The California Consumer Privacy Act (CCPA) is a landmark U.S. privacy law with many laudable features. But the law’s private right of action is not among its strongest provisions. 

The CCPA’s private right of action only grants consumers who have suffered very specific data breaches a limited right to sue. However, this has not stopped law firms from trying to force through legal challenges against businesses that have violated parts of the CCPA that are irrelevant to the private right of action.

This CCPA case tracker from Perkins Coie reveals that 29 private actions have been lodged about non-compliant privacy notices. A further 25 complaints relate to the sale or disclosure of consumers’ personal information. In fact, nearly half of the tracked cases are unrelated to any data breach.

Such cases are unlikely to succeed. Meeting the CCPA’s private right of action requirements is a very high bar.

Why the CCPA’s private right of action matters

As the U.S. slowly develops its “patchwork” of state privacy laws, the presence of a private right of action in any bill is guaranteed to upset corporate lobbyists.

Of the three comprehensive privacy laws signed into law in the U.S., only California’s contains a private right of action. Virginia and Colorado handed enforcement powers exclusively to the relevant attorneys general and district attorneys.

The CCPA’s private right of action is particularly interesting as it allows consumers to seek statutory damages of $100-$750 per incident. This could add up to billions of dollars where a CCPA violation affects many consumers.

But the CCPA’s private right of action isn’t as powerful as you might expect. In fact, it will be remarkable if more than a handful of the over 150 CCPA complaints lodged so far succeed.

Here are five hurdles you’ll have to clear to successfully sue under the CCPA.

Hurdle 1: Data breaches only

The CCPA grants consumers rights to access and control their personal information and puts certain data protection obligations on businesses.

For example, the CCPA allows you to opt out of the sale of your personal information. Businesses must provide notice before collecting your personal information. If a business fails to fulfill these obligations, it could be guilty of a serious CCPA violation. 

However, few of the CCPA’s rights and obligations are relevant to the law’s private right of action, which only allows you to sue if your personal information is stolen in a data breach.

Hurdle 2: Narrow “data breach” definition

The CCPA defines a “data breach” in a very specific way. Under the CCPA, four interlinked elements must be present to give rise to a data breach:

  1. Unauthorized access, AND

  2. Exfiltration, theft, or disclosure, AS A RESULT OF

  3. Violation of the duty to implement and maintain reasonable security procedures and practices to protect the personal information, THAT ARE

  4. Appropriate to the nature of the information.

Therefore, to establish that there has been an actionable breach, you must show not only that your personal information was subject to unauthorized access, but also that the breach occurred due to a violation of the duty to implement and maintain “reasonable” and “appropriate” security measures.

So, for example, if a business were to merely lose your personal information—and you were unable to show that it had also been accessed—you’d be unable to bring a case under the CCPA.

Compare the CCPA’s data breach definition to the GDPR’s: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

The CCPA’s definition is unarguably narrower. But that’s only half the story—what really restricts the CCPA’s private right of action is that it only covers certain types of personal information. 

Hurdle 3: Extremely narrow “personal information” definition

The CCPA itself contains a particularly broad definition of “personal information.” But that definition doesn’t apply in the context of the law’s private right of action.

You can’t sue a business that has lost control of just any personal information. The CCPA only recognizes private legal claims relating to a different definition of personal information, taken from California’s Data Breach Notification Law.

This other California law defines “personal information” in an extremely specific way.

Essentially, “personal information,” in this context, means a data set including two elements—one from group 1, and one from group 2, below—where at least one of the elements is not encrypted or redacted.

  1. A person’s first name or first initial, AND their last name

  2. One or more of the following elements:

    • Social security number

    • A unique ID number that is “issued on a government document commonly used to verify the identity of a specific individual,” such as:

      • Driver’s license number

      • California ID

      • Tax ID

      • Passport number

      • Military ID

    • An account or credit card number, together with any required information that would permit access to the account, such as:

      • Security code

      • Access code

      • Password

    • Medical information

    • Health insurance info

    • Biometric information, which does not include a physical or digital photo unless that photo is used for identification purposes, such as:

      • Fingerprint

      • Retina image

      • Iris image

So, for example, you can’t sue under the CCPA if a business suffers a data breach and allows criminals to steal: 

  • Your name, phone number, and private address

  • Your last name and medical history, without your first name or first initial

  • Your name and credit card number, without your security code

You might be able to sue under the CCPA if a business suffers a data breach and allows criminals to steal your first and last name in combination with your social security number.

Hurdle 4: Notice and cure

Even if you meet the above requirements, you still need to give a business thirty days’ notice so that it can “cure” its CCPA violation. If the business manages to cure its violation, it can avoid a lawsuit.

It’s not clear what would constitute a “cure” in the case of a data breach. Originally, the CCPA specified that businesses could not simply “patch up” a data breach retroactively, with the following line:

“The implementation and maintenance of reasonable security procedures and practices… following a breach does not constitute a cure with respect to that breach.”

However, this provision was eventually removed from the enacted version of the CCPA, implying that such a cure might be possible.

Hurdle 5: Article III standing 

Assuming you clear all the CCPA’s hurdles, you’ll still need to have “Article III standing” under the U.S. Constitution to meet the minimum requirements to sue.

Under Federal Rule of Civil Procedure 12(b)(1), a court will dismiss a plaintiff’s complaint unless:

  • The plaintiff has suffered “injury in fact” that is:

    • Concrete and particularized, and

    • Actual or imminent

  • The plaintiff’s injury is causally connected to the defendant

  • It is likely that the plaintiff’s injury will be redressed by a favorable decision

And under the interpretation of the Ninth Circuit Court (which covers California) the “sensitivity” of data is an important factor in weighing whether a plaintiff has suffered “injury in fact.” 

This is why the CCPA class action against Marriott failed after Marriott successfully argued that the plaintiffs—whose “names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers” were allegedly breached—lacked Article III standing.

Ultimately, this case was likely to lose anyway due to hurdle 3—the CCPA’s narrow definition of “personal information” in the context of an actionable data breach. But the court didn’t even deal with this issue due to the plaintiffs’ lack of Article III standing.

An impossible task?

Given the ruling in Marriott and the recent judgment at the Supreme Court in Ramirez v TransUnion, the viability of the private right of action per se has come into question.

Without wishing to pass judgment on any specific ongoing litigation, I will be surprised to see a case that successfully clears all five of the hurdles identified above and enables consumers to recover statutory damages.

Upcoming amendments to the CCPA’s private right of action—coming as part of the California Privacy Rights Act (CPRA)—will broaden the actionable types of personal information to include an email address and password. 

However, it is hard to see how this modest amendment will substantially increase the likelihood of successful privacy actions in California.