Likely no. While the CCPA provides for statutory damages if certain personal information is exposed in a data breach due to a business’s failure to have reasonable and appropriate security in place, the CPRA goes a step further. The CPRA requires the California government to issue regulations requiring businesses whose processing of consumers’ personal information

The California Privacy Rights Act of 2020 (the “CPRA” or “Proposition 24”) labels 20 data fields as constituting “sensitive personal information.” [1]  If Proposition 24 is enacted businesses would be permitted to use sensitive personal information for one of the following purposes:[2]

  1. Performing services reasonably expected by the consumer.[3]
  2. Providing goods reasonably expected