Skip to Content Skip to Footer
The Impact of GDPR and CCPA on Digital Marketers

The Impact of GDPR and CCPA on Digital Marketers

Courtenay Worcester

Over the past two years, two major regulations have had a widespread impact on digital marketers – GDPR and CCPA. At this time last year, marketers were making sure they were in compliance with the General Data Protection Regulation (GDPR). As you probably recall, the EU law went into effect in May 2018 to ensure data protection and privacy for all individuals citizens of the European Union (EU) and the European Economic Area (EEA) and companies doing business in the EU and EEA areas.

This year, we’re all gearing up for the California Consumer Privacy Act (CCPA). Going into effect January 1, 2020, CCPA is reported to be among the most stringent data protection privacy laws in the U.S.


Focusing on the privacy rights of individuals, CCPA regulates the way marketers handle personal information of California residents. If a business has over $25M in annual revenue, processes (buys, sells, receives, or shares) 50,000 or more California consumer records each year, or earns 50 percent or more of its annual revenue from selling personal information of California residents, it must comply with CCPA.

CCPA also applies to companies that share common branding (name, service mark or trademark) with a business that meets the criteria. This includes marketing agencies, online payment processing vendors, and digital marketing technology companies, for example. If your business doesn’t fall within the criteria outlined above but is a service provider to a company that does fit the criteria, you should still be knowledgeable about CCPA requirements.  

The Fines Print

While GDPR’s roots are European and CCPA’s are in California, both regulations have had a ripple effect on businesses around the globe, forcing businesses to provide greater transparency and institute more stringent business processes around customer data.

It’s no wonder when you look at the fines. The fines for failing to comply with GDPR range from 10 million euros to four percent of the company’s annual global turnover, which could add up to billions for some companies.

Businesses that don’t comply with CCPA can face a maximum fine of $750 per consumer or violation. For example, if a business collects data from 1,000 California residents without complying with CCPA, they can face fines of up to $750,000. Also, if a business doesn’t meet certain data security requirements, consumers can demand that it be fixed within 30 days or the business risks legal action. Some might think it’s easy to just suppress California contacts from a campaign list but that’s short sighted. Let’s not forget that with a population of 39.5 million, California is the world’s sixth largest economy according to the Bureau of Economic Analysis.

Government Regulations Benefit Marketers & Customers

Both GDPR and CCPA have driven digital marketers to update back-end systems, review privacy statements, update third party contracts, audit contact lists, and confirm subscribers. While these actions can be time consuming and costly, they create opportunities for digital marketers to elevate their presence in customers’ inboxes.

CCPA is the latest example of the rising demand for proper collection and management of customer data. We can likely expect other states to follow suit with CCPA and institute stricter regulations and fines to protect consumers and ensure more meaningful online experiences.  

With CCPA coming up, we recommend another thorough audit of your lists. If you rely on consents obtained by your digital marketing partners, make sure that you have been specifically identified in the properly worded consent clause. This can save lots of time and headaches, especially when the holiday campaigns are in full swing. Not to mention avoiding the hefty fines associated with non-compliance.

Also, if you’re working with a marketing agency to help execute your campaigns, you need to be sure they’re compliant or you can be held liable. To avoid this situation, ask your marketing agency for the source of their contacts, verification of opt-ins, and if the contacts have opted-in across the various marketing channels you’re using for your campaign such as mobile and social, be sure customers know exactly how you’ll use their data. And remember to always make it easy for customers to change their preferences, withdraw consent, and update their contact info.

Thanks to GDPR and CCPA, more businesses are aware of the negative side of implicit consent, so hopefully, we’ll see less unsolicited messages and more communication that’s relevant and tailored to customer needs.

Courtenay Worcester is the U.S. Director of Marketing for GetResponse. She is responsible for driving the company's marketing strategy in the U.S. including positioning, competitive analysis, lead generation, customer engagement, and brand awareness.  She brings more than 10 years of experience in digital marketing to GetResponse. Prior to joining GetResponse, Courtenay drove corporate events for Seismic Software, a leader in sales enablement and content management. She has additional corporate and digital marketing experience gained at Attend, Inc. where she developed traditional, digital, and event marketing strategies that attracted and engaged target segments.