Skip to content

Marginally.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices . . . .” [1]

The CPRA did not expand the private right of action beyond the context of data security breaches, but, as of January 1, 2023, the categories of personal information about which a data breach lawsuit can be brought will expand to include email address in combination with a password or security question that would permit access to an email account.[2]

The following provides a complete list of the types of data for which data breach litigation is permitted under the CCPA as of January 1, 2020, and for which data breach litigation will be permitted under the CPRA as of January 1, 2023:[3]

Data Types

Permitted As

Subject of Breach

 Litigation under CCPA

Permitted As Subject of Breach Litigation under CPRA

(Beginning January 1, 2023)

Social Security Number (with name)
Driver’s license number (with name)
California identification card number (with name)
Tax identification number (with name)
Passport number (with name)
Military identification number (with name)
Other unique identification number issued on a government document used to verify identity. (with name)
Financial account number (which permits access to the account) (with name)
Credit card number (with required security code or password) (with name)
Debit card number (with required security code or password) (with name)
Medical information (with name)
Health insurance information (with name)
Unique biometric data (with name)
Username and password that would permit access to an online account

[1]              Cal. Civ. Code 1798.150(a)(1).

[2]              CPRA 1798.150(A)(1)(.

[3]              CPRA Section 31(a).