California Consumer Privacy Act
The California Consumer Privacy Act is probably the most well-known of a raft of incoming (and reasonably similar) state-level laws across the US.
CCPA requires that businesses implement and maintain ‘reasonable security procedures and protections’ over the private data of California resident, wherever that business is based.
Free webmail accounts are free for a reason: the webmail provider gets access to the data. To comply with CCPA, businesses should not send emails containing any private data to free webmail accounts. Since the CCPA definition of private data is very broad, this means in practice that most emails containing any personal content are likely to be included in the scope.
The data breach only arises because the client is using a free webmail account. If the client had their own private email account (as companies do) the problem would not arise. It might seem a little unfair that the company, not the client, is the one liable, but those are the rules.
Companies can avoid the problem by asking their clients to use a private email account, such as StayPrivate, or by using StayPrivate themselves.