CCPA (California Consumer Privacy Act) gives California residents the right to know what personal data you collect, to have it deleted, and to opt out of its sale. For email marketers, this means honoring data deletion requests (which includes email addresses), providing a 'Do Not Sell My Personal Information' link if you share subscriber data with third parties, and maintaining records of consent. CCPA doesn't replace CAN-SPAM — both apply simultaneously.
CCPA and Email Marketing: What California Law Requires
CCPA and Email: What You Need to Know
CCPA isn't an email law — it's a data privacy law. But since email addresses are personal information, every email marketing program that touches California residents needs to comply. See our GDPR guide for EU-specific requirements.
Who CCPA Applies To
CCPA applies to for-profit businesses that meet any one of these thresholds:
- Annual gross revenue over $25 million
- Buy, sell, or share personal information of 100,000+ California consumers, households, or devices
- Derive 50% or more of annual revenue from selling personal information
If you meet any threshold, CCPA covers your email marketing to California residents regardless of where your business is located.
CCPA Rights That Affect Email Marketing
Right to Know
California residents can request:
- What personal information you've collected (including email address, name, activity data)
- What categories of sources you collected it from
- Your business purpose for collecting it
- What third parties you've shared it with
Email impact: You need systems to respond to these requests within 45 days.
Right to Delete
Consumers can request deletion of their personal information.
Email impact: A deletion request means removing the email address from all lists, suppression lists, analytics databases, and backup systems. This goes beyond unsubscribe — it's full data erasure.
Practitioner note: The deletion requirement is where most email programs struggle. Unsubscribing is easy — you add the address to a suppression list. Deletion means removing it from the suppression list too, which means you could accidentally re-add them later from an old import. Build your data architecture to handle this.
Right to Opt Out of Sale
If you sell or share email subscriber data with third parties, consumers can opt out.
Email impact: If you share lists with partners, co-registration services, or data brokers, add the "Do Not Sell My Personal Information" link. Process opt-out requests immediately.
CCPA Compliance Checklist for Email
- Privacy policy updated with CCPA disclosures
- Data inventory documents what subscriber data you collect and where it's stored
- Deletion request process can fully remove an email address from all systems
- "Do Not Sell" mechanism in place (if you share subscriber data)
- Data access request process can report all data held on a specific subscriber
- Response timelines are within 45 days
- Age verification for consumers under 16 (opt-in required for selling their data)
CCPA vs GDPR vs CAN-SPAM
| Requirement | CAN-SPAM | CCPA | GDPR |
|---|---|---|---|
| Opt-in required | No | No | Yes |
| Unsubscribe mechanism | Yes | N/A (data law, not email law) | Yes |
| Right to deletion | No | Yes | Yes |
| Right to access data | No | Yes | Yes |
| Opt-out of data sale | No | Yes | N/A (consent required) |
| Physical address in email | Yes | No | No |
| Penalty per violation | $51,744/email | $2,500-$7,500/violation | Up to 4% of revenue |
Practitioner note: The companies that struggle most with CCPA are the ones using email addresses across 15 different systems — CRM, ESP, analytics, data enrichment, retargeting, partner tools. A deletion request means finding and removing that address from all 15. Document your data flow before you get a request.
CPRA Updates (2023+)
The California Privacy Rights Act (CPRA) amended CCPA and added:
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
- Creation of the California Privacy Protection Agency (CPPA) for enforcement
These additions don't fundamentally change email marketing obligations but strengthen enforcement and add the correction right.
v1.0 · April 2026
Frequently Asked Questions
Does CCPA apply to email marketing?
Yes. Email addresses are personal information under CCPA. If you collect email addresses from California residents and meet CCPA's thresholds (annual revenue over $25M, data on 100K+ consumers, or 50%+ revenue from selling data), CCPA applies to your email marketing program.
How is CCPA different from CAN-SPAM for email?
[CAN-SPAM](/email-deliverability/can-spam-compliance-guide) regulates the content and sending of commercial email. CCPA regulates how you collect, store, share, and delete personal data including email addresses. You must comply with both. CAN-SPAM is opt-out only; CCPA adds data rights (access, deletion, opt-out of sale) on top.
Do I need a 'Do Not Sell' link in my emails?
Only if you sell or share subscriber personal information with third parties. If you share email lists with partners, sell data to advertisers, or use third-party data enrichment services, you need the 'Do Not Sell My Personal Information' link. If you don't share data, you don't need it — but you still need to comply with CCPA's other requirements.