The California Consumer Privacy Act came into effect on January 1st, 2020. It’s just about as significant as you could expect from a law resulting from the fallout of the Cambridge Analytica scandal. One and a half years after GDPR caused sleepless nights for millions of marketers around the world, the US is slowly catching up. What does it mean for you? How can you make sure your emails are CCPA compliant? Let me show you.
Do you need to worry about CCPA?
CCPA may seem like a simple regional law that wouldn’t impact anyone outside of the US. However, it’s much more than that.
While California is only one of 50 states, its population of nearly 40 million people is higher than that of Poland, Canada, Malaysia, and over 150 other countries. If California were a sovereign country, it would be the world’s fifth-largest economy, beating even the United Kingdom. Most online businesses can’t ignore such significant changes to local legislation.
Even if your headquarters are in another state or country, you’re very likely to have Californian customers and are obliged to follow certain procedures when processing their data.
The new law will specifically apply to companies that meet any of the following criteria:
- Have an annual gross revenue higher than $25M.
- Buy, sell, receive or share the personal data of at least 50,000 Californian residents, households or devices.
- Make more than 50% of annual revenue by selling the data of Californian customers.
Smaller businesses with customers that are primarily located outside the state of California may be excluded from the new law. The same will apply to brick-and-mortar stores that are located far away from the Golden State. Certain exceptions can also apply to data under other privacy laws, such as HIPAA.
Everyone else should exercise due diligence to ensure they’re already CCPA-compliant.
What are CCPA email requirements?
CCPA is not some kind of breakthrough in the realm of privacy laws. In many ways, it’s similar to GDPR and implements similar mechanics to protect resident data. Therefore, if you’re already compliant with GDPR, it should be fairly easy to make yourself compliant with CCPA, as well.
Disclaimer: We’re pretty good at email testing but the law isn’t our field of expertise by any means. While we share the most up-to-date information on CCPA, please don’t consider it a piece of legal advice. We strongly recommend consulting a lawyer to discuss the individual needs of your business.
That being said, here are some of the main things to keep in mind:
Under CCPA, California customers can request to know the following at any time:
- What categories of data you collect
- The source of your data
- How you are using the data
Be ready to handle these requests for information. Under CCPA, you need to respond to each message concerning these requests within 10 days. In your response, you must specify how a request will be handled and when a response can be expected.
Make it easy to delete the data upon request
As was the case with GDPR, under CCPA a Californian resident can choose to have (nearly) all of their details deleted permanently. This is often referred to as a request to delete. There are certain exceptions to this rule, but all other information must go if a customer requests it. Have a mechanism in place to quickly remove all the data if/when necessary.
For both ‘know’ and ‘delete’ requests, you will need to have a reliable way to verify the identity of a customer. More about how to handle this issue can be found on page 18 of the CCPA text.
Use extra care when selling a customer’s data
Selling data has been a common practice, and now the CCPA finally regulates it. You can continue to do it, but you will need to follow certain procedures.
You must clearly communicate to users the exact data you will use in this case. You will need to give them a visible “Do Not Sell My Data” button somewhere on your page so they can immediately opt out of having their data sold. You must also reveal who their data is sold to upon request.
If you’re not comfortable doing any of the above, consider ceasing the sale of user data.
Consider updating your policy with all relevant changes. Clarify user rights regarding data protection and how they can be exercised. State how user data is used.
Refrain from using technical or legal jargon when stating what has changed. Write everything in clear, straightforward, and understandable language, especially for those who are less tech-savvy.
The new policy needs to be easily accessible, regardless of the customer’s device, so they can familiarize themselves with it. CCPA also explicitly indicates that the terms need to be easily accessible to people with disabilities. If they’re not, the minimum you will have to do is provide clear instructions on accessing an alternative version.
Treat every customer as though they lived in California
Laws change quite abruptly and other states are already following in the footsteps of California legislators. There’s also talk of a new federal law that would apply the conditions implemented in CCPA to all other states and territories.
Do you know exactly where each of your contacts resides at the moment? Not many companies do. So, even if you’re not directly impacted by the law yet, you should work on your compliance with CCPA anyway.
The basics of CCPA
To recap, here are the primary rights granted to California residents under CCPA:
- To know what personal information is collected and how it is used.
- To know if, and to whom, this data is sold or disclosed, or to opt out of this practice.
- To access personal information.
- Not to be discriminated against for the exercise of privacy rights.
- To sue for illegal distribution of personal information.
If you’re found in breach of any of these rules, you may be fined:
- $2,500 for unintentional violations; $7,500 for intentional violations
- $100-$750 for each resident and incident, or actual damages; whichever is greater
While these numbers might not seem significant, they can be if numerous people are affected. Let’s do some quick math. 87 million people were affected by the Facebook-Cambridge Analytica scandal. Assuming that 12% lived in California (CA residents make up approximately 12% of the US population), that’s 10.44 million data breaches. If CCPA had been in place at that time, at $100 to $750 for every single one, these breaches could have set Facebook back by one to eight billion dollars.
Differences between CCPA and GDPR
We pointed out earlier that the two laws are similar, but there are also some key distinctions beyond the obvious geographical one.
- GDPR affects all organizations of any size doing business in the EU (non-profits included). Various businesses and nearly all non-profits are excluded from CCPA because they don’t meet any of the three conditions we mentioned earlier.
- Both laws give users the right to delete their personal data from the record. However, only GDPR enables the right to amend the data, as well. Of course, CCPA doesn’t discourage it but there’s no mention of this right in the current iteration.
- The way the two laws affect minors also differs. Under GDPR, parents of children under 16 must consent to data processing in an online environment. CCPA gives anyone aged 13 or older the right to consent on their own.
- Certainly, GDPR is a lot more specific on the technical aspects of data protection. It gives clear indications on how to collect data and which practices one should avoid. CCPA is more focused on clarifying the rights of the resident, as well as the privacy and security obligations of businesses. It doesn’t give precise technical instructions in the current revision.
Although CCPA has already gone into effect, marketers and business owners have until July 1st, 2020 to sort out their compliance with the new law. This is when the California Attorney General’s office will start enforcing it and punishing any violations.
Nevada has implemented measures similar to California’s, and more states will begin processing similar laws in 2020. Inevitably, the whole of the US will be covered under similar laws in the near future. So, even if you’re not directly affected just yet, the time to act is now.