Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws
California Statutory Damages (CCPA/CPRA)
In 2020 California became the first state to let consumers recover statutory damages for breaches: $100 to $750 per incident where the breach resulted from failure to implement and maintain reasonable security. A 30-day cure period can bar statutory damages. Enacted via the CCPA, updated by the CPRA.
Because actual damages are hard to prove in breach cases, California created statutory damages, which dispense with the need to prove loss. Consumers may recover $100 to $750 per incident, actual damages, or other remedies, where the breach resulted from the business's failure to implement and maintain reasonable security procedures and practices.
⚠️ The 30-day cure
A consumer seeking statutory damages must give the business a chance to cure. If the business successfully cures within 30 days, the consumer cannot pursue statutory damages. Note: simply implementing reasonable security after the breach does not count as a cure.
This framework was enacted through the CCPA's private right of action and updated by the CPRA (see Chapter 6). It ties recovery to the definition of personal information in California's data breach notification law.
Key terms - quick answers
What is “Statutory damages”?
A set amount fixed by statute (in California, $100 to $750 per incident) that consumers can recover without proving actual loss.
What is “CCPA”?
California Consumer Privacy Act; its private right of action created statutory damages for breaches caused by failure to maintain reasonable security.
What is “CPRA”?
California Privacy Rights Act; updated the CCPA, including its statutory-damages framework (see Chapter 6).
What is “30-day cure period”?
California provision allowing a business to cure an alleged violation within 30 days; a successful cure bars the consumer from pursuing statutory damages.