Quick Summary & Key Takeaways
| What You Need to Know | Details |
|---|---|
| Statutory damages | $100–$750 per consumer per incident (or actual damages if greater) |
| Notification trigger (§ 1798.82) | Unauthorised acquisition of unencrypted personal information, or of encrypted personal information when the encryption key or credential was acquired with it |
| Notification timeline | "Most expedient time possible and without unreasonable delay"; the statute sets no day count, with 30–45 days a common practical benchmark |
| Who can sue | Individual consumers via private right of action (§ 1798.150) |
| Cure period | Removed by CPRA for breaches: implementing reasonable security after a breach expressly does not cure it |
| Key defence | "Reasonable security" — documented security programme |
Table of Contents
- Executive Summary
- What Qualifies as a Data Breach Under CCPA?
- CCPA vs CPRA: What Changed for Data Breaches?
- Notification Requirements: Who, When, and How
- Penalties and Statutory Damages
- The "Reasonable Security" Defence
- 7-Step Data Breach Response Framework
- Real-World CCPA Breach Cases
- Reducing Your Breach Liability
- Top 5 CCPA Breach Mistakes
- Conclusion: Prepare Before the Breach
Executive Summary
California's privacy laws—the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA)—include some of the most powerful data breach provisions in the United States. Unlike most state breach notification laws, CCPA creates a private right of action that allows individual consumers to sue businesses directly for data breaches.
The financial exposure is significant:
Statutory damages of $100 to $750 per consumer, per incident—regardless of whether the consumer suffered actual harm.
For a breach affecting 100,000 California residents, that's potential exposure of $10 million to $75 million in statutory damages alone—before accounting for actual damages, legal fees, regulatory penalties, or remediation costs.
This guide explains:
- What constitutes a breach under CCPA/CPRA
- When and how you must notify affected consumers
- How statutory damages are calculated
- What "reasonable security" means as a defence
- A step-by-step framework for breach response
- How to reduce your liability before and after a breach occurs
The Core Principle
CCPA's breach provisions aren't just about notification—they're about accountability. The private right of action exists because California legislators wanted to give consumers real power to hold businesses responsible for failing to protect their data. Understanding this context helps explain why the requirements are strict and the penalties are high.
Preparing for CCPA compliance? Our CPRA Compliance course covers consumer rights, data security requirements, and breach response obligations.
What Qualifies as a Data Breach Under CCPA?
Not every security incident triggers CCPA's breach provisions. The law applies specifically to:
The Legal Definition
CCPA Section 1798.150(a) creates liability when:
"Nonencrypted and nonredacted personal information... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures."
Breaking Down the Elements
| Element | What It Means |
|---|---|
| Nonencrypted and nonredacted | Data that wasn't protected by encryption or redaction at the time of the breach |
| Personal information | Specific categories defined in California Civil Code § 1798.81.5 (see below) |
| Unauthorised access | Access by someone not authorised to view or obtain the data |
| Exfiltration, theft, or disclosure | The data was actually taken or exposed—not just accessed |
| Violation of duty | The business failed to maintain "reasonable security procedures" |
What Personal Information Is Covered?
CCPA's breach provisions apply to the personal information defined in California Civil Code § 1798.81.5(d)(1)(A): an individual's first name or initial and last name, in combination with one or more of the data elements below, when the name or the data elements are not encrypted or redacted. CPRA added a second, stand-alone category: an email address or username in combination with a password or security question and answer that would permit access to the account.
| Category | Examples |
|---|---|
| Social Security number | Full SSN |
| Government ID number | Driver's license, state ID card, passport, tax ID or military ID number |
| Financial account information | Account, credit or debit card number together with the security code, access code or password needed to use it |
| Medical / health information | Medical history, health insurance policy or subscriber number |
| Biometric data | Fingerprint, retina or iris image, facial geometry used to authenticate |
| Genetic data | Results of genetic testing |
| Online account credentials (CPRA) | Email address or username plus a password, or plus a security question and answer |
On a literal reading, a name alone, an SSN with no name attached, or an account number without its access code falls outside the definition. Treat those as questions for counsel rather than as safe: other states' definitions and the broader § 1798.82 trigger may still reach them.
What's NOT Covered (No Private Right of Action)
| Scenario | Why It's Not Covered |
|---|---|
| Encrypted data breach | The private right of action reaches only nonencrypted, nonredacted data; § 1798.82 still requires notification when the encryption key or credential was acquired along with the ciphertext |
| Publicly available information | Information already lawfully available to the public |
| Non-California residents | CCPA only protects California consumers |
| No actual exfiltration | Access alone without theft/disclosure may not trigger liability |
| Reasonable security in place | If security was "reasonable," no duty was violated |
CCPA vs CPRA: What Changed for Data Breaches?
The California Privacy Rights Act (CPRA), effective January 1, 2023, amended and expanded CCPA. Here's what changed for data breaches:
Key CPRA Changes
| Area | CCPA (Original) | CPRA (Current) |
|---|---|---|
| Covered data | Personal information per Civil Code § 1798.81.5 | Same definition, but CPRA adds email + password/security question |
| Enforcement | Attorney General only | New California Privacy Protection Agency (CPPA) + AG |
| Cure period | 30 days to cure before AG action | Automatic cure period removed; implementing reasonable security after a breach expressly does not cure it |
| Audit authority | Limited | CPPA can conduct audits, especially for high-risk processing |
| Security requirements | "Reasonable security" | Same, but regulations may specify requirements |
The Critical Change: No Cure for a Breach
Under original CCPA, businesses had 30 days to "cure" a violation after notice before the Attorney General could act. CPRA removed that automatic cure period for enforcement and added, in § 1798.150(b), that implementing and maintaining reasonable security procedures after a breach does not constitute a cure of that breach.
This means:
- You cannot "fix" a breach after it happens to avoid liability; hardening afterwards is still worth doing, but it is not a cure
- A consumer still gives the business 30 days' written notice before suing for statutory damages, but that window cannot be used to undo the breach
- Prevention and preparation are the only effective strategies
Notification Requirements: Who, When, and How
Who Must Be Notified?
| Recipient | When Required | Method |
|---|---|---|
| Affected California residents | When their covered PI was, or is reasonably believed to have been, acquired by an unauthorised person | Written notice by mail or email; substitute notice (email, conspicuous website posting and statewide media) only if notice would cost more than $250,000, more than 500,000 people are affected, or contact details are insufficient |
| California Attorney General | When more than 500 California residents are notified in a single breach | Sample copy of the consumer notice submitted through the AG's online form |
| Credit reporting agencies | Not a § 1798.82 requirement; many other states' laws require it above their own thresholds, so it is usually part of a multi-state response | Written notice |
| Media | Only as part of substitute notice (above) | Notification to major statewide media |
Notification Timeline
California law requires notification in the "most expedient time possible and without unreasonable delay" — but what does that mean in practice?
| Benchmark | Guidance |
|---|---|
| Statutory language | "Most expedient time possible and without unreasonable delay" |
| Statutory deadline | None; the statute sets no day count |
| Industry practice | 30–45 days from breach discovery |
| AG expectation | Notification within 45 days is generally treated as reasonable |
| Best practice | Start the notification workstream within 72 hours of confirming a breach, in parallel with the investigation |
Exceptions That May Delay Notification
| Exception | Duration | Requirement |
|---|---|---|
| Law enforcement delay | As long as law enforcement determines that notice would impede a criminal investigation | Documented request from law enforcement; notify promptly once the agency lifts the hold |
| Scoping and containment | Time necessary to determine the scope of the breach and restore the reasonable integrity of the system | Permitted by § 1798.82 itself; you must be actively investigating, not waiting for a complete picture |
| Multi-state coordination | Not a statutory exception | Coordinating other states' filings does not justify holding California notice beyond the scoping window above |
Required Notification Content
California Civil Code § 1798.82(d) specifies the form and content of breach notices. The notice must be written in plain language, titled "Notice of Data Breach", and organised under the headings "What Happened", "What Information Was Involved", "What We Are Doing", "What You Can Do" and "For More Information". It must include:
| Required Element | Description |
|---|---|
| 1. Business contact details | Name and contact information of the business reporting the breach |
| 2. Types of PI involved | The categories of personal information reasonably believed to have been affected |
| 3. Timeline | The date, estimated date or date range of the breach, if known, and whether notification was delayed because of a law enforcement investigation |
| 4. Description of incident | A general description of what happened, where possible |
| 5. Credit reporting agency contacts | Toll-free numbers and addresses of the major credit reporting agencies, if SSNs or driver's license/ID numbers were exposed |
| 6. Identity theft prevention services | If SSNs or driver's license/ID numbers were exposed, an offer of appropriate identity theft prevention and mitigation services at no cost for at least 12 months, with instructions for enrolling |
| 7. Optional: protective steps | What the business has done to protect affected individuals, and advice on steps they can take themselves |
Sample Notification Framework
[COMPANY LETTERHEAD]
NOTICE OF DATA BREACH
Dear [Consumer Name],
We are writing to inform you of a data security incident that may have
affected your personal information.
WHAT HAPPENED
[Clear, factual description of the incident]
WHAT INFORMATION WAS INVOLVED
[Specific categories of personal information affected]
WHAT WE ARE DOING
[Steps taken to respond, investigate, and prevent future incidents]
WHAT YOU CAN DO
[Recommended steps for consumers to protect themselves]
FREE CREDIT MONITORING
[Details of credit monitoring offer, if applicable]
FOR MORE INFORMATION
[Contact details for questions]
[Company signature]
Need to build a breach response plan? Our CPRA Compliance course includes notification templates and response frameworks.
Penalties and Statutory Damages
CCPA creates three distinct penalty mechanisms for data breaches:
1. Private Right of Action (Consumer Lawsuits)
| Damage Type | Amount | Calculation |
|---|---|---|
| Statutory damages | $100–$750 per consumer, per incident | Regardless of actual harm |
| Actual damages | Greater than statutory if provable | Must demonstrate actual harm |
| Injunctive relief | Court order to change practices | As ordered by court |
| Attorney's fees | Recoverable if consumer prevails | As determined by court |
Example calculation:
| Scenario | Consumers Affected | Statutory Damages Range |
|---|---|---|
| Small breach | 1,000 | $100,000 – $750,000 |
| Medium breach | 50,000 | $5 million – $37.5 million |
| Large breach | 500,000 | $50 million – $375 million |
| Major breach | 5,000,000 | $500 million – $3.75 billion |
2. Attorney General Enforcement
| Violation Type | Penalty |
|---|---|
| Unintentional violation | Up to $2,500 per violation |
| Intentional violation | Up to $7,500 per violation |
Note: "Per violation" can mean per consumer affected, potentially multiplying penalties significantly.
3. CPPA Administrative Enforcement
The California Privacy Protection Agency (CPPA) can:
- Investigate complaints and conduct audits
- Issue administrative fines of up to $2,500 per violation, or $7,500 per intentional violation or violation involving consumers under 16
- Refer cases to the Attorney General
- Order a business to stop violating the law and to comply
Factors Courts Consider for Statutory Damages
When setting damages within the $100–$750 range, § 1798.150(a)(2) directs courts to consider the relevant circumstances, including:
| Factor | Impact on Damages |
|---|---|
| Nature and seriousness of the misconduct | More sensitive data and a worse security failure push damages up |
| Number of violations | The scale of the breach |
| Persistence and length of time | Ongoing or long-running failures push damages up |
| Willfulness | Knowing disregard of an identified risk pushes damages up |
| Defendant's assets, liabilities and net worth | Ability to pay |
In practice, the quality of the response and any history of prior incidents also shape settlement values, even though the statute does not list them.
The "Reasonable Security" Defence
The most important defence against CCPA breach liability is demonstrating that you maintained "reasonable security procedures and practices." If your security was reasonable, you haven't violated the duty—and no private right of action exists.
What Is "Reasonable Security"?
California hasn't defined "reasonable security" by statute, but guidance comes from:
| Source | Guidance |
|---|---|
| California AG | 2016 California Data Breach Report: failing to implement the CIS Controls that apply to an organisation "constitutes a lack of reasonable security"; NIST frameworks also cited |
| Court decisions | Industry-standard security practices |
| FTC enforcement | Reasonable security = risk-based approach |
| California law (AB 1950) | Security "appropriate to the nature of the information" |
The CIS Critical Security Controls
The California Attorney General's 2016 Data Breach Report named the Center for Internet Security (CIS) Controls as the benchmark for reasonable security. The Basic/Foundational/Organisational grouping below is from the 20-control version 7; the current version 8 consolidates the list into 18 controls with Implementation Groups, covering the same ground:
| Control Category | Key Controls |
|---|---|
| Basic Controls (1-6) | Inventory of hardware and software assets, continuous vulnerability management, controlled use of administrative privileges, secure configuration, audit log management |
| Foundational Controls (7-16) | Email and browser protections, malware defences, limitation of network ports and services, data recovery, secure configuration of network devices, boundary defence, data protection, controlled access on a need-to-know basis, wireless access control, account monitoring |
| Organisational Controls (17-20) | Security awareness training, application software security, incident response and management, penetration tests and red team exercises |
Building Your "Reasonable Security" Defence
| Step | Action |
|---|---|
| 1. Document your programme | Written security policies and procedures |
| 2. Implement frameworks | Adopt CIS Controls, NIST CSF, or ISO 27001 |
| 3. Conduct risk assessments | Regular evaluation of security risks |
| 4. Test your controls | Penetration testing, vulnerability scanning |
| 5. Train employees | Regular security awareness training |
| 6. Monitor and respond | Active security monitoring and incident response |
| 7. Keep records | Evidence of all security activities |
What "Reasonable Security" Is NOT
| Misconception | Reality |
|---|---|
| "We have antivirus" | A single control is not a programme |
| "We're compliant with X" | Compliance ≠ reasonable security |
| "We've never had a breach" | Past luck doesn't prove future security |
| "We're too small to be targeted" | Size doesn't affect the duty |
| "We outsourced security" | You remain responsible for vendor security |
7-Step Data Breach Response Framework
When a breach occurs, a structured response is critical. Here's a framework designed for CCPA compliance:
Step 1: Contain and Assess (Hours 0–24)
Immediate Actions:
- Isolate affected systems at the network layer (revoke credentials and tokens, block egress, quarantine hosts) rather than powering them off, so volatile memory and local logs survive for forensics
- Preserve evidence for investigation and potential litigation: snapshot disks and memory, and export logs before retention windows roll them off
- Activate your incident response team
- Begin preliminary assessment of scope
Key Questions:
- What systems were affected?
- What data may have been accessed?
- Is the breach ongoing or contained?
- Are California residents potentially affected?
Step 2: Investigate and Scope (Days 1–7)
Investigation Activities:
- Forensic analysis of affected systems
- Log review to determine access patterns
- Identify specific data elements compromised
- Determine number of consumers affected
Documentation:
- Timeline of the incident
- Systems and data involved
- Attack vector (if applicable)
- Evidence preservation chain of custody
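The scoping questions in Steps 1 and 2, and the covered-category table earlier on this page, reduce to one decision per exposed record: do the fields the attacker obtained in readable form meet the § 1798.150 definition, and how many California residents does that leave? The Go program below is an added example, not code from this page or from any tool it describes. It encodes the definition as this page presents it (name-linked elements of § 1798.81.5(d)(1)(A) plus the CPRA account-credentials category), takes a constructed list of exposures in which only fields recovered in readable form are listed, and produces the counts that drive the notification decisions (more than 500 California residents for the AG sample copy; SSN or driver's license number for the identity-theft services offer). The field names, the Exposure record and the sample data are assumptions for the example; the legal call on each flagged record stays with counsel.

```go
package main

import (
	"fmt"
	"sort"
)

// Exposure is what the investigation established for one data subject: the
// fields the attacker obtained in readable form. The caller leaves out values
// that were still ciphertext (key not taken) or redacted. Constructed data
// model for this example, not a statutory term.
type Exposure struct {
	SubjectID  string
	CAResident bool
	Readable   []string
}

// Data elements of Civ. Code § 1798.81.5(d)(1)(A). Each counts only together
// with a readable first name or initial and last name.
var nameLinkedElements = map[string]string{
	"ssn":              "Social Security number",
	"drivers_license":  "Driver's license or state ID number",
	"passport":         "Passport or other government ID number",
	"medical":          "Medical information",
	"health_insurance": "Health insurance information",
	"biometric":        "Unique biometric data",
	"genetic":          "Genetic data",
}

const (
	financialAccount   = "Financial account number with access code"
	accountCredentials = "Online account credentials (username/email + password or security Q&A)"
)

// Finding is the per-subject classification.
type Finding struct {
	SubjectID  string
	Covered    bool
	Categories []string // statutory categories triggered, sorted
	Notes      []string // readable fragments that fall short of the definition; review with counsel
}

func anyOf(set map[string]bool, keys ...string) bool {
	for _, k := range keys {
		if set[k] {
			return true
		}
	}
	return false
}

// Classify applies the § 1798.150(a)(1) definition to one exposure.
func Classify(e Exposure) Finding {
	f := Finding{SubjectID: e.SubjectID}
	set := make(map[string]bool, len(e.Readable))
	for _, k := range e.Readable {
		set[k] = true
	}
	// (A) first+last name plus one or more listed elements.
	var elems []string
	for key, label := range nameLinkedElements {
		if set[key] {
			elems = append(elems, label)
		}
	}
	// An account or card number counts only with the code or password needed to use it.
	if set["account_number"] {
		if anyOf(set, "access_code", "account_password") {
			elems = append(elems, financialAccount)
		} else {
			f.Notes = append(f.Notes, "account number exposed without access code or password")
		}
	}
	switch hasName := set["first_name"] && set["last_name"]; {
	case hasName:
		f.Categories = append(f.Categories, elems...)
	case len(elems) > 0:
		f.Notes = append(f.Notes, "listed elements exposed without first and last name")
	}
	// (B) username or email plus password or security question and answer.
	if anyOf(set, "username", "email") && anyOf(set, "password", "security_qa") {
		f.Categories = append(f.Categories, accountCredentials)
	}
	sort.Strings(f.Categories)
	f.Covered = len(f.Categories) > 0
	return f
}

// Summary carries the figures the notification decisions depend on.
type Summary struct {
	CACovered       int            // California residents with covered PI exposed
	CAReviewNeeded  int            // California residents with readable data that missed the definition
	AGSampleCopy    bool           // more than 500 California residents: submit a sample notice to the AG
	IDTheftServices bool           // SSN or driver's license/ID exposed: offer at least 12 months of services
	ByCategory      map[string]int // affected California residents per category
}

func Scope(exposures []Exposure) Summary {
	s := Summary{ByCategory: map[string]int{}}
	for _, e := range exposures {
		if !e.CAResident {
			continue // other states' statutes are scoped separately
		}
		f := Classify(e)
		if !f.Covered {
			if len(e.Readable) > 0 {
				s.CAReviewNeeded++
			}
			continue
		}
		s.CACovered++
		for _, c := range f.Categories {
			s.ByCategory[c]++
			if c == nameLinkedElements["ssn"] || c == nameLinkedElements["drivers_license"] {
				s.IDTheftServices = true
			}
		}
	}
	s.AGSampleCopy = s.CACovered > 500
	return s
}

// sampleExposures is constructed test data, not from any real incident.
func sampleExposures() []Exposure {
	return []Exposure{
		{"s1", true, []string{"first_name", "last_name", "ssn", "email"}},
		{"s2", true, []string{"email", "password"}},
		{"s3", true, []string{"first_name", "last_name", "account_number"}},
		{"s4", true, []string{"ssn"}},
		{"s5", false, []string{"first_name", "last_name", "drivers_license"}},
		{"s6", true, []string{"first_name", "last_name", "medical", "email", "security_qa"}},
	}
}

func main() {
	for _, e := range sampleExposures() {
		f := Classify(e)
		fmt.Printf("%s covered=%v categories=%v notes=%v\n", f.SubjectID, f.Covered, f.Categories, f.Notes)
	}
	fmt.Printf("%+v\n", Scope(sampleExposures()))
}
```

Records that carry readable data but miss the definition (an SSN with no name attached, an account number without its code) are counted under CAReviewNeeded rather than dropped, because other states' definitions and the broader § 1798.82 trigger may still reach them. Feeding the tool from the forensic record of which rows were actually exported, rather than from the whole table the attacker could have read, is what turns "access" into a defensible count of "exfiltration".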
Step 3: Legal Assessment (Days 3–10)
Legal Review:
- Does breach trigger CCPA notification requirements?
- Are other state laws triggered?
- What federal requirements apply (HIPAA, GLBA, etc.)?
- Is law enforcement notification required or advisable?
Privilege Considerations:
- Engage outside counsel to direct investigation
- Maintain attorney-client privilege over sensitive findings
- Consider separate tracks for legal vs. operational response
Step 4: Notification Preparation (Days 7–21)
Notification Planning:
- Draft consumer notification letters
- Prepare the AG sample-copy submission (if more than 500 Californians are notified)
- Coordinate credit reporting agency notification
- Plan media response if needed
Content Development:
- Clear, accurate description of incident
- Specific data elements affected
- Concrete steps for consumer protection
- Credit monitoring offering (if applicable)
Step 5: Notification Execution (Days 21–45)
Notification Delivery:
- Send notifications to affected consumers
- Submit AG notification via online portal
- Notify credit reporting agencies
- Issue press release if required
Communication Management:
- Staff call centre for consumer inquiries
- Prepare FAQ documents
- Monitor social media and media coverage
- Track notification delivery and responses
Step 6: Remediation (Days 30–90)
Security Remediation:
- Fix vulnerabilities that enabled the breach
- Implement additional security controls
- Update policies and procedures
- Conduct security re-assessment
Consumer Support:
- Process credit monitoring enrollments
- Respond to consumer inquiries
- Address identity theft claims
- Document all consumer interactions
Step 7: Post-Incident Review (Days 60–120)
Lessons Learned:
- Root cause analysis
- Response effectiveness assessment
- Policy and procedure updates
- Training improvements
Documentation:
- Complete incident report
- Evidence of remediation
- Updated security posture documentation
- Board/executive briefing
Real-World CCPA Breach Cases
Case Study 1: Major Retailer Settlement (2024)
| Aspect | Details |
|---|---|
| What happened | Credential stuffing attack exposed customer accounts |
| Data affected | Names, emails, encrypted passwords, purchase history |
| Consumers affected | ~1.3 million California residents |
| Settlement | $8.5 million fund + security improvements |
| Per-consumer payment | ~$50–$100 for affected consumers |
| Key lesson | Credential reuse across platforms created vulnerability |
Case Study 2: Healthcare Provider (2023)
| Aspect | Details |
|---|---|
| What happened | Ransomware attack, data exfiltration before encryption |
| Data affected | SSNs, medical records, insurance information |
| Consumers affected | ~240,000 California patients |
| Outcome | Class action lawsuit pending; offered 2 years credit monitoring |
| Key lesson | Healthcare data commands highest damages |
Case Study 3: SaaS Company (2024)
| Aspect | Details |
|---|---|
| What happened | Misconfigured cloud storage exposed customer data |
| Data affected | Business contact information, some financial data |
| Consumers affected | ~85,000 California users |
| Outcome | $2.1 million settlement, security audit required |
| Key lesson | Cloud configuration errors are a leading breach cause |
Litigation Trends
| Trend | Implication |
|---|---|
| Class action consolidation | Most CCPA breach cases become class actions |
| Early settlement pressure | Defendants often settle to avoid discovery |
| Statutory damage negotiation | Courts typically approve settlements at $50–$150/person |
| Security improvement requirements | Settlements often include mandatory security upgrades |
Learn incident response best practices. Our CPRA Compliance course covers breach response, notification requirements, and litigation preparation.
Reducing Your Breach Liability
Before a Breach: Prevention
| Action | Benefit |
|---|---|
| Implement encryption | Ciphertext stolen without its key is outside the private right of action; keys must live outside the data store for that to hold at the moment of the breach |
| Adopt security framework | CIS Controls or NIST CSF demonstrate "reasonable security" |
| Conduct regular assessments | Documented risk assessments show diligence |
| Train employees | Security awareness reduces human error breaches |
| Test your defences | Penetration testing identifies vulnerabilities before attackers |
| Minimise data collection | Less data = less exposure |
| Maintain documentation | Evidence of your security programme is your defence |
After a Breach: Mitigation
| Action | Benefit |
|---|---|
| Respond quickly | Rapid response demonstrates good faith |
| Be transparent | Clear, honest communication reduces anger and litigation |
| Offer meaningful remediation | Credit monitoring shows you take responsibility |
| Fix the problem | Demonstrable improvements may reduce damages |
| Cooperate with regulators | AG cooperation can lead to better outcomes |
| Document everything | Response quality may affect damage calculations |
Insurance Considerations
| Coverage Type | What It Covers |
|---|---|
| Cyber liability | Breach response costs, notification, credit monitoring |
| Privacy liability | Defence costs, settlements, judgments |
| Regulatory defence | AG investigation and enforcement defence |
| Business interruption | Lost revenue during incident |
| Extortion coverage | Ransomware payments (where legal) |
Top 5 CCPA Breach Mistakes
1. Assuming Encryption Solves Everything
The mistake: Believing that any encryption implementation protects against liability.
The reality: Encryption must be effective at the moment of exfiltration. Full-disk encryption and transparent database encryption (TDE) decrypt for any process or account that can query the store, so an attacker using stolen application or database credentials, or a compromised server, receives plaintext regardless of how the storage layer was configured. § 1798.82 also treats data as unencrypted when the key or credential was taken with it.
The fix: Encrypt the covered fields at the application layer with keys held in a KMS or HSM that the database cannot reach, in addition to encryption at rest and in transit. Document the key management design and which fields it protects, because that record is the evidence you will need.
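The difference between "encrypted at rest" and "still encrypted in the attacker's copy" is where the key lives. The Go program below is an added example, not code from this page or from any vendor it mentions: it encrypts a covered field with AES-256-GCM using a key fetched from a hypothetical KeyService that stands in for a KMS or HSM reachable only by the application tier, binds each ciphertext to its row ID as associated data, and then checks what a copied database actually contains. The row layout, the KeyService and the sample SSN are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// KeyService stands in for a KMS or HSM that only the application tier can
// call; the database never holds the key. Hypothetical component for this example.
type KeyService struct{ dek []byte }

func NewKeyService() *KeyService {
	k := make([]byte, 32) // AES-256 data-encryption key
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return &KeyService{dek: k}
}

func (ks *KeyService) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Row is what is written to the database: the covered field only as ciphertext.
type Row struct {
	ID     string
	Name   string // not itself a listed data element; stored in clear here
	SSNEnc string // base64(nonce || AES-GCM ciphertext+tag)
}

// EncryptField seals one value with a fresh random nonce. The row ID is bound
// in as associated data, so a ciphertext copied onto another row fails to open.
func EncryptField(ks *KeyService, rowID, plaintext string) (string, error) {
	g, err := ks.aead()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.Seal(nonce, nonce, []byte(plaintext), []byte(rowID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField is the only path back to plaintext, and it runs in the
// application next to the key service, never inside the database.
func DecryptField(ks *KeyService, rowID, enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	g, err := ks.aead()
	if err != nil {
		return "", err
	}
	if len(raw) < g.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	nonce, ct := raw[:g.NonceSize()], raw[g.NonceSize():]
	pt, err := g.Open(nil, nonce, ct, []byte(rowID))
	if err != nil {
		return "", err // wrong key, wrong row, or tampered ciphertext
	}
	return string(pt), nil
}

// DumpContainsPlaintext models an attacker reading a copied database: with
// field-level encryption the sensitive value never appears in the dump.
func DumpContainsPlaintext(rows []Row, secret string) bool {
	for _, r := range rows {
		if strings.Contains(r.Name+r.SSNEnc, secret) {
			return true
		}
	}
	return false
}

func main() {
	ks := NewKeyService()
	enc, err := EncryptField(ks, "cust-1001", "123-45-6789") // constructed sample value
	if err != nil {
		panic(err)
	}
	rows := []Row{{ID: "cust-1001", Name: "A. Example", SSNEnc: enc}}
	fmt.Println("dump contains SSN:", DumpContainsPlaintext(rows, "123-45-6789"))
	pt, _ := DecryptField(ks, "cust-1001", enc)
	fmt.Println("application read:", pt)
	_, err = DecryptField(ks, "cust-2002", enc)
	fmt.Println("ciphertext moved to another row:", err)
}
```

The fresh nonce per value means two customers with the same SSN do not share a ciphertext, so the dump leaks no equality information either. The trade-off is that the database can no longer index or search the field, which is usually the right trade for the handful of elements that carry statutory damages; anything that must stay queryable is a candidate for tokenisation or redaction instead.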
2. Delayed Notification
The mistake: Waiting too long to notify consumers while "completing the investigation."
The reality: Courts and regulators expect notification within 30–45 days. Extended delays increase liability and damage trust.
The fix: Begin notification preparation immediately upon confirming a breach. Notify what you know, with updates to follow.
3. Generic Security Claims
The mistake: Claiming you have "reasonable security" without evidence.
The reality: Courts will scrutinise your actual security practices. Generic claims without documentation are easily challenged.
The fix: Document your security programme, including policies, controls, assessments, testing, and training.
4. Ignoring California-Specific Requirements
The mistake: Treating California like any other state for breach notification.
The reality: CCPA's private right of action makes California breaches uniquely dangerous. California residents may sue directly.
The fix: Build California-specific considerations into your breach response plan.
5. Underestimating Class Action Risk
The mistake: Assuming most affected consumers won't take action.
The reality: Plaintiffs' attorneys actively seek CCPA breach cases. Even small breaches become class actions.
The fix: Prepare for class action litigation from day one of any breach affecting California residents.
Conclusion: Prepare Before the Breach
The question isn't whether your organisation will face a data security incident—it's when, and how prepared you'll be. CCPA's data breach provisions create significant financial exposure, but they also provide a roadmap for reducing that exposure:
- Implement reasonable security — The best defence is a documented, comprehensive security programme
- Encrypt sensitive data — Properly encrypted data isn't subject to the private right of action
- Prepare your response — A breach response plan enables rapid, effective action
- Know your obligations — Understanding notification requirements prevents costly delays
- Document everything — Evidence of your security practices and response is your defence
The organisations that fare best after a breach are those that invested in security before it happened, responded quickly and transparently when it did, and could demonstrate to courts and regulators that they took their responsibilities seriously.
Strategic Takeaways for 2026
| Priority | Action |
|---|---|
| Immediate | Audit your current security against CIS Controls or NIST CSF |
| Short-term | Develop or update your breach response plan |
| Medium-term | Implement encryption for all covered personal information |
| Ongoing | Conduct regular security assessments and training |
| Critical | Document all security activities for potential litigation defence |
Ready to build CCPA-compliant data protection?
CompliQuest's CPRA Compliance course covers consumer rights, data security requirements, and breach response—everything you need to protect your organisation and California consumers.