The California Consumer Privacy Act, commonly referred to as the "CCPA," is designed to protect consumer privacy rights. The majority of the CCPA's provisions can only be enforced through government action by California's attorney general. Under specific circumstances, however, the law provides California consumers with their own private right of action, allowing recovery of either actual or statutory damages of at least $100 per consumer per incident.
A consumer may exercise the private right of action when their "personal information" is involved in "an unauthorized access and exfiltration, theft, or disclosure [...]." Cal. Civ. Code § 1798.150(a)(1).
The CCPA outsources the definition of the term "personal information" to another law, the Customer Records Act. For the application of the CCPA, this law defines "personal information" as:
1. An individual's first name or initial
PLUS
2. Their last name
PLUS
3. Any one of the following "data elements":
Their social security number
Any other government-issued identification number, such as a a driver's license number, tax ID, or passport number
An account number or credit/debit card number in combination with a code or password that would permit access to a financial account
Their medical information
Their health insurance information
Unique biometric data used to authenticate them
Their genetic data
According to Cal. Civ. Code § 1798.81.5, from which the CCPA borrows its definition of "personal information, either the individual's name or the data element must be unencrypted or un-redacted in order for there to be a violation of the law.
Notably, the CCPA's private right of action will change effective January 1, 2023. The amended law will define "personal information" in a manner that maintains elements of 1-3, above, but also includes an alternative. It will define personal information as:
EITHER
1. An individual's first name or initial
PLUS
2. Their last name
PLUS
3. Any one of the "data elements" (described above)
OR
1. Their email address
PLUS
2. A password or the answer to a security question that would permit access to an account
News reports frequently identify data security incidents where certain information is exposed. Not all of these incidents qualify for the CCPA's private right of action. If you were involved in a data security incident, and you want to know whether the CCPA or another law may allow for you to take legal action, contact us by clicking here.
