How do U.S. state-level privacy laws (CCPA, CPA, VCDPA) affect email?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A wave of state privacy laws is changing how you handle email subscriber data. California's CCPA and CPRA, Colorado's CPA, Virginia's VCDPA, and similar laws in Connecticut and Utah all give consumers new rights. They can ask you what data you've collected, request deletion, opt out of data sales, and sometimes even correct errors. For email senders, that means new operational requirements even if you're not dealing with GDPR.

The CCPA is the toughest and most detailed. It applies if you do business in California and hit certain thresholds (usually based on revenue or data volume). You have to add a "Do Not Sell or Share My Personal Information" link in emails, honor browser privacy signals like Global Privacy Control, and get opt-in consent before selling data from users under 16. If you're monetizing your list through third-party data sharing or behavioral ads, you need to rethink that strategy. California also created an enforcement agency with real teeth, so violations aren't just annoying. They're costly.

Other states have their own rules. Virginia and Colorado require privacy impact assessments for certain processing. Utah's thresholds are narrower. The headache is that there's no federal law to replace them, so expect more states to pass their own versions. Each one adds more complexity.

What you should do: Start with California's requirements as your baseline (it's the strictest). Make sure your unsubscribe and consent flows work for opt-out requests. Document any data you sell or share. Check your data processor agreements with your ESP. And stay on alert. Your compliance playbook needs to evolve as new laws land.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a compliance checklist tailored to your states.

I need to audit my compliance with state privacy laws. Help me check MY email program: 1. Which state privacy laws apply to my business? 2. Do I have the right privacy links in my emails? 3. How do I handle data deletion requests? 4. What should I document for compliance? 5. Do my data processor agreements cover these laws? My details (fill in what applies): - States where I do business: list - Email platform/ESP: Mailchimp, SendGrid, etc. - Do you sell or share subscriber data: yes / no - Data deletion process: automated / manual / none - Privacy policy: yes, URL / no - Last compliance review: date

Edit the yellow boxes, then send to the AI of your choice.