California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
The CCPA establishes a private right of action under Section 1798.150 of the statute. That means it gives private individuals - specifically, California consumers - the right to sue businesses in certain circumstances. However, the private right of action established in the CCPA does not apply to violations of the CCPA itself. In other words, a consumer cannot sue a business for its failure to uphold its obligations, such as disclosure or deletion, under CCPA.
Instead, the CCPA’s private right of action applies to violations of a different statute – Section 1798.81.5. That statute predates the CCPA and requires businesses to take certain steps to protect the security of personal information they hold. The CCPA allows consumers whose nonencrypted and nonredacted personal information is breached due to a business’s failure to comply with the security rules in Section 1798.81.5 to initiate a civil action to recover damages.
The private right of action in the CCPA provides that a consumer may recover either statutory damages between $100 and $750 per consumer per incident, or actual damages (i.e., the true damages actually suffered by the consumer as a result of the breach), whichever is greater. That means that it is not necessary for a consumer to suffer actual damages to recover under the CCPA. It is highly likely that the CCPA’s private right of action will lead to new consumer class actions – which are lawsuits brought on behalf of numerous, similarly-situated individuals – claiming damages under the CCPA for violations of California’s data breach law.
If a consumer cannot sue a business when it violates the CCPA, how are the CCPA’s disclosure, deletion, and notice obligations enforced? That is the subject of our article titled How Much Do CCPA Violations Cost?
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.