What are the CCPA requirements for collecting email addresses in person at a brick and mortar store?

Michael Ko
Co-founder & CEO, Suped
Published 31 Jul 2025
Updated 18 May 2026

No. The CCPA does not categorically prohibit a brick and mortar store from collecting an email address in person. An email address is personal information under the CCPA, so a covered business has to handle the collection properly. The California Attorney General explains that consumers have the right to be notified before or at the point personal information is collected.
The practical answer is simple: collect the email address only after giving a notice at collection, state why you are collecting it, avoid using it for unrelated marketing unless the customer clearly chose that use, and give the customer usable CCPA rights paths. The CPPA notice guide says the notice belongs where consumers will see it at or before collection, and in-person collection can be handled orally.
I treat in-store email capture as two separate questions. First, can the store collect the email address for the stated purpose? Usually yes, if the notice and privacy policy are in place. Second, can the store add that person to ongoing marketing? That needs a cleaner permission step, because CCPA notice is not the same thing as email marketing consent.
The short answer
If a covered retail business asks for an email address at checkout, the CCPA requirements are about transparency, limits, and rights. The law does not say a cashier cannot ask for an address. It says the customer must get the required information at or before collection, and the business must use and retain the address in a way that matches the disclosed purpose.
- Applicability: CCPA applies to for-profit businesses doing business in California that meet one of the statutory thresholds.
- Notice: The customer needs notice at collection before the email field is typed, scanned, or spoken.
- Purpose: The notice should say whether the address is for a receipt, account, loyalty program, delivery update, or marketing.
- Rights: The privacy policy needs clear ways to request access, deletion, correction, opt-out, and non-discrimination rights.
- Sharing: If the business sells or shares personal information, the notice needs the required opt-out path.
- Marketing: A CCPA notice does not replace the permission, unsubscribe, and sender identification rules for commercial email.
Plain-English rule
The store can collect the email address when collection is disclosed and tied to a legitimate purpose. The weak pattern is asking for an email at the register, giving no notice, then silently adding that address to promotional campaigns.
Who must care about CCPA
The CCPA does not apply to every small store. It applies to for-profit businesses that do business in California and meet at least one threshold. A retailer with one local shop can still choose to use the same standard voluntarily, but the statutory duties turn on whether the business is covered.
| Trigger | Threshold | Retail note |
|---|---|---|
| Revenue | $25 million+ | Large chains usually review every capture point. |
| Data volume | 100,000+ | Loyalty, ecommerce, and foot traffic can count. |
| Data sales | 50% revenue | Ad data and list sharing need close review. |
Common CCPA applicability triggers for retail email collection.
If the business is under the thresholds, the same operational discipline still helps. A cashier script, short notice, clean consent record, and easy unsubscribe path reduce disputes and complaints even when CCPA does not govern the specific store.
If the store collects addresses from California residents, do not rely only on the location of the physical store. A national retailer, franchise group, or ecommerce-backed retail brand can have California obligations even when an individual transaction happens outside California.
What notice at collection means in a store
Notice at collection is the part that makes in-person capture feel harder than a web form. Online, the link sits beside the email field. In a store, the notice has to appear in the physical checkout flow, on the printed signup form, on the customer display, on nearby signage, or through a short oral statement before the customer gives the address.

Flowchart showing the retail email collection steps from notice to safe sending.
A good short notice does not need to carry the full privacy policy. It needs to tell the customer the categories collected, the purposes, whether the information is sold or shared, retention timing, and where the full privacy policy and rights instructions live. The full policy then needs the complete description of online and offline information practices.
Example in-store notice copy
We collect your email address to send receipts and order updates. If you choose marketing, we also use it for promotional emails. We keep it as described in our Privacy Policy. Scan the QR code or ask staff for our California privacy notice. You can request access, deletion, correction, or opt-out rights.
I prefer a short notice near the terminal plus a staff script for spoken collection. If the customer is typing on a customer-facing screen, put the notice or QR link on that screen before the email field. If the cashier is asking aloud, train the cashier to state the purpose before asking for the address.
Receipt only
This is the lower-risk path because the customer expects the email to support the transaction.
- Purpose: Send the receipt, warranty details, delivery notes, or return instructions.
- Retention: Keep the address only as long as the disclosed business need supports it.
- Messaging: Do not turn receipt collection into promotional sending by default.
Marketing signup
This needs a separate choice because the customer is agreeing to future commercial messages.
- Choice: Ask a clear marketing question instead of bundling it into receipt delivery.
- Proof: Store the source, date, location, form version, and consent language.
- Quality: Send a confirmation email before repeated promotional campaigns.
What to collect and what to avoid
The cleanest in-store setup collects the least information needed for the specific job. If the purpose is an e-receipt, the email address is enough. If the purpose is a loyalty program, the business needs to explain that program and any financial incentive tied to the data. If the store asks for birth date, phone number, location, or household details, the notice and retention plan need to cover those categories too.
Staff script matters
- Avoid: Asking for an email address without saying why the store needs it.
- Avoid: Saying the email is required when the customer can complete the purchase without it.
- Use: A short, consistent prompt that names the purpose before collection.
| Data | Use | Minimization choice |
|---|---|---|
| Email | Receipt | Collect only the address. |
| Name | Account | Explain account use. |
| Birthday | Rewards | Make it optional. |
| Purchase | History | Disclose retention. |
Data minimization choices for common store flows.
Point-of-sale addresses also tend to have quality issues. Customers speak quickly, staff mistype, shared family inboxes get used, and some people give a fake address to finish the transaction. If the business plans to send more than a receipt, confirmed opt-in is a practical safeguard. It confirms control of the inbox and reduces complaints.
Consent, CAN-SPAM, and deliverability
CCPA is not an email marketing consent statute in the same way CAN-SPAM handles commercial email requirements. A CCPA notice tells the customer what personal information is collected and how it is used. It does not, by itself, prove that the customer asked for marketing.
For commercial messages, I separate the privacy step from the email marketing step. Use a clear marketing opt-in, include a working unsubscribe link, and include the required physical address in email footers. If a signup happens through an account flow, do not assume registration grants permission. For ongoing campaigns, also make sure your one-click unsubscribe process works before you send.
Deliverability is the next control. Even with clean legal permission, a new in-store list can hurt sender reputation if it contains typo addresses, role accounts, or people who never expected marketing. Send a confirmation message first, suppress bounces quickly, and keep receipt traffic separate from promotional traffic when volume is high.
Before the first campaign to a store-collected segment, run a real message through Suped's email tester. That helps catch authentication, content, and sending issues before a legal collection problem turns into inbox placement trouble.
Good capture pattern
- Notice: Show the short CCPA notice before the customer provides the address.
- Choice: Ask separately whether the customer wants marketing.
- Record: Store source, date, location, and exact consent language.
- Confirm: Send a confirmation email before regular promotional sending.
How Suped fits after the address is collected
CCPA compliance lives in privacy operations. Email performance lives in authentication, sending quality, and reputation. The two meet when a store-collected list starts receiving mail. Suped's product helps with the second side: checking that your domain, sending sources, authentication records, and alerts are ready before customer data turns into outbound email.

Suped DMARC dashboard showing email volume, authentication health, and source breakdown
For most teams, Suped is the best overall practical fit when they want one place for DMARC monitoring, SPF and DKIM visibility, hosted records, alerts, and blocklist monitoring (blacklist monitoring). It does not replace privacy counsel or your consent records. It gives the email team a clean way to see whether messages sent after collection are authenticated and whether reputation issues are forming.
- DMARC: Confirm that legitimate retail, ecommerce, and receipt senders pass authentication.
- SPF and DKIM: Find missing or misconfigured senders before campaigns scale.
- Alerts: Get notified when failures increase after a new store list or vendor is added.
- Hosted records: Manage SPF, DMARC, and MTA-STS changes without chasing DNS access each time.
- Reputation: Watch domain and IP blocklist (blacklist) signals after promotional sending starts.
Keep the workflows separate
Use privacy tooling and counsel to design the collection notice, rights process, and retention schedule. Use Suped to monitor whether the resulting email program is authenticated, trusted, and free of avoidable domain reputation problems.
Views from the trenches
Best practices
- Use a short in-store notice before capture, then link to the full privacy policy online.
- Separate receipt delivery from marketing consent so staff do not blur the purpose at checkout.
- Send a confirmation email before repeated marketing to reduce typo and permission issues.
Common pitfalls
- Relying on a website-only notice can miss customers who share details only at the counter.
- Adding receipt addresses to campaigns without a separate opt-in creates trust and complaint risk.
- Treating every POS address as valid leads to typos, shared inboxes, and spam complaints.
Expert tips
- Train staff to say the purpose aloud each time a customer gives an address at checkout.
- Keep the short notice beside the terminal so it appears before the email field is typed.
- Retain the source, date, and capture purpose so later requests are easier to answer accurately.
Marketer from Email Geeks says CCPA does not ban a customer from giving an email address for a receipt, but the business still needs a proper notice before collection.
2021-05-18 - Email Geeks
Marketer from Email Geeks says retail collection works when the notice, request path, and marketing permission are designed for the physical store instead of copied from an online form.
2021-05-18 - Email Geeks
Practical close
The answer is no: CCPA does not ban in-person email collection at a brick and mortar store. The legal risk comes from collecting without a notice, hiding the purpose, using receipt addresses for marketing without a real choice, or failing to provide the rights process that covered businesses owe California consumers.
My practical rule is to design the checkout flow as if the customer asked, "Why do you need my email, what will you do with it, and how do I exercise my rights later?" If the staff script, signage, form, privacy policy, consent record, and unsubscribe flow answer that cleanly, the store is in a much stronger position.
For email teams, the work does not end at collection. Confirm permission, validate the address, monitor authentication, and watch reputation. Privacy compliance keeps the collection honest. Deliverability controls keep the resulting email program from damaging the domain.
