RESOURCE ARTICLE

US Data Privacy Litigation: Security breach litigation

This article provides insight into security breaches in relation to US data privacy litigation.


Published: 24 March 2025

This article is part of a series on US Data Privacy Litigation. The full series can be accessed here, with the other articles in the series listed below.

Section 1798.150 of the California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides a private right of action (PRA) that allows private plaintiffs to bring civil actions against businesses in limited circumstances.

The CCPA is unique among its cohort of comprehensive state privacy laws for having a PRA. While every such law contains enforcement avenues for public authorities, such as attorneys general and government agencies, the CCPA is the only comprehensive state privacy law passed so far to include a PRA. Washington state's My Health My Data Act and Illinois' Biometric Information Protection Act both provide for PRAs, but they are limited to health data and biometric data, respectively. Vermont's legislature passed a bill containing a PRA, but Gov. Phil Scott, R-Vt., vetoed it partly due to the controversial inclusion of a PRA, "which would make Vermont a national outlier, and more hostile than any other state to many businesses and non-profits." This remains the only comprehensive state privacy bill to be vetoed.

So, how does the CCPA's PRA work? Which consumers can sue which businesses over what kind of data breaches, and when?

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.

Contributors:

Caroline Kibby

Former Westin Fellow, IAPP

CIPP/E, CIPP/US


Tags:

Data security, Incident management, Law and regulation, Litigation and case law, Program management, Risk management, Legal, Privacy