Ask HN: Will California Consumer Privacy Act Kill the Newsletter?
CCPA makes a company liable for $750 per user in the event of a breach if the company has revenue of over $25M or 50,000+ users. We have a weekly newsletter with 75,000 subscribers and so I assume that if our mail provider is breached then we could be liable for $56,250,000 -- more than the Equifax.... What's everyone's plan for this?
https://www.csoonline.com/article/3292578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
4 comments
[ 4.5 ms ] story [ 21.7 ms ] threadA business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance.
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
There is also a need to make sure data is being appropriately stored by the service provider since you have a "duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information" [1].
I'd start by digging into how the mail provider is approaching compliance and security and whether they are planning to get certified.
--
[0] Section 999.314 of the proposed regulations from AG https://hq.services/blog/ccpa-proposed-regulations/#999.314
[1] Section 1798.150 of CCPA https://hq.services/blog/ccpa-full-text-with-amendments/#179...
Note, the above links are to a version of the regulation that my company formatted to be easier to read. The original versions are here if you'd prefer:
[0] https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/cc...
[1] https://leginfo.legislature.ca.gov/faces/billCompareClient.x...
The law also specifically calls out in the next section that: "In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth."
So seems like an accidental breach of a not super sensitive piece of data might be treated with more nuance.
[0] CCPA 1798.150.a (I linked to this in a comment above)