CCPA Security FAQs: Does the CCPA Allow an Individual Whose Email Address is Compromised Through a Data Breach to Recover Statutory Damages?

July 23, 2019


The Act generally defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 The Act includes a non-exhaustive list of examples of personal information, which makes clear that “email address” falls within the definition.2

While “email address” falls within the general definition of “personal information,” the private right of action is narrower. The section of the CCPA that permits consumers to bring suit to recover statutory damages following a data breach, where a business did not use reasonable security procedures and practices to protect the information from breach, states that the private right of action only applies to “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5 . . . .”3 That subsection contains a much narrower definition of “personal information” that includes only an individual’s first name or first initial and his or her last name in combination with one of the following data elements:

  1. Name and Social Security number;
  2. Name and driver’s license number or California identification card number;
  3. Name and account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  4. Name and medical information;
  5. Name and health insurance information;4
  6. A username or email address in combination with a password or security question and answer that would permit access to an online account.

Thus, although the CCPA generally regulates the collection, sharing, and deletion of email addresses, the statutory damages provision would not permit an individual whose email address was lost as a result of a data breach to initiate suit, or to seek statutory damages.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Article 1798.140(o)(1).

2. CCPA, Section 1798.140(o)(1)(A).

3. CCPA, Section 1798.150(a)(1).

4. Cal. Civil Code Section 1798.81.5(d)(1)(A).