Module: 02f — U.S. State Privacy Law: CCPA/CPRA and the State Patchwork
Difficulty: Intermediate


Questions

Q1. Under Cal. Civ. Code § 1798.150, what is the per-consumer statutory damages range available in a private civil action for a qualifying data breach?

  • A) $500 to $5,000 per consumer per incident
  • B) $100 to $750 per consumer per incident
  • C) $2,500 to $7,500 per consumer per incident
  • D) $1,000 to $3,000 per consumer per incident

Correct answer: B
Explanation: Cal. Civ. Code § 1798.150 sets statutory damages at $100 to $750 per consumer per incident (at the court's discretion), or actual damages if greater. This narrow private right of action is limited to breaches of security — not general CCPA/CPRA violations.


Q2. What structural change did the California Privacy Rights Act (CPRA) make that distinguished it most sharply from the original CCPA?

  • A) It added a 90-day cure period for all violations
  • B) It created the California Privacy Protection Agency (CPPA) as an independent state enforcement agency
  • C) It eliminated the private right of action for data breaches
  • D) It lowered the business threshold to $10 million in annual revenue

Correct answer: B
Explanation: CPRA created the California Privacy Protection Agency (CPPA) under Cal. Civ. Code § 1798.199.10 et seq. as a fully independent state agency with rulemaking and enforcement authority — replacing the prior regime in which the California Attorney General held exclusive enforcement power.


Q3. A consumer submits a Right to Know request under Cal. Civ. Code § 1798.100 to a covered business. What is the business's initial response deadline, and what extension is available?

  • A) 30 days, extendable by 30 days with notice
  • B) 45 days, extendable by another 45 days with notice
  • C) 60 days with no extension
  • D) 90 days, extendable by 30 days with notice

Correct answer: B
Explanation: Under §§ 1798.100 and 1798.110, businesses must respond to Right to Know requests within 45 days, with an additional 45-day extension permitted if the business provides the consumer with notice of the extension before the initial period expires.


Q4. Which of the following is NOT listed as "sensitive personal information" under Cal. Civ. Code § 1798.140(ae), the category subject to the CPRA's Right to Limit Use?

  • A) Precise geolocation (within 1,850 feet)
  • B) Account log-in credentials (username + password)
  • C) Home address of record
  • D) Contents of mail, email, or text messages (unless the business is the intended recipient)

Correct answer: C
Explanation: Home address is included in the broad definition of "personal information" under § 1798.140(v) but is NOT listed among the sensitive personal information categories under § 1798.140(ae) that trigger the Right to Limit Use. Precise geolocation, account credentials, and the contents of messages are all expressly listed as sensitive personal information.


Q5. The Illinois Supreme Court's 2023 decision in Cothron v. White Castle System, Inc. resolved what critical question about BIPA liability?

  • A) Whether BIPA applies to out-of-state employers whose employees work in Illinois
  • B) Whether BIPA violations accrue once per employee or separately for each biometric scan or transmission
  • C) Whether BIPA's $5,000 per-violation cap is constitutional under the Eighth Amendment
  • D) Whether biometric data collected with written authorization can still trigger BIPA if the retention policy is inadequate

Correct answer: B
Explanation: In Cothron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court adopted the "per-scan" rule: a separate BIPA cause of action accrues each time a private entity scans or transmits a biometric identifier without complying with the statute, not just once when the first violation occurs.


Q6. Which state comprehensive privacy law is considered the most business-friendly, featuring a permanent cure period, no Global Privacy Control requirement, no data protection assessment requirement, and no right to correct inaccurate data?

  • A) Iowa (ICDPA)
  • B) Montana (MTCDPA)
  • C) Utah (UCPA)
  • D) Nevada (SB 220)

Correct answer: C
Explanation: Utah's Consumer Privacy Act (Utah Code § 13-61-101 et seq.) is generally considered the most business-friendly comprehensive state privacy law. It has no GPC requirement, no data protection assessment requirement, a permanent (no-sunset) cure period, and no right to correct inaccurate data.


Q7. Under Virginia's Consumer Data Protection Act (Va. Code § 59.1-571 et seq.), which enforcement mechanism is available that is NOT available under the California CCPA/CPRA for general privacy violations?

  • A) Private civil lawsuits by affected consumers
  • B) AG enforcement with a 30-day cure period
  • C) Mandatory cybersecurity audits submitted to regulators
  • D) Per-scan liability for biometric data

Correct answer: B
Explanation: Virginia CDPA enforcement is exclusively by the Attorney General under § 59.1-580, with a 30-day cure period that has no sunset. Unlike California's CCPA/CPRA (which eliminated the cure period for CPPA enforcement and applies only a 30-day pre-suit cure for § 1798.150 breach actions), the Virginia CDPA permanently requires the AG to provide 30 days' cure opportunity before filing a civil action. Virginia has no private right of action at all.


Q8. The Colorado Privacy Act (C.R.S. § 6-1-1306) was notable for expressly requiring controllers to honor what type of browser-level signal by July 1, 2024?

  • A) Do Not Track (DNT) headers under FTC guidance
  • B) Global Privacy Control (GPC) and technically similar universal opt-out signals
  • C) P3P (Platform for Privacy Preferences) machine-readable privacy declarations
  • D) GDPR-compliant consent management platform signals

Correct answer: B
Explanation: The Colorado Privacy Act was the first state privacy law to expressly require controllers to honor Global Privacy Control (GPC) signals and technically similar universal opt-out mechanisms by July 1, 2024 (§ 6-1-1306(1)(a)(III)), forcing businesses to build systems capable of recognizing browser-level privacy signals rather than requiring per-site manual opt-out.


  • A) The researcher is automatically a "business" under § 1798.140(d) once they download any personal data
  • B) The researcher faces direct CCPA § 1798.150 liability because they are now in possession of breach data
  • C) The researcher's risk depends on whether they qualify as a "business" and is reduced by minimizing retention — collecting only what is necessary and deleting after disclosure
  • D) The researcher has no legal exposure under CCPA because the researcher is not the entity that was originally breached

Correct answer: C
Explanation: As the module explains, most individual researchers fall below CCPA's business thresholds ($25M revenue or 100,000 consumers), but the legally safest approach regardless of classification is to collect the minimum necessary to document the vulnerability, promptly report, and delete. Extended retention of PII-containing breach data is where legal risk accumulates, even for parties who may not be "businesses" under CCPA.


Q10. California's breach notification statute (Cal. Civ. Code § 1798.82) defines personal information that triggers notification as a first name plus last name in combination with certain data elements. Which of the following is NOT a triggering combination under § 1798.82?

  • A) Driver's license number
  • B) Home address and date of birth without any financial or account information
  • C) Username or email address plus a password or security question that would permit access to an online account
  • D) Unique biometric data such as a fingerprint or retina scan

Correct answer: B
Explanation: Under Cal. Civ. Code § 1798.82, home address alone — even combined with date of birth — does not trigger breach notification without an accompanying financial, account, medical, biometric, or government-ID element. Driver's license numbers, biometric data, and username/email plus password are all expressly listed triggering combinations.