US Data Privacy Litigation: Security breach litigation

This article is part of a series on US Data Privacy Litigation.

Section 1798.150 of the California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides a private right of action that allows private plaintiffs to bring civil actions against businesses in limited circumstances.

The CCPA is unique among its cohort of comprehensive state privacy laws for having a PRA. While every such law contains enforcement avenues for public authorities, such as attorneys general and government agencies, the CCPA is the only comprehensive state privacy law passed so far to include a PRA. Washington state's My Health My Data Act and Illinois' Biometric Information Protection Act both provide for PRAs, but they are limited to health data and biometric data, respectively. Vermont's legislature passed a bill containing a PRA, but Gov. Phil Scott, R-Vt., vetoed it partly due to the controversial inclusion of a PRA, "which would make Vermont a national outlier, and more hostile than any other state to many businesses and non-profits." This remains the only comprehensive state privacy bill to be vetoed.

So, how does the CCPA's PRA work? Which consumers can sue which businesses over what kind of data breaches, and when?

This article provides insight into security breaches in relation to US data privacy litigation.