CCPA’s Private Right of Action Simplified For Businesses


The California Consumer Privacy Act (CCPA) is a data privacy law enacted by the California state legislature in June 2018 (and in force since January 1, 2020) that gives Californians the right to know what personal information businesses collect about them, to have that information deleted, and to opt out of its sale.

It also creates a private right of action that lets California residents sue a business directly when their personal information is exposed in a data breach caused by the business's failure to maintain reasonable security.

Read on to learn more about how the CCPA enables private right of action for California consumers.

Table of Contents
  1. What Is Private Right of Action?
  2. Who Is Covered by the CCPA’s Private Right of Action?
  3. Violations That Can Trigger a Private Right of Action
  4. Damages Outlined by the CCPA
  5. How To Avoid Private Claims Under the CCPA
  6. Summary

What Is Private Right of Action?

A private right of action is defined as a right for a private person to bring a claim to protect one’s rights under the law.

There are two components to this right, private and action:

  • Private: The meaning of “private” in the context of a private right of action is a right belonging to a private person. It does not include a government, whether it be state, local, or federal.
  • Action: The meaning of “action” in the context of a private right of action is the act of enforcing one’s legal rights. In other words, it refers to the initiation of a legal claim in court to protect one’s legal rights.

How Does the CCPA Incorporate Private Right of Action?

Californians have the following rights under the CCPA:

  • Right of disclosure: A consumer has the right to request that a company disclose what personal information it has collected from the individual.
  • Right of deletion: A consumer has the right to request that the company delete any personal information it has collected.
  • Right to opt-out: A consumer has the right to request that a company not sell the personal information it has collected about the consumer.
  • Right to non-discrimination: A consumer has the right not to be discriminated against by companies for exercising their rights under the CCPA.
  • Private right of action: The CCPA further provides that if a consumer feels that a company violated their rights, they “may institute a civil action.”

Who Is Covered by the CCPA’s Private Right of Action?

The CCPA's private right of action allows a consumer to file a lawsuit in court against a business whose failure to maintain reasonable security led to a breach of the consumer's personal information.

Consumers

Consumers in California can now initiate civil action against businesses that violate their rights under the CCPA. The definition of a consumer in this particular context is “a natural person who resides in California.”

A natural person means that the “consumer” definition does not include businesses. Thus, only individual California residents can bring a civil action under the CCPA.

The CCPA adopted the definition of resident from the California Code of Regulations. It states that residents of California include individuals who reside in California for a purpose other than a temporary or transitory one and individuals who are domiciled in California but live in another state for temporary or transitory purposes.

Lastly, under the CCPA’s private right of action, consumers are not entitled to sue other consumers, only businesses.

Businesses

If a business meets the following requirements, then it must abide by the CCPA:

  • It is a business that operates for-profit.
  • It does business in California (it does not need to be headquartered there).
  • It collects (or has collected) the personal information of its consumers.
  • It is in charge of determining the purpose and means of processing the collected personal information.
  • It meets one of the following:
    • It has more than $25 million in annual gross revenue.
    • It buys, receives for a commercial purpose, sells, or shares the personal information of at least 50,000 consumers, households, or devices each year.
    • More than half of its yearly revenue is derived from selling its consumers’ personal information.

Violations That Can Trigger a Private Right of Action

The CCPA’s private right of action only applies to data breaches.

A consumer can bring a civil action against a business if all of the following requirements are met:

  1. The individual's nonencrypted and nonredacted personal information, in the narrow sense defined below (a name in combination with a listed data element, or an email address in combination with a password or security question and answer), has been subject to unauthorized access and exfiltration, theft, or disclosure.
  2. That unauthorized access and exfiltration, theft, or disclosure resulted from the business's violation of its duty to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information.
  3. Before filing a lawsuit for statutory damages, the individual must give the business 30 days' written notice and an opportunity to cure the alleged violation.

The following sections will define these elements more closely.

1. Personal Information Must Be Affected

Affected consumers can bring a private cause of action against you if your company suffers a data breach of their personal information and you failed to maintain appropriate security procedures.

However, for the private right of action the CCPA defines "personal information" much more narrowly than it does elsewhere in the statute.

Specifically, the CCPA borrows the definition of personal information from Section 1798.81.5(d)(1)(A) of California's Customer Records Act. Under that definition, personal information falls into two categories.

Category 1
  • The individual's first name or first initial and last name, in combination with any one or more of the following data elements:
    • Social Security number
    • Government-issued identification numbers, such as:
      • Driver's license number
      • California identification card number
      • Tax identification number
      • Passport number
      • Military identification number
    • Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account
    • Medical information
    • Health insurance information
    • Unique biometric data
    • Genetic data
Category 2
  • A username or email address in combination with a password or security question and answer that would permit access to an online account

Category 1 data counts as "personal information" for the private right of action only when it is not encrypted or redacted, which the definition measures per record: if either the name or the accompanying data element is stored in the clear, the combination qualifies. Category 2 (the credential pair) is listed in the private-right-of-action provision in its own right, so do not assume that the encryption carve-out covers a weakly protected password store; plaintext or reversibly stored passwords next to email addresses are exactly what that category targets.

This definition of personal information also has some caveats and explanations that you must be aware of:

  • Biometric data includes a fingerprint, retina scan, or iris image used to identify an individual. It does not include a photo of an individual unless that photo is used for facial recognition.
  • Medical information refers to any identifiable information about an individual’s medical history, treatment or diagnosis, whether it is in paper or digital form.
  • Health insurance information includes the person’s insurance policy number or subscriber identification number, a unique identifier used by the insurance company to identify the individual or any information in an individual’s insurance application, and history of claims.
  • Genetic data includes any data about the results of an analysis of an individual’s biological sample and concerns genetic material. Examples of genetic material include DNA, RNA, genes, chromosomes, and modifications to DNA or RNA.

2. Personal Information Must Be Subject to Unauthorized Access and Exfiltration, Theft, or Disclosure

A qualifying data breach has two components, and both must be present:

  1. Unauthorized access
  2. Exfiltration, theft, or disclosure of the accessed data

Unauthorized Access

Unauthorized access means anyone reading or acquiring a consumer's information without permission. If your security controls are inadequate or absent, an external attacker can reach the consumer's personal information and take it.

The same applies to insiders: an employee who reads consumer records beyond what their role authorizes (for example, by browsing customer files out of curiosity or exporting them to pass to a competitor) is also accessing them without permission.

Both external and internal actors can therefore expose your company to a CCPA lawsuit, so access controls, logging, and monitoring need to cover both.

Exfiltration, Theft, or Disclosure

Exfiltration, theft, or disclosure refers to the accessed data being copied out of your systems, stolen, or shared with someone not authorized to receive it. Because the statute requires unauthorized access and one of these outcomes, access alone, with nothing taken or disclosed, does not by itself trigger the private right of action.

3. A Data Breach Must Occur as a Result of a Business's Failure to Implement and Maintain Reasonable Security Procedures and Practices

Remember that a consumer can only bring a private cause of action for a data breach if the breach resulted from your failure to implement and maintain reasonable security procedures and practices. A breach that occurs despite reasonable security does not, by itself, give rise to a claim.

The CCPA does not define "reasonable security procedures and practices." You must therefore assess your company's operations and the sensitivity of the data you hold, determine the security measures appropriate to protect consumers' personal information, and document that reasoning so you can show it later.

It may be beneficial to hire an IT security or consulting firm to assist you in implementing security controls and procedures for your company.

4. The Individual Must Give the Business a 30-Day Opportunity to Cure the Alleged Violation

Before a consumer files an action for statutory damages, the consumer must give the business written notice identifying the specific provisions of the CCPA it is alleged to have violated. The business then has 30 days to cure.

If a cure is possible and the business actually cures the noticed violation within the 30 days, and gives the consumer an express written statement that the violations have been cured and that no further violations will occur, no action for individual or class-wide statutory damages may be brought against it. This notice requirement does not apply to an action brought solely for actual pecuniary damages suffered as a result of the breach.

If the business does not cure within the 30 days, the consumer may proceed with the action. If the business does cure but later violates the express written statement, the consumer may sue to enforce the statement and pursue statutory damages for each breach of the statement as well as for any other violation.

Note that, as amended by the California Privacy Rights Act (CPRA), implementing and maintaining reasonable security procedures after a breach has already occurred does not count as a cure with respect to that breach, so the cure period cannot be used to undo the exposure retroactively.

Damages Outlined by the CCPA

When a business violates a consumer’s data privacy rights under the CCPA, it is liable to pay damages.

A consumer can bring a cause of action to recover the actual or statutory damages.

  • Actual damages refer to the actual losses that consumers face due to a company’s data breach.
  • Statutory damages range between $100 and $750 per consumer per incident.

The business will be liable for either actual or statutory damages, whichever is greater.

The court determines CCPA statutory damages by looking at the following:

  • Nature and seriousness of the breach
  • Number of violations
  • Persistence of the misconduct
  • Length of time the offense occurred
  • Wilfulness of the business’s misconduct
  • Business’s assets, liabilities, and net worth

Under the CCPA, a business can face injunctive or declaratory relief and “any other relief the court deems proper.”

Separately from private claims, a business that violates the CCPA can face a civil action brought by the California Attorney General, which can result in an injunction and civil penalties of up to $2,500 per violation, or $7,500 per intentional violation.

These civil penalties belong to the Attorney General's enforcement action; they are not a cap on what a consumer can recover under the private right of action, which is governed by the actual-or-statutory-damages rule above.

How To Avoid Private Claims Under the CCPA

The legal process and costs of defending a CCPA lawsuit can add up quickly, especially if it’s a massive data breach. Further, your company’s public image will suffer with a data breach announcement and subsequent lawsuit, especially if the media coverage is extensive.

Avoiding these claims should take priority in your business operations because reshaping your company’s image and rebuilding its security controls will be very costly.

Implementing data protection controls and security is the most direct way to reduce the likelihood of a breach.

You should note that the CCPA does not list specific appropriate security measures businesses should apply. However, companies are not without guidance regarding “reasonable security practices” they should consider implementing.

For example, the California Attorney General's 2016 Data Breach Report points to the 20 Critical Security Controls published by the Center for Internet Security (CIS). The report states that these controls define a minimum level of information security for organizations that collect or maintain personal information, and that failing to implement the controls that apply to an organization's environment constitutes a lack of reasonable security.

The CIS Controls have since been revised (version 8 consolidates them into 18 controls); they include, for example, "Secure Configuration of Enterprise Assets and Software" and "Access Control Management."

In addition to these controls, your company should consider the following measures and practices to avoid claims in connection with the CCPA:

  • Manage and control access to accounts
  • Protect data
  • Implement network security and defense systems
  • Set measures to backup and recover data
  • Establish protection against malware

Encrypting or redacting personal information can take it outside the private right of action altogether: the right covers only personal information that is nonencrypted and nonredacted, so a record in which either the name or the associated data element is encrypted or redacted does not meet the definition, and a breach of such records does not give consumers a claim under the CCPA.

Two caveats matter in practice. First, the protection has to hold at the point where the breach actually happens. Data that is encrypted at rest but exposed in plaintext through a compromised application, an open database session, or an unencrypted backup export, or that is taken together with the keys or credentials needed to decrypt it, should not be counted on as "encrypted." Second, the statute does not prescribe an algorithm or key length; California's Customer Records provisions define "encrypted" in terms of rendering data unusable, unreadable, or indecipherable to an unauthorized person through a generally accepted method, so document the method and key management you use and be prepared to show that it meets that bar.
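The following Python example is added to this article to illustrate the engineering side of the two-category definition above and of the encryption-or-redaction point in the last paragraph; it is not code from the article's author. It shows one way to store customer records so that the listed data elements are never kept next to the name in plaintext (the SSN is replaced by a keyed HMAC pseudonym plus a masked last four digits, the card number is reduced to its last four digits, and the password is stored as a salted PBKDF2 hash), together with a check that scans a stored record for the combinations the statute lists. The field names, the demo key and the sample record are constructed for the example, and whether masking or keyed hashing satisfies "encrypted or redacted" in a given case is a legal determination that the code does not make.

```python
"""Illustrative PII protection and in-scope check for records of the kind
Cal. Civ. Code 1798.81.5(d)(1) describes. Example code added for this article;
field names, the demo key and the sample record below are constructed."""
import hashlib
import hmac
import re
import secrets

# Constructed demo key. In production the key lives in a KMS/HSM and is never
# stored next to the data; otherwise a breach of the datastore takes both.
TOKEN_KEY = b"constructed-demo-key-do-not-use-in-production"

SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")
CARD_RE = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(number: str) -> bool:
    """Luhn check so that an arbitrary digit string is not flagged as a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tokenize(value: str) -> str:
    """Keyed HMAC-SHA256 pseudonym: allows matching or lookup without storing the SSN."""
    return hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()


def mask(value: str, keep: int = 4) -> str:
    """Redact all but the last `keep` digits."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep) + digits[-keep:]


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; a breach of the table does not yield the password."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 600_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def protect_record(rec: dict) -> dict:
    """Return the form of the record that is written to the datastore.

    The name and email stay usable; each listed data element is replaced by a
    pseudonym, a mask or a hash, and the raw value is not retained."""
    out = {k: rec[k] for k in ("first_name", "last_name", "email") if k in rec}
    if rec.get("ssn"):
        out["ssn_token"] = tokenize(rec["ssn"])
        out["ssn_last4"] = mask(rec["ssn"])
    if rec.get("card_number"):
        out["card_last4"] = mask(rec["card_number"])
    if rec.get("password"):
        out["password_hash"] = hash_password(rec["password"])
    return out


def in_scope(rec: dict) -> list:
    """List the reasons a record still matches the statutory combinations: a name
    together with a plaintext SSN or card number, or an email address together
    with a plaintext password. Only elements recognisable by pattern are checked;
    licence numbers, medical or insurance data need field-level knowledge."""
    reasons = []
    has_name = bool(rec.get("first_name") and rec.get("last_name"))
    for field, value in rec.items():
        value = str(value)
        if has_name and SSN_RE.fullmatch(value):
            reasons.append(f"name + plaintext SSN in {field}")
        if has_name and CARD_RE.fullmatch(value) and luhn_ok(value):
            reasons.append(f"name + plaintext card number in {field}")
    if rec.get("email") and rec.get("password"):
        reasons.append("email + plaintext password")
    return reasons


# Constructed sample record (not real data).
SAMPLE = {
    "first_name": "Ada", "last_name": "Example", "email": "ada@example.test",
    "ssn": "123-45-6789", "card_number": "4111 1111 1111 1111", "password": "hunter2",
}

if __name__ == "__main__":
    print("raw record in scope:", in_scope(SAMPLE))
    stored = protect_record(SAMPLE)
    print("stored record in scope:", in_scope(stored))
    print(stored)
```

Running the block on the sample record reports three matching combinations for the raw record and none for the stored form, and the stored form contains no field from which the SSN, card number or password can be recovered without the separately held key or the user's password. The pattern scan is the kind of check worth running over a database export or a backup before it leaves the environment, since that is where the "encrypted at rest but exported in the clear" failure shows up.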

Summary

The CCPA gives Californian residents a private right of action to sue businesses for breaching their rights.

Businesses that serve California residents must maintain sufficient security to protect the consumer data they collect and to prevent breaches. In the event of a breach, a company can face lawsuits from consumers and a civil action from the California Attorney General.

Maintaining data integrity and protection is your top concern as a business to avoid liability under the CCPA.

Written by Ali Talip Pınarbaşı, CIPP/E, & LLM

Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy Law from King's College London. He has three years of experience advising businesses on how to comply with data protection laws.
