Private Right of Action
Definition
The ability of individual consumers to file lawsuits directly against businesses for privacy violations, rather than relying on the state attorney general to enforce the law. Most state privacy laws do NOT include a private right of action. California's CCPA has a limited private right of action only for data breaches.
Legal Definition
Under the CCPA (Cal. Civ. Code 1798.150): consumers may bring a civil action for unauthorized access, theft, or disclosure of nonencrypted or nonredacted personal information resulting from a business's failure to implement reasonable security measures. Damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
State Laws Using This Term
Practical Example
A retailer suffers a data breach because it failed to encrypt customer Social Security numbers. Affected consumers can file a class action lawsuit under the CCPA seeking $100-$750 per person without needing the AG to bring the case.
Related Terms
Frequently Asked Questions
Which states have a private right of action for privacy violations?
California has a limited private right of action for data breaches under the CCPA. Minnesota's MCDPA includes a private right of action. Most other states rely exclusively on attorney general enforcement, which is a deliberate choice to limit litigation exposure for businesses.