How to run CCPA-compliant email marketing campaigns
Email marketing is one of the most powerful ways to drive conversions, with half of customers stating they’ve made a purchase from an email in the past couple of years.
But marketing teams that want to leverage this valuable channel need to understand how to do so while maintaining data privacy compliance.
Email marketing is facing increasing scrutiny under California’s privacy laws. The California Consumer Privacy Act (CCPA), as amended and expanded by the California Privacy Rights Act (CPRA), has broadened companies’ responsibilities, especially around the selling or sharing of personal information.
Now, even standard email workflows like confirmations and promotions can introduce compliance risks when they involve customer data. If you don’t manage those risks properly, they can result in fines, legal claims, and damage to your brand’s reputation.
This guide outlines how to run email campaigns that can comply with CCPA requirements, without compromising marketing performance. We explain what California’s privacy laws say about email marketing, how these rules apply to common workflows, and some best practices for achieving regulatory compliance.
At a glance
- If your email marketing practices involve collecting, using, or tracking personal identifiers, including email addresses, then the CCPA/CPRA likely applies.
- Email addresses count as personal information, even more so when you attach opens, clicks, or other behavioral data to them.
- The CPRA widened the CCPA’s reach, so employee and B2B contacts now get the same data rights as consumers (deletion, correction, opting out of sale or sharing, and more).
- Compliance with the California privacy laws requires clear notices, a working “Do Not Sell or Share” option where relevant, and a swift response to consumer requests.
- Messy workflows introduce risk, so keep an eye out for undisclosed third parties, broken opt-outs, weak security, or the use of data for purposes or timeframes beyond what you originally promised.
What the CCPA means for email marketing
The California Consumer Privacy Act (CCPA) is a privacy law that gives California residents rights over how organizations collect, use, sell, and share their personal information. Its amendment, the California Privacy Rights Act (CPRA), strengthens these rights by expanding the legal definitions and adding more rules for businesses.
Together, they require organizations to be transparent about data practices and give people choices about how their data is handled.
Unlike many other data privacy regulations around the world, the CCPA does not in most cases require companies to obtain prior consent before collecting and processing personal data from California residents. They have to meet notification requirements about data use and enable clear opt-out options. The main exceptions are opt-in cases: a business may not sell or share the personal information of a consumer it knows is under 16 without affirmative authorization, and financial incentive programs such as a discount in exchange for an email address require opt-in consent.
Email marketing falls under the CCPA/CPRA whenever it involves collecting or tracking personal information. That includes any information that could be used to identify someone, such as names, birthdates, and email addresses.
Since marketing emails often involve using or tracking personal information on some level, campaigns are often subject to these laws.
When your email marketing strategies fall under the CCPA/CPRA, you must uphold the following consumer rights:
Consumers rights under the CCPA/CPRA
Right to delete
Consumers can request that businesses delete their personal information that was collected from the consumer.
Right to correct
Consumers can request a business to correct any incomplete or inaccurate personal information that it holds.
Right to know and access
Consumers have a right to know and access the categories of personal information the business holds about them, the purposes for collecting the information, where the business obtained the information from, categories of third parties who receive the information, and the specific personal information the business has collected about the consumer.
Right to know regarding sale or disclosure
Consumers have the right to know the categories of personal information the business holds, and the categories of personal information sold, shared, or disclosed; and the categories of third parties to whom it is sold, shared, or disclosed.
Right to opt out
Consumers have the right to opt out of the sale or sharing of their personal information.
Right to limit
Consumers have the right to limit the use or disclosure of their sensitive personal information.
Right of nondiscrimination
Consumers have the right not to be discriminated against for exercising any of their rights under the law.
Is an email address personal information under the CCPA?
An email address does count as personal information under the CCPA because it can identify a specific person. That remains true whether it is collected and used alone or combined with other identifiers like location or engagement history.
Most marketing automation platforms use email lists to run campaigns. Whenever these tools collect or use that data, they’re processing personal information. As the business that decides how the data is used, your company is responsible for making sure these service providers process it in line with CCPA/CPRA requirements, which means a written service-provider contract, not just a vendor’s own assurances.
For example, email marketing analytics tools may track open rates and record that activity alongside the customer’s email address. The system must be set up to support CCPA rights including:
- Enabling each customer to understand how their data is used
- Supporting requests to have these records deleted
- Respecting when consumers opt out of having this data sold or shared
Do employee and B2B emails fall under the CCPA?
Employee and B2B emails are now subject to CCPA requirements. The exemptions for employee and business-contact data expired on January 1, 2023, under the CPRA, which means professional contact details now get the law’s full set of protections. Professional contact details were always personal information; what changed is that the obligations attached to them now apply.
As a result, you must provide the same rights for workers and business contacts as for consumers. You must disclose your data handling practices and honor any requests to delete contact details, correct inaccurate data, or opt out of sharing email addresses.
Which businesses have to comply with the CCPA’s email marketing requirements?
The CCPA doesn’t apply to every company that operates in California. Only for-profit companies that do business in California and meet at least one of the following criteria must comply with its terms:
- Generate over USD 25 million in gross annual revenue (adjusted according to the Consumer Price Index every two years)
- Derive 50 percent or more of their annual revenue from selling or sharing personal information
- Buy, sell, or share the personal information of 100,000 or more California residents or households each year
Once your business hits one of these thresholds, you immediately become subject to CCPA requirements, and you must be prepared to take relevant measures to achieve email marketing compliance.
Note that the CCPA can apply to your company regardless of its physical address. You might be headquartered in another US state or operate from abroad but still fall under the law’s scope. What matters is whether you process information belonging to California residents.
Best practices for CCPA-compliant email marketing
Email marketing uses personal information at multiple points, so each step must align with CCPA requirements. The following practices can act as a CCPA compliance checklist for applying the law’s core principles to your workflows.
1. Inform consumers of your data practices
Clarify how you collect and use personal information throughout your email marketing workflows. This helps you uphold California residents’ right to know and their right to be informed of how to opt out of the sale and sharing of their personal information.
Start by providing a privacy notice alongside any pop-ups or forms where you capture users’ email addresses. The notice should explain why you need their contact details, what you plan to do with the information, and whether you’ll track their engagement data.
Additionally, publish an email marketing privacy policy somewhere on your website and link to it in your marketing emails. This document should outline your data collection practices in terms of email marketing activities and clarify how customers and email list subscribers can exercise their rights under the CCPA.
If you disclose consumer data to other parties, include details in both your notices and privacy policy. You must describe what personal information you disclose, with whom, and for what purpose. The law treats recipients differently: your customer relationship management (CRM) software, analytics tools, and email service providers normally act as service providers or contractors, which requires a written contract limiting their use of the data to the services they perform for you, while passing data to advertising partners or agencies for their own purposes can count as selling or sharing, which triggers the opt-out rules described in the next step.
2. Give consumers control over their data
Make it easy for individuals to decide how your business can use their personal information. These controls must be visible whenever individuals provide contact details or interact with your marketing messages.
One essential control under the CCPA is letting users opt out of having their personal information sold or shared. If your business sells or shares personal information, including by passing email addresses or engagement data to advertising partners, you must provide an easily accessible “Do Not Sell or Share My Personal Information” link and honor opt-out preference signals such as Global Privacy Control.
Include a clear unsubscribe link in every marketing message, and make sure that unsubscribe and opt-out choices are applied automatically across every system that sends mail or exports lists, not just the platform where the click was recorded. Most email marketing tools include a built-in unsubscribe mechanism; check that it is actually connected to your other platforms rather than assuming it is.
Some users may also want you to delete all the data you have collected. Provide a clear path to submit deletion requests in your privacy policy, such as a form or contact method.
3. Have a process in place for honoring consumer rights
When you receive consumer requests, your company needs a reliable process for verifying and responding to them. The CCPA regulations set the following timeframes:
- 10 business days to confirm receipt of a request to know, delete, or correct (opt-out requests don’t require a confirmation)
- 15 business days to stop selling or sharing personal information after an opt-out request, and to notify any third parties you sold or shared it to in that window
- 45 calendar days from receipt to delete, correct, or provide access to personal information
- up to 45 additional days (90 in total) when reasonably necessary, provided you tell the consumer about the extension and the reason within the first 45 days
Start by identifying the team responsible for handling consumer requests. You should then map where your company stores email addresses and engagement data on your system and communicate to the team where they can find this information.
Make it mandatory to document any requests and responses so your business has full records of compliance.
4. Implement appropriate data security measures
The CCPA requires businesses to implement reasonable security procedures and practices to protect personal information, and it gives consumers a private right of action when a breach results from failing to do so. This involves taking steps to minimize the risk of data breaches and protect subscriber details stored in your system. Here are some practices to follow to prevent unauthorized access:
Data security practices:
- Encrypt data in transit and at rest
- Use role-based access controls so only the people who run campaigns can read or export lists
- Require multi-factor authentication (MFA) for all logins, including to your email service provider and CRM
- Require strong passwords
- Train staff on data protection practices on an ongoing basis
- Continuously monitor your systems for weaknesses or signs of a data breach
Your company is responsible for the data handling by any third-party vendors with which you share email addresses or engagement data.
Vet them thoroughly to confirm they hold relevant security certifications, such as ISO 27001 and SOC 2, and that they meet the same standards for data protection as your business. Additionally, put in place the contract terms the CCPA requires for service providers: the contract must specify the limited purpose for which the vendor processes the data, oblige it to comply with the law, give you the right to audit or otherwise check compliance, and require it to notify you if it can no longer meet its obligations.
5. Comply with purpose limitation and data minimization principles
Only collect the data you need and only use it for the purposes you disclosed in your notice and privacy policy. Doing so lowers your risk of processing someone’s personal information without their knowledge and permission, which is essential for meeting CCPA requirements.
Start by setting strict limits on the consumer data you collect for email campaigns. You should avoid requesting unnecessary information that could identify customers unless you can clearly justify why it’s needed.
For example, don’t ask for sensitive personal information, like health status or ethnic background, unless that information is necessary to the type of content you plan to send and you plan to take the necessary steps for protecting it.
Also, align the content of any messaging with the original marketing purposes someone agreed to at the point of data collection. For instance, you can’t send customers promos if they only signed up for informational newsletters.
6. Keep email lists confidential and up to date
Protect subscribers from unwanted messages by keeping their details secure. Avoid sharing contact details with third parties without permission or mixing email lists from different sources. That way, customers don’t receive communication they haven’t agreed to.
Similarly, make sure your system automatically removes or suppresses a customer’s address when they unsubscribe. Keep a single suppression list and sync it across all your platforms, so that a CRM export or a re-imported event attendee list doesn’t quietly re-add someone who already opted out.
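The following is an added example, not code from the original article or from any vendor named on this page, showing one way to implement the controls described in steps 2 and 6: a single consent registry that every sending and export tool consults. It normalizes addresses so the same person matches across lists with different capitalization or formatting, stores only a hash of each address so the suppression list itself does not leak subscriber details, keeps the unsubscribe choice separate from the “Do Not Sell or Share” choice (they are independent rights), and deduplicates across sources so a re-imported CRM export cannot re-add an unsubscribed contact. All addresses, source names, and the `ConsentRegistry` API are constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Matches the 'Display Name <user@example.com>' form some exports produce.
_ANGLE_FORM = re.compile(r"^.*<([^>]+)>\s*$")


def normalize_email(raw: str) -> str:
    """Canonicalize an address so one person matches across platforms.

    Assumption (not from the original page): the whole address is treated
    case-insensitively, which is how mail providers behave in practice.
    """
    addr = raw.strip()
    match = _ANGLE_FORM.match(addr)
    if match:
        addr = match.group(1).strip()
    return addr.lower()


def email_key(raw: str) -> str:
    """Hash the normalized address; the registry never stores plaintext."""
    return hashlib.sha256(normalize_email(raw).encode("utf-8")).hexdigest()


@dataclass
class Choice:
    """The two CCPA-relevant choices an email contact can make. They are
    independent: opting out of sale/sharing does not stop newsletters,
    and unsubscribing does not by itself restrict sharing with partners."""
    unsubscribed: bool = False
    do_not_sell_or_share: bool = False
    recorded_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class ConsentRegistry:
    """Single source of truth that every sender and list export must consult."""

    def __init__(self) -> None:
        self._choices: dict[str, Choice] = {}

    def record(self, raw: str, *, unsubscribed: Optional[bool] = None,
               do_not_sell_or_share: Optional[bool] = None) -> None:
        choice = self._choices.setdefault(email_key(raw), Choice())
        if unsubscribed is not None:
            choice.unsubscribed = unsubscribed
        if do_not_sell_or_share is not None:
            choice.do_not_sell_or_share = do_not_sell_or_share
        choice.recorded_at = datetime.now(timezone.utc)  # audit trail timestamp

    def choice(self, raw: str) -> Choice:
        return self._choices.get(email_key(raw), Choice())

    def build_audience(self, sources: dict[str, list[str]], purpose: str):
        """Merge several lists and apply the relevant choice for the purpose.

        purpose: "send"  -> a marketing email; blocked by an unsubscribe
                 "share" -> an upload to an ad partner; blocked by Do Not Sell/Share
        Returns (allowed, blocked) as lists of (normalized_address, source).
        """
        if purpose not in ("send", "share"):
            raise ValueError(f"unknown purpose: {purpose}")
        allowed, blocked, seen = [], [], set()
        for source, addresses in sources.items():
            for raw in addresses:
                norm = normalize_email(raw)
                if not norm or norm in seen:
                    continue  # same person already handled from another list
                seen.add(norm)
                c = self.choice(norm)
                refused = c.unsubscribed if purpose == "send" else c.do_not_sell_or_share
                (blocked if refused else allowed).append((norm, source))
        return allowed, blocked


# Constructed sample lists (not real subscribers). Note jane and bob appear in
# two sources each with different formatting, as happens with CRM exports.
SOURCES = {
    "newsletter_signup": ["jane@example.com", "Bob Lee <BOB@Example.org>"],
    "crm_export": ["  JANE@example.com ", "carol@example.net"],
    "event_attendees": ["dave@example.com", "bob@example.org"],
}


def demo() -> dict[str, list[str]]:
    registry = ConsentRegistry()
    registry.record("Jane@Example.com", unsubscribed=True)           # clicked unsubscribe
    registry.record("carol@example.net", do_not_sell_or_share=True)  # used the opt-out link
    send_ok, send_blocked = registry.build_audience(SOURCES, "send")
    share_ok, share_blocked = registry.build_audience(SOURCES, "share")
    return {
        "send": sorted(a for a, _ in send_ok),
        "send_blocked": sorted(a for a, _ in send_blocked),
        "share": sorted(a for a, _ in share_ok),
        "share_blocked": sorted(a for a, _ in share_blocked),
    }


if __name__ == "__main__":
    for label, addresses in demo().items():
        print(f"{label}: {addresses}")
```

Because the registry is keyed on a hash of the normalized address, a list that still contains "  JANE@example.com " is suppressed just like "jane@example.com", and the suppression store can be shared with other platforms without handing them the plaintext addresses. In a real deployment the same `build_audience` check would run inside each tool's send and export path, since a suppression list that is only consulted by one platform is exactly the gap the text warns about.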
7. Don’t discriminate against customers who choose to opt out
Continue to provide the same services whether or not customers exercise their rights under the CCPA, whether that’s requesting that their data be deleted, opting out of the sale or sharing of their data, or something else. This upholds their right not to be discriminated against.
That means your business must not engage in any of the following activities after people unsubscribe, opt out, or ask you to delete their information:
- Denying goods and services
- Providing a lower quality service
- Charging different rates
- Making support slower
- Limiting customers’ ability to earn loyalty points
What happens if you violate CCPA email marketing rules?
The California Privacy Protection Agency (CPPA), which now brands itself CalPrivacy, investigates potential violations and enforces the law, and the California Attorney General can bring enforcement actions as well. Administrative fines run up to USD 2,663 per unintentional violation and USD 7,988 per intentional violation or violation involving consumers under 16. (The original statutory figures were USD 2,500 and USD 7,500; the amounts are adjusted to the Consumer Price Index every two years.) Separately, consumers can sue for statutory damages after a data breach caused by a failure to maintain reasonable security.
Some enforcement actions have resulted in substantial fines. For example, in 2025 the Attorney General’s office reached a USD 1.55 million settlement with the website publisher Healthline for deceiving consumers about its privacy practices, violating the purpose limitation principle, and failing to honor opt-out requests.
Issues often arise when small compliance gaps in your email marketing workflow go unnoticed. Your opt-out mechanism may silently stop working after a platform migration, or personal data may flow to a third party you haven’t disclosed. These problems may seem minor, but because fines are assessed per violation, a gap that affects a large number of subscribers can add up to significant CCPA penalties.
Achieve CCPA compliance with an integrated consent management solution
Your email marketing efforts are most effective when they meet data privacy requirements and uphold consumer rights. You can avoid compliance risks and penalties while positioning yourself as a brand that is transparent with customers about data practices and that prioritizes their privacy.
Usercentrics can help you build CCPA compliance into your email marketing workflows. The Usercentrics Consent Management Platform (CMP) can automatically display the right data privacy information and options depending on each visitor’s location, capture and log consent, and keep audit-ready records of customer choices over time.
With the Privacy Policy Generator (PPG) you can create CCPA-compliant privacy notices to protect your business and earn consumer trust.
