Everything to know about the California Consumer Privacy Act (‘CCPA’) and email marketing
Have you heard about the ‘CCPA’ and what it means for your email marketing? If you didn’t, no worries. That’s why you're reading this!
CCPA stands for California Consumer Privacy Act. In this article, we’ll explain in simple terms what this Californian act means for your business and email marketing.
As we’ve seen with the introduction of GDPR, personal data protection has become much more important and it’s up to you to ensure your marketing practices are compliant. All these new regulations can feel a little overwhelming, but you should remember that these types of regulations like GDPR do more good than bad for your email marketing.
CCPA went into effect on January 1st, 2020 but its enforcement began on July 1st, 2020.
It’s important to note that even though it came into effect, the final CCPA regulation isn’t published yet. The California Attorney General’s office recently published final modifications to the CCPA regulation draft (so keep an eye on any updates after the publication of this post).
Read on to learn what CCPA entails, if it applies to your business, the penalties and requirements involved and how it’s similar and different from GDPR. Scroll all the way down for a CCPA checklist.
Disclaimer: Please note that we share our insights about CCPA, however, please do not consider it as legal advice. We strongly recommend consulting a lawyer to discuss the individual needs of your business.
What does CCPA stand for and what is it?
The California Consumer Privacy Act (‘CCPA’); at first the term might make you go “The what?!” but the key thing to remember is that this act is good for your customers and will help your email marketing. When you respect people’s personal data, your results will flourish.
CCPA is similar to GDPR, except that it only applies to businesses that collect personal information of California residents.
It was created to give CA residents—individuals who reside in California, even if they are temporarily outside of the state—more control over the personal information that businesses collect about them.
In this context, ‘personal information’ includes, but is not limited to: name, email address, social security number, driver’s license number, credit card number, biometric data, IP address, geolocation data, professional or employment information and other information that is not publicly available.
Read on to see if the act applies to your business.
Does CCPA apply to my business?
Before you continue reading, let’s first find out if CCPA applies to your business.
A for-profit entity; and
Conduct your business in California (to be explicit, if you collect personal data of California residents); and
Adhere to at least one of these conditions:
You earn gross annual revenue of over USD 25 million; or
You buy, receive or sell the personal information of 50,000 or more California residents, households, or devices per year; or
You derive 50% or more of your annual revenue from selling California residents’ personal information.
If CCPA applies to you, please read on. If it doesn’t apply to you, feel free to keep learning by reading more, or check out this fun article about how to apologize when you make an email mistake.
Ok, back to business. Here are the requirements to help your email marketing comply with CCPA, along with some practical insights and a CCPA compliance checklist.
First step in CCPA compliance: Get a notice at collection in place
Before starting to collect personal information of California residents, you should provide them with a “notice at collection”. This term is explained in the CCPA Regulations as “the notice given by a business to a consumer at or before the point at which a business collects personal information from the consumer”.
For example, inform consumers on your website’s homepage or on the page where orders are placed or personal information is entered (e.g. registration page) that you are collecting personal information.
This notice at collection must list the categories of personal information you collect about consumers and the purposes for which you use such information. If you sell consumers’ personal information, your notice at collection should include a ‘Do Not Sell’ link as well as the link to your Privacy Policy.
Below you’ll see an example from AGCO Corporation and what their notice at collection looks like. This is a good example because it contains:
Links to the needed information are provided in the notice at collection
Links to what personal information is collected and for what purpose
Links to use the ‘Do Not Sell My Personal Information’ option
Links to the California Privacy Notice and the general Privacy Policy
Here are other good examples of notices at the collection: The Standard, Experis.
The 4 main California resident rights
If CCPA applies to your business, make sure that you comply with these four main California resident rights, and include them together with its implementation in your Privacy Policy.
1. The right to know about personal information your business collects about California residents (and how it’s used and shared)
2. The right to delete personal information collected from consumers
3. The right to opt-out of the sale of personal information
4. The right to non-discrimination for exercising their CCPA rights
Your Privacy Policy may include information about the third parties to which consumer’s personal information is transferred. Therefore, you may use this statement about MailerLite in your Privacy Policy:
“We use MailerLite to manage our email marketing subscriber list and to send emails to our subscribers. MailerLite is a third-party provider, which may collect and process your data using industry standard technologies to help us monitor and improve our newsletter. MailerLite’s Privacy Policy is available at https://www.mailerlite.com/legal/privacy-policy. You can unsubscribe from our newsletter by clicking on the unsubscribe link provided at the end of each newsletter.”.
1. The right to know about personal information your business collects about California residents (and how it’s used and shared)
California residents should be allowed to contact you via at least two different contact methods (this could be an email, contact form or in any other way) and ask for exact personal information you have collected about them, where you collected this information, for what purpose you use it (e.g. to send goods, invoices, newsletters, etc.), what information and to which third parties you sell, disclose or share the information.
This information should be provided free of charge for the 12-month period preceding the request and within 45 days from receiving it (in some cases it might be extended for 45 more days).
Do you track where your consumers reside at the moment? For most companies, the answer is ‘no’. Therefore, in case your client wants to know or delete their personal information, treat them as a California resident.
2. The right to delete personal information collected from consumers
California residents should be allowed to contact you via at least two different contact methods (this could be an email, contact form or in any other way) in order to ask for the deletion of their personal data. You should make sure that you respond to their request within 45 days of receiving it (in some cases it might be extended for 45 more days).
Have a mechanism in place to map all the information you collect about your consumer. It will be way easier in case you need to provide the consumer with their collected information or delete it from your databases.
If you use MailerLite, you can check how to see and delete all saved information in the video tutorial below. The GDPR tools also apply for CCPA.
3. The right to opt-out of the sale of personal information
If you sell personal information of your clients, you should provide a ‘Do Not Sell My Personal Information’ link on your website, so your clients can submit their opt-out request. In addition to that, you should include the same link in your Privacy Policy, as well as the rules on opting-out. In case you don’t sell their personal information, you should include this as a statement in your Privacy Policy.
Usually the ‘Do Not Sell My Personal Information’ link is provided at the end of the website. T-Mobile and Bloomingdale's are both good examples, you can see them below.
Moreover, in case you sell personal information of minors (13-16 years old), you should make sure to receive prior cookie consent from them before selling their information.
If minors are younger than 13 years old, it is necessary to obtain consent from their parents or guardians. You should ensure that you keep the consents saved in your databases in case you ever need to prove that such consents were obtained.
4. The right to non-discrimination for exercising their CCPA rights
As consumers have all the rights mentioned in points 1-4 above, you should ensure that in case your clients decide to exercise any of these rights, they won’t be discriminated against for that. Non-discrimination means that the services will continue to be provided. Different prices or a different level/quality of goods or services will not be applied to these consumers.
Keep in mind that if a person contacts you asking to see or delete their personal information, or to opt-out of the sale of their personal information, you should make sure to verify their identity and determine that this person is actually your client.
Do not hurry to perform a person's request without double-checking and verifying them because it might cause you some real trouble.
CCPA applies to my business. What does this mean for my email marketing?
As you’ve already suspected, CCPA will call for some tweaks to your daily business practices, including your email marketing.
Here are the things to keep in mind when sending your regular marketing emails:
1. If the consumer asks to delete their personal information, don’t forget that their email address is considered personal data as well. You can no longer send any emails to this consumer and you should inform all third parties to which you sold or transferred the email address accordingly.
2. Together with your subscriber’s name and email address, all related email data should be deleted as well. Make sure to have a mechanism in place to map all the data that’s related to each subscriber.
3. Every consumer should be allowed to opt-out from marketing emails from you and all third parties to which you sold the consumer’s email. Please keep in mind that according to the CCPA, ‘sell’, ‘selling’, ‘sale’, or ‘sold’, means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
CCPA penalties and violations explained
In case of a violation of CCPA, the penalty is up to USD 2,500 and up to USD 7,500 per intentional violation (they actually give you 30 days to resolve the issues and if it is not resolved, you are fined).
Additionally, California consumers can sue you in case of a data breach when non-encrypted and non-redacted personal information was stolen in a data breach as a result of your failure to maintain reasonable security procedures and practices to protect it.
Your consumers might sue you for the number of monetary damages or ‘statutory damages’ they have actually suffered of up to USD 750 per incident. In case of suing for ‘statutory damages’, the consumer should offer written notice of which CCPA sections were violated and give you 30 days to make a written statement that you have cured the violations and that no further violations will occur.
Though it looks like a fine of USD 750 isn’t that high, if you have 10,000 clients and all of their data was lost, then you are already looking at USD 7,500,000!
CCPA versus GDPR
Somewhere throughout this article you might have thought: “So how does the CCPA differ from the GDPR?” Good question. Let’s have a look.
For the most part, there are a lot of similarities. Both are about the security of your customers’ personal information. Therefore, complying with CCPA will be way easier if you are already compliant with GDPR.
You should be well-prepared for CCPA if you:
Educated yourself about data protection overall
Prepared a Privacy Policy
Implemented practices for consumers to know and delete all collected personal information, as well as organizational and technical security measures
How about the differences?
| CCPA | GDPR |
|---|---|
| Applicable to for-profit businesses (that meet certain requirements) that collect personal information directly from California residents. | Applicable to all data collected about EU citizens and residents. |
| CCPA penalties have no ceiling and are assessed on a per violation basis. | GDPR penalties for data breaches are capped based on a company’s annual revenue. |
| CCPA does not require a consent to collect personal data, it just allows the consumers to opt-out of it. | GDPR requires consumers consent to opt-in. |
| CCPA requires giving consumers only a notice before the sale and transfer of their data. | GDPR business should receive a consent in order to transfer personal data to third parties. |
Both GDPR and CCPA were created to protect the personal information of consumers. As CCPA was created after GDPR, it is believed that it took all the best practices and transferred it in order to protect California residents.
However, if you are preparing to be compliant with CCPA, don't forget to make sure that you have implemented all of the mandatory requirements.. To help you with this, we prepared a CCPA compliance checklist.
CCPA compliance checklist
✅ Make sure that CCPA is applied to you.
✅ Supplement your Privacy Policy describing the four main rights and how you implement it. State how user data is being collected and used.
✅ Prepare and publish your notice at collection.
✅ If you sell personal data of California residents, have a mechanism ready that collects consents of minors (13-16 years can make a consent themselves, younger than 13 years old should ask their parents’ or guardians’ consent).
✅ Prepare at least two contact methods (email, customer support, special forms on your website, etc.) for your consumers to contact you, in case they want to know what personal information is collected and/or ask for a deletion of this information.
✅ Introduce an internal system for the verification of the identity of consumers making any of the requests.
✅ In case consumers want to know or delete their personal information, have an internal procedure in place to be able to map all of the information collected about each consumer.
✅ Prepare a ‘Do Not Sell My Personal Information’ link on your website.
✅ Evaluate security risks and implement the appropriate technical and organizational measures to ensure a level of security.
Do you have questions about CCPA? Let me know in the comments, I’m available to answer any questions.
