CCPA/CPRA Compliance for AI-Generated Consumer Emails

California's Consumer Privacy Act requires transparency when AI agents contact consumers. MultiMail's disclosure infrastructure embeds required notices automatically in every outbound email.


Why this matters

CCPA and its 2020 amendment CPRA require businesses to disclose when automated systems make decisions that affect consumers, and to provide opt-out mechanisms for automated decision-making (ADM). When an AI agent sends promotional emails, account notices, or personalized outreach to California residents, that communication falls under ADM disclosure obligations. Most email APIs have no concept of AI authorship — they treat every message identically regardless of whether a human or an agent composed it. That leaves your legal team manually auditing outbound campaigns, inserting disclosures by hand, and hoping nothing slips through. At scale, that process breaks down: agents can send thousands of emails before a compliance review catches a missing disclosure.


How MultiMail solves this

MultiMail tracks AI authorship at the message level. Every call to send_email or reply_email accepts an ai_generated flag that embeds a machine-readable disclosure in the email's signed X-MultiMail-Identity header and injects human-readable disclosure text into the message body. For California-resident targeting, you pass a california_consumer flag to activate CCPA-specific language — including the required opt-out link and the disclosure that automated decision-making was used. The gated_send oversight mode gives your compliance team a review queue for AI-drafted messages before they reach consumers, with message body and headers visible in the approval UI. Every sent message is logged with its disclosure status, giving you an auditable trail for CCPA data subject requests and regulatory inquiries.

1

Tag California consumers in your contact list

Query your CRM or data warehouse for contacts with California billing addresses or California-resident flags. Pass california_consumer: true in the send_email call metadata. MultiMail uses this to select CCPA-compliant disclosure language and activate the opt-out mechanism required under Cal. Civ. Code § 1798.120.

2

Enable AI disclosure on every outbound message

Set ai_generated: true in the send_email or reply_email payload. MultiMail appends a signed X-MultiMail-Identity header containing the agent identifier, generation timestamp, and disclosure flag. The header is DKIM-signed, so downstream mail systems and auditors can verify authenticity. A plain-text disclosure notice is also injected into the message footer.

3

Route through gated_send for compliance review

With the gated_send oversight mode enabled, AI-drafted messages enter a human-approval queue before delivery. Your compliance team sees the full message — body, headers, recipient metadata, and disclosure status — in the approval UI. They can approve, edit, or reject. Approval decisions are logged with timestamps and reviewer identity.

4

Deliver with embedded disclosures

Once approved (or immediately if you use monitored mode for lower-risk sends), MultiMail delivers the message with the signed identity header and footer disclosure intact. The opt-out link in the footer routes to MultiMail's hosted preference center, which fires a webhook to your system when a consumer exercises their CCPA opt-out right.

5

Log compliance events for audit trail

Every send event generates a compliance log entry accessible via the MultiMail API: message ID, recipient, ai_generated flag, california_consumer flag, disclosure text version, approval event (if gated), and delivery status. Use these logs to respond to CCPA data subject requests or to demonstrate compliance to regulators.
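The reconciliation a compliance team actually runs against these logs, as an added example that is not MultiMail's own code or SDK: it cross-checks the per-message log fields listed in step 5 against your own California-resident list from step 1, flags sends that reached a California resident without the california_consumer flag (the gap this page describes), without a recorded disclosure version, or without a gated approval, and pulls every record for one consumer to answer a data subject request. The dataclass, function names and all sample data are constructed for illustration; adapt the field mapping to the JSON the compliance log API returns.

```python
"""Added example (not MultiMail SDK code): audit MultiMail-style compliance
log entries against your own residency data.

Field set follows the log fields listed in step 5 (message ID, recipient,
ai_generated, california_consumer, disclosure text version, approval event,
delivery status); names, values and sample data below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ComplianceLogEntry:
    message_id: str
    recipient: str
    ai_generated: bool
    california_consumer: bool
    disclosure_version: Optional[str]   # None when no disclosure footer was injected
    approval_event: Optional[str]       # e.g. "approved:reviewer-1" for gated sends, None otherwise
    delivery_status: str


# Constructed sample: residency as known to your CRM ...
CALIFORNIA_RESIDENTS: Set[str] = {"alex@example.com", "casey@example.com"}

# ... and what the compliance log recorded for six messages.
SAMPLE_LOG: List[ComplianceLogEntry] = [
    ComplianceLogEntry("msg-001", "alex@example.com", True, True, "ccpa-footer-v3", "approved:reviewer-1", "delivered"),
    ComplianceLogEntry("msg-002", "casey@example.com", True, False, None, "approved:reviewer-1", "delivered"),
    ComplianceLogEntry("msg-003", "jordan@example.com", True, False, None, None, "delivered"),
    ComplianceLogEntry("msg-004", "alex@example.com", True, True, None, None, "delivered"),
    ComplianceLogEntry("msg-005", "casey@example.com", False, False, None, None, "delivered"),
    ComplianceLogEntry("msg-006", "casey@example.com", True, False, None, "rejected:reviewer-2", "not_sent"),
]


def find_compliance_gaps(entries: Iterable[ComplianceLogEntry],
                         california_residents: Iterable[str],
                         require_approval: bool = True) -> List[Tuple[str, str]]:
    """Return (message_id, reason) pairs for delivered AI-authored messages whose
    log record does not match what a California resident should have received."""
    gaps: List[Tuple[str, str]] = []
    residents = {e.lower() for e in california_residents}
    for entry in entries:
        if entry.delivery_status != "delivered":
            continue            # never reached a consumer (e.g. rejected in gated review)
        if not entry.ai_generated:
            continue            # human-authored; ADM disclosure does not apply
        is_resident = entry.recipient.lower() in residents
        # Flag absent: no CCPA footer or opt-out link was injected for a resident.
        if is_resident and not entry.california_consumer:
            gaps.append((entry.message_id, "california_resident_sent_without_california_consumer_flag"))
        # Flag present but no disclosure version recorded: footer injection did not happen.
        if entry.california_consumer and entry.disclosure_version is None:
            gaps.append((entry.message_id, "california_consumer_flag_set_but_no_disclosure_version_recorded"))
        # Policy says residents' AI mail goes through gated_send; no approval event means it did not.
        if require_approval and is_resident and entry.approval_event is None:
            gaps.append((entry.message_id, "ai_send_to_california_resident_bypassed_gated_review"))
    return gaps


def records_for_subject(entries: Iterable[ComplianceLogEntry], email: str) -> List[ComplianceLogEntry]:
    """Every log entry for one recipient, including undelivered ones, ordered by
    message ID: the raw material for a CCPA data subject access request."""
    wanted = email.lower()
    return sorted((e for e in entries if e.recipient.lower() == wanted), key=lambda e: e.message_id)


if __name__ == "__main__":
    for message_id, reason in find_compliance_gaps(SAMPLE_LOG, CALIFORNIA_RESIDENTS):
        print(f"{message_id}: {reason}")
    for record in records_for_subject(SAMPLE_LOG, "casey@example.com"):
        print(record)
```

Run it on a day's worth of exported log records plus your residency export; any row it prints is a message your legal team should look at before a regulator does. Set require_approval=False once message types have been migrated to monitored mode, so the third check stops firing for sends that were never meant to be gated.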


Implementation

Send with CCPA disclosure (Python SDK)
python
from multimail import MultiMailClient

client = MultiMailClient(api_key="mm_live_...")

response = client.send_email(
    from_address="[email protected]",
    to=["[email protected]"],
    subject="Your privacy choices",
    body="""Hi there,

This email was sent by an AI agent on behalf of YourApp.

We're writing to let you know about updates to your account preferences.

[Disclosure: This message was composed by an automated AI system. 
You have the right to opt out of automated decision-making communications 
under California law. See the link below.]""",
    metadata={
        "ai_generated": True,
        "california_consumer": True,
        "agent_id": "outreach-agent-v2"
    }
)

print(f"Message ID: {response.message_id}")
print(f"Disclosure header: {response.identity_header}")
print(f"Status: {response.status}")

Send an AI-authored email to a California consumer with required CCPA disclosures embedded automatically.

REST API — AI disclosure with California flag
bash
curl -X POST https://api.multimail.dev/v1/send_email \
  -H "Authorization: Bearer $MULTIMAIL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "from": "[email protected]",
    "to": ["[email protected]"],
    "subject": "Your privacy choices",
    "body": "This email was sent by an AI agent. Your privacy rights under CCPA allow you to opt out of automated communications.",
    "metadata": {
      "ai_generated": true,
      "california_consumer": true,
      "agent_id": "outreach-agent-v2",
      "compliance_tags": ["ccpa", "cpra"]
    }
  }'

# Response includes signed identity header:
# X-MultiMail-Identity: v=1; agent=outreach-agent-v2; ai_generated=true;
#   ca_disclosure=true; ts=2024-01-15T10:30:00Z;
#   sig=<dkim-signature>

Direct API call using curl, showing the full request structure for a CCPA-compliant outbound email.
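A parser and consistency check for the X-MultiMail-Identity header shown in the response comment above, as an added example that is not MultiMail's own code or SDK. The field names (v, agent, ai_generated, ca_disclosure, ts, sig) and the folded layout come from the sample on this page; the function names and the sample signature value are assumptions. It answers the question an auditor asks of a stored message: do the header's flags match the metadata the sender intended, and in particular is ca_disclosure set for a California consumer. Verifying the DKIM signature itself is the job of the receiving mail system's DKIM verifier; this check only confirms the sig field is present.

```python
"""Added example (not MultiMail SDK code): parse and sanity-check the
X-MultiMail-Identity header. Field names follow the sample header on this
page; function names and sample values are assumptions."""
from datetime import datetime, timezone
from typing import Dict, List

REQUIRED_FIELDS = ("v", "agent", "ai_generated", "ts", "sig")
SUPPORTED_VERSION = "1"


def parse_identity_header(value: str) -> Dict[str, str]:
    """Split 'k=v; k=v; ...' into a dict. Folded continuation lines (newline plus
    leading spaces, as in the sample header) are handled by stripping each field."""
    fields: Dict[str, str] = {}
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue                      # trailing ';' or empty continuation
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, val = part.split("=", 1)     # split once: base64 padding in sig may contain '='
        key, val = key.strip(), val.strip()
        if key in fields:
            raise ValueError(f"duplicate field: {key}")
        fields[key] = val
    return fields


def check_disclosure(header_value: str, expected_agent: str, california_consumer: bool) -> List[str]:
    """Return a list of problems; an empty list means the header is consistent with
    the metadata the sender passed. Usable right after send or when auditing stored mail."""
    try:
        fields = parse_identity_header(header_value)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]

    problems = [f"missing field: {name}" for name in REQUIRED_FIELDS if name not in fields]
    if problems:
        return problems

    if fields["v"] != SUPPORTED_VERSION:
        problems.append(f"unsupported header version: {fields['v']}")
    if fields["agent"] != expected_agent:
        problems.append(f"agent mismatch: header says {fields['agent']!r}, expected {expected_agent!r}")
    if fields["ai_generated"] != "true":
        problems.append("ai_generated flag is not 'true'")
    # The CCPA footer and opt-out link are only injected when the California flag
    # was set; a resident whose header lacks ca_disclosure is the gap this page describes.
    if california_consumer and fields.get("ca_disclosure") != "true":
        problems.append("ca_disclosure flag missing for a California consumer")
    try:
        ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts > datetime.now(timezone.utc):
            problems.append("ts is in the future")
    except ValueError:
        problems.append(f"ts is not an ISO-8601 UTC timestamp: {fields['ts']!r}")
    if not fields["sig"]:
        problems.append("sig field is empty")   # signature verification itself is done by DKIM
    return problems


if __name__ == "__main__":
    # Constructed sample; the sig value is a placeholder, not a real signature.
    sample = ("v=1; agent=outreach-agent-v2; ai_generated=true;\n"
              "  ca_disclosure=true; ts=2024-01-15T10:30:00Z;\n"
              "  sig=CONSTRUCTED-SIGNATURE-PLACEHOLDER")
    print(parse_identity_header(sample))
    print(check_disclosure(sample, "outreach-agent-v2", california_consumer=True))
```

Feed it the raw header value from the API response or from the stored message; because every problem is returned rather than raised, one pass over a mailbox export gives the full list of inconsistencies per message.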

Webhook handler — log opt-out events for CCPA compliance
python
from flask import Flask, request, jsonify
from multimail import verify_webhook_signature
import logging

app = Flask(__name__)
logger = logging.getLogger(__name__)

@app.route("/webhooks/multimail", methods=["POST"])
def handle_multimail_webhook():
    payload = request.get_data()
    signature = request.headers.get("X-MultiMail-Signature")

    if not verify_webhook_signature(payload, signature, secret="whsec_..."):
        return jsonify({"error": "invalid signature"}), 401

    event = request.get_json()

    if event["type"] == "consumer.opt_out":
        data = event["data"]
        consumer_email = data["recipient"]
        opt_out_type = data["opt_out_type"]  # "ai_communications" | "all"
        message_id = data["triggered_by_message_id"]
        timestamp = data["timestamp"]

        # Log for CCPA audit trail
        logger.info(
            "CCPA opt-out received",
            extra={
                "consumer": consumer_email,
                "type": opt_out_type,
                "source_message": message_id,
                "timestamp": timestamp,
                "regulation": "CCPA/CPRA"
            }
        )

        # Update your CRM or suppression list
        suppress_ai_communications(consumer_email)

    return jsonify({"received": True}), 200

def suppress_ai_communications(email: str):
    # Add to your suppression list before any future sends
    pass

Handle the opt_out webhook event when a California consumer exercises their CCPA right to opt out of automated decision-making.

Bulk California consumer check before campaign send
python
from multimail import MultiMailClient
from typing import List

client = MultiMailClient(api_key="mm_live_...")

def send_campaign_with_ccpa_compliance(
    recipients: List[dict],
    subject: str,
    body_template: str
):
    for recipient in recipients:
        is_california = recipient.get("state") == "CA"

        "cm"># Check suppression list before sending
        contact = client.manage_contacts(
            email=recipient["email"]
        )
        if contact and contact.opt_out_ai_communications:
            print(f"Skipping {recipient['email']} — CCPA opt-out on record")
            continue

        response = client.send_email(
            from_address="[email protected]",
            to=[recipient["email"]],
            subject=subject,
            body=body_template.format(**recipient),
            metadata={
                "ai_generated": True,
                "california_consumer": is_california,
                "agent_id": "campaign-agent",
                "compliance_tags": ["ccpa"] if is_california else []
            }
        )

        print(f"Sent {response.message_id} to {recipient['email']} "
              f"[CA disclosure: {is_california}]")

# Example usage
recipients = [
    {"email": "[email protected]", "state": "CA", "name": "Alex"},
    {"email": "[email protected]", "state": "TX", "name": "Jordan"}
]

send_campaign_with_ccpa_compliance(
    recipients=recipients,
    subject="Your account update",
    body_template="Hi {name}, here's what changed in your account."
)

Before running an outbound campaign, filter the recipient list and enforce CCPA disclosures on California contacts.


What you get

Machine-readable disclosures in signed headers

The X-MultiMail-Identity header is DKIM-signed and contains structured AI authorship data. This means downstream systems — mail clients, compliance tools, regulators — can verify disclosure authenticity without relying on body text alone.

Automated opt-out infrastructure

MultiMail's hosted preference center handles the CPRA opt-out flow required under Cal. Civ. Code § 1798.120. When a consumer opts out of automated decision-making communications, MultiMail fires a webhook to your system and flags the contact — no custom preference-center build required.

Auditable compliance log per message

Every message includes a compliance record: ai_generated flag, california_consumer flag, disclosure text version, approval chain (for gated_send), and delivery status. These records are queryable via the API for CCPA data subject access requests.

Compliance review before delivery

The gated_send oversight mode gives your legal or compliance team a structured review queue. Reviewers see the full message including embedded disclosures before anything reaches a consumer — catching edge cases that automated checks miss.

No disclosure drift as regulations evolve

MultiMail maintains versioned disclosure templates. When California amends CPRA requirements or new regulations like SB 1047 introduce new obligations, you update the template once — not across every agent that sends email.


Recommended oversight mode

Recommended: gated_send
Consumer communications carrying legal disclosure requirements benefit from human review before delivery. Under gated_send, your AI agent can draft messages autonomously and read inbound responses without friction, but outbound sends queue for approval. This gives your compliance team a checkpoint on AI-authored content before it reaches California consumers — important during initial CCPA/CPRA implementation when disclosure language and targeting logic are still being validated. Once you've run sufficient volume through the approval queue and confirmed disclosures are appearing correctly, you can migrate high-confidence message types to monitored mode while keeping edge cases gated.

Common questions

Does CCPA actually require disclosure when an AI agent sends email?
CPRA (the 2020 amendment to CCPA) added explicit rights around automated decision-making under Cal. Civ. Code § 1798.185(a)(16), directing the California Privacy Protection Agency to issue regulations on ADM disclosure and opt-out. The CPPA's final ADM regulations (effective 2025) require businesses to disclose when automated systems are used to make decisions that have significant effects on consumers, including targeted marketing. AI agents sending personalized outreach to California residents fall within this scope.

What disclosure text does MultiMail inject for California consumers?
When california_consumer: true is set, MultiMail appends a footer containing: (1) a statement that the email was composed by an automated AI system, (2) the name of the agent or service that generated it, (3) a link to your CCPA opt-out preference center, and (4) a reference to the consumer's right to opt out of automated decision-making under California law. The disclosure text is versioned — you can retrieve the current version via the API and pin a specific version if your legal team requires stability across a campaign.

How does MultiMail identify California consumers?
MultiMail doesn't automatically detect California residency — you pass california_consumer: true based on your own data (billing address, account registration state, IP-based geolocation, etc.). MultiMail's role is to enforce the disclosure requirements once you've identified the consumer as California-resident. This separation keeps your data processing logic in your system while MultiMail handles the disclosure mechanics.

Can I use the opt-out webhook to update my CRM automatically?
Yes. When a consumer clicks the opt-out link in the MultiMail-generated footer, MultiMail fires a consumer.opt_out webhook event to your configured endpoint. The payload includes the consumer's email, the type of opt-out (ai_communications or all), and the message ID that triggered the opt-out. You handle the webhook to update your suppression list, CRM, or marketing platform. Before any future send, call manage_contacts to check the opt-out status.

Does the signed identity header satisfy CCPA's disclosure requirements on its own?
No. The X-MultiMail-Identity header is machine-readable and supports downstream verification, but CCPA compliance requires consumer-visible disclosure. MultiMail provides both: the signed header for audit purposes and the plain-text footer disclosure for consumers. Your legal counsel should confirm the specific disclosure language meets your obligations — MultiMail's versioned templates are a starting point, not a legal opinion.

What happens if I send to a California consumer without the california_consumer flag?
MultiMail will still embed the ai_generated flag in the identity header if you set ai_generated: true, but the CCPA-specific footer disclosure and opt-out link will not be injected. The responsibility for identifying California consumers sits with you — MultiMail enforces the disclosure mechanics you request. For campaigns where California residency is uncertain, consider defaulting california_consumer: true for all recipients to avoid compliance gaps.

How long are compliance logs retained?
MultiMail retains compliance log records — including ai_generated flag, disclosure version, and approval chain — for 36 months. This covers the typical statute of limitations for CCPA enforcement actions. Logs are queryable via the API by message ID, recipient email, date range, and compliance tag. You can also export logs in JSON or CSV format for external storage or legal hold purposes.


The only agent email with a verifiable sender

Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a 50-tool MCP server. Formally verified in Lean 4.