Everything You Need to Know About CCPA and Email Marketing

The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020. And it’s just as significant as you would expect a law fueled by the Cambridge Analytica scandal to be. 

This all happened a year and a half after the General Data Protection Regulation (GDPR) caused sleepless nights for millions of marketers around the world. But what does the change in consumer rights in terms of privacy protection mean for you? How can you make sure you are compliant and applying the rules of CCPA in email marketing? Let this article teach you!

Disclaimer: CCPA is not to be confused with the California Privacy Rights Act (CPRA), which builds upon and amends the CCPA, introducing additional provisions and expanding privacy rights for California residents. This act came into effect on January 1, 2023.

Do you need to worry about CCPA?

CCPA may seem like a simple regional law that doesn’t impact anyone outside of the US. However, it’s much more than that.

You see, while California is only one of 50 US states, its population of nearly 40 million people is higher than that of Poland, Canada, Malaysia, and 150+ other countries. So, if California were a sovereign country, it would be the world’s fifth-largest economy, beating even the United Kingdom.

Most online businesses can’t ignore such significant changes to local legislation in a state as important as California. Even if their headquarters are in another state or country, they’re very likely to have Californian customers, which obliges them to follow certain procedures when processing data.

Who should pay special attention to CCPA requirements? Companies that meet any of the following criteria:

Smaller businesses with customers that are primarily located outside the state of California may be excluded from following the new law. And the same applies to brick-and-mortar stores located far away from the Golden State.

Also, certain exceptions can apply to data under other data privacy laws, such as HIPAA.

Everyone else should exercise due diligence to ensure they’re already CCPA-compliant.

How to be CCPA-compliant

CCPA is not some kind of breakthrough in the realm of privacy laws. In many ways, it’s similar to GDPR and implements similar mechanics to protect resident data. Therefore, if you’re already compliant with GDPR regulations, it should be fairly easy to make yourself compliant with CCPA regulations, as well.

Disclaimer: We’re pretty good at providing a platform that covers all email-related needs, but this law isn’t our field of expertise by any means. So, please don’t consider this article a piece of legal advice. Also, we strongly recommend consulting a lawyer to discuss the individual needs of your business.

That being said, here are some of the main things to keep in mind:

Be ready to share where you get consumer data from

Under CCPA, Californian customers can request to know the following at any time:

If you change the way you use a specific category of data and it’s not covered in your privacy policy, you need to communicate this change to interested parties along with providing all the necessary information on consumers’ privacy rights.

So, be ready to handle these types of requests for information, as under CCPA, you need to respond to each request within 10 days. Also, in your response, you must specify how a request will be handled and when a response can be expected.

Make it easy to delete consumers’ personal information upon request

As was the case with GDPR, under CCPA, a resident of California can choose to have (nearly) all of their data deleted permanently by you and any third-party service providers you shared it with. This is often referred to as a request to delete.

Of course, there are certain exceptions to this rule, but all other information must go if a customer so wishes.

That being said, you need to have a mechanism in place to quickly remove all the sensitive information and contact information you collect (name, email address, phone number, social security number, driver’s license number, credit card number, biometric data, IP address, geolocation data, and other digital identifiers, employment data, etc.) if/when necessary as well as remove the consumer that requested the deletion from your email list. 

Also, for both ‘know’ and ‘delete’ consumer requests, you will need to have a reliable way to verify the identity of a consumer. 

More about how to handle this issue can be found on page 18 of the CCPA text.

Use extra care when selling a customer’s data

Selling data has been a common practice, and now the CCPA finally regulates it. 

So, while you can continue the sale of personal information, you will need to follow certain procedures.

First, you must clearly communicate to consumers what exact data you will use in this case and give them a visible “Do Not Sell My Data” button somewhere on your page so they can opt-out. 

Then, you must also reveal to whom their data is sold upon request.

If you’re not comfortable doing any of the above, consider ceasing the sale of user data.

Update your privacy policy and be transparent about this change

Consider updating your privacy policy with all relevant changes, and in it, clarify consumer rights regarding data protection and how they can be executed. Also, state how user data is used.

While updating, refrain from using technical or legal jargon in stating what has changed. Instead, write everything in clear, straightforward, and understandable language, especially for those who are less tech-savvy.

CCPA also explicitly indicates that your privacy policy terms need to be easily accessible to people with disabilities and on any device a customer uses, so that everyone can familiarize themselves with them.

If they’re not, the minimum you will have to do is provide clear instructions on accessing an alternative version. Fortunately, plenty of great resources exist that can help your business easily generate a free privacy policy that meets all these CCPA requirements.

Treat every customer as though they have California privacy rights

Laws change quite abruptly, and other US state legislators are already creating laws similar to the California law. On top of that, there’s also talk of a new federal law that would apply the conditions outlined in CCPA to all other US states and territories.

With that said, think about whether you know exactly where each of your consumers resides at the moment. Only a few companies do. And, even if you’re not directly impacted by the law (yet), you should work on your compliance with it. 

The basics of CCPA

To recap, here are the primary rights granted to California residents under CCPA:

If you’re found in breach of any of these rules, you may be fined:

While these numbers might not seem significant, they can be if numerous people are affected. 

Let’s do some quick math!

87 million people were affected by the Facebook-Cambridge Analytica scandal. Assuming that 12% of them lived in California (CA residents make up approximately 12% of the US population), that’s 10.44 million data breaches. So, if Californians had CCPA rights at that time, these breaches would’ve set Facebook back by one to eight billion dollars.

Differences between CCPA and GDPR

We pointed out earlier that CCPA and GDPR are similar but that there are also some key distinctions between the two (besides the geographical region the laws apply to, of course):

How CCPA applies to email marketing

While CCPA doesn’t directly regulate email marketing, its rules are relevant to this activity as the personal information the law refers to can include email addresses and other data collected through email marketing. 

So, if your business falls under the CCPA scope, make sure to (with the help of a legal professional or privacy expert) carefully review the law’s requirements and ensure you are complying with its provisions and how they relate to email marketing. 

Here are some key CCPA email marketing aspects to keep in mind that might affect your practices:

Wrapping up

As of July 1st, 2020, the California Attorney General’s office started enforcing CCPA and punishing any violations. This means that all people working in email marketing or other marketing fields, as well as business owners, need to have already sorted out their CCPA compliance/non-compliance.

Also, just like California, Nevada has implemented similar measures, and more states should have begun processing similar laws in 2020. 

Inevitably, the whole of the US will eventually be covered under similar privacy legislation in the near future. So, even if you’re not directly affected just yet, the time is now to become compliant and apply the rules of CCPA in email marketing!

Disclaimer: The information provided in this text should be accurate. However, it should be noted that as privacy laws and privacy regulations do change over time, it’s essential to consult the most up-to-date sources or legal professionals for the latest information on things like CCPA’s enforcement status in Nevada, the future expansion of similar laws across the U.S., and other things mentioned.

Want to learn more about legal matters, specifically email marketing laws? Then check out our article covering CAN-SPAM, GDPR, CCPA, HIPAA, and more.
