The California Customer Records Act (CRA), codified at Civil Code §1798.80 et seq., is a foundational state data security statute that requires businesses to implement and maintain reasonable security measures to protect personal information about their customers. Enacted in 2002 and amended several times since, the CRA predates California’s more celebrated privacy legislation — the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA) — and remains an important, if frequently misunderstood, element of California’s data privacy framework.
“The California Customer Records Act (CRA) Civil Code §1798.80 et seq. is a comprehensive state privacy law that mandates strict security, proper disposal, and breach notification procedures for businesses that hold the personal information of California residents.”
While the CRA lacks the headline-generating features of the CCPA — it does not create broad rights of access, deletion, or opt-out — it provides a direct private right of action for individuals whose personal information is compromised due to a business’s failure to maintain reasonable security. This makes it one of the primary litigation vehicles for California data breach plaintiffs, alongside the CMIA (Confidentiality of Medical Information Act) and the CCPA’s limited private right of action.
The CRA’s role in California breach litigation was examined by the Supreme Court in J.M. v. Illuminate Education Inc., 2026 S.O.S. 1331, where the court addressed a threshold question that had not previously received definitive guidance: who, exactly, is a “customer” entitled to sue under the statute?
Scope and Purpose
The CRA was enacted in response to growing concern about identity theft and unauthorized access to personal information. Its core purpose is to require businesses that own or license “personal information” about California residents to (1) implement and maintain reasonable security procedures and practices, and (2) properly dispose of records containing personal information when they are no longer needed.
The legislature’s findings accompanying the statute recognized that California residents were increasingly vulnerable to identity theft and that inadequate data security practices by businesses posed a systemic risk to the public. The CRA was intended to set a minimum floor of security obligation that would apply across industries and business types — a floor below which no business handling California customer data could lawfully fall.

What Information Is Protected
The CRA defines “personal information” to mean “an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted”:
- Social security number
- Driver’s license number or California identification card number
- Account number, credit card number, or debit card number, combined with any required security or access code, PIN, or password
- Medical information (defined as any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional)
- Health insurance information
- Unique biometric data generated from measurements or technical analysis of human characteristics (fingerprints, retina or iris images, etc.)
- Information or data collected through the use or operation of an automated license plate recognition system
The statute also covers, for purposes of its disposal obligations:
- Email addresses combined with passwords or security questions and answers
Notably, this definition is narrower than the CMIA’s definition of “medical information.” While the CMIA protects any individually identifiable health information held by covered entities, the CRA’s medical information trigger requires the information to be linked to a person’s name. Anonymous health data, or health data that has been de-identified from personal identifiers, would not qualify.
Who Is a “Customer” Under the CRA?
One of the most litigated questions under the CRA has been who qualifies as a “customer” entitled to bring a claim. The statute defines “customer” at §1798.80(c) as:
“An individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.”
This definition requires a transactional relationship: the individual must have provided their information to the business and done so for the purpose of obtaining a product or service from that business.
In J.M. v. Illuminate Education Inc., the Supreme Court addressed the question of whether students whose information was maintained by an educational technology company — but who had no direct relationship with the company — could qualify as CRA “customers.”
The Court of Appeal had held that the students were the “ultimate” customers or beneficiaries of Illuminate’s services, reasoning that the company’s platforms were ultimately deployed for the students’ educational benefit. The Supreme Court rejected this reasoning. Justice Goodwin H. Liu wrote that “J.M. has not alleged he has a customer relationship with Illuminate,” pointing out that J.M. did not provide his information to Illuminate directly — the school districts did — and that J.M. obtained services from his school districts, not from Illuminate.
The ruling establishes an important limiting principle: third-party beneficiaries of a company’s services are not “customers” under the CRA, even if they are the ultimate end-users of those services and even if the company maintains data about them. The CRA protects individuals who have a direct transactional relationship with the data-holding business, not individuals whose information was provided to that business by an intermediary.
This distinction has broad implications for technology vendors, software-as-a-service providers, and other businesses that handle consumer data on behalf of other companies. Such vendors may hold detailed personal records about thousands or millions of individuals — but if those individuals never directly transacted with the vendor, they may not be “customers” entitled to sue under the CRA when a breach occurs. We are seeing a great deal of litigation arising under the CDAFA, CMIA, and CIPA over the handling and misuse of Californians’ personal data. A surefire way to prevent these expensive legal headaches is to use verified consent management platforms and solutions such as those provided by Captain Compliance.
The Reasonable Security Obligation
At the heart of the CRA is the obligation imposed on businesses by §1798.81.5: “A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
The statute does not define “reasonable security” in specific technical terms. Courts and regulators have generally interpreted this requirement by reference to:
Industry standards: Compliance with recognized security frameworks — such as NIST, ISO 27001, or SOC 2 — is often cited as evidence of reasonable security, though it is not a safe harbor. Courts assess reasonableness in light of the nature of the information at issue and the known threat landscape at the time of the breach.
The CIS Controls: The California Attorney General has endorsed the Center for Internet Security’s Critical Security Controls as a minimum standard for reasonable security under the CRA and related California laws.
Risk-based proportionality: The reasonableness of security measures must be appropriate to the “nature of the information.” A business storing social security numbers and credit card data will be held to a higher standard than one storing names and email addresses.
The AG’s data breach reports: The California Attorney General has issued a series of data breach reports that effectively establish guidance on minimum acceptable security practices for California businesses.
Critically, neither HIPAA compliance nor PCI-DSS compliance automatically satisfies the CRA’s reasonable security obligation. Businesses that have invested heavily in federal compliance programs must conduct a separate analysis of their CRA obligations.
Disposal Obligations
The CRA imposes independent obligations on how businesses must handle personal information that is no longer needed. Under §1798.81, any business that “owns or licenses” records containing personal information must take “all reasonable steps to destroy, or arrange for the destruction of, a customer’s records within its custody or control containing personal information” once the records are no longer needed for the purpose for which they were collected.
Acceptable methods of disposal include:
- Shredding, erasing, or otherwise destroying physical records
- Permanently destroying or rendering unreadable or undecipherable electronic records through “reasonable measures” appropriate to the technology
Improper disposal — such as discarding records containing personal information in an unsecured dumpster or failing to erase data from disposed-of hardware — constitutes a CRA violation independent of any data breach event.
Vendor Contracts
The CRA also imposes obligations on how businesses structure their relationships with third-party vendors who handle personal information. Under §1798.81.5(b), any business that “discloses personal information about a California customer pursuant to a contract with a nonaffiliated third party” must require by contract that the third party implement and maintain reasonable security procedures and practices.
In practice, this means that CRA compliance requires adequate security provisions in vendor contracts — data processing agreements, business associate agreements, and similar documents must include security obligations flowing down to subcontractors and vendors. Businesses that fail to include such provisions, or that continue to contract with vendors known to have inadequate security practices, face exposure under the CRA if those vendors suffer a breach.
The Private Right of Action and Remedies
Unlike many data privacy statutes, which vest enforcement exclusively in government agencies, the CRA creates a private right of action for injured “customers.” Under §1798.84:
- Customers whose personal information was breached due to the business’s failure to implement and maintain reasonable security may bring a civil action
- Plaintiffs may recover actual damages
- Plaintiffs may seek injunctive relief to compel compliance
- Courts have discretion to award civil penalties in litigation brought by the California Attorney General
A notable limitation compared to the CMIA: the CRA does not expressly provide for nominal damages or statutory minimum recovery in the absence of actual harm. This means CRA plaintiffs face a more demanding standing challenge in the post-TransUnion federal standing environment, where courts have increasingly required plaintiffs to demonstrate concrete, particularized harm — not merely a technical statutory violation.
In state court, however, California courts have generally been more receptive to intangible-harm theories, and the CCPA’s limited private right of action — which is calibrated to apply specifically to data breaches — has supplemented the CRA as a breach litigation vehicle for California consumers.
Relationship to the CCPA and CPRA
The California Consumer Privacy Act, effective January 1, 2020, and the California Privacy Rights Act, effective January 1, 2023, are the centerpiece of modern California data privacy law. The CRA, CCPA, and CPRA are distinct statutes with different scopes, obligations, and remedies — but they overlap significantly in the data breach context.
CCPA private right of action: The CCPA created a limited private right of action specifically for data breaches. Under Civil Code §1798.150, a consumer may sue a business if their personal information was subject to unauthorized access and exfiltration, theft, or disclosure due to the business’s failure to maintain reasonable security procedures, and the information was not encrypted or redacted. Notably, this private right of action tracks the reasonable security obligation — which is itself borrowed from the CRA.
CPRA and enforcement: The CPRA established the California Privacy Protection Agency (CPPA), a dedicated enforcement body. The CPPA has authority to investigate CRA violations alongside CCPA/CPRA violations, adding regulatory pressure on businesses beyond the civil litigation risk.
Practical interaction: In California data breach litigation, plaintiffs’ counsel typically plead claims under the CRA, CMIA (where health data is involved), and CCPA/CPRA together. Each statute has different coverage, different defendant requirements, and different damages structures — making a multi-statute pleading strategy essential for comprehensive plaintiff recovery.
How To Defend Against California’s Customer Records Act Privacy Lawsuits
Despite its breadth, the CRA has significant limitations:
The “customer” requirement: As clarified in Illuminate, the CRA only protects individuals with a direct transactional relationship with the breached entity. Employees, third-party beneficiaries, and individuals whose data is held by intermediaries may not be covered.
The name-linking requirement: The CRA’s definition of “personal information” requires that the sensitive data element (social security number, medical information, etc.) be linked to the individual’s name. Data breaches that expose sensitive data without associated name fields may not trigger the CRA.
No data minimization obligation: Unlike the CCPA/CPRA, the CRA does not require businesses to limit data collection to what is necessary for their stated purposes. Businesses may collect expansive personal information so long as they secure it adequately.
No consumer rights: The CRA is purely a security and breach-response statute. It does not give consumers rights to access, correct, or delete their information — those rights are found in the CCPA/CPRA.
Recent Enforcement and Litigation Trends
California’s data privacy enforcement landscape has grown significantly more active in recent years. Key developments affecting CRA litigation include:
AG enforcement actions: The California Attorney General has used the CRA as a basis for enforcement actions against companies with inadequate security practices, including in the healthcare and financial services sectors.
Class action proliferation: Following the Supreme Court’s Illuminate ruling clarifying the “customer” definition, plaintiffs’ attorneys are expected to refine their class definitions to focus on direct consumers — tightening their pleading to satisfy the transactional relationship requirement while still capturing large classes of affected individuals.
Multi-statute coordination: The most sophisticated breach litigation in California now routinely combines CRA, CMIA, and CCPA claims, along with common-law negligence and breach of contract theories, to maximize recovery potential and resist dismissal.
Encryption as a defense: In light of Justice Groban’s concurrence in Illuminate — which specifically flagged robust encryption as a potential defeat of a “significant risk” finding under the CMIA — defense practitioners are increasingly likely to argue that strong encryption should similarly bear on the reasonableness analysis under the CRA’s security obligation.
Practical Compliance Checklist for CRA
For businesses subject to the CRA, a minimum compliance program should include:
- A written information security policy appropriate to the nature of the personal information held
- Encryption of personal information at rest and in transit, at a minimum for the categories enumerated in §1798.80
- A vendor management program that includes contractual security obligations and periodic audits
- A records retention and disposal schedule that provides for secure destruction of personal information when no longer needed
- A data breach incident response plan calibrated to the CRA’s requirements alongside any applicable CCPA/CPRA and CMIA obligations
- Regular security assessments and penetration testing
- Employee training on data handling and security obligations
No single compliance checklist eliminates litigation risk entirely, but using the software tools from Captain Compliance can help protect against these issues. The CRA’s “reasonable security” standard is inherently fact-specific, and courts will assess adequacy based on the circumstances of each breach — including what was known about the threat environment at the time.