Ask HN: Will California Consumer Privacy Act Kill the Newsletter?

6 points by rdlecler1 ↗ HN
CCPA makes a company liable for $750 per user in the event of a breach if the company has revenue of over $25M or 50,000+ users. We have a weekly newsletter with 75,000 subscribers and so I assume that if our mail provider is breached then we could be liable for $56,250,000 -- more than the Equifax.... What's everyone's plan for this?

https://www.csoonline.com/article/3292578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html

4 comments

[ 4.5 ms ] story [ 21.7 ms ] thread
My understanding is that you should make sure that you have a service provider [0] contract in place with your mail provider and that they have easy to use tools for you to opt-out and delete subscribers info.

There is also a need to make sure data is being appropriately stored by the service provider since you have a "duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information" [1].

I'd start by digging into how the mail provider is approaching compliance and security and whether they are planning to get certified.

--

[0] Section 999.314 of the proposed regulations from AG https://hq.services/blog/ccpa-proposed-regulations/#999.314

[1] Section 1798.150 of CCPA https://hq.services/blog/ccpa-full-text-with-amendments/#179...

Note, the above links are to a version of the regulation that my company formatted to be easier to read. The original versions are here if you'd prefer:

[0] https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/cc...

[1] https://leginfo.legislature.ca.gov/faces/billCompareClient.x...

As a user, my email is not worth $750. Where did they come up with this number? Now if we are talking SSN...I could justify $750.
It's actually a range between $100-$750 or actual damages, whichever is greater. [0]

The law also specifically calls out in the next section that: "In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth."

So seems like an accidental breach of a not super sensitive piece of data might be treated with more nuance.

[0] CCPA 1798.150.a (I linked to this in a comment above)