
Ask HN: Will California Consumer Privacy Act Kill the Newsletter? - rdlecler1
CCPA makes a company liable for $750 per user in the event of a breach if the company has revenue of over $25M or 50,000+ users. We have a weekly newsletter with 75,000 subscribers and so I assume that if our mail provider is breached then we could be liable for $56,250,000 -- more than the Equifax.... What's everyone's plan for this?

https://www.csoonline.com/article/3292578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
======
uxamanda
My understanding is that you should make sure that you have a service provider
[0] contract in place with your mail provider and that they have easy to use
tools for you to opt-out and delete subscribers info.

There is also a need to make sure data is being appropriately stored by the
service provider since you have a "duty to implement and maintain reasonable
security procedures and practices appropriate to the nature of the information
to protect the personal information" [1].

I'd start by digging into how the mail provider is approaching compliance and
security and whether they are planning to get certified.

--

[0] Section 999.314 of the proposed regulations from AG
[https://hq.services/blog/ccpa-proposed-regulations/#999.314](https://hq.services/blog/ccpa-proposed-regulations/#999.314)

[1] Section 1798.150 of CCPA
[https://hq.services/blog/ccpa-full-text-with-amendments/#1798.150.a](https://hq.services/blog/ccpa-full-text-with-amendments/#1798.150.a)

Note, the above links are to a version of the regulation that my company
formatted to be easier to read. The original versions are here if you'd
prefer:

[0]
[https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf](https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf)

[1]
[https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=201720180AB375](https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=201720180AB375)

------
dredmorbius
From the statute, address issues promptly and you're in good shape:

 _A business shall be in violation of this title if it fails to cure any
alleged violation within 30 days after being notified of alleged
noncompliance._

[https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375)

------
throw03172019
As a user, my email is not worth $750. Where did they come up with this
number? Now if we are talking SSN...I could justify $750.

~~~
uxamanda
It's actually a range between $100-$750 or actual damages, whichever is
greater. [0]

The law also specifically calls out in the next section that: "In assessing
the amount of statutory damages, the court shall consider any one or more of
the relevant circumstances presented by any of the parties to the case,
including, but not limited to, the nature and seriousness of the misconduct,
the number of violations, the persistence of the misconduct, the length of
time over which the misconduct occurred, the willfulness of the defendant’s
misconduct, and the defendant’s assets, liabilities, and net worth."

So seems like an accidental breach of a not super sensitive piece of data
might be treated with more nuance.

[0] CCPA 1798.150.a (I linked to this in a comment above)

