There are no prescriptive security requirements outlined in the CCPA. The only real place “security” is mentioned as a topic is in section 150. That section actually contains what is left of the original ballot proposal’s private right of action, and it details how consumers can make a claim under the CCPA. In turn, some insight can be gained into the obligations of organizations, and how they can rebut consumer claims.

At the time of writing, consumers will only be able to institute a civil action against an organization for failure to secure data. Such a claim actually has several requirements under section 150. First, the personal information must be “nonencrypted or nonredacted.”152 So, an easy way for organizations ...

Get The California Consumer Privacy Act (CCPA) now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.