CCPA Security FAQs: What factors will courts look to when determining what statutory damages to award?

September 5, 2019

Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices . . . .” 1  If a plaintiff is successful in bringing such a suit, the statute instructs a court to examine some, or all, of the following factors when determining the statutory damages to which the plaintiff may be entitled: 

  • Nature of the misconduct;
  • Seriousness of the misconduct;
  • Number of violations;
  • Persistence of the misconduct;
  • Length of time over which the misconduct occurred;
  • Willfulness of the defendant’s misconduct; and
  • Defendant’s assets, liabilities, and net worth.2

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Civil Code 1798.150(a)(1).

2. Cal. Civil Code 1798.150(a)(2).