With the California Consumer Privacy Act (CCPA) having come into effect on the 1st of January 2020, merchants and email marketers are understandably wanting to know how this affects them.
Before we get into what the CCPA is, it’s important to point out that we are not lawyers or legal experts. While we’ve done our best to provide you with all the information you should know, this article is not and should not be used as a substitute for legal advice.
What is the CCPA?
Fortunately the new CCPA regulations will require little to no changes for stores that are already compliant with the GDPR (General Data Privacy Regulation). This is because, like the GDPR, the CCPA gives Californians more control over their personal data.
Similar to the GDPR, the CCPA grants people the following rights:
- To know what personal information is collected about them.
- To know whether this information is being sold or disclosed to other parties, and if so, to whom.
- To be able to access a copy of all the personal data you have collected on them.
- To opt out of the sale of any personal information.
- To continue to access the same services at the same price if they choose to opt out of the sale of their personal information.
- To have all the personal data you have collected about them deleted on request.
While the GDPR tends to go further by requiring website owners to have a ‘data protection officer’ and include specific privacy mechanisms, the key difference of concern to most is who the rights are being granted to.
The GDPR applies if you’re processing data of people living in the European Union, whereas the CCPA applies only to those living in the US state of California. So if you’re not storing or passing on the data of people living in California, the CCPA doesn’t affect you.
A few other notable differences include the CCPA guaranteeing the right to opt out of the sale of personal data without an increase in price or reduction in services offered. This means that consumers are still entitled to purchase from your store even if they request you do not sell their data or pass it along for commercial purposes.
There are also different requirements for notifying people of data breaches and penalties for non-compliance. You can read more on these and on other differences here.
Which businesses does the CCPA apply to?
The CCPA only applies to businesses that are collecting personal information of California residents and that meet any of the following conditions:
- Have an annual gross revenue in excess of $25 million USD.
- Buy, sell, receive for commercial purposes or share for commercial purposes the personal information of 50,000 or more Californian consumers, households or devices a year.
- Derive 50% or more of their annual revenue from the sale of personal data of California residents.
So even if you are collecting the personal data of people from California, if your store does not meet any of the above conditions, then the CCPA likely does not apply to you.
This means that if your online store and customer base are mainly outside of California then you shouldn’t have to worry about the CCPA if fewer than 50,000 Californians access your website a year.
How the CCPA affects email marketing
If your business falls under the scope of the CCPA, then there are a few things you should be aware of with your email marketing.
Firstly, an email address absolutely constitutes personal information. So if a Californian requests that you delete their personal data, then you must delete their email address from your email lists. This means that you cannot continue sending them emails.
Data such as which emails they opened and clicked is likely also considered personal information under the CCPA. Therefore any email engagement data you’ve got must be provided if they request a copy of the personal information from you.
You may also need to inform them of all the other parties you’ve shared their email address (and any other personal information gained from your email marketing) with, including your email service provider (such as SmartrMail).
The good news is that you might already be compliant with all of this. If your store is compliant with the GDPR, then you’re likely already compliant with the CCPA.
SmartrMail and the CCPA
The changes we made in anticipation of the GDPR in 2018 make it easy for stores using SmartrMail to become CCPA compliant with their email marketing.
Features and tools that SmartrMail has that you should be aware of include:
Whenever you delete a subscriber from your mailing list, SmartrMail will also completely erase all of their information on our end too.
This makes it easier for you if one of your subscribers requests you erase all of their personal data. To ensure all of the personal data related to that person that has been shared with SmartrMail has been erased, all you need to do is delete the subscriber from all your mailing lists on SmartrMail.
In this situation, you would also need to ensure you erase all of the personal data you have related to the subscriber outside of SmartrMail too.
Information exports of individual subscribers
SmartrMail allows you to quickly and easily obtain all the information we have related to subscribers on your lists.
This means that when a user reaches out to your store requesting a copy of all the information you have collected about them, you can easily access a copy of all their information stored within SmartrMail. This includes email engagement data such as opens and clicks.
You can then pass this export on to the person who requested a copy of their information.
Subscriber-initiated information deletion
Whenever a subscriber wishes to unsubscribe from a mailing list with SmartrMail, they will also be presented with an option to have all their personal information that SmartrMail holds related to them erased too.
Additionally, subscribers are also able to email firstname.lastname@example.org and we will ensure all their information is erased across all of our SmartrMail systems within 72 hours.
To learn how to use the above features within SmartrMail, check out our support doc here.
If you’re still wanting to learn more about the CCPA, the California Justice Department have created a fact sheet which you can access here. Shopify has also created a detailed whitepaper with merchants in mind which you can read here.