Workload

All of this may seem irrelevant, but these consumer privacy laws ultimately impact your email marketing. In fact, they touch every part of digital marketing. And, frankly, they’re hard to understand!

If you’re sick of worrying about your marketing’s legal issues, it may be time to find a partner. My team at The Email Marketers knows what it takes to make campaigns that are legal and fun, and we’ll use our abilities to supercharge your business!

Take the plunge! Sign up for a free consultation and strategy session, and I’ll show you what The Email Marketers can do for you. You can also find plenty of tips and tricks on my blog! So, keep your eyes open; there are plenty more guides on the way.

(The information contained in this site is provided for informational purposes only and should not be construed as legal advice on any subject matter.)