Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

CPRA Expanded Privacy Right of Action

Download: CPRA Decision-Making Guide
Published December 16, 2022
Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Listen to the content

This post is also available in: Brazilian Portuguese

Shortly after California’s Consumer Privacy Act (CCPA) was enacted in January 2020, it imposed significant obligations on businesses in relation to the processing of personal data and also introduced an array of consumer rights. It was extensively amended by California voters on November 3rd, 2020, through the California Privacy Rights Act (CPRA), also known as Proposition 24.

As the CPRA goes into effect on January 1st, 2023, businesses must plan and prepare for some significant changes brought about by the amending legislation, such as an expanded ‘private right of action,’ to ensure compliance with the revised legal framework.

CCPA’s Private Right of Action

The private right of action is a fundamental component of the U.S. judicial system. It entitles individuals to bring legal actions against entities who have wronged them and to seek redressal and restitution for the harm that they have suffered through compensatory remedies.

The CCPA, through Cal. Civ. Code § 1798.150 read with Cal. Civ. Code § 1798.82, authorizes consumers to initiate legal proceedings against businesses in the event their non-encrypted and non-redacted personal information becomes subject to unauthorized access and exfiltration, theft, or disclosure, due to the lack of implementation and maintenance of appropriate security measures by a business.

As a result of such proceedings, the consumers could recover monetary damages ranging from $100 to $750 per consumer per incident, or actual damages, whichever is greater or obtain other relief from the court.

CCPA Private Right of Action Cure Period

The CCPA obligates consumers to provide 30 days' written notice to a business identifying the legal provisions being violated, prior to initiating any action for statutory damages. In the event the business cures the violations within 30 days and provides the consumer with an express written statement to this effect, while also certifying that no further violations shall occur, no action for statutory damages can be initiated against the business.

It is important to note here that the implementation and maintenance of reasonable security measures by a business following a breach do not constitute a cure for such a breach.

A consumer is not obligated to provide the foregoing notice where they initiate a civil action solely to recover actual pecuniary damages suffered due to the violations of the CCPA by a business.

Moreover, if a business continues to violate the CCPA in breach of the express written statement provided to the consumer, the consumer may initiate an action against the business to enforce the written statement and pursue statutory damages for not only the breach of the statement but also any other CCPA violation that postdates the statement.

CPRA’s Amendment of CCPA’s Private Right of Action

The CPRA expands the scope of Cal. Civ. Code § 1798.150, and further authorizes consumers to bring legal action against businesses if their email address in combination with a password or security questions and answers (that would permit access to an online account), is subject to unauthorized access and exfiltration, theft, or disclosure, as a result of a business’s failure to implement and maintain appropriate security measures to protect their personal information.

Secondly, the CPRA clarifies that the implementation and maintenance of reasonable security procedures and practices pursuant to Cal. Civ. Code Section 1798.81.5 following a breach will not constitute a cure with respect to that breach - this really then leaves a big unanswered question: how can a business cure a data breach?

CPRA Data Types and Litigation

The comprehensive breakdown of personal data categories for which data breach litigation will be allowed under the CPRA as of January 1, 2023, and for which it is currently allowed under the CCPA, is shown below.

Data Types Permitted As Subject of Breach Litigation under CCPA Permitted As Subject of Breach Litigation under CPRA (Beginning January 1, 2023)
Social Security Number (with name)
Driver’s license number (with name)
California identification card number (with name)
Tax identification number (with name)
Passport number (with name)
Military identification number (with name)
Other unique identification number issued on a government document used to verify identity. (with name)
Financial account number (which permits access to the account) (with name)
Credit card number (with required security code or password) (with name)
Debit card number (with required security code or password) (with name)
Medical information (with name)
Health insurance information (with name)
Unique biometric data (with name)
Email address along with password or security question and answer that would grant access to an online account

The Impact of CPRA’s Private Right of Action

Undoubtedly, the enforcement of the CPRA will significantly broaden the scope of consumers’ right to private action against businesses for breach of their personal information. This legal amendment is expected to cause a substantial increase in the number of legal actions initiated against businesses, due to the fact that many data breaches only include the exposure of email addresses and the relevant passwords or security questions and answers, ultimately providing access to a user account.

The CPRA emphasizes that businesses collecting consumers’ personal information should implement reasonable security procedures and practices appropriate to the nature of the information, so as to protect the information from unauthorized or illegal access, destruction, use, modification, or disclosure.

Therefore, it is essential for businesses to keep accurate records of the personal data they process, conduct regular risk assessments, and implement and maintain appropriate security measures to protect personal data.

How Businesses Should Improve their Security Posture

The following are a few ways in which businesses can start to improve their security posture and protect the personal data of consumers:

Conduct Regular Security Audits

The objective of security audits is to eliminate risk. Businesses must regularly examine their data protection measures by planning ahead and conducting regular audits to identify weaknesses in their existing security framework and infrastructure.

Develop a Security Strategy

The explosion of internet-enabled devices has brought forth many opportunities and challenges in relation to digital privacy and security. Businesses must appropriately retain records of the massive influx of personal data and adopt appropriate security strategies, including robust encryption and secure backup systems to provide security safeguards that are reasonable and proportionate to the level of risk related to the personal information in question.

Appoint a Security Professional

Businesses subject to the CPRA’s regulations must appoint a dedicated resource that administers their data security posture.

Provide Training

The amendment of the CCPA through the CPRA is evidence that data privacy rules are continually changing. Businesses should aim to regularly train their staff on the evolving privacy laws, the value of data security, current and upcoming security trends, and appropriate preventative measures.

How Securiti Can Help Businesses Ensure CPRA Compliance

Statutory damages under the CPRA may range from $100 to $750 per consumer per occurrence. Moreover, consumers could also be awarded the actual damages they suffered due to a breach of their personal data. As breaches frequently involve hundreds of thousands or even millions of user’s data, the quantum of pecuniary penalties could be catastrophic for businesses.

Securiti can help enterprises in achieving CPRA compliance. Securiti’s Data Command Center, among other functionalities, enables organizations to implement automated controls around data mapping, generating reports of processing activities, and risk assessments to assist them in keeping accurate records of all personal data processed by them and the risks posed by any such processing activities. This helps organizations in devising appropriate security measures catered to the protection of personal data owned, maintained, or licensed by them.

Request a demo of Securiti's tools to see them in action.

Learn more about how to comply with CPRA.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix View More
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix
The Challenge of Navigating Global Data Privacy Laws In today’s privacy-first world, navigating data protection laws and direct marketing compliance requirements is no easy...
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA) View More
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA)
Delve into Uganda's Data Protection and Privacy Act (DPPA), including data subject rights, organizational obligations, and penalties for non-compliance.
Data Risk Management View More
What Is Data Risk Management?
Learn the ins and outs of data risk management, key reasons for data risk and best practices for managing data risks.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders View More
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Singapore’s PDPA and consent requirements. Stay compliant and protect your business.
View More
Australia’s Privacy Act & Consent: Essential Guide for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Australia’s Privacy Act and consent requirements. Stay compliant and protect your business.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New