CCPA Security FAQs: Can a consumer bring suit in a California state court under the CCPA even if they were not injured by a data breach?

Yes, if they satisfy the elements of a CCPA data breach claim.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” if the consumer’s “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices …”

As a result, there appear to be five elements necessary to establish a claim under the CCPA:

  1. A business incurred a data breach;
  2. The data breach involved a sensitive category of information identified in Cal. Civil Code Section 1798.81.5;
  3. The business had a legal duty to protect the personal information from breach;
  4. The business failed to implement reasonable security procedures and practices; and
  5. The business’s failure resulted in (i.e., caused) the data breach.

Absent from these elements is a requirement that the affected consumer have suffered any injury as a result of the data breach.  In fact, the CCPA provides that an affected consumer may recover “damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty [dollars] ($750) per consumer per incident or actual damages, whichever is greater.”1 And unlike Article III of the U.S. Constitution, which requires a plaintiff to establish standing to bring suit, the California Constitution empowers state courts to adjudicate any “cause” brought before them.2 As a result, a consumer whose personal information was subject to a data breach (and who meets the other elements set forth above) may bring suit in California state court even if they were not injured by the data breach.