John, a California resident, receives notification that a major corporation with $500 million in annual revenue has experienced a data breach. John’s personal information in their possession has been stolen, including his full name and social security numb. John also learns that the corporation did not have reasonable cybersecurity measures in place to safeguard his personal information.
Which of the following answers most accurately reflects John’s ability to pursue a legal claim against the corporation under the California Consumer Privacy Act (CCPA)?
A. John has no right to sue the corporation because the CCPA does not address any data breach rights.
B. John cannot sue the corporation for the data breach because only the state’s Attoney General has authority to file suit under the CCPA.
C. John can sue the corporation for the data breach but only to recover monetary damages he actually suffered as a result of the data breach.
D. John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm.
Answer: C