CCPA and Cart Abandonment Emails: What You Need to Know

January 16, 2020

The California Consumer Privacy Act (CCPA) is now officially in force, protecting the data rights of Californians and spelling significant consequences for ecommerce businesses across the globe. What does this mean for your cart abandonment emails?

The new law applies to any ecommerce business dealing with Californian residents, affecting more than 500,000 companies in the US alone. Yet, last year only 14% of companies were CCPA compliant. 

With penalties as high as $7,500 per violation, it’s crucial that your online store and cart abandonment campaigns are entirely CCPA compliant, and this guide is here to explain more. 

What is CCPA?

CCPA stands for the California Consumer Privacy Act – a comprehensive piece of data protection legislation that came into force on January 1st, 2020. 

The Act introduces new data protection rights for Californian residents, giving them the right to access any personal information about them stored, bought or sold, and the right to opt-out of the collection or selling of this information and request full deletion. 

Personal information

Under CCPA, a Californian’s personal information includes data such as demographic information, social security numbers, account details, browsing data, education, passport number, driving license, purchase history, device type, and more. 


The aim of CCPA is to protect Californian residents. It, therefore, applies to any business, wherever located, meeting any of the following criteria:

  • Sells to Californian residents and generates more than $25 million in annual revenue;
  • Receives, buys, sells or shares the personal information of more than 50,000 Californian consumers, households, or devices annual, for commercial purposes; or
  • Earns more than half of its annual revenue through selling Californian’s personal information. 

Comparison with GDPR

CCPA is considered by some to be “GDPR lite,” and while the legislation certainly isn’t as onerous as its EU counterpart, it still represents a significant risk of litigation that you should do all to protect against. 

What CCPA Means for your Ecommerce Business?

If you fall within the scope of CCPA, then you must comply with the regulations. Specifically, this means that you must:

Offer consumers an opt-out option

Consumers should have the ability to opt-out of their personal information to be stored, shared, or sold to third parties. Also, any customers under the age of 16 must opt-in to the storing, sharing, and selling of their information. 

Offer consumers the “right to be forgotten”

Consumers should also have the option to request the permanent deletion of any personal information held. 

Comply with any requests for personal information

Any consumer requesting a record of the personal information you store on them and/or information on how and where that information has been obtained, shared, and sold, should be complied with within 45 days. 

Failure to comply with any of the requirements of CCPA could result in fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. For a small business dealing with 35 Californian customers, this could total $262,500 – making compliance essential for companies of all sizes. 

Also, those whose information has also been accessed illegally, stolen, or disclosed owing to substandard security measures are entitled to take private action and obtain damages of up to $750 per consumer, per incident. 

What Does CCPA Mean for your Cart Abandonment Emails?

While CCPA will predominantly affect your internal procedures, privacy policy, and some of your website content, it’s wise to ensure that your cart and browse abandonment email campaigns are also fully compliant. 

This is especially so if you use on-site recovery campaigns, such as real-time data capture, enriched contact records, and advanced visitor tracking, to collect contact information for your customer recovery emails. 

Further reading: On-Site Campaigns: How to Capture Ecommerce Leads & Drive Conversion

If you’re using Cart Stack, the good news is that we’re already fully CCPA compliant. All of your customer data collected by our on-site tools is securely held, never sold or distributed to any third party, and is easily accessible or deletable by emailing All cart and browse abandonment emails also include an unsubscribe link at the bottom, making it easy for customers to opt-out.

If you’re not using CartStack, then you’ll need to ensure that any customer data collected for your cart abandonment campaigns is secure, properly recorded, and easily accessible should a customer request access or deletion. You should also include a clear unsubscribe link in all of your email campaigns, alongside a regularly monitored email address for any CCPA requests. 

What You Need to do Now

CCPA is already in force, so if you haven’t taken precautionary steps, now is the time to start. Specifically, you should:

1. Determine whether CCPA applies to your business

First, it’s necessary to understand whether your business falls into the scope of CCPA. Review your business against the criteria and, if unsure, err on the side of caution. 

2. Conduct a personal information audit

Next, it’s necessary to prepare your data to highlight any gaps in the required information and to properly prepare yourself for any personal information requests. To do this, thoroughly audit your data and associated processes to create a data inventory that details the following:

  • The type and details of data collected, how it has been received, and why
  • The people who have access to this data
  • Any data that has been sold to a third party, and details of that third party
  • How data is stored and encrypted. 

3. Implement a procedure for complying with CCPA requests

It will also prove useful to have a detailed process in place for handling any CCPA requests, such as access to data, details of third parties, deletion of information, and opting out of the sale or collection of information. This procedure should detail who will handle the request and how they will respond within 45 days, including how data will be extracted, how data will be deleted, and how the individual’s identify will be verified. 

4. Update your website and emails

Your ecommerce website and cart and browse abandonment emails should include a link to your updated privacy policy, and a clear and easily identifiable “do not sell my personal information” and “do not collect my personal information” buttons or links. 

Specifically, your updated privacy policy should include an explanation of rights under CCPA, details of the personal information collected and/or shared, and at least two methods of requesting information, deletion, or opting out. 

5. Secure your customer data

While CCPA doesn’t alter any law regarding data security, now is a good time to audit your processes and ensure that you’re holding data in a secure format. 

6. Prepare for the future

Finally, GDPR and CCPR are just two of many legislative acts expected on the topic of data protection. With similar legislation expected from other states and counties over the coming years, we recommend assigning a dedicated Data Protection Officer to ensure compliance today and in the future. 

Key Takeaways

While the hype around CCPA might not be as big as GDPR, that doesn’t make it any less important for your ecommerce business and cart abandonment emails. With personal data and big fines at risk, ensuring that you understand the implications of CCPA and are fully compliant can be vital to the future of your business. 

We hope this guide has helped you to understand the scope and impact of CCPA, but, as ever, if you’re in doubt about how you comply with statutory legislation, seek the help of an appropriately qualified lawyer.