CCPA/CPRA Exposure Calculator

Estimate statutory-damages exposure under the CCPA/CPRA private right of action (Cal. Civ. Code §1798.150). Enter the number of affected California consumers; the tool shows the low and high ends of the $100–$750 per-consumer, per-incident range. These are published statutory figures (maximum exposure in private litigation), not a prediction of an actual award and not legal advice. Figures as of Jun 25, 2026 — sources.

The breach
Statutory-damages exposure: $2,500,000 – $18,750,000 for 25,000 affected California consumers, per incident.
  • Low ($100 × consumers): $2,500,000
  • High ($750 × consumers): $18,750,000
  • Per consumer (range): $100–$750

Statutory damages vs administrative penalties

Two distinct CCPA/CPRA exposures
Route | Who brings it | Amount | Modeled here?
Private right of action (§1798.150) | Affected consumers (often a class) | $100–$750 per consumer / incident | Yes
Administrative penalty | CPPA / Attorney General | $2,663 / violation ($7,988 if intentional or involving a minor) | No — shown for context
Formula:
Low exposure = consumers × $100  ·  High exposure = consumers × $750
(statutory damages per affected consumer, per incident — or actual damages, if greater)

How it works

The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), is the broadest US state privacy law, and the part with the sharpest teeth for businesses is its private right of action in Cal. Civ. Code §1798.150. Unlike most of the statute, which only the state can enforce, this section lets individual consumers sue when their non-encrypted and non-redacted personal information is exposed in a breach that results from the business's failure to implement and maintain reasonable security procedures. Crucially, a plaintiff does not have to prove out-of-pocket loss: they may recover statutory damages set by the court at between $100 and $750 per consumer per incident, or their actual damages if those are greater.

Because the damages are per consumer and require no proof of individual harm, they scale linearly and aggregate quickly. The calculation itself is just multiplication: the low end of the exposure is the number of affected California consumers times $100, and the high end is that same count times $750. The reason this matters is the class action. A breach affecting tens of thousands of Californians turns a per-person figure that looks modest into an aggregate that can reach into the tens of millions, which is why §1798.150 is the provision plaintiff firms reach for first after a security incident.

It is important to keep two different CCPA exposures apart. The statutory damages modeled here flow from private litigation. Separately, the California Privacy Protection Agency and the Attorney General can impose administrative penalties — up to $2,663 per violation, rising to $7,988 for intentional violations or those involving the personal information of minors. Those administrative penalties are a separate track, shown in the table above for context but not included in the per-consumer figure. The two can both arise from the same breach.

This estimator is informational and is not legal advice. It reproduces the published statutory range so you can understand the maximum private-litigation exposure and plan for it. It does not predict any award. In setting statutory damages between $100 and $750, §1798.150 directs the court to weigh the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which it occurred, the defendant's willfulness, and the defendant's assets, liabilities and net worth. Many cases settle for less than the gross statutory exposure, and defenses — including questions about encryption, the scope of any cure period, and standing — can reduce or eliminate it. Treat the high end as a ceiling and consult qualified privacy counsel for any real matter.

A worked example

Suppose a breach exposes the unencrypted personal information of 50,000 California consumers.

  • Low exposure = 50,000 × $100 = $5,000,000
  • High exposure = 50,000 × $750 = $37,500,000

So a single incident affecting 50,000 Californians carries statutory-damages exposure of roughly $5,000,000 to $37,500,000 before any administrative penalty, settlement discount or defense. Change the consumer count above and both ends update instantly. Remember the input is the number of in-scope California residents with unencrypted data — encryption that renders the data unreadable is a recognized way to fall outside the private right of action, which is one reason encryption appears as a cost-mitigating control in the data breach cost estimator. To size the notification bill that typically accompanies a breach, use the breach notification cost calculator; for the federal health-data framework, the HIPAA penalty estimator.

Frequently asked questions

What is the CCPA private right of action?

Cal. Civ. Code §1798.150 lets California consumers sue a business when their non-encrypted, non-redacted personal information is breached as a result of the business failing to maintain reasonable security. Plaintiffs can recover statutory damages of $100 to $750 per consumer per incident, or their actual damages if greater. This tool multiplies the number of affected California consumers by both ends of that range.

Is this the same as a regulator fine?

No — and that distinction is important. The $100–$750 figures are statutory damages in private litigation, typically pursued as a class action by affected consumers. Separately, the California Privacy Protection Agency and the Attorney General can levy administrative penalties (up to $2,663 per violation, or $7,988 for intentional violations or those involving minors). This calculator models the private-litigation exposure.

Will a court award the maximum $750 per consumer?

Not automatically. In setting statutory damages between $100 and $750, §1798.150 directs the court to consider the nature and seriousness of the misconduct, the number of violations, its persistence, the length of time it continued, the defendant's willfulness, and its assets and net worth. Many cases settle. The figures here are the published statutory range for planning; they are informational and not legal advice, and do not predict any specific award.

Does a 30-day cure period apply?

Historically the statute gave businesses 30 days to cure before an individual could seek statutory damages, but the cure provision has been narrowed over time and its scope is contested. Whether a cure opportunity applies to a given breach is a live legal question — treat the gross exposure shown here as a ceiling and consult counsel on any defenses.

Who counts as an affected consumer?

For this exposure, an affected consumer is a California resident whose non-encrypted and non-redacted personal information was subject to the breach. People outside California, and records that were encrypted or redacted, generally fall outside the §1798.150 private right of action — so the input should be the count of in-scope California residents, not your whole customer base.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.