CCPA and GDPR: Explained in Plain English

Did you know that there are 3.9 billion email users in the world? That’s around half the world’s population.

With practically every potential customer being reachable through email, it’s no wonder that email marketing is still a key part of most businesses’ strategies. But recent privacy regulations have some marketers and business owners concerned.

It started with the GDPR, or General Data Protection Regulation, which has applied across the European Union since May 2018. The State of California has since followed suit with its own pro-privacy law, the CCPA, or California Consumer Privacy Act.

Both laws govern how businesses may use the personal information of people in the EU and of California residents, respectively. Email addresses are part of that personal information. Many worried professionals feared that the GDPR would spell the end of email marketing when it passed.

Those fears turned out to be unfounded in the years after the GDPR’s introduction. Likewise, the CCPA in no way prevents businesses from using email marketing effectively.

Still, there are some new rules to follow. Keep reading to learn how to comply with both the CCPA and the GDPR.

GDPR Explained

Once thought to be a nail in email marketing’s coffin, the GDPR required marketers to make a few changes to the way they collect and use data. Since the GDPR rules came first, back in 2018, we’ll start with them.

GDPR Requirements

The GDPR applies to any business that collects personal data from people in the European Union, whatever their citizenship, including businesses based outside the EU that offer goods or services to them. It aims to put individuals in control of their own data, which includes protecting them from unwanted or deceptive marketing.

As it applies to email marketers, the GDPR in practice means getting a customer’s informed consent before sending them marketing messages. (Consent is only one of the lawful bases the GDPR recognises for processing personal data, but it is the one most marketing guidance, and this article, assumes.)

This entails telling your customers specifically and accurately what you’re going to send them. It also involves getting a visitor’s direct, active consent to send marketing messages. This means that having customers join your email list by default—say, with a pre-ticked checkbox—is not allowed.

Furthermore, it is up to businesses to keep records of their customers’ consent. The burden of proof that they’re following GDPR guidelines is on the business.

The GDPR also demands that customers be told exactly what data is being collected from them, how that data will be used, and who will be using it.

Separate Terms and Conditions

Customers must be accurately and clearly informed about what data they’re handing over and how it will be used. Because of this, a business cannot simply insert a clause into its existing terms and conditions explaining what customer data is collected and how it is used.

To be GDPR-compliant, a business must make its consent requests separate from its standard terms and conditions. Customers need to see the new terms for their data usage alongside a consent request. Obviously, the customer must also have the ability to choose not to consent.

Easy Opt-Out

Once a customer gives your business consent to use their data, you’re not necessarily home free. Your consenting customers are also allowed to withdraw their consent at any time.

Of course, this is already standard practice for email marketers. Existing American and Canadian laws (CAN-SPAM and CASL) require promotional emails to include an opt-out link. But the GDPR goes one step further, requiring that withdrawing consent be just as easy and straightforward as giving it.

If your current setup involves more than two clear, simple steps to unsubscribe, that could be a problem.

It doesn’t do you any good to make unsubscribing difficult, anyway. Once a subscriber has decided to opt out, making it hard for them to do so will only frustrate them. That’s not a good recipe for repeat business.

Careful Record-Keeping

It’s not enough just to make your landing pages and email messages compliant. You must also keep a careful record of every time that a customer gives consent to collect and use their data.

The GDPR says that businesses must be able to demonstrate that the customers they collect data from gave their informed consent.

You need to record the person who consented, the time of consent, the terms they received before consent, their manner of consent (during checkout, through a Facebook form, etc.), and whether they have since withdrawn consent.

Since the GDPR’s introduction, most email list services collect this information for you automatically. Check your provider’s documentation rather than assuming it does, though, and make sure the record includes the exact wording the subscriber saw, not just a timestamp.

CCPA Explained

Before the CCPA went into effect, a US business could in theory decide it had no European customers, block traffic from European IP addresses and ignore the GDPR. Now the CCPA grants California residents most of the same privacy rights.

Fortunately, if your business is already compliant with the GDPR, most of the CCPA’s requirements will already be covered.

CCPA Requirements

Like the GDPR, the CCPA grants California residents the right to control when and how their personal data is collected and used. This involves knowing specifically what data is being collected, how businesses will use it, and who will be using it.

The CCPA also guarantees consumers the right to know what personal information a business has collected about them and to receive a copy of it. Businesses must not only provide easy opt-out options but also delete the personal information they have collected from a consumer on request, subject to limited exceptions such as completing a transaction the consumer asked for or meeting a legal obligation.

Businesses are also required to let their customers opt out of the sale of their information. And if a customer does opt out, the business must continue to provide them with the same services at the same price.

Unlike the GDPR, the CCPA does not require a data protection officer. It does, however, require businesses to offer consumers at least two ways to submit requests (for most businesses, including a toll-free telephone number and a web form or email address) and to make sure the staff who handle privacy inquiries know how to respond to them.

CCPA Applicability

However, it’s important to note that the CCPA doesn’t apply to all businesses. First of all, it applies only to for-profit businesses that do business in California and collect California residents’ personal information. If none of your customers live in California, then it won’t affect you in the first place.

But a business must also meet at least one of three thresholds for the CCPA to apply. The first is annual gross revenue exceeding $25 million.

The second is buying, selling, sharing, or receiving for commercial purposes the personal information of at least 50,000 California consumers, households, or devices per year. (The CPRA amendments that took effect in 2023 raised this to 100,000 consumers or households.)

The third is deriving at least 50% of annual revenue from selling California residents’ personal information.

These are alternatives, not a checklist: a business that crosses any one of them is covered.

If you operate a small business, chances are you fall below all three thresholds. But don’t assume a small California customer base exempts a larger company: the revenue threshold alone is enough, however few Californians are on your list.

This is good news for smaller businesses that can’t justify the expense of a formal compliance programme.

But it’s still wise to follow the other rules detailed in the CCPA. Not because you’re under any legal obligation to do so, but because it’s simply better for consumers.

CCPA Compliance

For the most part, complying with the GDPR will ensure that you’re also CCPA-compliant. There are just a few additional things to keep in mind.

First of all, it’s important to realize that email addresses are considered personal information. So if a California resident requests to have their personal information deleted, you must also remove them from your mailing list.

Several metrics commonly collected by email marketing software also count as personal information under the CCPA, such as which messages a customer opened, which links they clicked, and other behavioral data. This information must be deleted upon request as well.

You’re also required by the CCPA to tell consumers the categories of third parties you share their information with, and your email service provider is one of them. If a customer asks you to delete their data, you must pass the request on to any service provider or other business you’ve shared their data with.
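To make the record-keeping and deletion requirements concrete, here is an added example in Python; it is not code from the original article or from EmailOversight. It keeps the consent record the GDPR section calls for (who consented, when, to exactly which wording, via which channel, and whether consent was later withdrawn), refuses to send when consent is missing, withdrawn, or was given for different wording, and handles a deletion request by removing the address and its behavioural data and listing the processors that must be told to delete their copies. The store, terms text, addresses and events are all constructed sample data, and the hashed suppression entry kept after erasure is a common industry practice assumed here, not a rule the article states.

```python
"""Consent ledger and erasure cascade for a mailing list.

Added example, not code from the original article: every address, terms text
and event below is constructed sample data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def fingerprint(text: str) -> str:
    """Short SHA-256 of the exact wording shown, so a record proves which
    version of the terms the person agreed to, even after the wording changes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def address_key(email: str) -> str:
    """Normalised, hashed address used for the suppression list after erasure."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class ConsentEvent:
    email: str
    given_at: datetime             # when the affirmative action happened
    terms_hash: str                # fingerprint of the wording shown at that time
    channel: str                   # e.g. "checkout", "signup-form"
    withdrawn_at: Optional[datetime] = None


@dataclass
class MailingStore:
    consents: dict = field(default_factory=dict)     # email -> ConsentEvent
    behaviour: dict = field(default_factory=dict)    # email -> [opens, clicks, ...]
    shared_with: dict = field(default_factory=dict)  # email -> {processor names}
    suppression: set = field(default_factory=set)    # address_key() values

    def record_consent(self, email: str, terms_text: str, channel: str, given_at: datetime) -> None:
        self.consents[email] = ConsentEvent(email, given_at, fingerprint(terms_text), channel)

    def withdraw(self, email: str, at: datetime) -> bool:
        ev = self.consents.get(email)
        if ev is None:
            return False
        ev.withdrawn_at = at
        return True

    def may_email(self, email: str, current_terms_text: str) -> bool:
        """True only if consent exists, has not been withdrawn, and was given for
        the wording currently in use; an erased (suppressed) address is never mailed."""
        if address_key(email) in self.suppression:
            return False
        ev = self.consents.get(email)
        if ev is None or ev.withdrawn_at is not None:
            return False
        return ev.terms_hash == fingerprint(current_terms_text)

    def proof_of_consent(self, email: str) -> Optional[dict]:
        """The evidence a business must be able to produce on demand."""
        ev = self.consents.get(email)
        if ev is None:
            return None
        return {
            "email": ev.email,
            "given_at": ev.given_at.isoformat(),
            "terms_hash": ev.terms_hash,
            "channel": ev.channel,
            "withdrawn_at": ev.withdrawn_at.isoformat() if ev.withdrawn_at else None,
        }

    def log_behaviour(self, email: str, event: str) -> None:
        self.behaviour.setdefault(email, []).append(event)

    def share_with(self, email: str, processor: str) -> None:
        self.shared_with.setdefault(email, set()).add(processor)

    def erase(self, email: str) -> dict:
        """Deletion request: drop the consent record and behavioural data, and
        return the processors that must be told to delete their copies too."""
        processors = sorted(self.shared_with.pop(email, set()))
        result = {
            "consent_record": self.consents.pop(email, None) is not None,
            "behaviour_events": len(self.behaviour.pop(email, [])),
            "notify_processors": processors,
        }
        # Common practice (an assumption here, not something the article states):
        # keep only a hash of the address so the person is not re-imported later.
        self.suppression.add(address_key(email))
        return result


TERMS_V1 = "We will email you our weekly newsletter and occasional product offers."
TERMS_V2 = "We will email you our weekly newsletter, product offers and partner promotions."


def build_sample_store() -> MailingStore:
    """Constructed sample data: two subscribers, one of whom later withdraws."""
    store = MailingStore()
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    store.record_consent("ana@example.com", TERMS_V1, "checkout", t0)
    store.record_consent("ben@example.com", TERMS_V1, "signup-form", t0)
    store.log_behaviour("ana@example.com", "opened:newsletter-2024-03-08")
    store.log_behaviour("ana@example.com", "clicked:/spring-offer")
    store.share_with("ana@example.com", "email-service-provider")
    store.share_with("ana@example.com", "analytics-vendor")
    store.withdraw("ben@example.com", datetime(2024, 4, 1, tzinfo=timezone.utc))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.may_email("ana@example.com", TERMS_V1), s.may_email("ana@example.com", TERMS_V2))
    print(s.proof_of_consent("ben@example.com"))
    print(s.erase("ana@example.com"))
```

Two design points worth copying: the record stores a hash of the exact consent wording rather than a free-text label, so a later change to the terms automatically stops sending until fresh consent is collected; and erasure returns the list of processors to notify instead of silently forgetting them, so the downstream deletion step cannot be skipped by accident.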

As a disclaimer, nothing in this article should be taken as legal advice. Consult a qualified lawyer about your own obligations under either law.

Maintaining a Compliant and Effective Email Strategy

As you can see, all you need to be compliant are a few extra precautions. Not only will this keep you on the safe side of the law, but it will also result in a better customer experience for your audience.

To ensure your email strategy is not only compliant but effective, give our tools at EmailOversight a try. From avoiding your customers’ spam folders to protecting your online integrity, find out what EmailOversight can do for you.

Get started today

Sign up and get 200 free credits, as well as the opportunity to test our list cleaning and API capabilities.