California Breach Laws & CCPA Private Right of Action
Cal. Civ. Code §§1798.29 (government agencies) & 1798.82 (businesses):
| Element | Definition |
|---|---|
| Personal Information | Name + (SSN, driver's license, financial account info, medical info, health insurance info, biometric data, username+password/security Q&A) |
| Unauthorized Acquisition | Breach of security; data accessed/acquired by unauthorized person |
| Unencrypted/Unredacted | If the data was encrypted and the encryption key was not compromised, no notification is required |
| Likelihood of Harm | Some statutes (not CA) require notification only if "reasonable likelihood of harm" |
§1798.150 elements:
If you're a resident of another state, similar laws apply. Key variations:
| Right/Remedy | Legal Basis | What You Get |
|---|---|---|
| Timely notification | State breach laws | Notice of breach, what data was compromised, steps to protect yourself |
| Credit monitoring | Often offered voluntarily; may be required by settlement/AG action | 12–24 months free credit monitoring, identity theft insurance |
| Out-of-pocket loss reimbursement | Common law negligence, breach of contract | Documented expenses: fraudulent charges, credit freezes, time spent resolving identity theft |
| Statutory damages (CCPA) | Cal. Civ. Code §1798.150 | $100–$750 per incident (CA residents only, certain breach types) |
| Class action participation | Various theories | Share of settlement fund (often modest per-person recovery) |
To maximize recovery, document:
Individual demand/lawsuit if:
Join class action if:
Companies often offer free credit monitoring. You can demand:
| Section | Content |
|---|---|
| Breach identification | Date of breach, date you were notified, company's breach notice letter |
| What data was compromised | Type of personal information (SSN, financial accounts, medical, etc.) |
| Legal violations | State breach notification law, CCPA §1798.150 (if applicable), negligence, breach of implied contract |
| Your damages | Itemized out-of-pocket costs, time spent (hours × rate), emotional distress, increased risk |
| Demand | Credit monitoring (24 months, all bureaus), identity theft insurance, reimbursement of expenses ($X), compensation for time ($Y) |
| CCPA §1798.150 notice | If applicable: "This constitutes 30-day notice under Cal. Civ. Code §1798.150. If you do not cure within 30 days, I will pursue litigation for statutory damages." |
| Deadline | 30 days (if CCPA notice); 14–21 days for immediate relief demands |
Companies often respond with offers. Evaluate:
| Claim | Elements | Damages Available |
|---|---|---|
| CCPA §1798.150 | CA resident; unreasonable security; breach of nonencrypted PI; 30-day notice & no cure | $100–$750 per incident OR actual damages (whichever greater); injunctive relief |
| Negligence | Duty of care; breach (inadequate security); causation; damages | Actual damages (out-of-pocket losses, time, emotional distress) |
| Breach of implied contract | You provided PI; company implicitly promised to protect it; breach; damages | Contract damages (expectation, reliance) |
| Breach of fiduciary duty | Special relationship (e.g., healthcare, financial); duty to safeguard PI; breach; damages | Actual damages, possibly punitive if reckless |
| Unjust enrichment | Company benefited from collecting your data; failed to protect it; unjust to retain benefit | Restitution (value of services/data) |
Concrete injuries that establish standing:
Major breaches typically result in class actions:
Common breach settlement terms:
In addition to private litigation:
I represent consumers in data breach matters, including CCPA §1798.150 claims, class actions, and individual breach litigation. I also counsel businesses on breach response, notification obligations, and regulatory compliance.
Book a call to discuss your data breach matter. I'll review the breach facts, assess your legal claims, and recommend strategy for pursuing compensation or defending against claims.
Email: owner@terms.law