What is the California Consumer Privacy Act?

May 21, 2020
Written by
Brooke Isaacs
Opinions expressed by Twilio contributors are their own

In our 2022 Email Deliverability Guide, we took a deep dive into all things email deliverability, including how privacy and compliance affect your delivery rates. As we continue to depend on the internet for communications and business, we’ve seen an uptick in privacy legislation around the world aiming to protect internet users. Heavy-hitting regulations such as the GDPR and CAN-SPAM have changed the way we send, especially in the world of marketing and email.

In July 2020, another major privacy law will go into effect: the California Consumer Privacy Act (CCPA). This act provides state-wide privacy protections for consumers, but will only apply to businesses meeting specific requirements.

Before we dive into the CCPA, it’s important that we refresh our memories of CAN-SPAM and the GDPR, as the CCPA shares a lot of the foundational elements found in both regulations. Let’s recap!

CAN-SPAM Act

In 2003, the United States Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, or CAN-SPAM Act. CAN-SPAM protects recipients’ privacy by restricting the way commercial emails are sent. As a result of CAN-SPAM, the world saw a huge decline in unsolicited email in the early 2000s.

CAN-SPAM compliance centers around the idea that all commercial communications should avoid deception, clearly state the purpose of the email(s), and ensure that recipients’ preferences are respected. 

If your business sends commercial or marketing emails of any kind, the CAN-SPAM Act’s requirements of commercial entities should be on your radar. More likely than not, your email communications are already compliant with CAN-SPAM standards.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is likely the most talked-about privacy regulation related to email in the last decade. If you do business within the European Union or with its citizens, GDPR compliance should be top of mind when developing your international strategy.

The GDPR grants EU citizens more control over their personal data and how it can be used by commercial entities. The GDPR applies to all businesses working within the EU that handle any personal data belonging to a citizen of the EU. 

The GDPR requires companies to treat consumers with fairness and transparency when dealing with personal information. Businesses must be compliant with several specific data processing requirements, including providing transparency about how personal data is used, where and how much of it is stored, and ensuring the security of that data.

Now that we’ve had a bit of a refresher, let’s talk about the CCPA.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) was passed in 2018, but will not be enforced by the California Attorney General until July 1, 2020. The CCPA gives consumers a considerable amount of control over their data and how it can be used, but will only apply to businesses falling into specific categories. 

In many ways, the CCPA feels like the natural descendant of CAN-SPAM and the GDPR. Under the CCPA, consumers have the right to:
  1. Know “what personal information is collected, used, shared or sold” by the organizations with whom they interact.
  2. Delete “personal information held by businesses,” including any of the business’s own service providers.
  3. Opt-out of the sale of their information.
    • This element of the CCPA gives consumers the right to “direct a business that sells personal information to stop selling [their] information.”
    • Minors are also protected under this element.
      • Those under age 16 “must provide opt-in consent.”
      • Those under age 13 must have a “parent or guardian consent” on their behalf.
  4. Non-discrimination when exercising any CCPA privacy rights, including access to “price or service.”

Businesses that meet the specific criteria outlined in the legislation must be compliant with the CCPA. For your business to be affected, only one of the following must apply:
  1. The business’s gross annual revenue exceeds $25 million.
  2. The business “buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.”
  3. 50 percent or more of the business’s annual revenue comes from the sale of personal consumer information.

To comply with CCPA standards, businesses must notify all involved parties regarding data collection either before or at the time of collection. The CCPA requires that, in addition to maintaining compliance with CAN-SPAM’s opt-out expectations in a timely and respectful manner, businesses include a “Do Not Sell My Info” option for consumers. Businesses must also provide a response to any opt-out requests or privacy setting changes, which can be fulfilled with a confirmation email.

Compliance with CAN-SPAM and the GDPR does not ensure compliance with the CCPA.

While there are some similarities in the protections provided by each law, their individual legal obligations do not necessarily overlap, so be sure to know how each law affects your strategy. For more information about specific regulations and obligations under the CCPA, check out the California Attorney General’s Fact Sheet.

Getting to the inbox doesn’t have to be rocket science. For everything you need to know about optimizing your sending for high deliverability, check out our 2022 Email Deliverability Guide.