Tag Archives: unsubscribes

Email Marketers and California’s New Data Privacy Law

In June of 2018, Governor Jerry Brown signed into law the California Consumer Privacy Act (CCPA). Taking its inspiration from the European Union’s General Data Protection Regulation (GDPR), the CCPA was intended to protect online data privacy. Like the GDPR, it gives California residents the right to opt out of any sharing of their data and the right to have their data deleted. It was created by Alastair Mactaggart, a rich San Francisco real estate investor, and drafted by him with friends, including cybersecurity and data privacy expert Mary Stone Ross.

But Mactaggart wasn’t happy with the legislation and, two years later, introduced ballot measure Proposition 24, intended to correct what he saw as problems with the CCPA. In November 2020, California voters passed a revision to the CCPA entitled the California Privacy Rights Act of 2020 (CPRA) [1]. Not everyone was happy with the new resolution, including Mactaggart’s former associate Mary Stone Ross, who opposed it, as did the ACLU, among others. Nonetheless, the proposition passed and is now law in California.

Why It Matters

While California is just one of the fifty US states, it has one of the largest populations and an outsized influence on the rest of the country. Legislation passed by California is often copied by other states. So what has been the impact of the CCPA on the email marketing community, and what should we expect from the CPRA?

So far, the CCPA doesn’t appear to have had a significant impact on many in the email marketing community. Will the CPRA change that? Will it have a more significant impact on businesses? Only time will tell for the true effects, but there are a number of changes in the law that seem likely to cause an impact. We have read the law and attempted to interpret how the changes will affect the email marketing community. Please note that this is not legal advice. For specific questions about the law, please consult an attorney.

One of the changes was intended to close loopholes around businesses sharing information. The new law changes the wording to include the sharing of information between companies in almost every way. Whereas before, with the 2018 version of the law, many people interpreted it to allow businesses to share information between companies with affiliate relations, that is now explicitly disallowed.

The California Privacy Protection Agency

The most dramatic change from CCPA is the creation of the California Privacy Protection Agency. Previously, the prosecution of privacy violations was left to the California attorney general’s office, which acknowledged that it doesn’t have the resources to bring many cases to court. With a projected budget of $5 to $10 million a year and a law that says the proceeds from these cases will go to the new agency, the California Privacy Protection Agency actually benefits from prosecuting cases. With these kinds of resources, we expect that there will be significantly more prosecutions. Additionally, with CCPA, there were rules that allowed a company to “cure” violations to avoid punishment. With the new law, the ability to cure violations is reduced to a one-time opportunity.

It’s not all bad news, however. As with the CCPA, the CPRA has little effect on smaller businesses. It only applies to businesses that earn over $25 million a year. If anything, it’s more lenient than the CCPA since it increases the number of subscribers a business can have from 50,000 to 100,000.

The exceptions are businesses that earn 50% or more of their annual revenue from selling or sharing consumers’ personal information. The changes in this law make it clear that sharing data with another business, regardless of the creative words used to describe the arrangement or the annual earnings, is now illegal without strict contractual requirements to ensure that business maintains the same level of privacy protection. If you make money by selling your email leads, you will need to be very careful about this law. And the penalties for violations remain debilitatingly high. Fines could be millions of dollars for a single email blast!

The law continues or even strengthens the requirements of disclosure for the personal information you collect. This law goes so far as to give the exact words you need to provide as a link on the homepage of your website to explain to users the information you collect and requires you to make an option available to users to request that this data be deleted.

In GDPR and Email: Part 1, an Overview, we pointed out that much of this legislation requires businesses to forget all the information about a recipient, without addressing the inevitable problems this can cause. Our reading of this is that the law does allow for the storage of some key identifier to support a user’s request to be deleted (specifically, email address in our case). While we doubt that this was the intended purpose of this subsection, it certainly appears to let businesses off the hook in regards to keeping email addresses to prevent further data gathering and further email sending.

Don’t Add Data to Unsubscribes

The new law makes it explicitly clear that personal information cannot be added to records for recipients that have unsubscribed. Maintaining the email address to know the person has unsubscribed appears legal, but you cannot then augment the file of information about that user to include any personal information, even if you won’t be sending to them. Some software or business practice changes may be necessary for companies to comply with this.

One thing that is unequivocally banned by the CPRA is the practice of assuming that consent is provided by hovering over, muting, pausing, or closing a given piece of content. It also prohibits the practice of using “dark patterns” to add data about users, which it defines as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.” Hopefully few businesses were doing this, but should you be considering it, now it is explicitly illegal.

Another frustration we have experienced with GDPR that doesn’t appear resolved by these California laws is the question of what constitutes personal information. Some things are obvious, such as Social Security Numbers, addresses, dates of birth, etc. But how about information like clickthroughs or opens? Is it personal information to keep track of what content the person opened, or to store the links that they clicked on? Certainly, an argument could be made that this information is unworthy to be considered confidential or private information, but the laws are not clear. It would be nice if this could be resolved for the email marketing community but for now, each company and their lawyers will need to make their own decision.

The CCPA went into effect at the beginning of 2020 and will stay in effect until the 1st of January, 2023. At that point, the CPRA will go into action, but the law also applies to personal information collected by a business on or after January 1st, 2022. If you are an email marketer who doesn’t collect any personal information about your recipients and simply blasts untargeted advertisements at them, you may not need to change business practices. You need to offer an explicit “delete” option, rather than just an unsubscribe, but no other changes may be required. However, if you target recipients based on the information you have collected about them, no matter what the source, you may have to make changes to “dumb down” your program. Untargeted advertisements appear to be acceptable, but targeted advertisements may get you in trouble. It’s a bit ironic that the “benefit” of privacy protection may neuter all marketing to be generic and unengaging to recipients.



1. The California Privacy Rights Act of 2020 in PDF form.

© Goolara, LLC, 2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Goolara, LLC and the Goolara Blog with appropriate and specific directions (i.e., links) to the original content.

Yahoo Recycles Dead Email Addresses


In a move that has many people in both the email marketing industry and the Internet security field shaking their heads, Yahoo has announced that any Yahoo email addresses that haven’t been logged onto in over twelve months will be made available to other users. In a post on their blog, Jay Rossiter, Yahoo’s senior vice president of platforms, wrote that the reason for doing this was to allow Yahoo users who weren’t online during the initial email address land grab to get the Yahoo addresses they wanted. “If you’re like me,” Rossiter explained, “you want a Yahoo ID that’s short, sweet, and memorable like albert@Yahoo.com instead of albert9330399@Yahoo.com”

Security experts are especially skeptical of this move, saying that the possibilities for identity theft abound. The recently deceased, or long-term hospitalized people could be prime targets, they argue. Elderly people whose kids set up their account and helped them buy a few things on Amazon two years ago are also possible targets. But the Email Marketing community has its own set of potential problem areas that must be dealt with if Yahoo goes through with this program.

30 Day Turnover

According to a Yahoo spokesperson, once an old email address is requested, Yahoo will send bounce-back emails alerting senders that the deactivated accounts no longer exist, and they will also unsubscribe these accounts from commercial emails such as newsletters, email alerts, etc. But Yahoo’s plan is to allow only thirty days for this process. This quick turnover only adds to the possible problems email marketers are liable to encounter.

Suppose you have a customer who purchased something from your company a year-and-a-half ago. You’ve been sending email offers, but as the person hasn’t been that engaged, you’ve tapered off on the mailings. You send something at the end of June, and then something again at the beginning of September. In between, that address has gone to someone else. How will that new recipient react? As far as they’re concerned, your email is unsolicited, which makes it a good candidate for the Spam folder. This is, admittedly, a worst-case scenario, but a man named Murphy already proved that if something can go wrong, it will.

For an individual, sending to a bad address is no big deal. They will receive some kind of bounce message, but other mail they send will go through. That is not the same for mass marketers who send thousands of emails per day. When a marketer sends a large volume of email, the ISPs keep track of how many bad addresses are attempted and use that as a factor in determining the Reputation Score of the sender. This is explained in greater detail in our guides, but, suffice it to say, you can’t send to bad addresses regularly and maintain good inbox penetration. Good email marketing software looks at failure messages and immediately removes bad addresses from any future distributions to keep the failure rate as low as possible.

Beware of Spam Traps!

If you have removed inactive recipients from your list, you may have already removed some of the accounts that will be reactivated by Yahoo. One idea might be to reactivate all Yahoo users who were previously marked as bad addresses, in case some of them are now valid addresses. However, this would be a bad idea for many reasons. One is that some of those bad addresses have been turned into “spam traps.” This is an anti-spam technique used by all ISPs that takes old, inactive or closed accounts and reactivates them. Before the account is closed, the ISPs return an error message that the user is inactive to anyone trying to send to that address. After a period of time, the ISP will stop returning these messages and turn the account into a spam trap. The idea is that good marketers send email to their recipients on a regular basis, so they will know that the account is no longer valid. Those that don’t follow best practices, or buy a list from questionable sources, may get email addresses that have not been sent to in many months. When an ISP receives an attempt to send to an address it has turned into a spam trap, the result is an immediate and significant drop in the Reputation Score.

Even if there are no spam traps on your list, if most of those bad addresses remain bad, reactivating them will cause a large spike of unknown user rejections from Yahoo, which will also hurt your Reputation Score.

Re-subscription Issues

The problem isn’t simply limited to old addresses either. If you have a user who gets marked as invalid within the short window Yahoo provides, and, coincidentally, the new owner of that account wants to join your distribution, the new user may or may not get added, depending on how the request comes in. Many marketers re-import their list on a regular basis to add new recipients or change their demographics, so good email marketing software has to look at the import and see if the recipient is already in an unsubscribed or on-hold status. It would be a mistake to re-enable all recipients who are re-imported, as you would be causing another Unknown User request against the mail server, or re-activating a user who had unsubscribed. Therefore, if the new user’s request to be added comes into your website and is added to a bulk import, the request may be ignored.

If the request to add the email address is sent to the email marketing software in a non-batch mode, such as via an API call, it will depend on the implementation of the software as to whether the request is processed or not. Check with your ESP on how this would be handled.
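The import check described above, combined with the earlier rule against adding personal data to unsubscribed records, as an added Python example that is not Goolara's code. The status names, record layout, `bulk_import` function and sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    ON_HOLD = "on_hold"            # an unknown-user bounce was received
    UNSUBSCRIBED = "unsubscribed"


@dataclass
class Recipient:
    email: str
    status: Status = Status.ACTIVE
    attributes: dict = field(default_factory=dict)


def bulk_import(store, rows):
    """Merge import rows into store, a dict keyed by lower-cased address.

    Suppressed recipients are neither re-enabled nor given new attributes;
    they are reported so a possible new address owner can be reviewed.
    """
    report = {"added": [], "updated": [], "skipped": []}
    for row in rows:
        key = row["email"].strip().lower()
        attrs = {k: v for k, v in row.items() if k != "email"}
        existing = store.get(key)
        if existing is None:
            store[key] = Recipient(key, Status.ACTIVE, attrs)
            report["added"].append(key)
        elif existing.status is Status.ACTIVE:
            existing.attributes.update(attrs)
            report["updated"].append(key)
        else:
            report["skipped"].append((key, existing.status.value))
    return report


# Constructed sample data (hypothetical addresses and attributes).
SAMPLE_STORE = {
    "ann@example.com": Recipient("ann@example.com", Status.ACTIVE, {"city": "Reno"}),
    "bob@example.com": Recipient("bob@example.com", Status.UNSUBSCRIBED),
    "cy@example.com": Recipient("cy@example.com", Status.ON_HOLD),
}
SAMPLE_ROWS = [
    {"email": "Ann@Example.com", "city": "Fresno"},
    {"email": "bob@example.com", "city": "Davis"},
    {"email": "cy@example.com", "city": "Chico"},
    {"email": "dee@example.com", "city": "Napa"},
]
```

The `skipped` list is where a request from the new owner of a recycled address would surface when it arrives through a bulk import.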

Best Practices

Sending to a person who inherits an email address is probably a bad thing, and if that person marks your email as spam, it will be more difficult for you to get future mail delivered to Yahoo. Therefore, if you do not already have a program in place to remove inactive users, start one, or make sure that you send an email to all your users at least once a month. Above all, you’ll need to be especially vigilant when it comes to any clients using a Yahoo address.
