California privacy compliance without the headache.
The CCPA’s private right of action hinges on “reasonable security.” Our infrastructure defines what reasonable looks like — and proves it continuously.
CCPA security obligations.
The California Consumer Privacy Act (as amended by the California Privacy Rights Act) creates a private right of action under §1798.150 for consumers whose “nonencrypted and nonredacted personal information” is breached due to a business’s failure to “implement and maintain reasonable security procedures and practices.”
Unlike GDPR (which is primarily enforced by regulators), the CCPA’s private right of action means class action plaintiffs’ attorneys are the primary enforcement mechanism for security failures. Statutory damages range from $100 to $750 per consumer per incident — which scales rapidly with breach size.
The CPRA (effective January 2023) strengthened these obligations by creating the California Privacy Protection Agency (CPPA), expanding the definition of sensitive personal information, and requiring businesses to implement security measures “appropriate to the nature of the personal information.”
California courts look to the CIS Controls and industry standards to define “reasonable.” PrismWeb’s sixteen checks align with these benchmarks, providing documented evidence that your security posture meets the standard California courts expect.
How PrismWeb supports CCPA/CPRA obligations.
| Check | CCPA/CPRA Requirement | Security Category |
|---|---|---|
| DNSSEC | §1798.150 (reasonable security) | Network integrity |
| SSL/TLS | §1798.150 (encryption requirement) | Encryption of personal information |
| Enhanced HTTPS | §1798.150 (encryption requirement) | Enforced encryption |
| Enhanced TLS | §1798.150 (reasonable security) | Strong encryption configuration |
| Certificate Validation | §1798.150 (reasonable security) | Authentication integrity |
| Security Headers | §1798.150 (reasonable security) | Application hardening |
| SPF | §1798.150 (reasonable security) | Anti-phishing / anti-spoofing |
| DKIM | §1798.150 (reasonable security) | Email authentication |
| DMARC | §1798.150 (reasonable security) | Email policy enforcement |
| MTA-STS | §1798.150 (encryption requirement) | Email encryption enforcement |
| TLS-RPT | §1798.150 (reasonable security) | Security monitoring |
| IP Abuse | §1798.150 (reasonable security) | Reputation monitoring |
| WordPress Detection | §1798.150 (reasonable security) | Vulnerability management |
| Website Scanning | §1798.100(e), §1798.150 | Data minimization, Security |
| IPv6 | §1798.150 (reasonable security) | Infrastructure resilience |
| RPKI | §1798.150 (reasonable security) | Network routing security |
Litigation-ready security evidence.
Comprehensive documentation of security measures aligned with CIS Controls and California AG guidance on “reasonable security.” Evidence that defeats the §1798.150 liability standard.
Timestamped evidence that personal information was encrypted in transit — the key factor in whether the private right of action applies. If data was encrypted at the time of breach, §1798.150 claims typically fail.
Documentation for your service provider agreements under §1798.140(ag), demonstrating that data processing occurs under appropriate security controls and contractual limitations.
Ongoing security monitoring records showing that security measures were implemented and maintained — not just at a point in time, but continuously. Critical for demonstrating the “maintain” requirement.
If a breach occurs, evidence of what security measures were in place, when they were last verified, and the security posture at the time of incident — essential for defending against class action claims.
Reasonable security that’s provable.
The CCPA’s private right of action makes “reasonable security” a litigation question. Our infrastructure provides the answer your legal team needs.