The California Consumer Privacy Act (CCPA) has significantly altered the potential consequences of a data breach under California law by permitting California consumers to bring civil suits for statutory damages, Cal. Civ. Code § 1798.150(a)(1), and to seek statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Id. § 1798.150(a)(1)(A). The ability to seek statutory damages is in addition to injunctive or declaratory relief. Id. § 1798.150(a)(1)(B),(C).
While consumers already had the right to bring suit under California’s data breach law, the CCPA’s provision allowing consumers to sue, known as a private right of action, adds a few new wrinkles. First, it provides for statutory damages. In many data breaches, demonstrating and quantifying damages caused by the breach can be difficult, making it hard for plaintiffs to successfully sue and obtain monetary damages. Statutory damages eliminates that hurdle by dispensing with the need to prove actual damages. Plaintiffs’ attorneys may be more likely to bring class action lawsuits on behalf of groups of data breach plaintiffs with this new tool in hand. The CCPA provides courts with a laundry-list of considerations for determining the amount of statutory damages to award. That list includes “the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.” Id. § 1798.150(a)(2).