Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices . . . .”¹

The CPRA did not expand the private right of action beyond the context of data security breaches, but, as of Jan. 1, 2023, it will add to the categories of personal information about which a data breach lawsuit could be brought email address in combination with a password or security question that would permit access to an email account.²

The following provides a complete list of the types of data for which data breach litigation is permitted under the CCPA as of Jan. 1, 2020, and for which data breach litigation will be permitted under the CPRA as of Jan. 1, 2023:³

Data Types	Permitted as Subject of Breach Litigation under CCPA	Permitted as Subject of Breach Litigation under CPRA (Beginning Jan. 1, 2023)
Social Security Number (with name)
Driver’s license number (with name)
California identification card number (with name)
Tax identification number (with name)
Passport number (with name)
Military identification number (with name)
Other unique identification number issued on a government document used to verify identity. (with name)
Financial account number (which permits access to the account) (with name)
Credit card number (with required security code or password) (with name)
Debit card number (with required security code or password) (with name)
Medical information (with name)
Health insurance information (with name)
Unique biometric data (with name)
Username and password that would permit access to an online account

¹ Cal. Civ. Code § 1798.150(a)(1) (West 2020).
² Cal. Civ. Code § 1798.150(A)(1) (West 2021).
³ CPRA Section 31(a).