The power of email marketing undoubtedly remains strong, but it’s crucial to prioritise consumer privacy due to the global privacy revolution. In short, compliance with email marketing laws is essential, especially in California. Understanding the 6 best practices for CCPA email marketing can make this easier, and this blog is all about it.
An overview of the California Consumer Privacy Act (CCPA)
The CCPA is a Californian data privacy law and its introduction has significantly empowered consumers in the realm of data management. Upon its enactment in 2020, California residents embraced the law, recognising its potential to enhance data protection and privacy rights.
The main objective of the CCPA is to regulate the processing of personal information by businesses and give consumers rights such as the right to know, correct and delete. Furthermore, the law mandates businesses to follow CCPA requirements such as displaying a privacy policy and notice at collection, or allowing consumers to opt out of personal data sales.
Even though the CCPA does not specifically address email marketing, these regulations also apply to email marketing campaigns targeting Californians, as email addresses and names are considered personal data.
- Generated an annual revenue greater than $25 million in the preceding year
- Buy, sell, or share personal data of at least 100,000 consumers
- Derived 50% or more of the annual revenue from the sale of personal data
The numerical threshold was raised by 50% from 50,000 to 100,000 consumers by the CPRA amendments in 2023.
What are the CCPA requirements for email marketing?
Keep the following rules in mind while making or updating your email marketing strategies to build trust with your customers and to avoid enforcement actions from the Attorney General.
Transparency requirements
The CCPA places a strong emphasis on transparency and requires businesses to provide CCPA disclosures such as a privacy policy and notice at collection.
A privacy policy is a document that discloses the data handling practices of a business. It is usually longer and contains information about the types of data that the business collects, the purposes for which they are collected, the data retention period, consumer rights, methods to exercise them, contact information of the business, etc.
A notice at collection is shorter than a privacy policy and is given at or before the point of data collection.
Consumer request obligations
In line with most privacy protection laws, the CCPA obliges businesses to establish methods for consumers to exercise their rights. Examples include an email address, opt-out links and online forms.
They also need to fulfil such requests promptly. For example, stop selling personal information once a consumer opts out using the “Do not sell/share my personal information” link.
Marketers often share or sell the personal information of consumers such as email addresses to expand their customer base. However, the CCPA regulates this practice by restricting businesses from selling or sharing consumer data once they exercise their right to opt-out.
Data security requirements
Secure consumer data privacy and prevent data breaches by implementing cybersecurity measures.
Third-party compliance
Ensure that any third party or service provider who receives personal data from you, such as an email marketing platform, complies with CCPA regulations.
6 best practices for CCPA compliance in email marketing
Discover the best practices for CCPA email marketing in this section and become CCPA-compliant.
Best practice #1: Inform consumers about your data practices
Businesses sending emails for marketing purposes must ensure that they provide a privacy policy to consumers.
Pay attention to the following points on transparency:
- Include all the necessary information as required by the CCPA privacy policy standards
- Specify what personal data you use for email marketing and what consumers can do about it
- Make the policy straightforward and avoid jargon
- Provide your contact information in the policy
- Display it conspicuously on your website
- Make sure to regularly review and update your privacy policy, especially when there are significant changes
- Confirm that no links in the privacy policy are broken
Best practice #2: Unsubscribe link
When compared with the General Data Protection Regulation (GDPR), CCPA does not explicitly require consent to use personal information, even for marketing emails. However, allowing consumers to opt out of marketing mail is important, especially under the CAN-SPAM Act. It is a federal law covering Californians which cannot be overlooked.
Therefore, businesses must provide an unsubscribe button in every email. Keep your email list updated and remove unsubscribers.
Furthermore, CAN-SPAM prevents businesses from giving misleading subject lines and requires them to provide contact information in marketing emails. Obtaining explicit consent from consumers is a great practice to comply with the CAN-SPAM provisions.
Best practice #3: Enable opt-out control
This is one of the notable provisions that makes CCPA distinct from GDPR. While GDPR prioritises opt-in consent as a legal basis for processing personal data, CCPA only requires businesses to allow consumers to opt out of the sale of their personal information.
Marketing emails usually direct recipients to take action on landing pages or homepages, and that is where cookie opt-out banners play an important role. If your website uses third-party cookies, it might trigger the CCPA opt-out provisions.
Pay attention to the following points on CCPA opt-out for your website:
- Geo-target Californians to deploy an opt-out banner
- Allow consumers to make a real choice rather than an influenced one
- Do not use dark patterns to manipulate user choices
- Link cookie policy in the banner
- Implement “Do not sell/share my personal information” link
- Record and document user preferences
- Make sure that the consent log is updated
Imagine being able to accomplish all of these tasks in a single location. This is precisely where our expertise lies. CookieYes CMP is best known for its advanced and user-friendly features that deploy opt-out banners to consumers. We are proactive and focused on giving the best cookie compliance tool for our customers.
Best practice #4: Keep the email list confidential
Fortify your safeguards to protect the customer data collected for email marketing purposes. Restrict access to designated individuals as necessary, use security measures such as encryption, and identify any associated risks. While choosing email service providers, look for CCPA-compliant ones.
Best practice #5: Honour consumer rights
Be proactive in responding to consumer requests for exercising their CCPA rights. For this, create a response plan to handle consumer requests. The prescribed time to respond to opt-out requests is 15 days. For other requests such as for deletion or correction, you may take 45 days to respond. This can be extended by another 45 days if necessary.
Furthermore, you are responsible for informing consumers of their CCPA rights. Achieve this by providing it in your privacy policy.
Best practice #6: Avoid secondary uses of personal information
Purpose limitation is a key CCPA requirement and requires businesses to limit the use of consumers’ personal information to the original purpose. Therefore, the email address used by a consumer to sign up for your marketing newsletter should only be used for that purpose.
Utilising tools for compliance
Email marketing is a powerful tool for promoting your business, but it is pertinent to wield it responsibly. Creating an email marketing campaign is quite a demanding task, especially when it comes to ensuring compliance with privacy regulations. The good news is technological developments have made it easier.
There are tools to automate the email process, maintain email lists, track analytics, or display “do not sell my personal information”.
You may consider several factors before choosing the software that best suits your business needs. Here are a few points to consider.
Features
Look at the product’s capabilities and determine whether they meet your requirements. Customisable templates, scalability, easy integrations, segmentation, workflows, and analytics are some of the features you should seek.
Pricing
Compare the pricing plans offered by different service providers, understand the price per mail and whether there are any additional charges. Choose one that suits your needs and budget.
Deliverability
Search for tools that have a high deliverability rate and those that are capable of identifying and fixing spam issues.
Privacy compliance
Email marketing campaigns are not just about selling your services but also about doing it securely. Ensure that the platform complies with the relevant privacy laws including CCPA and CAN-SPAM Act. Furthermore, opt for services that prioritise data security.
Customer support
This is another important factor in choosing a suitable email marketing platform. Confirm that they have reliable customer support in the preferred channel such as a live chat or phone-in-support to receive assistance.
Reviews
Going through customer reviews is a good way to see what the product exactly does and to confirm that their claims are honest. G2 and Trustpilot are two platforms where you can find reviews.
HubSpot, Brevo, Mailtrap and Mailchimp are some of the email marketing platforms in the SaaS market. For implementing “Do not sell my personal information” links and deploying opt-out banners to comply with CCPA, use CMPs like CookieYes.
What is the penalty for non-compliance?
The California Privacy Protection Agency and the California AG enforce CCPA. They are empowered to initiate legal action for a penalty ranging from $2500 to $7500 per violation depending on several factors. Intentional violations are prone to higher fines. The factors that are used to determine the fines include the nature of the violation, its effect, frequency, revenue of the business, etc.
Furthermore, the CCPA allows a limited private right of action that can be exercised if a data breach occurs.
FAQ on CCPA email marketing
Email addresses and names come within the definition of personal information under CCPA. Therefore CCPA applies to email marketing even though the law does not explicitly provide specific guidelines.
Though CCPA employs an opt-out approach, the US CAN-SPAM Act requires consent to send marketing emails.
The California Privacy Rights Act merely extends the CCPA and does not serve as a substitute for it. Therefore, both legislations are the same and carry the same obligations.