
CCPA Private Right of Action: How It Impacts Your Business

By Safna December 11, 2024

The CCPA private right of action gives consumers a direct voice in data breach accountability. Though CCPA litigation has surged, businesses with strict data security protocols are thriving. With potential damages reaching $750 per incident, it is time to rethink the approach to data security. Discover what this means for your business and proactive measures to stay compliant. 

What is the CCPA private right of action?

The California Consumer Privacy Act (CCPA), in force since 2020, is a landmark privacy regulation designed to protect the personal data of California residents. A key provision of the law is its limited private right of action, which allows consumers to sue businesses in certain data breach situations arising from unauthorised access.

Trends in CCPA Filings in the United States (Statista)

Section 1798.150 establishes the private right of action and specifies the conditions under which consumers can file a suit. 

Section 1798.150 of CCPA

Types of personal information covered under the CCPA private right of action

For the private right of action, the CCPA uses a narrower definition of personal information, taking it from section 1798.81.5 rather than from the CCPA's own general definition.

To invoke the private right of action, the following data types count as personal information under the CCPA when they are combined with the consumer's nonencrypted and nonredacted first name (or first initial) and last name.

  • Any unique identification number issued by the Government including the following:
    • Social security number
    • Driver's licence number
    • California identification card number
    • Tax identification number 
    • Passport number
    • Military identification number or any other 
  • Account number, or credit or debit card number, combined with the credentials (such as a security code, access code or password) that would permit access to the financial account
  • Medical information
  • Health insurance information
  • Unique biometric data such as fingerprint, retina or iris image that can identify an individual. However, it does not include photographs unless used for facial recognition
  • Genetic data
  • Username or email address combined with the password or security question and answer that would permit access to an individual's online account

When can the CCPA private right of action be invoked?

The private right of action can be invoked only in limited circumstances. We will cut through the legal clutter to get a better understanding.

Non-encrypted and non-redacted personal information

The CCPA private right of action can be invoked only if the listed personal data is stored in a non-encrypted and non-redacted form. Businesses therefore have a duty to protect the confidentiality of consumers' personal information.

In simple terms, encryption means protecting data so that it can only be read with a specific key or password.

[Image: definition of encryption. Source: IAPP]

Redaction is similar to pseudonymisation: the sensitive part of the data, or a particular portion of it, is removed or hidden.

[Image: definition of redaction. Source: IAPP]
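The two conditions above (a readable name element combined with at least one readable data element from the section 1798.81.5 list) can be turned into a data-inventory check. The following is an added example, not code from the article or from CookieYes; the field labels, the record layout and the three sample systems are constructed assumptions.

```python
# Added example: flag stored records that would fall within the scope the article
# describes for the CCPA s.1798.150 private right of action: a nonencrypted,
# nonredacted first name/initial plus last name held together with at least one
# nonencrypted, nonredacted data element from the s.1798.81.5 list.
from dataclasses import dataclass

# Constructed labels for the data elements the article lists as covered when
# paired with a name. These are assumed field names, not statutory terms.
COVERED_ELEMENTS = {
    "ssn", "drivers_licence", "ca_id_card", "tax_id", "passport", "military_id",
    "financial_account", "medical_info", "health_insurance", "biometric",
    "genetic", "online_credentials",
}

@dataclass
class StoredField:
    name: str
    encrypted: bool = False   # stored as ciphertext, key held separately
    redacted: bool = False    # sensitive portion removed or masked

    @property
    def exposed(self) -> bool:
        """A field is exposed when it is neither encrypted nor redacted."""
        return not (self.encrypted or self.redacted)

def in_scope(fields: list[StoredField]) -> tuple[bool, list[str]]:
    """Return (flag, exposed covered elements) for one record layout.
    The record is flagged only when a readable last name plus first name or
    initial sits alongside at least one readable covered element."""
    exposed = {f.name for f in fields if f.exposed}
    has_name = "last_name" in exposed and bool(exposed & {"first_name", "first_initial"})
    elements = sorted(exposed & COVERED_ELEMENTS)
    if has_name and elements:
        return True, elements
    return False, []

def audit(inventory: dict[str, list[StoredField]]) -> dict[str, list[str]]:
    """Map each system to the exposed covered elements that put it in scope."""
    return {system: elems for system, fields in inventory.items()
            for flag, elems in [in_scope(fields)] if flag}

# Constructed sample inventory: three systems holding customer records.
CRM = [StoredField("first_name"), StoredField("last_name"), StoredField("ssn")]
BILLING = [StoredField("first_name"), StoredField("last_name"),
           StoredField("financial_account", encrypted=True)]   # encrypted: out of scope
SUPPORT = [StoredField("first_initial"), StoredField("last_name"),
           StoredField("medical_info"), StoredField("ssn", redacted=True)]

if __name__ == "__main__":
    print(audit({"crm": CRM, "billing": BILLING, "support": SUPPORT}))
```

Systems that are flagged are the ones where field-level encryption or redaction of the named element would take the record outside the article's description of the covered data.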

Unauthorised access and exfiltration, theft, or disclosure 

Consumers can sue a business for data breach only if unauthorised access results in exfiltration, theft, or disclosure.

Unauthorised access refers to when someone gains entry to data stored by companies without permission. Unauthorised access alone is insufficient to invoke the CCPA private right of action; it must also result in one of the outcomes below.

  • Exfiltration: Unauthorised transfer of personal data out of your system, for example by copying it to a removable device such as a USB drive.
  • Theft: Data is stolen or taken without authorisation.
  • Disclosure: Data is shared or exposed without your permission.

Unauthorised access to personal information can occur from external sources, meaning from outside the organisation, or from internal sources within the organisation.

Failure to implement and maintain reasonable security procedures

Adopting reasonable security measures is a fundamental responsibility for businesses under the CCPA. If a business adheres to the security requirements, the consumer's private right of action might not stand.

The security measures should be proportionate to the nature and amount of data you possess. For example, sensitive data requires heightened security. 

Some of the common measures include encryption and password protection, anonymisation, access controls, incident response plans and regular backups.

Who can file a CCPA private right of action?

Consumers, as defined under the CCPA, can exercise the private right of action against a business if a data breach occurs due to inadequate security measures.

Who is a consumer under CCPA?

A consumer is a natural person who is a California resident; the term does not include legal persons such as companies. This means that only a living individual who resides in California, other than for a temporary or transitory purpose, can sue businesses for data breaches.

Need for a 30-day cure period

Before initiating a private right of action, the affected consumer should give a 30-day cure period to the business. This notice must contain the alleged violations and the applicable CCPA provisions.

If a business resolves the breach within the cure period and provides a written statement to the consumer, then the affected consumer cannot exercise the private right of action. Note that merely implementing security measures does not count as curing the violation.

Who is a business under CCPA?

Under CCPA, consumers can only sue businesses for data breaches and not service providers or contractors.

[Image: definition of "business" from the CCPA regulation. Source: CCPA regulation]

A business includes all categories of for-profit entities specified in subsections (1), (2), (3) and (4) as seen in the above image.

In essence, a for-profit business that collects personal information from California residents or operates within California, and that determines the purposes and means of processing, falls under the CCPA's private right of action if it satisfies any of the following criteria.

  • Raised $25 million in the previous year
  • Buys, sells or shares the personal data of at least 100,000 consumers annually
  • Gains at least 50% of the gross annual revenue by selling or sharing the personal information of Californians

What damages can an affected consumer claim?

The CCPA states that consumers can claim the following under their private right of action:

Statutory damages

Statutory damages range between $100 and $750 per consumer per incident, depending on factors such as the seriousness of the breach or the number of violations. The court decides the amount.

Courts can also impose statutory damages upon companies even if the consumer did not experience any monetary loss as a result of the breach that occurred.

Actual damages

Actual damages are the total financial loss that a consumer suffers when their personal data is exposed, exfiltrated or stolen without authorisation.

For example, suppose an individual's social security number or credit card information is stolen. This might result in a significant monetary loss to the owner, probably higher than the statutory damages prescribed under the CCPA.

Injunctive and declaratory relief, or any other relief

In addition to fines, businesses might also face injunctive or declaratory orders to stop the breach. This might even mean a disruption of your business operations.

Courts can also apply their discretion to decide on any other suitable relief.

Key impacts on businesses and customer litigations

Here are the key impacts of the CCPA private right of action on businesses.

Surge in customer litigations

Since the law allows consumers to take legal action against companies, it is quite likely that there will be lawsuits from individual plaintiffs or in the form of class actions.

For instance, if a large-scale breach takes place, a company may need to manage a substantial number of lawsuits. This also means litigation and other associated costs for the business.

Compliance costs

Though a key impact of the CCPA in general, one cannot overlook the compliance costs. When it comes to the private right of action, the costs of implementing and maintaining security to protect consumers' personal information are crucial for compliance.

Reputational and financial loss

Incidents such as a data breach can greatly diminish your customers’ trust in your organisation. Similarly, it may trigger a public backlash in both conventional and social media platforms. 

Beyond the loss of reputation, companies may also encounter enforcement actions like CCPA penalties, which can reach as high as $7,500 for each violation, along with any statutory and actual damages.

Steps to minimise risks of a private right of action

Following are some of the steps to privacy-proof your organisation and minimise the risks associated with a private right of action.

Fortify security measures

Implement cybersecurity measures at organisational and technical levels to safeguard the personal data that your business possesses. 

This includes encryption, anonymisation, multi-factor authentication, access controls, identification of sensitive data for enhanced protection, regular security and vulnerability testing, and more.

Educate and train your employees

Protecting personal data is a shared responsibility that depends on your employees' caution while performing their roles. It is therefore crucial to train them in privacy practices. It is also important to maintain a positive work environment where employees are encouraged to report any suspicious activity.

Conduct periodic training sessions, workshops and phishing simulations, and train employees on breach response plans.

Establish privacy governance

Appoint a privacy officer or a Data Protection Officer for your organisation and define their roles and responsibilities. This is to oversee your data handling practices and create privacy-compliant policies that would minimise risks such as data breaches. 

Furthermore, conduct risk assessments and data privacy audits to discover and identify potential vulnerabilities.

FAQ on CCPA private right of action

How did CPRA amendments expand the private right of action?

The California Privacy Rights Act enhanced the private right of action under the CCPA, enabling consumers to initiate legal action if their email address and associated credentials that provide access to the account were accessed, stolen, compromised, or exposed without authorisation.
Additionally, it specifies that merely implementing security measures will not be considered a cure for the breach.

What is section 1798.150 of CCPA?

Section 1798.150 of the CCPA authorises consumers to bring legal action against companies for certain data breaches. This right does not apply to all violations of the CCPA, but only to those explicitly mentioned in the provision.

Is there a private right of action under GDPR?

Article 82 of the GDPR allows data subjects to seek compensation for any damage, whether material or non-material, that results from violations of their rights.
The private right of action granted by the GDPR appears to be more extensive than that provided by the CCPA.


Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.
