What is the CCPA’s Private Right of Action?

Published February 6, 2020

The private right of action provision of the California Consumer Privacy Act (CCPA) is one of the penalties stipulated for non-compliance with the law. It allows consumers to sue companies that have failed to implement reasonable data security measures if their nonencrypted or nonredacted personal information is exposed in a data breach or exfiltration.

Under California law, a company that suffers a data breach has to notify California residents whose personal information was affected. Californians also have several private rights of action.

For an action of statutory damages, the plaintiff must give a company 30 days to “cure” the alleged violation before filing a lawsuit. 

However, a consumer who intends to sue a company solely for financial damages is not required to give that business any notice.

The CCPA requires covered businesses to disclose the business or commercial purpose for collecting or selling a consumer’s personal information.

For a detailed look at CCPA penalties and other provisions of the law, check out our CCPA guide.

When does the ‘private right of action’ apply?

California consumers have a private right of action when their non-encrypted and non-redacted personal data is “subject to unauthorized access, exfiltration, theft, or disclosure due to a business violating their duty to implement and maintain reasonable security procedures.” This provision makes strong cybersecurity measures a must in any business regulated by the CCPA.

Under section 1798.150, the CCPA’s private right of action includes the availability of statutory damages.

Most data breach and privacy laws require proof of actual damage and do not provide statutory damages.

The CCPA private right of action departs from the standard applied by federal courts in the past, which requires some form of injury when a breach occurs. The CCPA allows suits for statutory damages without evidence of actual damages.

The three key elements that must be present for a private right of action under the CCPA are:

  1. Non-encrypted and non-redacted personal information
  2. Unauthorized access and exfiltration, theft, or disclosure
  3. Failure of the business to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information

The CCPA’s private right of action uses a narrow definition of personal information, which includes:

  • Social Security number
  • Driver’s license number or California identification card number
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Medical information or health insurance information

What types of action does the CCPA allow?

California consumers who experience a data breach can pursue several different remedies.

The private right of action provision of the CCPA lets a consumer bring an individual cause of action or class action against a business even if the individual didn’t suffer any actual damage from the breach.

This provision better ensures that victims have standing to file lawsuits. Under U.S. Supreme Court jurisprudence, plaintiffs in class-action data breach lawsuits have had a difficult time demonstrating that they’ve suffered financial or other damages as a result of a breach of their personal information.

However, the CCPA’s private right of action provision potentially removes this roadblock by providing for statutory damages “in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”

The CCPA, which enhances privacy rights and consumer protections for California residents, went into effect Jan. 1, 2020. The California Attorney General’s Office was to begin enforcing the law on July 1, 2020.

Does my business need to comply?

CCPA compliance is required of large companies that do business in California or those that make the sale of data a central piece of their operations. The privacy law also applies to out-of-state companies that do business in California, including those collecting the personal information of California residents and deciding how to process and use that information.

Signed into law by Gov. Jerry Brown on June 28, 2018, the CCPA is the first United States law that offers consumers privacy protections similar to those offered by the European Union’s General Data Protection Regulation (GDPR). There is no federal law like the CCPA.
