Email addresses are personal information under the California Consumer Privacy Act. So are open rates, click-through data, geolocation, and any behavioural profile your email platform builds from subscriber activity. If your business meets the CCPA thresholds - more than $26.625 million in gross annual revenue, data on 100,000-plus California residents, or 50% of revenue from selling personal data - every marketing email you send to a Californian is subject to the law.
The California Privacy Protection Agency (CPPA) has made enforcement a priority. In September 2025, the agency issued its largest fine to date - $1.35 million against Tractor Supply Company for CCPA violations. A month earlier, Healthline Media settled for $1.55 million over failures to honour opt-out requests, including those sent via Global Privacy Control. These are not theoretical risks.
Below are nine practices that keep your email marketing on the right side of California privacy law.
## 1. Know What Counts as Personal Information
The CCPA defines personal information broadly. For email marketers, this goes well beyond the subscriber's name and email address. It includes IP addresses, device identifiers, purchase history, browsing behaviour on your site after clicking through, and any inferences your tools draw from that activity - such as predicted interests or spending patterns.
## 2. Provide a Clear Privacy Notice at the Point of Collection
Before or at the moment you collect an email address - whether through a signup form, checkout flow, or lead magnet - you must disclose what categories of personal information you collect and how you intend to use them. This is the "notice at collection" requirement, and it applies to every acquisition channel.
A short statement near the subscribe button works. Something along the lines of: "This site collects your email address to send marketing updates and product news. See the Privacy Policy for details on your rights." Link the privacy policy directly from the form. Do not bury it three clicks deep in a footer.
Your privacy policy itself must list the categories of personal information collected, the purposes, any third parties you share data with, and instructions for exercising opt-out rights. Updated CCPA regulations taking effect on 1 January 2026 now require mobile apps to include a privacy policy link in the settings menu - not just on a website.
## 3. Honour Opt-Out Requests Promptly
The CCPA does not require opt-in consent for email marketing. That is a significant difference from the GDPR, which generally demands affirmative consent before sending promotional emails. Under the CCPA, the obligation is opt-out: you must provide a mechanism for subscribers to tell you to stop selling or sharing their personal information, and you must honour that request within 15 business days.
"Sharing" has a specific meaning under the law. It covers disclosing personal information to third parties for cross-context behavioural advertising. If your email platform passes subscriber data to advertising networks, retargeting tools, or analytics platforms that use the data for their own purposes, that likely qualifies as sharing under the CPRA amendments.
Every marketing email should include a working unsubscribe link. That is already required by the federal CAN-SPAM Act, which applies alongside the CCPA. The CCPA adds a further layer: if you sell or share subscriber data, your website needs a visible "Do Not Sell or Share My Personal Information" link.
## 4. Respect Global Privacy Control Signals
Global Privacy Control (GPC) is a browser-level signal that tells websites a visitor wants to opt out of data selling and sharing. Browsers including Firefox, Brave, and DuckDuckGo support it natively, and extensions bring it to Chrome. Under CCPA regulations, businesses must treat GPC signals as legally valid opt-out requests.
This matters for email marketing because your landing pages, preference centres, and website tracking all intersect with your email programme. If a subscriber clicks through from an email and their browser sends a GPC signal, your site must stop selling or sharing that visitor's data - including any tracking cookies that feed back into your email segmentation.
In September 2025, the CPPA joined forces with the Attorneys General of Colorado and Connecticut to launch a coordinated enforcement sweep targeting businesses that fail to honour GPC. California's Opt Me Out Act (AB 566), signed in October 2025, goes further by requiring all browsers to include built-in opt-out functionality by January 2027. Ignoring GPC signals is increasingly risky.
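The server-side half of honouring GPC on an email landing page looks like the following. This is an added example for this article, not Kukie.io's or any platform's code: it assumes a Node.js request whose headers are exposed as lower-cased keys, uses the `Sec-GPC: 1` header defined by the GPC specification, and the integration names, the in-memory opt-out store and the sample headers are constructed for illustration.

```javascript
// Third-party integrations that count as "sharing" (cross-context behavioural
// advertising) versus first-party processing. Constructed list for this example.
const INTEGRATIONS = {
  retargetingPixel: { sharesData: true },
  adNetworkSync: { sharesData: true },
  firstPartyAnalytics: { sharesData: false },
  espEngagementTracking: { sharesData: false },
};

// Returns true when the request carries a GPC opt-out signal.
// Per the GPC specification the header is "Sec-GPC: 1"; any other value
// (or no header) means no signal was sent.
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// Decide which integrations may run for this request. A GPC signal, or a
// previously stored opt-out for a known subscriber, suppresses every
// integration that shares data; first-party processing continues.
function allowedIntegrations(headers, subscriberOptedOut = false) {
  const optedOut = hasGpcSignal(headers) || subscriberOptedOut;
  return Object.entries(INTEGRATIONS)
    .filter(([, cfg]) => !(optedOut && cfg.sharesData))
    .map(([name]) => name);
}

// When the click-through identifies the subscriber, persist the opt-out so it
// also applies to data-sharing flows that do not see the browser header
// (list syncs, audience uploads). Hypothetical store: a Map standing in for
// the CRM/ESP preference record.
const optOutStore = new Map();
function recordOptOut(headers, subscriberId) {
  if (subscriberId && hasGpcSignal(headers)) {
    optOutStore.set(subscriberId, { source: 'gpc', at: new Date().toISOString() });
    return true;
  }
  return false;
}

// Sample request headers, constructed for this example.
const sampleWithGpc = { 'sec-gpc': '1', 'user-agent': 'ExampleBrowser/1.0' };
const sampleWithoutGpc = { 'user-agent': 'ExampleBrowser/1.0' };

console.log('GPC sent:   ', allowedIntegrations(sampleWithGpc));
console.log('no GPC:     ', allowedIntegrations(sampleWithoutGpc));
```

The design point is that the header check alone is not enough: a subscriber who opts out via GPC on a landing page has opted out of sharing, and the ESP-side audience syncs described in section 3 never see a browser header, so the opt-out must be written back to the subscriber record and consulted there too.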
| Requirement | CCPA / CPRA | CAN-SPAM | GDPR |
|---|---|---|---|
| Consent model | Opt-out | Opt-out | Opt-in |
| Unsubscribe mechanism | Required (via CAN-SPAM) | Required in every email | Required |
| Right to delete data | Yes (45 days) | No | Yes (30 days) |
| Right to know what data is held | Yes | No | Yes (DSAR) |
| GPC / universal opt-out signal | Must honour | Not applicable | Not directly applicable |
| Fines per violation | Up to $7,988 (intentional) | Up to $53,088 | Up to 4% of global turnover |
| Private right of action | Data breaches only | No (FTC/AG only) | Yes |
## 5. Handle Deletion Requests Across Your Entire Stack
When a California resident asks you to delete their personal information, you have 45 calendar days to comply. For email marketers, deletion does not stop at removing someone from a mailing list. You must also purge their data from your CRM, analytics cookies, retargeting audiences, and any third-party platforms where you shared their information.
That last point catches many businesses off guard. If you passed a subscriber's email address to an advertising partner or a data enrichment service, you must notify those third parties and instruct them to delete the data as well. Map your data flows before a request arrives - not after.
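Mapping the data flows in code makes the fan-out mechanical and leaves an audit trail for each downstream system. The following is an added example, not the article's or any vendor's code: the system names, the in-memory datasets standing in for real platforms, and the 45-calendar-day arithmetic are constructed for illustration; real integrations would replace the Map operations with each platform's deletion API and mark a third-party notification confirmed when the partner answers.

```javascript
const DELETION_WINDOW_DAYS = 45; // calendar days, as the article states

// Constructed data-flow map: every place a subscriber's data lands.
// First-party systems are deleted from directly; third parties are notified
// and instructed to delete, and the instruction itself is logged.
const dataFlows = {
  espList:    { firstParty: true,  records: new Map([['a@example.com', { opens: 12 }]]) },
  crm:        { firstParty: true,  records: new Map([['a@example.com', { name: 'Ann' }]]) },
  analytics:  { firstParty: true,  records: new Map([['a@example.com', { sessions: 3 }]]) },
  adPartner:  { firstParty: false, notified: [] },
  enrichment: { firstParty: false, notified: [] },
};

// Statutory deadline: the day the request was received plus 45 calendar days.
function deadlineFor(receivedAt) {
  const d = new Date(receivedAt);
  d.setUTCDate(d.getUTCDate() + DELETION_WINDOW_DAYS);
  return d.toISOString().slice(0, 10);
}

// Process one verified deletion request. Returns a per-system audit record so
// a third party that never confirms is visible rather than silently forgotten.
function processDeletion(email, receivedAt, flows = dataFlows) {
  const deadline = deadlineFor(receivedAt);
  const audit = [];
  for (const [system, flow] of Object.entries(flows)) {
    if (flow.firstParty) {
      const hadData = flow.records.delete(email);
      audit.push({ system, action: 'deleted', hadData });
    } else {
      flow.notified.push({ email, instructedAt: receivedAt, deadline, confirmedAt: null });
      audit.push({ system, action: 'notified', pendingUntil: deadline });
    }
  }
  return { email, receivedAt, deadline, audit };
}

// Any third-party instruction still unconfirmed past its deadline is a gap
// to chase, not something to discover during an enforcement inquiry.
function overdueNotifications(asOf, flows = dataFlows) {
  const overdue = [];
  for (const [system, flow] of Object.entries(flows)) {
    if (flow.firstParty) continue;
    for (const n of flow.notified) {
      if (!n.confirmedAt && n.deadline < asOf) {
        overdue.push({ system, email: n.email, deadline: n.deadline });
      }
    }
  }
  return overdue;
}

// Worked run on the constructed map: a request received on 2025-10-01.
const result = processDeletion('a@example.com', '2025-10-01');
console.log(result.deadline, result.audit);
console.log('overdue on 2025-12-01:', overdueNotifications('2025-12-01'));
```

Dates are compared as ISO `YYYY-MM-DD` strings, which sort correctly; if your systems record timestamps with time zones, normalise them before the comparison or the deadline check can drift by a day.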
## 6. Practise Data Minimisation
The CPRA amendments introduced data minimisation as a principle. Collect only the personal information you genuinely need for your stated purpose. If you are running a newsletter signup, you probably need an email address and perhaps a first name. You do not need a phone number, date of birth, or home address unless those are directly relevant to the service.
Audit your signup forms. If a field does not serve the purpose you disclosed in your notice at collection, remove it. Fewer data points means less exposure if a breach occurs - and under the CCPA, consumers can sue for statutory damages of $100 to $750 per person per incident when a breach results from inadequate security.
## 7. Vet Your Email Service Provider
Your email service provider (ESP) is a "service provider" under the CCPA, which means you need a written contract specifying how it may use subscriber data. The contract must restrict the ESP from using your subscribers' data for its own purposes - for instance, selling it or using it to improve its own products.
Check whether your ESP supports consumer rights requests. Can it export all data held about a specific subscriber so you can respond to a right-to-know request? Can it permanently delete a subscriber's data, including engagement history and behavioural profiles? If not, you may need to rethink your tooling.
## 8. Segment California Subscribers for Compliance
Not every subscriber on your list is a California resident. Geo-segmenting your list lets you apply CCPA-specific processes - such as honouring GPC signals or suppressing opted-out subscribers from data-sharing flows - to the right audience without disrupting campaigns aimed at other regions.
That said, many businesses find it simpler to apply CCPA standards across the board. With at least 19 US states now having comprehensive privacy laws, and more taking effect in 2026, treating California's rules as a national baseline saves you from maintaining separate workflows for each jurisdiction.
If you serve subscribers in the EU or UK, you already need a consent management platform that handles UK GDPR and ePrivacy Directive requirements. Adding CCPA opt-out logic to the same system keeps your compliance processes in one place.
## 9. Do Not Confuse CCPA with CAN-SPAM
The CAN-SPAM Act and the CCPA are separate laws with different scopes. CAN-SPAM is a federal anti-spam statute that governs commercial email content: it requires accurate sender information, honest subject lines, a physical postal address, and a working unsubscribe link in every message. Fines under CAN-SPAM can reach $53,088 per offending email.
The CCPA, by contrast, is a data privacy law. It regulates how you collect, store, share, and delete personal information - not just the content of your emails. You can be fully CAN-SPAM compliant and still violate the CCPA if you fail to disclose data practices, ignore opt-out requests, or share subscriber data without providing the right to object.
## What Happens If You Get It Wrong
The CPPA updated its monetary thresholds in December 2024. As of January 2025, CCPA fines stand at $2,663 per unintentional violation and $7,988 per intentional violation. Those numbers apply per violation, per consumer. A single non-compliant email campaign sent to 10,000 California subscribers could, in theory, generate millions in penalty exposure.
## Frequently Asked Questions
### Does the CCPA require opt-in consent before sending marketing emails?
No. The CCPA follows an opt-out model, meaning you can send marketing emails without prior consent as long as you provide a way for recipients to opt out. The federal CAN-SPAM Act, which applies alongside the CCPA, also follows an opt-out approach but requires an unsubscribe link in every commercial email.
### What personal information does the CCPA cover in email marketing?
The CCPA covers email addresses, names, IP addresses, device identifiers, geolocation data, purchase history, browsing behaviour, open rates, click-through data, and any inferences drawn from subscriber activity - such as predicted interests or spending profiles.
### How quickly must I process a deletion request from a California subscriber?
You have 45 calendar days to fulfil a verified deletion request. This includes removing the subscriber's data from your email platform, CRM, analytics tools, and any third parties with whom you shared the data.
### Do I need to honour Global Privacy Control signals for email subscribers?
Yes. If a subscriber visits your website and their browser sends a GPC signal, you must treat it as a valid opt-out of data selling and sharing under CCPA regulations. This applies to any tracking or data collection triggered by email click-throughs to your site.
### Can I still use email engagement data for segmentation under the CCPA?
You can use engagement data for your own internal purposes, such as segmenting your list or personalising content. The restriction applies to selling or sharing that data with third parties for cross-context behavioural advertising. If you keep subscriber data within your first-party operations, the CCPA's opt-out provisions are less likely to be triggered.
### What is the difference between CAN-SPAM and CCPA for email marketing?
CAN-SPAM is a federal law regulating the content and mechanics of commercial emails - requiring honest subject lines, sender identification, and an unsubscribe link. The CCPA is a state privacy law governing how you collect, use, share, and delete personal data. Both apply at the same time to emails sent to California residents.
### Does the CCPA apply to B2B email marketing?
Yes. The temporary B2B exemption under the original CCPA expired on 1 January 2023. Since the CPRA amendments took full effect, business contact information collected through marketing activities is subject to the same rules as consumer data, including opt-out rights and deletion requests.
## Keep Your Email Campaigns on the Right Side of the Law
CCPA-compliant email marketing starts with knowing what data you collect, being transparent about how you use it, and respecting subscriber choices without friction. If your website sets non-essential cookies that feed into email segmentation or retargeting, a regular cookie scan is worth running to make sure nothing slips through. Kukie.io detects, categorises, and helps manage cookies across your site - including those triggered by email click-throughs and landing pages.