CCPA Security FAQs: Does a consumer have to establish injury to bring suit in federal court in California under the CCPA?

Yes.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” if the consumer’s “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices …”1

However, a plaintiff suing in federal court must establish she has standing under Article III of the U.S. Constitution. Article III standing requires (1) an injury-in-fact, (2) fairly traceable to the challenged conduct, (3) that is likely to be redressed by a favorable judgment. The U.S. Supreme Court has held that the alleged violation of a statutory right does not automatically satisfy the injury-in-fact requirement just because a statute authorizes a person to sue to vindicate that right. Rather, to constitute an injury-in-fact, a plaintiff’s injury must be both concrete and particularized, and these requirements are to be evaluated separately, even when the plaintiff asserts a statutory violation. Concrete injuries can be tangible or intangible, but when the injury is intangible, the mere fact that a cause of action exists in law does not confer Article III standing. Instead, the intangible injury must be real and have a close relationship to traditional, common law harms.2

A consumer whose personal information is subject to a data breach but who has not been injured at all by the data breach – for example, where the consumer has not suffered actual fraud and cannot establish a substantial likelihood of future identity theft – cannot establish she meets the standing requirements of Article III and will not be able to pursue her claim in federal court.  On the other hand, the standard of pleading required to establish injury-in-fact may be quite low; for example, if a consumer alleges she suffered anxiety resulting from unauthorized access to her data, or that she spent time freezing her credit and reviewing her credit reports, some federal courts may consider that sufficient to establish standing.

1. Cal. Civil Code 1798.150(a)(1).

2. Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).