CCPA Email Marketing: What California Privacy Law Means for Your Lists in 2026
The CCPA (as amended by the CPRA) gives California residents rights to know, delete, correct, and opt out of the sale or sharing of their personal information. Email addresses count as personal information; this guide explains what email marketers actually need to do. Not legal advice.
Sohail Hussain · 14 min read
CCPA email marketing means giving California residents notice at collection, an opt-out from the sale or sharing of their data, the right to access and delete what you hold, and a working response process within 45 days. Email addresses are personal information under the law; you only fall in scope if your business meets one of three thresholds. This is general guidance, not legal advice; California's regulator can fine you $2,500 per unintentional violation and $7,500 per intentional one.
The California Consumer Privacy Act took effect in January 2020. The California Privacy Rights Act amended and strengthened it in January 2023 (the combined regime is often called CCPA/CPRA, though most operators still say CCPA). Enforcement moved from the state Attorney General to a dedicated agency, the California Privacy Protection Agency, which has been steadily issuing guidance and bringing cases since 2023.
This article is educational. It is not legal advice. CCPA compliance depends on your specific business, revenue, data flows, and consumer base; a qualified privacy lawyer is the right person to sign off on your program.
What is the CCPA?
The CCPA is California's omnibus consumer privacy law. It gives California residents rights over personal information that businesses collect about them and imposes notice, response, and process obligations on businesses meeting certain size thresholds. The CPRA, passed by ballot initiative in November 2020 and effective January 2023, expanded the law: added the right to correct, added a category of "sensitive personal information" with extra protections, and stood up the CPPA as a dedicated regulator.
For email marketers, the simple framing is: California residents on your list have rights that mostly mirror GDPR rights, your obligations as the business kick in once you cross size thresholds, and you need to be able to find, export, and delete a subscriber's data on request. The official CCPA consumer guide at the California AG is a readable primer.
A nuance that catches people out: the CCPA is broader than email. It covers all personal information your business collects from a California resident, in any context. The rules I cover below are the email-specific subset, but a request to delete arrives against your whole stack, not just your ESP.
Does the CCPA apply to your business?
Only if your business meets at least one of three thresholds:
- Annual gross revenue over $25 million
- Buys, sells, or shares the personal information of 100,000 or more California consumers or households each year
- Derives 50% or more of annual revenue from selling or sharing California consumers' personal information
If you don't hit any of those, you are technically out of scope. The catch is that the second threshold (100,000 consumers) is lower than it sounds; if your email list has 100,000 California subscribers, you're in scope on that alone. The California Department of Finance estimates roughly 12% of the US population lives in California, so a moderately large US-focused list crosses the line faster than most operators expect.
Even if you are out of scope, building to the CCPA bar is a defensive move. Two more US states (Virginia, Colorado) passed lookalike laws in 2023, four more in 2024, and the trend line is obvious. The architecture you build for California will mostly cover what comes next.
What is "personal information" under the CCPA?
The definition is sweeping. Per the CCPA statute, personal information is anything that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Specifically named categories include identifiers (name, email, account ID, IP address), commercial information (purchase history), internet activity (browsing, search history, interactions with a website), geolocation, and inferences drawn from the data. Email addresses are squarely in scope; so are the open and click events your ESP logs.
The CPRA added "sensitive personal information" as a tighter sub-category: government IDs, financial account numbers, precise geolocation, racial or ethnic origin, religious beliefs, union membership, the contents of communications (other than to your business), genetic data, biometrics, health data, and data revealing sexual orientation or sex life. Most email marketers will not collect sensitive PI deliberately, but if you segment your list by health condition, religious affiliation, or sexual orientation, you are touching it.
What rights do California consumers have?
Six rights matter for email marketing:
The right to know (Civ. Code § 1798.110). A consumer can request the categories and specific pieces of personal information you collected about them in the last twelve months (or longer, under the CPRA expansion), the sources, the purposes, and the third parties you shared the data with.
The right to delete (Civ. Code § 1798.105). A consumer can request deletion of the personal information you collected from them, subject to nine exceptions including completing the transaction, security, and legal compliance.
The right to correct (Civ. Code § 1798.106, added by CPRA). A consumer can request that you correct inaccurate personal information.
The right to opt out of sale or sharing (Civ. Code § 1798.120). A consumer can direct you to stop selling or sharing their personal information. The CPRA added "sharing" to capture cross-context behavioral advertising arrangements that some businesses had been arguing were not "sales."
The right to limit use of sensitive personal information (Civ. Code § 1798.121, added by CPRA). A consumer can direct you to use sensitive PI only for the limited purposes the law allows (mostly performing the service requested).
The right to non-discrimination (Civ. Code § 1798.125). You cannot deny service, charge a different price, or provide a different level of quality because the consumer exercised a CCPA right. Loyalty programs and reasonable financial incentives are allowed if structured carefully.
The response timeline is 45 days from receipt of a verifiable request, extendable once by another 45 days when reasonably necessary. The clock starts when you receive the request, not when you finish verifying identity.
What does "sale" or "sharing" mean in practice for email marketers?
This is where most email-marketer confusion lives. The CCPA definition of "sale" is broad: any disclosure of personal information to a third party for monetary or other valuable consideration. The CPRA added "sharing" to mean disclosure for cross-context behavioral advertising even without an exchange of money.
What is not a sale or share:
- Transferring data to a service provider bound by a written contract that restricts use to your specified purposes (e.g., your ESP, your CRM, your analytics tool)
- Disclosures the consumer directs you to make
- Disclosures necessary to complete a transaction the consumer initiated
What is a sale or share:
- Renting your email list to a partner brand for their own marketing
- Trading list data with another business
- Letting a third-party ad network use email addresses as a join key for cross-site retargeting
- Embedding tracking pixels from a third party that uses the data for its own purposes
If you only send your own email to your own list using an ESP under a data processing agreement, you are not selling or sharing. If you participate in list-rental, list-exchange, or shared-subscriber-targeting arrangements with other brands, you are; you owe a "Do Not Sell or Share My Personal Information" link and a process for honoring those requests.
How do you make signup forms CCPA-compliant?
The CCPA requires notice at or before the point of collection. In practice, that means the signup form (or the page hosting it) tells the visitor what categories of personal information you will collect and the purposes for which you will use them. The full detail can live in your privacy policy, but the form must make the link visible.
A few patterns that hold up under audit:
- The signup form links to your privacy policy in the field area, not buried in the page footer
- The privacy policy explicitly identifies the categories of personal information collected and the purposes
- If you sell or share personal information, a "Do Not Sell or Share My Personal Information" link appears on your home page and in the footer
- The privacy policy includes a clear description of California-resident rights and how to exercise them
The CPRA also created the Global Privacy Control signal. A GPC signal from a visitor's browser must be treated as a valid opt-out request from sale or sharing, applied to the device and the linked account. If your stack respects GPC at the browser level, this is mostly automatic; if not, you need a manual workflow.
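The GPC signal arrives as an HTTP request header, `Sec-GPC: 1`, on every request a participating browser sends. The block below is an added example (not code from this article or from Mailneo) of the server-side half: detect the header, reject anything that is not the literal value `1`, and record an opt-out from sale/sharing for the device and, when the visitor is signed in, for the linked account. The `OptOutStore`, device ids and account ids are assumptions standing in for whatever your stack already uses.

```python
"""Server-side handling of the Global Privacy Control (GPC) signal.

Added example, not code from the original article or from Mailneo.
Assumptions: OptOutStore is an in-memory stand-in for your real opt-out
registry; request headers arrive as a plain dict; device_id and account_id
are whatever identifiers your stack already issues.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

GPC_HEADER = "sec-gpc"   # request header defined by the GPC spec; the signal value is exactly "1"


def gpc_signalled(headers: dict) -> bool:
    """Return True only when the request carries a valid GPC signal.

    Header names are matched case-insensitively. Any value other than the
    literal "1" (for example "true", "0" or an empty string) is treated as
    no signal, which is what the GPC specification requires.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class OptOutStore:
    """Opt-outs from sale/sharing, keyed separately by device and by account."""
    devices: dict = field(default_factory=dict)
    accounts: dict = field(default_factory=dict)

    def record(self, bucket: dict, key: str, source: str, when: datetime) -> bool:
        """Record an opt-out with its provenance; returns False if one already existed."""
        if key in bucket:
            return False
        bucket[key] = {"source": source, "at": when.isoformat()}
        return True


def apply_gpc(headers: dict, device_id: str, account_id: Optional[str],
              store: OptOutStore, now: Optional[datetime] = None) -> dict:
    """Treat a GPC signal as an opt-out request for the device and, when the
    visitor is signed in, for the linked account as well.

    The call is idempotent: repeated requests from an already opted-out device
    report signalled=True but do not create a second record.
    """
    now = now or datetime.now(timezone.utc)
    result = {"signalled": False, "device_newly_recorded": False,
              "account_newly_recorded": False}
    if not gpc_signalled(headers):
        return result
    result["signalled"] = True
    result["device_newly_recorded"] = store.record(store.devices, device_id, "gpc", now)
    if account_id is not None:
        result["account_newly_recorded"] = store.record(store.accounts, account_id, "gpc", now)
    return result


def is_opted_out(store: OptOutStore, device_id: Optional[str] = None,
                 account_id: Optional[str] = None) -> bool:
    """The check your list-rental, retargeting and pixel code paths consult before sharing."""
    return (device_id in store.devices) or (account_id in store.accounts)


if __name__ == "__main__":
    # Constructed sample request from a signed-in visitor whose browser sends GPC.
    store = OptOutStore()
    sample_headers = {"Host": "www.example.com", "Sec-GPC": "1", "User-Agent": "demo"}
    print(apply_gpc(sample_headers, device_id="dev-1", account_id="acct-9", store=store))
    print(is_opted_out(store, account_id="acct-9"))
```

Wire `is_opted_out` in front of every code path that would otherwise disclose data to a third party; a stored opt-out that nothing consults is the "broken pipeline" pattern the enforcement section below describes.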
How do you handle access, delete, and correct requests?
Three flows worth designing carefully.
For access requests, your goal is to produce a complete export of every category of personal information you hold about the requester, including data your ESP has logged (opens, clicks, bounces, suppression status) and data in any other system tied to the same identifier. The export should be in a portable, machine-readable format (CSV or JSON). Mailneo's per-subscriber export covers the email side; your CRM and analytics tools need to do the same.
For delete requests, the harder part is propagation. You need to actually delete the data, not just suppress sends; you need to delete it from backups within a reasonable timeframe (the CPPA has accepted "next routine backup rotation" as reasonable); and you need to instruct your service providers to delete as well. The exceptions (transaction completion, security, legal obligation) are real but narrow; do not over-rely on them.
For correct requests, the procedural bar is verification, not deletion. You confirm identity, you confirm the correct value, you update the record, and you propagate the change to service providers.
A common architectural pattern: a single privacy request inbox or web form, a ticketing workflow with a 45-day SLA, and a runbook that lists every system holding consumer data and the steps to extract or delete from each.
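The three flows above and the 45-day clock fit naturally into one small model: a request object that tracks receipt, verification, the single permitted extension and the due date, plus a registry of every system in the runbook with export, delete and correct steps. The block below is an added example (not code from this article or from Mailneo) of that pattern. The `System` class and the ESP, warehouse and analytics records it holds are constructed stand-ins; in production each entry would call the real system's API and the provider-instruction list would become tickets to those vendors.

```python
"""Privacy request intake, 45-day SLA tracking and cross-system propagation.

Added example, not code from the original article or from Mailneo.
Assumptions: System is a stand-in for a real ESP, warehouse or analytics tool
(each backed here by a dict of constructed sample records); in production
export/delete/correct would call the vendor's API and provider_instructions
would become tickets sent to those vendors.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RESPONSE_DAYS = 45    # statutory window, counted from receipt of the request
EXTENSION_DAYS = 45   # one further 45 days allowed when reasonably necessary


@dataclass
class PrivacyRequest:
    request_id: str
    kind: str                   # "know", "delete" or "correct"
    subject_email: str
    received: date              # the clock starts here, not at verification
    verified: bool = False
    extended: bool = False
    extension_reason: Optional[str] = None

    def due(self) -> date:
        """Deadline: 45 days from receipt, plus 45 more if the one extension was used."""
        extra = EXTENSION_DAYS if self.extended else 0
        return self.received + timedelta(days=RESPONSE_DAYS + extra)

    def extend(self, reason: str) -> None:
        """Apply the single permitted extension; a second call is refused."""
        if self.extended:
            raise ValueError(f"{self.request_id}: only one extension is permitted")
        self.extended, self.extension_reason = True, reason


def intake(request_id: str, kind: str, email: str, received_iso: str) -> PrivacyRequest:
    """Create a request from form or ticket fields; received_iso is the clock start."""
    return PrivacyRequest(request_id, kind, email, date.fromisoformat(received_iso))


@dataclass
class System:
    """One runbook entry: a place that holds consumer data and how to act on it."""
    name: str
    records: Dict[str, dict]        # constructed stand-in for the system's own store
    service_provider: bool = True   # vendor that must be instructed to delete/correct too

    def export(self, email: str) -> Optional[dict]:
        rec = self.records.get(email)
        return dict(rec) if rec is not None else None

    def delete(self, email: str) -> bool:
        """Real deletion of the record, not a send suppression."""
        return self.records.pop(email, None) is not None

    def correct(self, email: str, fields: dict) -> bool:
        """Update only fields this system actually holds; returns False if nothing matched."""
        rec = self.records.get(email)
        if rec is None or not any(k in rec for k in fields):
            return False
        rec.update({k: v for k, v in fields.items() if k in rec})
        return True


def build_demo_systems() -> List[System]:
    """Constructed sample data: an ESP, a self-hosted warehouse and an analytics vendor."""
    return [
        System("esp", {"ana@example.com": {"status": "subscribed", "opens": 12, "clicks": 3}}),
        System("warehouse", {"ana@example.com": {"name": "Ana", "plan": "pro"}},
               service_provider=False),
        System("analytics", {"ana@example.com": {"sessions": 4}}),
    ]


def fulfil(req: PrivacyRequest, systems: List[System],
           correction: Optional[dict] = None) -> dict:
    """Run the request against every system in the runbook.

    Nothing is exported, deleted or changed until identity is verified. The
    result names the systems touched and the vendors that still need an
    explicit instruction, so the ticket is only closed once that list is worked.
    """
    if not req.verified:
        return {"status": "blocked", "reason": "identity not verified",
                "due": req.due().isoformat()}
    email = req.subject_email
    result = {"status": "done", "request_id": req.request_id, "due": req.due().isoformat()}
    if req.kind == "know":
        exports = {s.name: s.export(email) for s in systems}
        result["export"] = {k: v for k, v in exports.items() if v is not None}
        return result
    if req.kind == "delete":
        touched = [s for s in systems if s.delete(email)]
        result["deleted_from"] = [s.name for s in touched]
    elif req.kind == "correct":
        if not correction:
            raise ValueError("a correct request needs the corrected values")
        touched = [s for s in systems if s.correct(email, correction)]
        result["corrected_in"] = [s.name for s in touched]
    else:
        raise ValueError(f"unknown request kind {req.kind!r}")
    # Service providers that held the data must be told to act as well.
    result["provider_instructions"] = [s.name for s in touched if s.service_provider]
    return result
```

The point of returning `provider_instructions` rather than silently assuming the vendor deletes is that the runbook then has a visible, checkable list of downstream obligations per request; that list, not the privacy policy text, is what an auditor will ask to see.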
CCPA vs GDPR: how do they differ?
US operators who already built for GDPR usually find CCPA additive but lighter. Europeans who land in California often find the inverse.
| Dimension | CCPA/CPRA (California) | GDPR (EU/UK) |
|---|---|---|
| Consent model | Opt-out (notice at collection; opt-out of sale/share) | Opt-in (freely given, specific, informed, unambiguous) |
| Scope trigger | Business thresholds (revenue, volume, or revenue share) | Any processing of EU/UK residents' data |
| Response window | 45 days, extendable once | 30 days (one month), extendable |
| Right to delete exceptions | Nine enumerated exceptions | Five enumerated grounds for refusal |
| Sensitive data | Sensitive PI category with "limit use" right | Special category data needing explicit consent |
| Max civil penalty | $2,500 unintentional, $7,500 intentional per violation | 20M EUR or 4% of global turnover |
| Private right of action | Limited (data breaches only) | Yes, broad |
If you are running a single global stack, build to GDPR; CCPA gaps are mostly the California-specific notice text, the "Do Not Sell or Share" link, and respecting GPC. Our GDPR email marketing guide covers the European baseline.
What does CCPA enforcement actually look like?
Under the original CCPA, enforcement sat with the California AG. Under the CPRA, the CPPA gained co-enforcement authority and dedicated staff, which has accelerated case volume.
A few cases to know:
- Sephora was fined $1.2 million by the California AG in 2022 for failing to disclose sale of personal information and failing to honor GPC signals. The settlement explicitly named the tracking pixels Sephora used as the basis of the "sale" finding (CA AG press release).
- The DoorDash settlement of $375,000 in 2024 turned on cross-marketing arrangements with a marketing cooperative that the AG argued met the CCPA definition of sale.
- The CPPA's enforcement advisory on "dark patterns" warned that confusing opt-out flows are themselves a violation, separate from any underlying data sharing.
The pattern: regulators are less interested in your privacy policy text than in whether your actual stack honors consumer requests. A clean policy with a broken delete pipeline is a worse position than a plain policy with a working one.
Practical CCPA checklist for email marketers
Working version refined after several customer audits; each item is something to verify in your own stack.
- Annual review of whether your business meets one of the three CCPA thresholds
- Notice at collection on every signup form, clearly linked to a complete privacy policy
- Privacy policy lists CCPA categories of PI collected and purposes for each
- If you sell or share PI, a "Do Not Sell or Share My Personal Information" link in your site footer
- Global Privacy Control signal honored at the device and account level
- Privacy request inbox or form actually monitored; 45-day SLA tracked
- Access export covers the ESP, CRM, analytics, and any third party with a copy
- Delete pipeline removes the record from all systems and instructs service providers to do the same
- Correct workflow includes verification and propagation
- Data processing agreement in place with every service provider; sale/share contracts (where applicable) include the required terms
Key takeaways
- The CCPA applies only if your business meets one of three thresholds, but the 100,000-consumer threshold is lower than most US operators expect
- "Sale" and "share" are defined broadly enough that ad pixels and list-rental arrangements can trigger obligations even without money changing hands
- California residents have rights to know, delete, correct, opt out of sale/share, and limit sensitive PI use; you have 45 days to respond
- Global Privacy Control signals must be honored as valid opt-outs from sale/sharing
- If you already comply with GDPR globally, the additional CCPA work is mostly notice text, the "Do Not Sell" link, and GPC handling
Frequently asked questions
Is an email address really "personal information" under the CCPA?
Yes. The CCPA defines personal information broadly enough to include any identifier that can be linked to a particular consumer or household; email addresses are explicitly listed in the statute as an example. Open and click events tied to a subscriber are also personal information.
Do small businesses need to comply?
Only if you meet one of the three thresholds. Most small businesses fall outside CCPA scope. The catch is the 100,000-consumer threshold; an email list with that many California addresses brings a sub-$25M-revenue business into scope on volume alone.
What if a consumer's request is fraudulent?
The CCPA requires you to verify the request before fulfilling it. Verification standards depend on the sensitivity of the request and the data involved; a delete request needs higher verification than a request to know categories. The CPPA has published regulations detailing acceptable verification methods.
Does CCPA preempt CAN-SPAM?
No. The two operate in parallel. A commercial email to a California resident has to comply with CAN-SPAM (sender ID, opt-out, physical address) and with CCPA (notice at collection, response to consumer requests, opt-out of sale/share if applicable). They cover different aspects of the same activity.
What about other US states?
Sixteen US states now have comprehensive privacy laws as of early 2026 (Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Montana, Delaware, Iowa, Tennessee, New Jersey, Indiana, Kentucky, Minnesota, Maryland; New Hampshire and Rhode Island in 2026). The architectural pattern is close enough to CCPA that compliance work compounds. If you're building privacy infrastructure, design for many-state rather than California-only.
Related resources
- Mailneo CCPA tooling and policies
- GDPR email marketing guide
- CAN-SPAM compliance guide
- Opt-in glossary entry
- Unsubscribe glossary entry
- GDPR glossary entry
- How to start email marketing
- Email list hygiene guide
Further reading (external)
- California Privacy Protection Agency (cppa.ca.gov)
- CCPA consumer guide from the California AG (oag.ca.gov)
- CCPA statute text (leginfo.legislature.ca.gov)
- CPPA regulations (cppa.ca.gov)
- Sephora CCPA settlement press release (oag.ca.gov)
- Global Privacy Control specification (globalprivacycontrol.org)