What Categories of Information Could Trigger A Consumer Class Action if Breached?

Consumers can successfully bring suit under the CCPA if they can prove the following five elements:

  1. A business incurred a data breach;
  2. The data breach involved a sensitive category of information identified in California Civil Code Section 1798.81.5;
  3. The business had a legal duty to protect the personal information from breach;
  4. The business failed to implement reasonable security procedures and practices; and
  5. The business’s failure resulted in (i.e., caused) the data breach.

The definition of personal information used in California Civil Code Section 1798.81.5 is far narrower than the definition of personal information used within the rest of the CCPA.  Specifically, while the CCPA’s general definition of “personal information” contains 26 examples of types of data fields, only the following six data combinations can form the basis of a consumer lawsuit:

  1. Name and social security number;
  2. Name and driver’s license number or California identification card number;
  3. Name and account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  4. Name and medical information;
  5. Name and health insurance information;
  6. A username or email address in combination with a password or security question and answer that would permit access to an online account.1

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Civil. Code. Section 1798.81.5(d)(1)(A).