California Consumers Denied Right to Sue Companies Directly for Privacy Violations – For Now


The Appropriations Committee of the California Senate on May 17 halted efforts to add to the California Consumer Protection Act (CCPA) a private right of action that would have allowed individuals to sue businesses directly for violations of the law’s privacy-related rights.

The expansion was proposed via SB 561 which was supported by the state’s Attorney General’s office and privacy rights groups, and opposed by business groups. The CCPA still allows individual consumers to sue for certain types of data breaches, but leaves enforcement of privacy rights to the AG.

“Of course, this does not mean businesses can slow down compliance efforts,” says MoginRubin Counsel Jennifer Oliver. “The CCPA still allows the Attorney General’s office to seek $2,500 per ‘violation’ and $7,500 per each intentional violation. If those amounts are applied on a per-consumer or per-day basis, the potential damages could be substantial. Additionally, the CCPA allows consumers to seek statutory damages of between $100 and $750 ‘per consumer, per incident’ for data breaches due to a business’s failure to implement and maintain reasonable security procedures and practices.”

For more background, read Oliver’s post about the debate leading up to the Senate Judiciary’s 5-3 support of SB 561 on April 9.

Sign up to view this Whitepaper