top of page
  • Writer's pictureKevin Osborne

Quick Reference: What Data Is Covered by the CCPA's Private Right of Action

The California Consumer Privacy Act, commonly referred to as the "CCPA," is designed to protect consumer privacy rights. The majority of the CCPA's provisions can only be enforced through government action by California's attorney general. Under specific circumstances, however, the law provides California consumers with their own private right of action, allowing recovery of either actual or statutory damages of at least $100 per consumer per incident.

A consumer may exercise the private right of action when their "personal information" is involved in "an unauthorized access and exfiltration, theft, or disclosure [...]." Cal. Civ. Code § 1798.150(a)(1).

The CCPA outsources the definition of the term "personal information" to another law, the Customer Records Act. For the application of the CCPA, this law defines "personal information" as:

1. An individual's first name or initial


2. Their last name


3. Any one of the following "data elements":

  1. Their social security number

  2. Any other government-issued identification number, such as a a driver's license number, tax ID, or passport number

  3. An account number or credit/debit card number in combination with a code or password that would permit access to a financial account

  4. Their medical information

  5. Their health insurance information

  6. Unique biometric data used to authenticate them

  7. Their genetic data

According to Cal. Civ. Code § 1798.81.5, from which the CCPA borrows its definition of "personal information, either the individual's name or the data element must be unencrypted or un-redacted in order for there to be a violation of the law.

Notably, the CCPA's private right of action will change effective January 1, 2023. The amended law will define "personal information" in a manner that maintains elements of 1-3, above, but also includes an alternative. It will define personal information as:


1. An individual's first name or initial


2. Their last name


3. Any one of the "data elements" (described above)


1. Their email address


2. A password or the answer to a security question that would permit access to an account

News reports frequently identify data security incidents where certain information is exposed. Not all of these incidents qualify for the CCPA's private right of action. If you were involved in a data security incident, and you want to know whether the CCPA or another law may allow for you to take legal action, contact us by clicking here.



EKO stacked logo
bottom of page