
CCPA Compliance: Regulations Email Marketers Must Follow

A lot happened in the year 2020. So, if the topic of CCPA compliance flew under your radar, it’s understandable. However, this consumer privacy law went into full effect last year, and it’s considered the strictest of its kind in the United States.

The CCPA impacts email marketers everywhere. So, it’s important to understand what CCPA compliance means to your organization. Let’s take a look at the essentials of this privacy law and how it pertains to your email marketing efforts.

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state statute specifically written to protect Californians’ personal data and information. CCPA was introduced not long after GDPR entered the scene in Europe. It’s had a major impact on corporate privacy policies and practices.

The law went into effect on January 1, 2020, but enforcement of CCPA compliance didn’t officially begin until July 1, 2020. State lawmakers are also still making amendments to the law.

Essentially, the CCPA ensures California residents have the right to:

  • Know what kinds of personal data companies are collecting.
  • Know if their personal information is sold or shared (and who has it).
  • Refuse the sale of their personal information.
  • Access personal data that companies collect about them.
  • Request the deletion of the personal information collected (AKA the right to be forgotten).
  • Not be discriminated against for exercising their rights under CCPA.

In addition, organizations that must follow CCPA compliance are also required to maintain reasonable security practices in order to protect consumer data.

There are many similarities between CCPA and GDPR. In a sense, if you’re complying with GDPR, you’re already following most of California’s consumer privacy law. However, there are some key differences between the two, including the way the CCPA views a consumer’s personal data.

Defining “personal data” under CCPA

While GDPR applies to “any information relating to an identified or identifiable natural person,” CCPA takes it a step further and applies regulations to an entire household. The legislation describes personal information as:

“ … information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Legal experts note that, in comparison to GDPR, this is a much broader and more complex definition of personal information, which raises some interesting questions.

The California Lawyers Association has published an in-depth breakdown of that language. It includes the fact that “information” can include many types of data, such as images and audio recordings. Of course, it also includes the kinds of personal data we normally think of, such as email addresses, mailing addresses, social security numbers, and phone numbers.

Here’s where the words “directly or indirectly” come into play.

For an eCommerce company, personal information would also include a consumer’s purchase history. For a streaming service, it would include the media an individual consumed on the platform. For wireless companies, it includes geolocation data collected on smart devices. And the list goes …

For email marketers, personal information includes more than just the email address and common personal identifiers. It also includes data about which emails subscribers have opened and what they clicked on.

Under the CCPA, only publicly available data is not considered personal information. That would include things like government records.

Is anyone exempt from CCPA?

The CCPA may apply to any organization that collects the personal information of Californians. However, there are some specific qualifiers for which CCPA compliance is required.

The CCPA applies to any for-profit company doing business in California that meets any of these three criteria:

  1. The company has a gross annual revenue of more than $25 million.
  2. The company gets more than 50% of its annual revenue from California residents.
  3. The company buys, sells, or receives personal information of more than 50,000 California residents.

Remember, you only need to meet one of these criteria for CCPA compliance to be a requirement.

So, if you have an email list with more than 50,000 Californians, but your revenue is less than $25 million, you’d still need to comply with the CCPA. If your annual revenue surpasses $25 million, but California residents only make up a small portion of your list, you still need to comply. If you’re a small business operating in California, you most likely need to follow CCPA compliance since more than 50% of your revenue comes from state residents.

If you’re a smaller business with fewer than 50,000 California-based subscribers, you may not need to comply. However, considering the way consumer privacy laws are evolving, following CCPA best practices for email marketers is very wise. It’s better to be in compliance now than be forced to make major changes later.

At this point, the CCPA does not apply to non-profits/charities or government agencies -- including political campaigns.

Unlike the CCPA, GDPR regulations don’t have any restrictions on the size, revenue, or for-profit status of a company. Technically, GDPR uses the term “data controllers” rather than companies to define who must comply with privacy regulations.

CCPA compliance and B2B emails

Does CCPA compliance apply to business-to-business organizations? Yes … and no.

If a business is collecting personal information about a California resident during a B2B transaction, the rules will apply … eventually. There is a grace period for B2B companies that applies to certain requirements. That grace period was set to expire at the start of 2021 but was extended to January 1, 2022.

Until that time, B2B email marketing has a little leeway. The National Law Review explains that, under the exemption, businesses are not required to provide certain notices or extend consumer rights to business contacts. Essentially, most B2B email communications are fine since they “occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service.”

Even though it’s a law meant to protect consumer privacy, many B2B companies still need to examine their data collection, storage, and sharing practices to be compliant. B2B companies are not exempt from CCPA requirements such as:

  • Informing people of a data breach.
  • Honoring requests that personal information not be sold.
  • Avoiding discrimination against individuals who exercise CCPA rights.

So, while there’s time to adjust, B2B companies will not be exempt from the CCPA. As the grace period continues, it’s best to get in line as soon as possible if your company meets the law’s criteria.

CCPA Penalties

The Attorney General of California is tasked with enforcing CCPA regulations and issuing monetary penalties to violators of the law. CCPA non-compliance penalties are smaller than other privacy and anti-spam laws. There is a maximum fine of $2,500 per unintentional violation and up to $7,500 per intentional violation.

According to The National Law Review, businesses that “cure” non-compliance issues within 30 days of being notified will not be held liable. However, it also notes that some forms of non-compliance, such as data breaches, cannot be cured after the fact.

An interesting aspect of the CCPA is that private citizens may file civil cases against organizations they believe to be in violation of the law. That stands in stark contrast to CAN-SPAM, the federal anti-spam law in the U.S. Under CAN-SPAM, only the Federal Trade Commission (FTC), other federal agencies, or state attorneys general can pursue legal action against potential spammers.

CCPA compliance: Best practices for email marketing

CCPA compliance is about much more than stopping spam. So, what steps should email marketers take to make sure their organization is following the rules?

Update your website’s privacy policy

Privacy policies on company websites should be updated to advise visitors of their rights under the CCPA. Be sure the privacy policy clearly explains the following:

  • What personal information is collected and how.
  • Why the data is collected (how it is used).
  • Who the company may share data with.
  • Who to contact for more information about data use and storage.

While writing privacy policies may not fall to the email team, your data collection practices should be explained on this page. For more help, check out this CCPA privacy policy checklist.

Establish a notice at collection

Any place where you may collect personal information should include a notice that informs individuals of that fact. For email marketers, this would include newsletter sign-ups, forms filled out to access content, contact forms, anywhere online orders are placed, and more.

That's why you'll see something like this on the Email on Acid website whenever you fill out a form to download email marketing white papers or sign up for our newsletter.

[Screenshot: Email on Acid's "notice at collection" for CCPA compliance]

The notice should explain what data is collected and how it is used. The notice should also link to your website’s privacy policy. And, if you are selling personal information, it must include a “Do Not Sell Link” so California consumers can opt out.

Evaluate data storage practices

It is your company’s responsibility to provide California residents with the personal data you have collected about them when they request it. You must also be able to delete that information on request.

For that reason, it’s important to have easy access to subscriber data and the ability to delete it. The information must be provided free of charge and cover the 12-month period prior to the consumer’s request. Ensure you have a process for gathering data and distributing personal information.

It should go without saying, but if a California resident asks for the deletion of personal information, that includes their email address, and you should no longer send them email communications.

There should be at least two ways to contact your organization if a Californian wants to access data or have it deleted. One of those methods would logically be a specific email address.
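To make the access and deletion duties above concrete, here is an added Python sketch (not from Email on Acid or the original post) of a request handler: an access request returns only engagement records from the 12 months before the request, and a deletion request both removes the records and places a hashed fingerprint on a suppression list that the send path must check. The 365-day window, the sample addresses and the record layout are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib

@dataclass
class Event:
    email: str
    kind: str   # "open" or "click": engagement data is personal information under the CCPA
    when: date

@dataclass
class Store:
    events: list = field(default_factory=list)
    suppressed: set = field(default_factory=set)   # SHA-256 fingerprints of deleted addresses

def _norm(email: str) -> str:
    return email.strip().lower()

def _fingerprint(email: str) -> str:
    # Keep only a hash on the suppression list so the deleted address itself
    # is not retained in plaintext after the consumer asked for deletion.
    return hashlib.sha256(_norm(email).encode()).hexdigest()

def access_request(store: Store, email: str, requested_on: date) -> list:
    """Return the consumer's records from the 12 months before the request (assumed as 365 days)."""
    cutoff = requested_on - timedelta(days=365)
    return [e for e in store.events
            if _norm(e.email) == _norm(email) and cutoff <= e.when <= requested_on]

def deletion_request(store: Store, email: str) -> int:
    """Delete the consumer's records and suppress future sends; returns the number deleted."""
    before = len(store.events)
    store.events = [e for e in store.events if _norm(e.email) != _norm(email)]
    store.suppressed.add(_fingerprint(email))
    return before - len(store.events)

def may_send(store: Store, email: str) -> bool:
    """The send path consults the suppression list, not just the subscriber table."""
    return _fingerprint(email) not in store.suppressed

def demo() -> dict:
    # Constructed sample data; the 2019 event falls outside the 12-month window.
    store = Store(events=[
        Event("jane@example.com", "open", date(2019, 12, 1)),
        Event("jane@example.com", "click", date(2021, 1, 15)),
        Event("jane@example.com", "open", date(2021, 2, 2)),
        Event("bob@example.com", "open", date(2021, 2, 3)),
    ])
    in_scope = access_request(store, "jane@example.com", date(2021, 2, 10))
    deleted = deletion_request(store, "Jane@Example.com ")   # request text is normalized
    return {"access_count": len(in_scope), "deleted": deleted,
            "jane_allowed": may_send(store, "jane@example.com"),
            "bob_allowed": may_send(store, "bob@example.com")}
```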

Know what third parties do with subscriber data

Under the CCPA, you may also be liable for how partners and vendors use the data you collect on California residents. That would include email service providers (ESPs), customer relationship management (CRM) software, and customer data platforms (CDPs).

Review and evaluate the privacy policies and data collection practices of third parties with access to your subscribers’ data. Make sure to mention these third parties in your privacy policy.

Making email better for everyone

GDPR and CCPA are just the beginning of a move to enhanced consumer privacy. It’s a growing concern for the general public. So, lawmakers and companies like Apple are making consumer data privacy changes. According to Fast Company, at least ten other states are on track to pass their own data privacy laws in 2021.

Sometimes, consumer privacy laws and anti-spam regulations may feel like they throw a wrench into email marketing by making things even more complicated. However, as email marketers, we should all want this channel to remain healthy, effective, and secure.

GDPR and CCPA compliance may feel like a hassle, but they won’t ruin email marketing. In fact, they could make it stronger. When we spoke to marketing legend Seth Godin about the future of email, he explained that it’s up to all of us to do what’s right:


“Either you’re a spammer or you’re not. Either you’re regularly skirting the edges, trading lists, hustling people, writing link bait subject lines, evading policies and skulking around, OR, you’re being clear and open and delivering messages that are anticipated, personal and relevant.

The test is easy: If you didn’t send out your emails tomorrow, would people contact you to find out what happened?”

Seth challenges marketers to make email better, not just louder.

That’s a huge part of our mission here at Email on Acid. Our platform is designed to help simplify the complexities of email marketing so you can deliver perfection. If you care about the quality of your email marketing, give our email pre-deployment testing platform a try. Take the 7-day free trial to find out how it helps.

Give Campaign Precheck a Try!

While you can use our email readiness platform in a variety of ways, we’ve designed the optimal predeployment checklist with Campaign Precheck. It streamlines and simplifies the entire pre-send process for efficiency and accuracy. Log in now to start using Campaign Precheck. Or, sign up for your free trial today!
