CCPA requires that businesses implement and maintain ‘reasonable security procedures and protections’ over the private data of California residents, wherever that business is based.
Free webmail accounts are free for a reason: the webmail provider gets access to the data. To comply with CCPA, businesses should not send emails containing any private data to free webmail accounts. Given that the CCPA definition of private data is very broad, this means in practice that most emails containing any content personal to the recipient are likely to be included in the scope.
The data breach only arises because the client is using a free webmail account. If the client had their own private email account (as companies do), the problem would not arise. It might seem a little unfair that the company, not the client, is the one liable, but those are the rules. Companies can avoid the problem by either not using email at all or implementing a corporate email encryption solution.
StayPrivate only takes a few minutes to implement across your entire organization. StayPrivate's simple, seamless email & value-added web interface and apps ensure that, as well as being convenient, your clients also get a great experience.