We're already well into the GDPR consent compliance era, and clear patterns have begun to emerge. Businesses of all sizes - large, small, medium, you name it - have struggled through months of process updates to land us where we are now. That said, new laws come into effect frequently, one being CCPA - the California Consumer Privacy Act. Although you may not have operations in California, you might still be affected. Keeping yourself informed could save your company massive penalties. Read on and make sure you're staying on the right side of the law.

*Please note that all information in this article is for informational purposes only. We do not attempt to provide legal consultation, the information herein is not to be taken as a full legal rundown of any laws, and we are held harmless should you take any information herein as the word of the law. We highly recommend that you consult a lawyer specializing in marketing law and do not intend to replace the information that a lawyer can provide.

Ahrefs.com can pretty much confirm the chaos that surrounded the online world: businesses were frantically searching for keywords like GDPR compliance, GDPR consent, GDPR checklist and GDPR for dummies, which showed immense spikes for the month of May, some with over 4 times the volume they had in April.

GDPR keyword analysis during the month of May

General concerns that GDPR won’t be well understood have been totally confirmed. Surveys conducted at the start of the year, showing that only 21% of organizations are concerned about GDPR and have a plan in place, while 27% of respondents are concerned about GDPR yet have no plan in place, wrote the script for a general world panic in the month of May.

How long did it take for the first GDPR complaint to come in? In case you haven’t read, you can probably guess.

It took all of 48 minutes for the first GDPR complaint to come in, and major lawsuits worth €9 bn.

CCPA isn’t any different - in fact, even more confusion abounds here due to it being a state-specific regulation. Luckily, there’s still time to conform, with CCPA’s enforcement date beginning on January 1, 2020. This being said, it’s important to be ahead of the curve - similar to the massive fines that have been seen with GDPR, CCPA will be quick on the heels of the overzealous marketer.

Yeah I know, you’ll say you totally saw this coming, and that the latest Facebook scandals were clearly pointing to this happening. But hey, it makes sense - you, as a marketer, want to have as much data as possible to be as effective as possible, but you as a consumer also want to make sure that your privacy isn’t disregarded.

Wait – it gets worse. The first month registered a whopping number of GDPR complaints – almost 2000. Now that’s probably going to surprise a few more of you, but don’t be too surprised, because CCPA will be similar, affecting a wide range of businesses, even if they aren’t in the jurisdiction themselves. We used this really awesome breakdown provided by IAPP to map out the number of complaints received by country for GDPR. Needless to say, we won’t see something similar with CCPA, but the effects will still be profound and seen by all.

GDPR Infographic - Complaints analysis by country

How did GDPR compliance affect small businesses?

As Thycotic reports, and our survey (keep on reading…) confirms, several companies elected to completely shut down their service to EU states at the end of a month they very funnily called GDPR email Spam Month. Every business big and small struggled to get email consent from their marketing lists. The first couple of emails were fun, but receiving 2 rounds of consent emails from everybody you had a subscription with (and at least as many from companies you never heard of) was a key factor in creating a huge mess in your inbox.

Why was it such a mess? Well, for starters, the general public didn’t really know what GDPR was before it all started to happen, and in all honesty, email marketing consultants didn’t always do a very good job at informing them before asking them for their consent.

One of the worst GDPR consent examples was a renowned hit & miss by Premier League club Manchester United, who thought it would be a good idea to use the sideline ad billboards to remind fans they have to send their consent during a matchday. To confirm the general confusion, a survey showed that only 54% of people actually understood what GDPR was about.

Thankfully, there were some who did it like absolute pros and set high standards.

After small business owners searched for GDPR for dummies keywords online, then looked into hundreds of other searches and examples, they finally crafted their emails and, with high hopes and big hearts, waited for consent. Some got it better than others, obviously, but even so, we can get a high-level picture of what happened.

We surveyed 25 US-based businesses and the results were not all that promising, to tell the truth.

What did we find out after surveying 25 US-based businesses?

We already said this but it’s worth repeating. The results were far from promising as we somewhat expected. The case here is probably that EU contacts were so fed up being bombarded by spam that they couldn’t tell the difference between them anymore – or didn’t care to do so.

A whopping 14 businesses out of these 25 decided to completely stop sending emails to EU contacts. After deliberating and seeing results from some of their peers, they decided that saving 10-15% of their EU mailing lists wouldn’t be worth the investment and hassle. I can definitely see what they were thinking here, but CCPA will be a different beast - removing California from any marketing channel for a US-based business is ensuring failure. Continue reading and we’ll provide some stats on how the 11 businesses that chose to send the consent emails did.

Only 4 of the 25 businesses (less than 20%) felt that the results of the first consent email were satisfying enough to warrant a second series of email consent messaging.

Unfortunately, I’ll have to repeat myself. I don’t condemn their decision as it’s totally backed up by data.

A single business was satisfied enough with the results they got out of the first two series to implement the third series.

GDPR Infographic - Case study on 25 US businesses

I need to make myself clear. These were all businesses that were actively doing business with EU clients.

Okay, but what were the stats on the rest of the GDPR consent compliance sends?

We also compiled statistics showing what the results were for those 11 businesses that decided to send consent requests to their subscribers. Now, you’ll be able to see the impact GDPR had on US businesses and analyze it for yourself. First-touch emails got open rates between 3.7% and 28.3%, and click rates of as little as 0.8% to 4.9%.

When looking into standard email engagement, being on the high end of these statistics wouldn’t look bad at all, right? Well – when the stake is being able to retain that contact in your list or having to completely remove it, the stats don’t look that good anymore. In layman’s terms, it means that most US businesses were able to keep between 8 and 49 contacts out of every 1000 contacts on their lists.

Sure – but there must have been a second round, right? Well yeah – in some cases businesses sent second-round consent requests. Click rates ranged from 0.8% to 16%, so much better this time. Even so, statistics were pretty worrisome.

GDPR Infographic - Email engagement rates analysis

How does this translate to businesses impacted by the new California CCPA law?

If you’ve been following along with us so far, you’ll have noticed that California’s new law of data protection is going to provide nothing but more of the same. I think the statistics will most likely be better than what we’ve presented above, but not to a wild extent. With California being such a large factor in so many businesses’ operations, CCPA compliance is as close to nationally-mandatory as one can get if a business wants to...well...stay in business!

US businesses should definitely brace for some sort of impact, especially the smaller ones. If your list usually gets a good amount of engagement, say around 40% open rates, you should probably expect to lose about half of your California-based email contacts. You should also plan ahead for some expenses, as you’ll definitely need to send at least 2 series of email consent requests.

As you could see from the above stats, the first series won’t get you too many results. People are busy, so they will probably not act until the very last moment.

What do we recommend? (disclaimer, this won’t be a CCPA checklist)

1. For starters – try getting the consent as soon as you possibly can. This will help your brand stand out. If you wait until the very last moment like some other companies did with EU’s GDPR, you’ll just look like another desperate business in California’s version of ‘Spam month’. Sending consent requests nice & early will help you stay ahead of your competition.

2. Build a nice email HTML design. You can have a look at our drag & drop email builder in case you haven’t yet. Use a big and clear CTA. You don’t care about selling your product when asking for GDPR consent, so DON’T include any unnecessary info that doesn’t pertain to the task at hand.

3. Inform your client. Read this again – Inform YOUR client! Don’t send him to another link to read on some other website full of info he’s more or less interested in knowing. Make an effort to summarize the information in a bite-size text that is easily digestible for anybody. This will boost your chances of getting consent considerably.

4. This one’s important. Don’t send over a text that looks like a law citation. Don’t use 2000 words in your content! Explain what this is and why they should opt in using 3-4 rows of clear, easy-to-read text.

Final notes on what to do when California’s Data Protection law comes into play

Hopefully, this article provided you with enough actionable information and statistics to help guide your path. There are loads of GDPR consent checklist articles out there, so here at CodeCrew we wanted to focus on bringing you a really unique case study that should provide you with enough knowledge to help get the most out of this change, and retain as many contacts as you possibly can.

Feel free to reach out if you have any insights you’d like to share with us – or need any help building your campaign out!
