You cannot sue businesses for most CCPA violations. You can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances. You can sue a business if your nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. Before suing, you must give the business written notice of which CCPA sections it violated and allow 30 days to respond in writing that it has cured the violations and that no further violations will occur. If the business is able to actually cure the violation and gives you its written statement that it has done so, you cannot sue the business, unless it continues to violate the CCPA contrary to its statement.

For all other violations of the CCPA, only the Attorney General or the California Privacy Protection Agency may take legal action against non-compliant entities. The Attorney General does not represent individual California consumers. Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California. If you believe a business has violated the CCPA, you may file a consumer complaint with the Office of the Attorney General. If you choose to file a complaint with our office, explain exactly how the business violated the CCPA, and describe when and how the violation occurred. Please note that the Attorney General cannot represent you or give you legal advice on how to resolve your individual complaint. Starting on July 1, 2023, you also will be able to file complaints with the California Privacy Protection Agency for violations of the CCPA, as amended, occurring on or after that date.