How do U.S. state-level privacy laws (CCPA, CPA, VCDPA) affect email?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
A wave of state privacy laws is changing how you handle email subscriber data. California's CCPA and CPRA, Colorado's CPA, Virginia's VCDPA, and similar laws in Connecticut and Utah all give consumers new rights. They can ask you what data you've collected, request deletion, opt out of data sales, and sometimes even correct errors. For email senders, that means new operational requirements even if you're not dealing with GDPR.
The CCPA is the toughest and most detailed. It applies if you do business in California and hit certain thresholds (usually based on revenue or data volume). You have to add a "Do Not Sell or Share My Personal Information" link in emails, honor browser privacy signals like Global Privacy Control, and get opt-in consent before selling data from users under 16. If you're monetizing your list through third-party data sharing or behavioral ads, you need to rethink that strategy. California also created an enforcement agency with real teeth, so violations aren't just annoying. They're costly.
Other states have their own rules. Virginia and Colorado require privacy impact assessments for certain processing. Utah's thresholds are narrower. The headache is that there's no federal law to replace them, so expect more states to pass their own versions. Each one adds more complexity.
What you should do: Start with California's requirements as your baseline (it's the strictest). Make sure your unsubscribe and consent flows work for opt-out requests. Document any data you sell or share. Check your data processor agreements with your ESP. And stay on alert. Your compliance playbook needs to evolve as new laws land.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.