Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices . . . .”1

The CPRA did not expand the private right of action beyond the context of data security breaches, but, as of Jan. 1, 2023, it will add a new category of personal information about which a data breach lawsuit could be brought: an email address in combination with a password or security question that would permit access to an email account.2

The following provides a complete list of the types of data for which data breach litigation is permitted under the CCPA as of Jan. 1, 2020, and for which data breach litigation will be permitted under the CPRA as of Jan. 1, 2023:3

| Data Types | Permitted as Subject of Breach Litigation under CCPA | Permitted as Subject of Breach Litigation under CPRA (Beginning Jan. 1, 2023) |
|---|---|---|
| Social Security Number (with name) | ✓ | ✓ |
| Driver’s license number (with name) | ✓ | ✓ |
| California identification card number (with name) | ✓ | ✓ |
| Tax identification number (with name) | ✓ | ✓ |
| Passport number (with name) | ✓ | ✓ |
| Military identification number (with name) | ✓ | ✓ |
| Other unique identification number issued on a government document used to verify identity (with name) | ✓ | ✓ |
| Financial account number (which permits access to the account) (with name) | ✓ | ✓ |
| Credit card number (with required security code or password) (with name) | ✓ | ✓ |
| Debit card number (with required security code or password) (with name) | ✓ | ✓ |
| Medical information (with name) | ✓ | ✓ |
| Health insurance information (with name) | ✓ | ✓ |
| Unique biometric data (with name) | ✓ | ✓ |
| Username and password that would permit access to an online account | | ✓ |

1 Cal. Civ. Code § 1798.150(a)(1) (West 2020).
2 Cal. Civ. Code § 1798.150(A)(1) (West 2021).
3 CPRA Section 31(a).