How do U.S. state-level privacy laws (CCPA, CPA, VCDPA) affect email?

The patchwork of US state privacy laws-including California's CCPA/CPRA, Colorado's CPA, Virginia's VCDPA, and similar laws in Connecticut, Utah, and other states-creates new obligations for email marketers even when GDPR doesn't apply. While these laws vary in their specifics, they generally grant consumers rights to know what personal information is collected about them, request deletion of their data, opt out of the sale or sharing of their information, and in some cases, correct inaccurate data. For email programs serving US subscribers, these rights translate into operational requirements for honoring data requests and maintaining transparent data practices.

The CCPA/CPRA is the most comprehensive, affecting businesses that meet certain revenue or data-processing thresholds and collect California residents' personal information. Key requirements include providing a "Do Not Sell or Share My Personal Information" link, honoring Global Privacy Control (GPC) signals from browsers, and obtaining opt-in consent before selling data from consumers under 16. For email marketers, this may affect how you monetize subscriber data, share information with third-party partners, or use cross-context behavioral advertising. The CPRA also created the California Privacy Protection Agency with enforcement authority, increasing the stakes for non-compliance.

Other state laws follow similar patterns but with meaningful variations. Virginia and Colorado require data protection assessments for certain processing activities, while Utah's law has narrower applicability thresholds. The lack of federal privacy legislation means these state laws will continue proliferating, each with its own nuances. Email marketers should establish baseline privacy practices that meet the strictest applicable requirements and build flexible systems for accommodating new state laws as they emerge-because the US privacy landscape is only becoming more complex.