What is CCPA Private Right of Action?


The private right of action provision of the California Consumer Privacy Act (CCPA) allows consumers whose nonencrypted and nonredacted personal information is subject to a data breach, exfiltration or theft to sue businesses that have failed to implement and maintain reasonable security procedures and practices.

Separately, under California's breach notification law, a business that suffers a data breach must notify California residents whose personal information was affected. Under the CCPA, before filing an action for statutory damages an individual must give the business 30 days' written notice identifying the provisions allegedly violated, so the business has a chance to "cure" the violation. A consumer who sues solely for actual pecuniary damages is not required to give the business any notice.

The CCPA requires covered businesses to disclose the business or commercial purpose for collecting or selling personal information. However, according to the law, "commercial purposes" does not include "for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism."

California consumers have a private right of action when their nonencrypted and nonredacted personal information is "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information."

Section 1798.150 makes statutory damages available under the CCPA's private right of action. Most data breach and privacy laws require proof of actual damage and provide no statutory damages, and federal courts have generally required plaintiffs to show some form of injury when a breach occurs. The CCPA instead allows statutory damages without evidence of actual damages. It remains to be seen how businesses sued for statutory damages will challenge those claims in court.

There are three key elements for the limited private right of action under the CCPA:

  1. Nonencrypted and nonredacted personal information.
  2. Unauthorized access and exfiltration, theft, or disclosure.
  3. Failure of the business to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

The private right of action uses a narrower definition of personal information than the rest of the CCPA: an individual's first name or first initial and last name in combination with one or more data elements, including:

  • Social Security number
  • Driver’s license number or California identification card number
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Medical information or health insurance information

A California consumer whose personal information, in this narrower sense, is breached can pursue several remedies under the private right of action: statutory or actual damages, injunctive or declaratory relief, and any other relief the court deems proper.

The private right of action provision of the CCPA lets a consumer bring an individual action or a class action against a business even if the individual suffered no actual damage from the breach.

The provision therefore lowers a major barrier to suit. Under U.S. Supreme Court jurisprudence, plaintiffs in federal data breach class actions have had a difficult time establishing standing, that is, showing a concrete injury (financial or otherwise) that resulted from the breach of their personal information.

The CCPA's private right of action provision potentially removes this roadblock by providing for statutory damages "in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater." Whether a statutory violation alone satisfies the injury requirement for standing in federal court remains a separate question.

The provision for statutory damages will likely result in an increase in data breach class action lawsuits.

The CCPA, which enhances privacy rights and consumer protections for California residents, went into effect Jan. 1, 2020. The California Attorney General’s Office will begin enforcing the law on July 1, 2020; the statute set the enforcement date at the earlier of July 1, 2020 or six months after publication of the final regulations.

Signed into law by then-Governor Jerry Brown on June 28, 2018, the CCPA is the first United States law that offers consumers privacy protections similar to those offered by the European Union’s General Data Protection Regulation. There is no federal law like the CCPA.

The CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue above $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50 percent or more of annual revenue from selling consumers' personal information. The law also reaches out-of-state companies that do business in California, including collecting the personal information of California residents and deciding how to process and use that information.