A Guide to CCPA Private Right of Action

Under the California Consumer Protection Act (CCPA), consumers are granted several rights. One of these is the private right of action, which allows consumers to sue businesses directly. However, a specific set of conditions must be met before legal action can proceed.


What is the Private Right of Action?

The Private Right of Action under the CCPA allows individual consumers to sue businesses that violate the law. This right is defined in Cal. Civ. Code § 1798.150, which states that consumers can sue a business if their nonencrypted and nonredacted personal information was stolen in a data breach that resulted from the business’s failure to maintain adequate security procedures and practices to protect it.

Definition of Business under the CCPA

The California Consumer Protection Act defines a business as a for-profit organization that collects the personal information of consumers, determines the purposes and method of the processing, targets Californian residents, and meets at least one of the following requirements:

  • has annual gross revenues exceeding twenty-five million dollars ($25,000,000); or
  • derives 50% or more of its annual revenues from selling or sharing the personal information of California consumers; or
  • buys, sells, or shares the personal information of 100,000 or more California consumers annually.

When Can a Business Be Sued?

There should be a data breach

As noted above, consumers cannot sue a business for just any violation of the Act; both of the following conditions must be met:

  1. There has been a data breach, where the consumer’s nonencrypted and nonredacted personal information was stolen.
  2. The data breach was a result of the business’s failure to protect personal information through security measures.

The business must process specific categories of personal information

The business must also process specific categories of personal information in order to be sued. The Act specifies that, for the private right of action to apply, the following information must have been stolen in the data breach:

  • The first name (or first initial) and the last name of the consumer;
  • Combined with any of the following information:
    • Social security number.
    • Any unique identification number issued on a government document, such as a driver’s license number, tax identification number, passport number, military identification number, etc.
    • Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that would allow access to the consumer’s account.
    • Medical or health insurance information.
    • Any unique biometric data used to identify a person, such as a fingerprint, retina, or iris image (this doesn’t include photographs, unless used for facial recognition purposes).

In 2023, the CCPA was amended by the California Privacy Rights Act (CPRA) to expand consumers’ rights. The CPRA also expanded the private right of action to include email addresses in combination with a password or security questions and answers in the list of personal information categories that are covered under the Act.

Businesses can “cure the violation” before being sued

Before suing, consumers must give the business written notice identifying the specific section of the Act that was allegedly violated. The business then has 30 days to respond and cure the violation.

If the business cures the violation within that period and provides a written statement confirming that it has done so, the consumer cannot sue. If, instead, the violation continues, the consumer can proceed with legal action.

For any other violation of the CCPA, consumers can file a complaint with the Attorney General or the California Privacy Protection Agency, which will take care of investigating and proceeding with legal actions.

What are the Consequences of the Private Right of Action under the CCPA?

A consumer may sue for either type of damages:

  • Actual monetary damages suffered as a result of the breach. For example, if the breach compromised bank account information and led to a monetary loss, the compensation would amount to the actual loss; or
  • Statutory damages, ranging from $100 to $750 per consumer per incident. The exact amount within that range is decided by the court.

⚠️ Statutory damages can add up

The figure may seem small compared with the penalties under other privacy laws, but note that the Act counts damages per consumer per incident. Every affected consumer counts separately, and a data breach typically involves a large number of consumers, so the total exposure can be substantial.

Best Practices for Businesses to Avoid Legal Cases under the Private Right of Action

As a business, of course, you want to avoid getting sued. That’s why you shouldn’t overlook compliance with the CCPA.

Among other things, the CCPA requires you to take security measures to protect the personal information you collect and process. The CCPA does not specify which security measures you must apply; it refers instead to “reasonable security procedures and practices”.

Here are a few things you can do to safeguard your data:

  • Encrypt your data. Encryption makes stored data unreadable to anyone who does not hold the decryption key, so stolen ciphertext alone is of little use to an attacker. Note that the private right of action applies only to nonencrypted and nonredacted personal information, so encrypting the categories listed above directly reduces your exposure.
  • Limit access to your systems and accounts. Grant access only to the people who need it for their role. Fewer accounts with access means fewer opportunities for unauthorized access.
  • Use strong passwords and two-factor authentication (2FA). Use strong, unique passwords for each account, and add two-factor authentication, which requires a one-time code in addition to the password to log in.
  • Invest in your business’s security and train your staff appropriately. Everyone in your company should know the basics of cybersecurity, because many breaches start with a single employee’s lack of knowledge or carelessness.
  • Assess your processing activities regularly. Carry out audits and assessments on a regular schedule to identify aspects of your security practices that can be improved.

About us

iubenda

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com