After buying a shirt on a popular online retail site, a consumer learns that the company has sold his information to a third party without giving him any notification of an opportunity to opt out of the sale. Angry, the consumer decides to file a private right of action lawsuit against the offending company using the regulations that are clearly laid out in the California Consumer Privacy Act (CCPA) as his foundation. He will likely fail. Undeterred, others will do the same.

The private right of action under the CCPA is strictly defined. Under the CCPA, consumers are permitted to bring a civil action only if their personal data, as defined under Section 150 of the regulation—such as a person’s full name, Social Security number or credit card number—is breached as the result of a business’ failure to implement reasonable security procedures and practices. Other types of personal information, such as geolocation data, non-unique biometric data, or professional and employment-related information, wouldn’t qualify as a trigger for a private right of action.