The California Consumer Privacy Act (CCPA, amended by the CPRA) gives California residents the right to know what personal data you collect, to have it deleted, to opt out of sales and sharing of that data, and not to be discriminated against for exercising those rights. For email marketers: you must honor deletion requests, provide a 'Do Not Sell or Share My Personal Information' link if you sell or share data with third parties, and disclose your data collection practices. Unlike GDPR, CCPA doesn't require consent before sending marketing email; CAN-SPAM governs that.
CCPA and Email Marketing: What California Law Requires
CCPA Basics for Email Marketers
The California Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA) effective January 2023, governs how businesses handle California residents' personal data. Email addresses are personal information under CCPA.
Key distinction: CCPA doesn't regulate email sending — that's CAN-SPAM. CCPA regulates what you do with personal data, including email addresses, once collected.
Who Must Comply
CCPA applies if you collect California residents' personal information AND meet any one of these thresholds:
- Annual gross revenue over $25 million in the preceding calendar year (the CPPA adjusts this figure for inflation periodically)
- Buy, sell, or share the personal information of 100,000 or more California consumers or households annually (the CPRA removed "devices" from this threshold)
- Derive 50% or more of annual revenue from selling or sharing California consumers' personal information
If you don't meet any threshold, CCPA doesn't apply — but other state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA) may, with different thresholds.
Consumer Rights Under CCPA
Right to Know
California consumers can request disclosure of:
- What categories of personal information you collect
- The sources of that information
- Your business purpose for collecting it
- Categories of third parties you share it with
- The specific pieces of personal information you hold about them
For email marketing, this means disclosing: their email address, engagement data, any profile data, consent records, and purchase history linked to their email.
Right to Delete
Consumers can request deletion of their personal information. You must delete it, direct your service providers and contractors to delete it, and notify any third parties you sold or shared it with. Exceptions exist, for example completing a transaction the consumer requested or meeting a legal obligation, but marketing data has no such exception and must be deleted on request.
Right to Opt Out of Sales/Sharing
If you sell or share personal data with third parties (including data brokers, advertising partners, or co-marketing partners), consumers can opt out. You must provide a clear "Do Not Sell or Share My Personal Information" link on your website.
Important for email: under the CPRA, "sharing" has a narrow meaning (disclosing personal information for cross-context behavioral advertising), while handing your list to a partner, affiliate, or co-marketing company for its own use in exchange for anything of value is a "sale". Either one triggers the opt-out, and consumers can opt out of this specific use without unsubscribing from your own email.
Right to Non-Discrimination
You cannot penalize consumers for exercising CCPA rights — no degraded service, no different pricing, no reduced access.
Practitioner note: The most common CCPA compliance gap I see in email marketing is list sharing. Companies share email lists with partners for co-branded campaigns and don't realize this triggers the "Do Not Sell or Share" requirement. If you ever share your list with anyone, you need the opt-out mechanism.
CCPA vs. GDPR vs. CAN-SPAM
| Requirement | CAN-SPAM | GDPR | CCPA |
|---|---|---|---|
| Consent to send email | No (opt-out model) | Yes (opt-in) | No (not addressed; CAN-SPAM applies) |
| Unsubscribe required | Yes (within 10 business days) | Yes (immediately) | N/A |
| Right to data deletion | No | Yes (30 days) | Yes (45 days) |
| Right to access data | No | Yes (30 days) | Yes (45 days) |
| Data sale opt-out | No | N/A | Yes |
| Business size threshold | None | None | Yes (any of: $25M+ revenue, 100K+ consumers or households, 50%+ revenue from selling/sharing) |
| Fines | Up to roughly $50K per email | Up to 4% of global turnover or €20M | $2,500 per violation, $7,500 if intentional or involving minors |
The practical impact: if you're GDPR-compliant, you're already meeting most CCPA requirements. CCPA is less restrictive for email sending but adds the data sale/sharing dimension.
Compliance Requirements for Email
Privacy Policy
Your privacy policy must disclose:
- Categories of personal information collected (email address, engagement data)
- Business purposes for collection (email marketing, transactional communication)
- Categories of third parties you share data with
- Consumer rights and how to exercise them
"Do Not Sell or Share" Link
Required on your website if you sell or share personal data with third parties. Must be a clear, conspicuous link; most companies place it in the footer next to the privacy policy. The CPRA regulations also require you to honor opt-out preference signals such as Global Privacy Control (GPC) sent by the visitor's browser, so the link is not the only opt-out channel you must support.
Data Request Process
You need a documented process for handling consumer requests:
- At least two designated methods for submitting requests; a toll-free number is required unless you operate exclusively online and have a direct relationship with the consumer, in which case an email address is enough, and a business with a website must also offer a web form
- Verify the consumer's identity before fulfilling a request, to a degree of certainty that matches the sensitivity of the data (confirming control of the email address on file is a common minimum)
- Confirm receipt within 10 business days and respond within 45 calendar days (one 45-day extension, to 90 days total, is allowed with notice to the consumer)
- Provide data in a portable, machine-readable format
Record Keeping
Maintain records of consumer requests and how you responded (date received, nature of the request, how the requester was verified, date and substance of your response, and the basis for any denial) for at least 24 months.
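The request process and record-keeping rules above are easier to get right when the deadline arithmetic, the verification gate, the provider fan-out on deletion and the 24-month log live in one place. The following is an added example, not code from the original page or from any ESP: an in-memory tracker over constructed sample contacts. The contact store, the "service provider" copies, the one-time verification code, and the hashed suppression entry kept after deletion (a design choice so a deleted address is not re-mailed if it re-enters the list) are all assumptions, and the 24-month retention is approximated as 730 days.

```python
"""CCPA consumer-request tracker for an email-marketing contact store.
Added example, not the page's code. The contact store, the service-provider
copies and the verification channel are simulated in memory (assumptions)."""
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

RESPONSE_DAYS = 45      # statutory window, calendar days
EXTENSION_DAYS = 45     # one extension with notice: 90 days total
RETENTION_DAYS = 730    # roughly 24 months of request records (simplification)

# Constructed sample data: one contact record per address, plus the providers holding copies.
CONTACTS: Dict[str, dict] = {
    "alice@example.com": {"engagement": {"opens": 12, "clicks": 3}, "profile": {"state": "CA"},
                          "consent": {"source": "web form", "date": "2025-02-01"}, "purchases": ["order-1001"]},
    "bob@example.com": {"engagement": {"opens": 0, "clicks": 0}, "profile": {},
                        "consent": {"source": "checkout"}, "purchases": []},
}
PROVIDER_COPIES: Dict[str, set] = {"esp": {"alice@example.com", "bob@example.com"}, "crm": {"alice@example.com"}}


@dataclass
class ConsumerRequest:
    rid: int
    kind: str               # "know" or "delete"
    email: str
    received: date
    due: date
    extended: bool = False
    verified: bool = False
    fulfilled_on: Optional[date] = None
    outcome: Optional[str] = None


class RequestTracker:
    def __init__(self, contacts: Dict[str, dict], providers: Dict[str, set]) -> None:
        self.contacts, self.providers = contacts, providers
        self.log: Dict[int, ConsumerRequest] = {}   # the 24-month record of requests and responses
        self.suppressed: set = set()                # sha256 of deleted addresses (design choice, see fulfil)
        self._codes: Dict[int, str] = {}            # one-time codes "sent" to the on-file address (simulated)

    def open_request(self, kind: str, email: str, received: date) -> ConsumerRequest:
        if kind not in ("know", "delete"):
            raise ValueError(kind)
        rid = len(self.log) + 1
        req = ConsumerRequest(rid, kind, email.lower(), received, received + timedelta(days=RESPONSE_DAYS))
        self.log[rid] = req
        self._codes[rid] = hashlib.sha256(f"{rid}:{req.email}".encode()).hexdigest()[:8]
        return req

    def verify(self, rid: int, code: str) -> bool:
        """Identity check before any disclosure or deletion: the address must be on file
        and the requester must echo the code sent to it."""
        req = self.log[rid]
        req.verified = req.email in self.contacts and code == self._codes[rid]
        return req.verified

    def extend(self, rid: int) -> date:
        req = self.log[rid]
        if req.extended:
            raise ValueError("only one 45-day extension is allowed")
        req.extended, req.due = True, req.due + timedelta(days=EXTENSION_DAYS)
        return req.due

    def fulfil(self, rid: int, today: date) -> str:
        req = self.log[rid]
        if not req.verified:
            raise PermissionError("identity not verified; do not disclose or delete")
        record = self.contacts[req.email]
        if req.kind == "know":
            # Right to know: everything linked to the address, in machine-readable form.
            payload = dict(record, email=req.email,
                           shared_with=sorted(n for n, c in self.providers.items() if req.email in c))
            result = json.dumps(payload, indent=2, sort_keys=True)
        else:
            # Right to delete: remove locally, direct every provider to delete, and keep only a
            # hash so the address is not re-mailed if it re-enters the list (an unsubscribe record).
            del self.contacts[req.email]
            for copies in self.providers.values():
                copies.discard(req.email)
            self.suppressed.add(hashlib.sha256(req.email.encode()).hexdigest())
            result = "deleted"
        req.fulfilled_on = today
        req.outcome = "late" if today > req.due else "fulfilled"
        return result

    def is_suppressed(self, email: str) -> bool:
        return hashlib.sha256(email.lower().encode()).hexdigest() in self.suppressed

    def overdue(self, today: date) -> list:
        """Open requests past their deadline: the 45-day tracking the checklist asks for."""
        return [r.rid for r in self.log.values() if r.fulfilled_on is None and today > r.due]

    def purge_log(self, today: date) -> int:
        """Drop closed requests once the retention period has passed."""
        stale = [rid for rid, r in self.log.items()
                 if r.fulfilled_on and r.fulfilled_on + timedelta(days=RETENTION_DAYS) < today]
        for rid in stale:
            del self.log[rid]
        return len(stale)


def build_sample() -> RequestTracker:
    """Fresh tracker over copies of the constructed sample data."""
    return RequestTracker({k: dict(v) for k, v in CONTACTS.items()},
                          {k: set(v) for k, v in PROVIDER_COPIES.items()})
```

The two points worth carrying into a real system are the ordering and the residue: nothing is disclosed or deleted until `verify` has succeeded, and a deletion leaves behind only a hash of the address, which is enough to honor the CAN-SPAM opt-out if the person is later re-added from another source but is not the personal information the consumer asked you to delete.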
Practitioner note: Most email marketers overestimate CCPA's email-specific requirements and underestimate the data handling requirements. You don't need consent to send email (that's CAN-SPAM), but you do need a real process for data deletion requests. "We'll get to it eventually" isn't compliance.
Practical Compliance Checklist
- Determine if CCPA applies to your business (revenue/data thresholds)
- Update privacy policy with required disclosures
- Add "Do Not Sell or Share" link if you share data with third parties
- Create a data request intake process (web form + email)
- Document your identity verification process for requests
- Ensure your ESP can export and delete individual contact data
- Train staff who handle consumer requests
- Set up 45-day response tracking for requests
- Review data sharing agreements with third parties
- Implement reasonable security for personal information (this is the one CCPA provision with a private right of action: a breach caused by a failure to maintain reasonable security exposes you to statutory damages of $100 to $750 per consumer per incident)
ESP Compliance Features
Most major ESPs have built-in CCPA compliance tools:
- Mailchimp — GDPR/CCPA consent fields, data export, individual deletion
- Klaviyo — Data portability, deletion API, privacy compliance center
- HubSpot — Data deletion, consent management, privacy settings
- ActiveCampaign — Contact data export, deletion, GDPR/CCPA fields
For businesses needing comprehensive consent management across multiple tools, platforms like OneTrust or Osano centralize consent tracking and automate request fulfillment.
The Bottom Line
CCPA compliance for email marketing is mostly about data handling, not email sending. If you're already following CAN-SPAM (working unsubscribe, no deceptive headers) and can handle data deletion requests, you're most of the way there. The biggest gap is usually around data sharing with third parties — if you share lists, you need the opt-out mechanism.
If you're unsure about your compliance posture across CAN-SPAM, GDPR, and CCPA, schedule a consultation — I'll audit your email data practices and identify any gaps.
Sources
- California Attorney General: CCPA Information
- CPPA: CPRA Regulations
- IAPP: CCPA vs GDPR Comparison
- FTC: CAN-SPAM Act
v1.0 · March 2026
Frequently Asked Questions
Does CCPA require consent to send marketing emails?
No. CCPA doesn't regulate email consent — that's CAN-SPAM's domain. CCPA governs how you collect, store, share, and delete personal data (including email addresses). You can send marketing email to California residents under CAN-SPAM rules, but you must honor CCPA data rights requests.
Who does CCPA apply to?
Businesses that collect California residents' personal information AND meet one of three thresholds: annual gross revenue over $25 million, buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of revenue from selling or sharing personal information.
How is CCPA different from GDPR for email?
GDPR requires opt-in consent before marketing email. CCPA doesn't regulate email consent (CAN-SPAM does). GDPR applies to EU residents regardless of business size. CCPA applies only to businesses meeting revenue/data thresholds. CCPA focuses on data sales and sharing; GDPR focuses on all data processing.