Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices . . . .”1
The CPRA did not expand the private right of action beyond the context of data security breaches, but, as of Jan. 1, 2023, it will add to the categories of personal information about which a data breach lawsuit could be brought email address in combination with a password or security question that would permit access to an email account.2
The following provides a complete list of the types of data for which data breach litigation is permitted under the CCPA as of Jan. 1, 2020, and for which data breach litigation will be permitted under the CPRA as of Jan. 1, 2023:3
1 Cal. Civ. Code § 1798.150(a)(1) (West 2020).
2 Cal. Civ. Code § 1798.150(A)(1) (West 2021).
3 CPRA Section 31(a).