Yes.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices . . . .” 1  If a plaintiff is successful in bringing such a suit, the CCPA states that the plaintiff can recover “damages in an amount . . . not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”2


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Civil Code 1798.150(a)(1).

2. Cal. Civil Code 1798.150(a)(1)(A).

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.