Data Security Law Blog

A Closer Look at the CCPA’s Private Right of Action and Statutory Damages

The California Consumer Privacy Act (CCPA) has significantly altered the potential consequences of a data breach under California law by permitting California consumers to bring civil suits for statutory damages, Cal. Civ. Code § 1798.150(a)(1), and to seek statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Id. § 1798.150(a)(1)(A). The ability to seek statutory damages is in addition to injunctive or declaratory relief. Id. § 1798.150(a)(1)(B), (C).

While consumers already had the right to bring suit under California’s data breach law, the CCPA’s provision allowing consumers to sue, known as a private right of action, adds a few new wrinkles. First, it provides for statutory damages. In many data breaches, demonstrating and quantifying damages caused by the breach can be difficult, making it hard for plaintiffs to successfully sue and obtain monetary damages. Statutory damages eliminate that hurdle by dispensing with the need to prove actual damages. Plaintiffs’ attorneys may be more likely to bring class action lawsuits on behalf of groups of data breach plaintiffs with this new tool in hand. The CCPA provides courts with a laundry list of considerations for determining the amount of statutory damages to award. That list includes “the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.” Id. § 1798.150(a)(2).

Second, the new provision of the CCPA allows businesses the opportunity to avoid a consumer suit under the private right of action provision by “curing” the violation of “its duty to implement and maintain reasonable security procedures and practices” that resulted in “unauthorized access and exfiltration, theft, or disclosure” of the consumer’s personal information. To pursue statutory damages under the CCPA, would-be plaintiffs must first provide the would-be defendant business with 30 days’ written notice that the data security provision of the CCPA has been violated. Id. § 1798.150(b). The business then has 30 days to “cure” the violations and provide the plaintiffs with “an express written statement that the violations have been cured and that no further violations shall occur.” Id. If the business does so, then the plaintiff may not request statutory damages in a subsequent suit. The statute does not define “cure,” so it remains to be determined how a business can successfully “cure” data security violations under the statute. The concept of “cure” will require clarification from the California Attorney General when he issues regulations or will be litigated after the law goes into effect.

Third, the CCPA authorizes a private right of action only for breaches involving the nonredacted and unencrypted “personal information” of California consumers. Id. § 1798.150(a)(1). The private right of action provision selects a narrower definition of “personal information” than is used throughout the rest of the CCPA (see our three-part series on that expansive definition), deferring instead to one subpart of the definition of “personal information” found in the California data breach statute. Id. § 1798.81.5(d)(1)(A). Thus, a consumer can bring suit under the CCPA only if the following information is accessed or obtained without authorization:

  • an individual’s name along with his or her
    • social security, driver’s license, or California identification card number;
    • account, credit card, or debit card number, in combination with a code or password that would permit access to a financial account; or
    • medical or health insurance information.

Id. § 1798.81.5(d)(1)(A).

The CCPA is set to become operative on January 1, but before that date we expect legislative amendments, as well as CCPA-mandated regulations to be issued by the California Attorney General. Until then, the CCPA, including the private right of action and related statutory damages, remains unsettled. Significantly, a bill (SB 561) backed by the Attorney General of California to expand the private right of action to any violation of the consumer rights provided by the CCPA has stalled in committee, making it less likely that the private right of action and statutory damages will meaningfully expand to the entire CCPA before the operative date.

Despite its limitations and questions about its scope, the CCPA’s private right of action and related statutory damages provisions must be taken seriously by businesses subject to the law. While California’s data breach law already provided a private right of action to recover damages, id. § 1798.84(b), the CCPA’s addition of statutory damages puts a new arrow in plaintiffs’ quiver, one that does not require a showing of actual harm.

This blog will continue in-depth coverage of the CCPA, as well as coverage of any significant amendments or regulations to the law.