The CCPA private right of action gives consumers a direct voice in data breach accountability. Though CCPA litigation has surged, businesses with strict data security protocols are thriving. With potential statutory damages reaching $750 per consumer per incident, it is time to rethink the approach to data security. Discover what this means for your business and the proactive measures that keep you compliant.
What is the CCPA private right of action?
The California Consumer Privacy Act (CCPA), implemented in 2020, is a groundbreaking privacy regulation designed to protect the personal data of California residents. A key provision of the law is its limited private right of action, which allows consumers to sue businesses in certain data breach circumstances resulting from unauthorised access.
Section 1798.150 establishes the private right of action and specifies the conditions under which consumers can file a suit.
Types of personal information covered under the CCPA private right of action
For the private right of action, the CCPA uses a narrower definition of personal information, taken from Civil Code section 1798.81.5 rather than from the CCPA's own general definition.
To invoke the private right of action, the following data types count as personal information under the CCPA when combined with the consumer's nonencrypted and nonredacted first name or first initial and last name.
- Any unique identification number issued by the government, including the following:
  - Social security number
  - Driver's licence number
  - California identification card number
  - Tax identification number
  - Passport number
  - Military identification number or any other government-issued identification number
- Account number, or credit or debit card number, combined with the credentials needed to gain access to the financial account
- Medical information
- Health insurance information
- Unique biometric data, such as a fingerprint or a retina or iris image, that can identify an individual. However, it does not include photographs unless they are used for facial recognition
- Genetic data
- Username or email address combined with the password or security question and answer that can gain access to an individual's online account
When can the CCPA private right of action be invoked?
The private right of action can be invoked only in limited circumstances. We will cut through the legal clutter to get a better understanding.
Non-encrypted and non-redacted personal information
The CCPA private right of action can be invoked only if the listed personal data is stored in a non-encrypted and non-redacted form. Therefore, businesses have a duty to protect the confidentiality of consumers' personal information.
In simple terms, encryption means converting the data into a form that can be read only by someone holding the key or password.
Redaction is similar to pseudonymisation: the sensitive part of the data is removed or masked.
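The two conditions just described (the 1798.81.5 data elements listed above, held nonencrypted and nonredacted next to a clear first name or initial and last name) can be checked mechanically against a data export. The following is an added example, not code from the original article or from CookieYes: it flags records that would fall within the private right of action after a breach, and shows a redaction pass that removes that exposure. The column names, the masking rules, the `encrypted_fields` marker and the sample records are assumptions constructed for this example; the statute defines no schema.

```python
"""Added example (not from the original article): find records whose
1798.81.5 data elements sit in clear text beside a clear name, and redact them.

Field names, masking rules, the "encrypted_fields" marker and the sample
records are assumptions constructed for this example.
"""
import re
from typing import Dict, List

REDACTED = "[REDACTED]"

# Data elements that trigger the private right of action when stored in
# clear text together with the consumer's name. Keys are assumed column names.
TRIGGER_FIELDS = [
    "ssn", "drivers_licence", "state_id", "tax_id", "passport", "military_id",
    "card_number",       # only with the credentials that give account access
    "medical_info", "health_insurance", "biometric", "genetic",
    "password",          # only when combined with a username or email address
]

# Identifiers where keeping the last four characters is an acceptable mask
# (assumption); everything else is dropped entirely when redacted.
KEEP_LAST4 = {"ssn", "drivers_licence", "state_id", "tax_id", "passport",
              "military_id", "card_number"}


def has_clear_name(record: Dict) -> bool:
    """Nonencrypted, nonredacted first name (or initial) plus last name."""
    first = record.get("first_name") or record.get("first_initial")
    return bool(first) and bool(record.get("last_name"))


def is_redacted(value: str) -> bool:
    """Empty, fully dropped, or only the last four characters remaining."""
    return value in ("", REDACTED) or re.fullmatch(r"\*+\w{0,4}", value) is not None


def is_encrypted(record: Dict, field: str) -> bool:
    """Assumed convention: the storage layer lists its ciphertext columns here."""
    return field in record.get("encrypted_fields", set())


def qualifies(record: Dict, field: str) -> bool:
    """Apply the two 'combined with' conditions from the list above."""
    if field == "card_number":
        return bool(record.get("card_credentials"))
    if field == "password":
        return bool(record.get("username") or record.get("email"))
    return True


def exposed_fields(record: Dict) -> List[str]:
    """Trigger fields held nonencrypted and nonredacted beside a clear name."""
    if not has_clear_name(record):
        return []
    exposed = []
    for field in TRIGGER_FIELDS:
        value = record.get(field)
        if value is None or not qualifies(record, field):
            continue
        if is_encrypted(record, field) or is_redacted(str(value)):
            continue
        exposed.append(field)
    return exposed


def redact(record: Dict) -> Dict:
    """Copy of the record with every clear-text trigger field masked or dropped."""
    out = dict(record)
    for field in TRIGGER_FIELDS:
        value = out.get(field)
        if value is None or is_encrypted(out, field) or is_redacted(str(value)):
            continue
        chars = re.sub(r"\W", "", str(value))
        if field in KEEP_LAST4 and len(chars) > 4:
            out[field] = "*" * (len(chars) - 4) + chars[-4:]
        else:
            out[field] = REDACTED
    return out


def scan(records: List[Dict]) -> Dict:
    """Map record id -> list of exposed trigger fields, for reporting."""
    return {r["id"]: exposed_fields(r) for r in records}


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": 1, "first_name": "Ana", "last_name": "Lopez",
     "ssn": "123-45-6789", "email": "ana@example.com", "password": "hunter2"},
    {"id": 2, "first_name": "Ben", "last_name": "Ng",
     "ssn": "*****6789", "card_number": "4111111111111111"},   # card, no credentials
    {"id": 3, "first_initial": "C", "last_name": "Diaz",
     "passport": "X1234567", "encrypted_fields": {"passport"}},
    {"id": 4, "last_name": "Evans", "ssn": "987-65-4321"},       # no first name
]

if __name__ == "__main__":
    for rid, fields in scan(SAMPLE_RECORDS).items():
        print(rid, fields or "no 1798.150 exposure")
    print(redact(SAMPLE_RECORDS[0]))
```

Run over an export of a customer table, `scan` shows which rows would be in scope after a breach; only record 1 above is, because record 2's SSN is already masked and its card number is stored without access credentials, record 3's passport is held as ciphertext, and record 4 lacks the first name. Note that marking a column as encrypted removes the exposure only while the key is kept apart from the data, so the check is only as good as the key management behind that marker.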
Unauthorised access and exfiltration, theft, or disclosure
Consumers can sue a business for data breach only if unauthorised access results in exfiltration, theft, or disclosure.
Unauthorised access refers to when someone gains entry to data stored by companies without permission. Unauthorised access alone is insufficient to invoke the CCPA private right of action; it must also result in one of the outcomes below.
- Exfiltration: Unauthorised transfer of personal data out of your system, such as by copying it to a removable device like a pen drive.
- Theft: Data is stolen or taken without authorisation.
- Disclosure: Data is shared or exposed without your permission.
Unauthorised access to personal information can occur from external sources, meaning from outside the organisation, or from internal sources within the organisation.
Failure to implement and maintain reasonable security procedures
Adopting reasonable security measures is a fundamental responsibility for businesses under the CCPA. If a business adheres to the security requirements, the consumer's private right of action might not stand.
The security measures should be proportionate to the nature and amount of data you possess. For example, sensitive data requires heightened security.
Some of the common measures include encryption and password protection, anonymisation, access controls, incident response plans and regular backups.
Who can file a CCPA private right of action?
Consumers, as defined under the CCPA, can exercise the private right of action against a business if a data breach occurs due to inadequate security measures.
Who is a consumer under CCPA?
A consumer is a natural person who is a California resident; the term does not include legal persons such as a company. This means that only a living individual who resides in California, other than for temporary or transitory purposes, can sue a business for a data breach.
Need for a 30-day cure period
Before initiating a private right of action, the affected consumer must give the business a 30-day cure period by way of a notice. This notice must identify the alleged violations and the applicable CCPA provisions.
If the business cures the violation within the cure period and provides a written statement to the consumer, the affected consumer cannot exercise the private right of action. Note that merely implementing security measures does not count as curing the violation.
Who is a business under CCPA?
Under CCPA, consumers can only sue businesses for data breaches and not service providers or contractors.
A business includes all categories of for-profit entities specified in subsections (1), (2), (3) and (4) as seen in the above image.
In essence, a for-profit business that collects personal information from California residents or operates within California, and determines the purposes and means of processing, falls under the CCPA's private right of action if it satisfies any of the following criteria.
- Raised $25 million in the previous year
- Buys, sells or shares the personal data of at least 100,000 consumers annually
- Derives at least 50% of its gross annual revenue from selling or sharing the personal information of Californians
What damages can an affected consumer claim?
The CCPA states that consumers can claim the following under the private right of action:
Statutory damages
Statutory damages range between $100 and $750 per consumer per incident, depending on factors such as the seriousness of the breach or the number of violations. The court decides the amount.
Courts can also impose statutory damages upon companies even if the consumer did not experience any monetary loss as a result of the breach that occurred.
Actual damages
Actual damages are the total financial loss a consumer suffers when their personal data is exposed, exfiltrated or stolen without authorisation.
For example, suppose an individual's social security number or credit card information is stolen. This might result in a significant monetary loss to the owner, probably higher than the statutory damages prescribed under the CCPA.
Injunctive and declaratory relief, or any other relief
In addition to damages, businesses might also face injunctive or declaratory orders to stop the breach. This might even mean a disruption of your business operations.
Courts can also apply their discretion to decide on any other suitable relief.
Key impacts on businesses and consumer litigation
Here are the key impacts of the CCPA private right of action on businesses.
Surge in consumer litigation
Since the law allows consumers to take legal action against companies, it is quite likely that there will be lawsuits from individual plaintiffs or in the form of class actions.
For instance, if a large-scale breach takes place, a company could need to manage a substantial number of lawsuits. This also means litigation and other associated costs for businesses.
Compliance costs
Though compliance costs are a key impact of the CCPA in general, they cannot be overlooked here. When it comes to the private right of action, the costs of implementing and maintaining security to protect consumers' personal information are crucial for compliance.
Reputational and financial loss
Incidents such as a data breach can greatly diminish your customers’ trust in your organisation. Similarly, it may trigger a public backlash in both conventional and social media platforms.
Beyond the loss of reputation, companies may also encounter enforcement actions like CCPA penalties, which can reach as high as $7,500 for each violation, along with any statutory and actual damages.
Steps to minimise risks of a private right of action
Following are some of the steps to privacy-proof your organisation and minimise the risks associated with a private right of action.
Fortify security measures
Implement cybersecurity measures at organisational and technical levels to safeguard the personal data that your business possesses.
This includes encryption, anonymisation, multi-factor authentication, access controls, identification of sensitive data for enhanced protection, regular security and vulnerability testing, and more.
Educate and train your employees
Protecting personal data is a shared responsibility that depends on your employees' caution while performing their roles. Therefore, it is crucial to train them in privacy practices. Moreover, it is important to maintain a positive work environment where employees are encouraged to report any suspicious activity.
Conduct periodic training sessions, workshops and phishing simulations, and train employees on breach response plans.
Establish privacy governance
Appoint a privacy officer or a Data Protection Officer for your organisation and define their roles and responsibilities. This is to oversee your data handling practices and create privacy-compliant policies that would minimise risks such as data breaches.
Furthermore, conduct risk assessments and data privacy audits to discover and identify potential vulnerabilities.
FAQ on CCPA private right of action
The California Privacy Rights Act enhanced the private right of action under the CCPA, enabling consumers to initiate legal action if their email address and associated credentials that provide access to the account were accessed, stolen, compromised, or exposed without authorisation.
Additionally, it specifies that merely implementing security measures will not be considered a cure for the breach.
Section 1798.150 of the CCPA authorises consumers to bring legal action against companies for certain data breaches. This right does not apply to all violations of the CCPA, but only to those explicitly mentioned in the provision.
Article 82 of the GDPR allows data subjects to seek compensation for any damage, whether material or non-material, that results from violations of their rights.
The private right of action granted by the GDPR appears to be more extensive than that provided by the CCPA.