Between “private right of action” consumer lawsuits for data breaches and civil penalties levied by the California attorney general for non-compliance, the California Consumer Privacy Act (CCPA) can be an expensive law to break.

The Golden State designed CCPA, the nation’s most stringent data privacy law, to protect consumers’ (“a natural person who is a California resident”) rights over their personal information. The CCPA applies to for-profit businesses that meet certain criteria, including at least $25 million in annual revenue, and that collect personal information from California residents.

The CCPA is similar to the European Union’s General Data Protection Regulation (GDPR). Unlike the GDPR, however, the CCPA grants consumers the right to sue if someone gets unauthorized access to their personal data. Those consumers may qualify for statutory damages if they can show that the breach occurred because of a lack of “reasonable security procedures” such as encryption or redacting identifying data.

Private Right of Action

Under California law, damages may include:

  • $100 to $750 per consumer per incident, or actual damages, whichever is greater
  • Injunctive or declaratory relief
  • Any other relief the court deems proper

When assessing damages, the CCPA directs a court to consider:

  • The nature, seriousness, and persistence of the misconduct
  • The number of violations
  • The length of time over which the misconduct occurred
  • Whether it was an intentional violation
  • The defendant’s assets, liabilities, and net worth

The law does give businesses a chance to right any wrongs before having to pay. If a consumer files a complaint against the organization that was breached, the accused business has 30 days to take corrective action before the suit can progress. If the consumer has suffered financially because of the breach, however, this notification step is not required.

Civil Penalties

Even if there has been no breach, the California attorney general can prosecute a business for general violations of the CCPA. Examples include a business’s failure to respond to consumer requests to view or delete personal information, or its unauthorized sale (or sharing) of that personal information.

The AG, too, must give a business 30 days to come into CCPA compliance. If the business does not rectify the problems during that time, the attorney general may impose a civil penalty of up to $2,500 per violation or $7,500 for each “intentional” violation.