September 26, 2019

CCPA Security FAQs: Can a consumer bring suit in a California state court under the CCPA even if they were not injured by a data breach?

BCLP

+ Follow Contact

Send

Embed

Yes, if they satisfy the elements of a CCPA data breach claim.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” if the consumer’s “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices …”

As a result, there appear to be five elements necessary to establish a claim under the CCPA:

A business incurred a data breach;
The data breach involved a sensitive category of information identified in Cal. Civil Code Section 1798.81.5;
The business had a legal duty to protect the personal information from breach;
The business failed to implement reasonable security procedures and practices; and
The business’s failure resulted in (i.e., caused) the data breach.

Absent from these elements is a requirement that the affected consumer have suffered any injury as a result of the data breach. In fact, the CCPA provides that an affected consumer may recover “damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty [dollars] ($750) per consumer per incident or actual damages, whichever is greater.”¹ And unlike Article III of the U.S. Constitution, which requires a plaintiff to establish standing to bring suit, the California Constitution empowers state courts to adjudicate any “cause” brought before them.² As a result, a consumer whose personal information was subject to a data breach (and who meets the other elements set forth above) may bring suit in California state court even if they were not injured by the data breach.

For more information and resources about the CCPA visit http://www.CCPA-info.com.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Civil Code § 1798.150(a)(1)(A).

2. Cal. Const., art. VI, § 10.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.