Study Guide: Certified Information Privacy Professional (CIPP): US - Private Right of Action Under State Laws, CCPA, BIPA
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-private-right-of-action-under-state-laws-ccpa-bipa

Certified Information Privacy Professional (CIPP): US - Private Right of Action Under State Laws, CCPA, BIPA

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

The private right of action is a statutory provision that lets individuals sue a company directly when a privacy law is violated, rather than relying solely on enforcement agencies. In the U.S., several state statutes—most notably the California Consumer Privacy Act (CCPA/CPRA) and the Illinois Biometric Information Privacy Act (BIPA)—grant consumers the ability to bring civil actions for certain harms (e.g., data breaches, unlawful biometric collection).

Real-world scenario: A California-based e-commerce retailer uses facial-recognition kiosks in its stores without posting a conspicuous notice or obtaining a written release. A shopper discovers her biometric data was captured and later sold to a marketing firm. Under BIPA, she can file a private lawsuit for statutory damages, while the retailer could also face a CCPA-based action for failing to provide the required notice and opt-out rights.


Key Terms & Provisions

  • California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA): California law (effective 2020, amended 2023) that gives consumers rights to know, delete, and opt out of the sale of personal information. It creates a private right of action for statutory damages when a non-encrypted or non-redacted breach occurs.
  • Biometric Information Privacy Act (BIPA): Illinois statute (740 ILCS 14/1 et seq.) requiring a written notice and a written release before collecting, storing, or disclosing biometric identifiers (e.g., fingerprints, facial scans). Violations trigger a private right of action with $1,000–$5,000 per negligent violation and $5,000–$25,000 per reckless/intentional violation.
  • Statutory Damages: Pre-determined monetary awards set by law, not tied to actual harm. In BIPA, each separate collection or disclosure can be a distinct violation, potentially multiplying damages.
  • Data Breach Exception (CCPA): A private right of action only applies if the breach involves personal information that was not encrypted or redacted at the time of the incident.
  • “Sale” of Personal Information (CCPA/CPRA): Any disclosure of personal information to a third party for monetary consideration. The definition is broad; even sharing data with a service provider for a fee can be a “sale.”
  • Written Release (BIPA): A signed, informed consent that must be obtained before any biometric data is captured, stored, or transmitted. The release must describe the purpose and duration of the collection.
  • Opt-Out Mechanism (CCPA/CPRA): Consumers must be given a clear, free method (e.g., a “Do Not Sell My Personal Information” link) to prevent the sale of their data. Failure to provide a functional opt-out can trigger private actions.
  • Reasonable Security Measures (BIPA & CCPA): Both statutes require entities to implement safeguards (encryption, access controls). Lack of reasonable security can be the basis for a breach-related private action.
  • Pre-Litigation Notice (BIPA): Some courts require a notice of intent to sue before filing a BIPA claim, but the requirement varies by jurisdiction and case law (e.g., Rogers v. BNSF Railway).
  • Attorney’s Fees & Costs: Both CCPA and BIPA allow prevailing plaintiffs to recover attorneys’ fees, making private actions financially attractive for consumers and class-action firms.

Step-by-Step / Process Flow

  1. Identify the Trigger – Receive a complaint, breach notice, or discover a biometric collection practice.
  2. Assess Applicability – Determine whether the activity falls under CCPA (California consumer, personal information, sale) or BIPA (Illinois resident, biometric identifier).
  3. Verify Compliance Controls
     • For CCPA: confirm encryption/redaction status, opt-out availability, and privacy notice adequacy.
     • For BIPA: check for a written release, notice of purpose, and secure storage.
  4. Document Findings – Log the date, systems examined, and any gaps. This documentation is critical if a private lawsuit is filed.
  5. Remediate Immediately
     • Encrypt or redact exposed data (CCPA).
     • Halt biometric collection until a proper release is obtained (BIPA).
  6. Prepare for Litigation
     • Preserve all relevant records (emails, consent forms, logs).
     • Coordinate with legal counsel to evaluate potential damages and defense strategies.

Common Mistakes

  • Mistake: Assuming “opt-out” only applies to online ads.
    Correction: CCPA/CPRA requires an opt-out for any sale of personal information, including data shared with analytics or fulfillment partners.

  • Mistake: Believing a single biometric scan equals one violation under BIPA.
    Correction: Each collection, disclosure, or sale is a separate violation; multiple scans per employee can multiply damages dramatically.

  • Mistake: Relying on “reasonable security” as a vague defense.
    Correction: Document concrete safeguards (encryption algorithms, access logs) because courts evaluate reasonableness against industry standards.

  • Mistake: Ignoring the breach-related private right of action if the data was encrypted.
    Correction: Even if encrypted, failure to reasonably encrypt (e.g., using outdated algorithms) can still be deemed non?compliant.

  • Mistake: Assuming BIPA applies only to “high-tech” companies.
    Correction: Any entity that captures biometric data—schools, gyms, employers—must comply, regardless of industry.


CIPP Exam Insights

  1. Statutory vs. Regulatory Remedies – Exams often ask you to differentiate the private right of action (consumer-initiated) from enforcement actions by the Attorney General (CCPA) or the Illinois Attorney General (BIPA).
  2. Scope of “Sale” – Remember that the CCPA’s definition of “sale” is broader than a traditional transaction; sharing data for a service fee can trigger the private right.
  3. BIPA’s “Written Release” Requirement – A frequent test point: the release must be informed and specific (purpose, duration, and retention). A generic privacy policy does not satisfy BIPA.
  4. Damages Calculation – Be ready to calculate potential exposure: BIPA’s per-violation caps ($1,000–$5,000 negligent; $5,000–$25,000 reckless) versus CCPA’s $100–$750 per consumer per incident (or $2,500 for statutory damages).

Quick Check Questions

  1. Question: A California retailer experiences a breach of encrypted customer data. Can a consumer sue under the CCPA’s private right of action?
    Answer: No. The private right only applies when the breached data was not encrypted or redacted at the time of the breach.

  2. Question: An Illinois university collects fingerprint scans for library access without a signed release. A student sues. What statutory damages could the university face per scan if the court finds the violation reckless?
    Answer: $5,000–$25,000 per scan. BIPA imposes $5,000 for negligent and $25,000 for reckless violations per biometric identifier collected.

  3. Question: A California-based SaaS provider shares user data with a third-party analytics firm for $0.01 per record. Does this constitute a “sale” under CCPA?
    Answer: Yes. Any monetary consideration for personal information, even a nominal fee, meets the CCPA’s definition of “sale,” triggering opt?out and potential private actions.


Last-Minute Cram Sheet (10 One-Liners)

  1. CCPA Private Action: Only for unencrypted or unredacted breaches of personal information.
  2. CCPA Statutory Damages: $100–$750 per consumer per incident; up to $2,500 for statutory damages if no actual injury.
  3. BIPA Per-Violation Caps: $1,000–$5,000 (negligent) / $5,000–$25,000 (reckless/intended) per biometric collection, disclosure, or sale.
  4. BIPA Written Release: Must be informed and specific—generic privacy policies do not satisfy the requirement.
  5. CCPA “Sale” Definition: Any transfer of personal information for monetary consideration, even a service fee.
  6. Opt-Out Requirement (CCPA/CPRA): Must be a conspicuous “Do Not Sell My Personal Information” link on the homepage.
  7. Reasonable Security (BIPA): Courts look at industry-standard encryption, access controls, and retention policies.
  8. Attorney-General Enforcement (CCPA): AG can bring actions in addition to private lawsuits; private right is not exclusive.
  9. BIPA Pre-Litigation Notice: Some courts (e.g., Rogers v. BNSF) require a notice of intent before filing, but it’s not uniform across Illinois.
  10. Statutory Damage Aggregation: In BIPA, each biometric capture can be a separate violation—damages can quickly reach millions.