Can I sue a company for a data breach under California law?
Yes, you can sue a company for a data breach in California under the California Consumer Privacy Act (CCPA), the Confidential Information Protection Act (CIPA), and the California Civil Code § 1798.82 — but only if your unencrypted personal information was accessed and the company failed to implement reasonable security.
What the Law Says
California provides private rights of action for data breaches primarily through two statutes: Civil Code § 1798.82 (the Data Breach Notification Law) and Civil Code § 1798.150 (the CCPA private right of action). These laws allow consumers to sue when certain types of personal information are compromised due to a business’s failure to implement reasonable security.
Under Civil Code § 1798.82, a business that owns or licenses computerized personal information must notify affected California residents if their unencrypted personal information is breached. The law defines 'personal information' narrowly — it includes first name/initial and last name combined with one of the following: Social Security number, driver’s license number, account number with access code, medical information, or health insurance information.
Civil Code § 1798.150 creates a limited private right of action for data breaches, but only if the breach involves non-encrypted and non-redacted personal information, and results from the business’s violation of its duty to implement and maintain reasonable security procedures.
Importantly, this right of action does not apply to all CCPA violations — only to qualifying data breaches. You cannot sue under § 1798.150 for other CCPA violations like failing to honor opt-out requests.
Statutory Text
Any person whose nonencrypted and nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices… may institute a civil action.
— Cal. Civ. Code § 1798.150(a)(1) — Private right of action for data breaches
Statutory Text
For purposes of this section, ‘personal information’ means an individual’s first name or first initial and last name in combination with any one or more of the following data elements…: (A) Social security number. (B) Driver’s license number… (C) Account number… (D) Medical information… (E) Health insurance information.
— Cal. Civ. Code § 1798.81.5(d)(1) — Definition of personal information
What Courts Have Said
California courts have interpreted the CCPA’s private right of action narrowly — limiting it to breaches involving specific, unencrypted personal information and requiring proof of inadequate security.
The court dismissed claims where plaintiffs alleged exposure of email addresses and passwords without showing those credentials were unencrypted or that the breach involved statutory 'personal information' like SSNs or financial data.
The court held that § 1798.150 does not extend to biometric data alone unless paired with statutory identifiers (e.g., name + SSN); standalone biometric exposure falls outside the statute’s scope.
What to Do
Confirm your data was unencrypted and matches the statutory definition (e.g., name + SSN, driver’s license, or financial account number).
Check whether the company issued a breach notice under Cal. Civ. Code § 1798.82 — this helps establish timing and facts.
Send a written notice to the business describing the claim at least 30 days before filing suit — required under § 1798.150(b).
File your lawsuit within one year of discovering the breach — the statute of limitations starts when you knew or reasonably should have known of the breach.
Consider joining a class action if others were affected — many successful data breach cases in California proceed this way.
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.