Does the CCPA Have a Private Right of Action?

The CCPA establishes a private right of action under Section 1798.150 of the statute. That means it gives private individuals - specifically, California consumers - the right to sue businesses in certain circumstances. However, the private right of action established in the CCPA does not apply to violations of the CCPA itself. In other words, a consumer cannot sue a business for its failure to uphold its obligations, such as disclosure or deletion, under CCPA.

Instead, the CCPA’s private right of action applies to violations of a different statute – Section 1798.81.5. That statute predates the CCPA and requires businesses to take certain steps to protect the security of personal information they hold. The CCPA allows consumers whose nonencrypted and nonredacted personal information is breached due to a business’s failure to comply with the security rules in Section 1798.81.5 to initiate a civil action to recover damages.

The private right of action in the CCPA provides that a consumer may recover either statutory damages between $100 and $750 per consumer per incident, or actual damages (i.e., the true damages actually suffered by the consumer as a result of the breach), whichever is greater. That means that it is not necessary for a consumer to suffer actual damages to recover under the CCPA. It is highly likely that the CCPA’s private right of action will lead to new consumer class actions – which are lawsuits brought on behalf of numerous, similarly-situated individuals – claiming damages under the CCPA for violations of California’s data breach law.

If a consumer cannot sue a business when it violates the CCPA, how are the CCPA’s disclosure, deletion, and notice obligations enforced? That is the subject of our article titled How Much Do CCPA Violations Cost?