Media Center

News Publications Articles Videos
If You Aren’t Worried about the CCPA, You Should Be
September 05, 2019


The California Consumer Privacy Act (CCPA) is unlike any privacy law in the United States. The Act allows people from California, the most litigious state in the nation, to form class action groups and sue companies for data breaches. The CCPA goes into effect January 1, 2020.

Prior to the creation of the CCPA, privacy laws did not allow consumers to sue a company for a data breach. Instead, most privacy laws allowed government regulators to pursue legal remedies against companies. Regulators committed their limited resources to larger breach events, largely ignoring smaller incidents. 

Consumers who attempted to sue companies for a data breaches failed. Consumers could demonstrate a loss of their information and they could show misuse of their information, but they could not connect the dots between the breach and the misuse of their information. Without that connection, plaintiffs could not demonstrate that they had been harmed by the data breach. Accordingly, courts dismissed those cases in the early stages of litigation.

How is the CCPA Different?


The CCPA allows consumers to sue companies for data breaches and guarantees a monetary recovery. If a company loses personal information, it can expect to pay those affected between $100 and $750 per entity. That means a minor data breach of 1,000 people could cost between $100,000 and $750,000 before adding legal fees, lost revenue, brand recuperation efforts and costs to notify those affected about the data breach.

The statutory damage also prevents companies from dismissing plaintiffs’ cases.  Because the statute provides damages, plaintiffs do not need to show that they were harmed. Instead, plaintiffs can rely on the statute to provide their damages.    

Companies need to draft and implement policies and procedures to create a privacy program. This process can be time consuming, and companies should start now. Without appropriate policies and procedures in place, a company lacks an adequate legal defense.