2020: CCPA Brings GDPR-Style Privacy to California
On January 1, 2020, California became the first state in the United States to enact a comprehensive consumer privacy law that bore real resemblance to Europe’s GDPR. The California Consumer Privacy Act — CCPA — did not arrive quietly. It was the product of a real estate developer’s ballot initiative threat, frantic legislative negotiations, and a growing realization that the United States could not remain a privacy regulation outlier forever. For email marketers, CCPA didn’t change the rules about sending emails, but it fundamentally changed the rules about what you could do with the data those emails generated.
The Unlikely Origin Story
CCPA’s origin was unusual for major legislation. In 2017, San Francisco real estate developer Alastair Mactaggart became alarmed after a Google engineer told him at a cocktail party that people would be “shocked” by the amount of personal data tech companies collected. Mactaggart spent roughly $3.5 million of his own money to qualify a ballot initiative — the California Consumer Privacy Act — for the November 2018 ballot.
The ballot initiative terrified the tech industry. If passed directly by voters, it would be nearly impossible to amend. California’s legislature struck a deal with Mactaggart: withdraw the ballot initiative, and they would pass a legislative version that could be refined over time. Mactaggart agreed. The legislature passed AB 375 in June 2018, Governor Jerry Brown signed it, and CCPA was born — with an effective date of January 1, 2020.
The legislative version was drafted in just seven days, and it showed. Ambiguities, inconsistencies, and practical implementation challenges prompted multiple rounds of amendments before the law took effect. The California Privacy Rights Act (CPRA), approved by voters in November 2020, further expanded and clarified CCPA’s protections.
What CCPA Covers
CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers, households, or devices annually; or deriving 50% or more of annual revenue from selling consumers’ personal information.
The law gives California residents four fundamental rights. The right to know: consumers can request that a business disclose what personal information it has collected about them, the sources of that information, the business purpose for collecting it, and the categories of third parties with whom it’s shared. The right to delete: consumers can request deletion of their personal information, with certain exceptions. The right to opt out: consumers can direct businesses not to sell their personal information. The right to non-discrimination: businesses cannot penalize consumers who exercise their CCPA rights.
The Email Marketing Impact
CCPA’s relationship with email marketing is nuanced. The law does not change CAN-SPAM’s framework for sending commercial emails. You can still send marketing emails to California residents under CAN-SPAM’s opt-out model. CCPA does not require opt-in consent for email.
Where CCPA bites is in what happens after the email is sent. Every marketing email generates data. Tracking pixels record when and where an email is opened. Click tracking records which links are clicked. Purchase attribution connects email campaigns to transactions. Behavioral data builds subscriber profiles over time. All of this constitutes “personal information” under CCPA.
If a California resident requests to know what data has been collected about them, businesses must be able to produce it. If they request deletion, businesses must comply (with limited exceptions). If a business sells subscriber behavioral data to third-party data brokers — a common practice before CCPA — consumers can opt out.
This created a significant compliance burden for email marketers. Most marketing platforms track extensive behavioral data by default. Advertisers routinely share or sell subscriber data. Under CCPA, all of this required disclosure, and consumers could shut it down.
The “Do Not Sell” Challenge
The opt-out of sale provision proved particularly challenging for the email marketing ecosystem. Many companies had complex data-sharing arrangements that blurred the line between “selling” data and “sharing” it for business purposes. CCPA’s initial definition of “sale” was broad: any exchange of personal information for monetary or other valuable consideration.
Email publishers that sold advertising based on subscriber data, shared subscriber lists with partners, or participated in data cooperatives all had to evaluate whether their practices constituted a “sale” under CCPA. Many chose to add “Do Not Sell My Personal Information” links to their emails and websites, even if they weren’t entirely sure their practices qualified as sales, because the risk of non-compliance was not worth the gamble.
Enforcement and Penalties
The California Attorney General’s office was given enforcement authority, with the ability to impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. While these per-violation penalties might seem modest compared to GDPR’s percentage-of-revenue fines, they add up quickly when applied across thousands or millions of consumer records.
CCPA also included a limited private right of action for data breaches, allowing consumers to sue for statutory damages of $100 to $750 per consumer per incident if their unencrypted personal information was compromised due to a business’s failure to implement reasonable security measures.
Early enforcement actions signaled that the Attorney General’s office was serious. Companies received inquiry letters, and settlements began appearing for violations ranging from inadequate privacy notices to failure to honor opt-out requests.
The Domino Effect
CCPA’s passage triggered a wave of state privacy legislation across the United States. Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, and Delaware all passed comprehensive privacy laws in the years following CCPA. While the specifics vary, the core consumer rights — access, deletion, opt-out — appear in virtually all of them.
The patchwork of state laws created exactly the kind of compliance complexity that businesses had long feared. Companies operating nationally had to navigate different thresholds, different consumer rights, different enforcement mechanisms, and different definitions across multiple states. The situation strengthened arguments for a comprehensive federal privacy law, though as of this writing, no such law has been enacted.
Why It Matters for Email
CCPA represents a fundamental shift in the American approach to data privacy — from a regime where businesses could collect and use personal data with minimal restrictions to one where consumers have meaningful rights and businesses have affirmative obligations.
For email marketers, the practical takeaway is straightforward: know what data you collect, be transparent about how you use it, give people control over their information, and maintain systems capable of fulfilling access and deletion requests. These are not just legal requirements — they are best practices that build trust with subscribers and strengthen long-term relationships.
The era of treating subscriber data as a free resource with no strings attached is over. CCPA, following GDPR’s lead, established that personal data comes with obligations — and that those obligations extend to every tracking pixel, every click log, and every behavioral profile built from email interactions.
Frequently Asked Questions
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a state privacy law that took effect January 1, 2020, giving California residents the right to know what personal information businesses collect about them, request deletion of that data, opt out of the sale of their personal information, and not be discriminated against for exercising these rights.
How does CCPA affect email marketing?
CCPA primarily affects email marketing through data handling rather than sending permissions. Unlike GDPR, CCPA does not require opt-in consent for marketing emails — CAN-SPAM's opt-out model still applies. However, CCPA gives consumers the right to know what data is collected via email interactions (tracking pixels, clicks, purchase history), request its deletion, and opt out of having that data sold to third parties.
What is the difference between CCPA and GDPR for email?
GDPR requires opt-in consent before sending marketing emails. CCPA does not change CAN-SPAM's opt-out framework for email sending. However, CCPA gives consumers rights over the personal data collected through email interactions. GDPR applies to all EU residents regardless of company size. CCPA applies only to businesses meeting certain revenue or data-volume thresholds and only covers California residents.