The facts on CCPA and email encryption

Egress | 20th Dec 2021

The California Consumer Privacy Act of 2018 (CCPA) doesn't only affect companies based in California. If you have Californian customers, you'll need to follow this law. Here's what CCPA is, who needs to follow it, how it affects email usage, and how you can upgrade your email security strategy to stay compliant.

What is CCPA and why is it important?

CCPA protects California residents' privacy rights and gives people added control and transparency over a business's collection and use of personal information.

Under CCPA, people have the right to know how a business collects, uses, and shares their personal information, as well as the right to have such information deleted and to opt out of the sale of the data. Additionally, companies must not discriminate against consumers who exercise their CCPA rights.

Even if you operate outside of California, achieving compliance with the robust CCPA standards can help you build trust with customers. In addition, many states are introducing privacy legislation similar to the CCPA. Becoming CCPA-compliant can help you build a solid foundation so you can adapt to new regulations more easily.

Who needs to follow CCPA?

CCPA affects organizations that serve California residents and have over $25 million in annual revenue. It also applies to companies of all sizes that collect personal data from at least 50,000 consumers, households, or devices annually or generate half of their revenues from selling personal data. Organizations don't need to be based in California or have a physical presence there to fall under the law. 

How to make your emails CCPA-compliant

If your business falls under the CCPA's scope, here's how to ensure that your email communications are CCPA-compliant:

Encrypt sensitive data

Under CCPA, litigation only applies to unencrypted sensitive data that's disclosed or lost. To protect your company against direct or class action litigation related to data loss, you should encrypt all the personal information you collect and store.

Secure all email correspondence

Ensure that attachments containing personal information are sent to the correct recipients. If you send mass emails, you should put all the recipients' email addresses in the Bcc field to protect their privacy.

Be ready to share how you collect user data

California customers can demand to know what data you collect, where you get it from, and how you use it. You must respond to such requests within ten days. 

Have the ability to delete data upon request

Customers can request that their personal information be deleted from your system. You must have the ability to respond to these requests promptly and verify customers' identities when you do so.

Use extra care when selling customer data

If you collect email addresses and other personal information with the intent of selling them, you must communicate what data you're selling. You need to put a visible "Do Not Sell My Data" button on your opt-in forms or web pages and be ready to disclose how you share the data upon request.

Upgrade your email security strategy for CCPA compliance

The penalty range for CCPA starts at $2,500 per violation and goes up to $7,500 for each intentional violation. If you fail to protect your data, the fines can add up quickly.

CCPA applies data breach sanctions only if companies fail to protect personal data with encryption or redaction. Since unauthorized parties can't use encrypted personal information, there's no basis for penalization. As such, encryption measures that protect all the data in your email system are a critical component of staying compliant.

Egress Intelligent Email Security can help prevent email data breaches, safeguard sensitive information, support data subject access requests (DSARs), and audit email data flows for ongoing compliance with new ways to retain, protect, and share sensitive data.

Our Outlook plug-in stops misdirected emails and attachments to prevent breaches in real time. Meanwhile, you can send CCPA-compliant encrypted emails and attachments directly within Outlook.


Does CCPA apply to email?

Yes. Email addresses are considered personal information under CCPA. As such, you must have the ability to delete all email data upon request and offer email opt-out to all consumers. 

Does CCPA require data encryption?

Although there's no explicit mention of encryption requirements, breached information that's non-encrypted and non-redacted can result in penalties of up to $7,500 per violation. Encrypting your data can help you avoid such fines.

Is CCPA better than GDPR?

Although the GDPR and CCPA are different in many ways, they're similar in spirit. Some people may argue that the CCPA is modelled after the GDPR, while others consider CCPA to be a less strict version of the GDPR.