Turn a Data Breach Into Cash: Your Legal Rights Under CCPA
California law lets you sue app makers for statutory damages without proving financial loss, making individual claims often more valuable than class actions.
When apps leak personal data, users have legal recourse under California's CCPA, which allows statutory damages of $100-$750 per incident without requiring proof of financial harm. Rather than automatically joining class actions, consumers can file individual demand letters and opt out of settlements to negotiate higher compensation. The strategy hinges on acting before a class is certified, and many states have similar consumer protection laws that may apply.
When that app leaked your chat log, it didn't just break your trust—it broke state law. Most people assume that unless a credit card number is stolen, they have no claim. That assumption is wrong. Under the California Consumer Privacy Act (CCPA), a breach of email addresses combined with a security question or password gives you a private right of action for statutory damages between $100 and $750 per incident per consumer, plus actual damages. No financial loss required.

The 2022 Equifax data breach offers a useful precedent. After that hack, the D.C. Attorney General’s office informed consumers that they could request an identity protection PIN from the IRS—a concrete remedy that went far beyond the usual “monitor your credit” advice. State attorneys general have real leverage: they can investigate, fine companies, and force them to pay restitution. But you don’t have to wait for a state action. You can file a complaint with your state AG’s consumer protection division and, if you act quickly, opt out of any class settlement to pursue your own individual suit.

The conventional wisdom says “join the class action; it’s free and easy.” The smarter move may be to file an individual demand letter first. Here is a script you can adapt immediately for any app that exposed your data:
To the customer service / legal department of [App Name]: I am a [user / small-business client] whose account data was exposed in the breach reported on [date]. Under California Civil Code § 1798.150 (the CCPA private right of action), I have a legal claim for statutory damages. I request a written audit of the data leaked, an explanation of the security lapse, and compensation of no less than $500 for the violation of my privacy. If I do not receive a satisfactory response within 30 days, I will refer the matter to the [Your State] Attorney General and reserve the right to sue individually.
Send it to the legal department by certified mail or tracked email. Most companies will ignore the first letter, but it creates a paper trail. Then file a complaint with your state AG’s consumer protection division—many have online portals. Include a copy of the letter and, if you have it, the breach notification from the app.

The key is to act before a class action is certified. Once a class is certified, you are automatically included unless you opt out. Opting out gives you control: you can negotiate your own settlement or file a lawsuit seeking up to $750 per violation plus attorney’s fees. For a freelancer or small-business owner who lost client trust and revenue, that individual route can be far more valuable than a pro-rata class recovery.

The CCPA is not alone; at least a dozen states have similar private rights of action. But California’s law is the clearest and most tested. Start there, even if you live elsewhere—the app’s terms of service likely include a California choice-of-law clause. If not, check whether your state has a consumer protection act that allows individual damages.

In the end, the remedy is not just a password change. It is a legal weapon you can wield without a lawyer. File the complaint, opt out of the class, and demand compensation on your own terms. That is how you turn a broken trust into a recoverable loss.