
That's actually one of the features of CCPA. If there's a data breach, the company can be sued by each affected individual for $100-$750.

This is entirely separate from strict liability, though. The main issue is damages. Even if a company is strictly liable, they are only liable for the dollar value of damages caused by the data breach. And your data privacy has a dollar value of zero dollars until a law like CCPA says otherwise.

Under current legal theory, if your data is stolen, you can sue a company for the cost of identity theft that is provably caused by that data breach. But if you are not the victim of identity theft (or if you are, but can't connect that to the data breach in a court of law), then you don't have damages. A company has nothing to fear from strict liability if they are liable for zero damages.

tl;dr CCPA addresses a severe problem in the existing system.



According to [1], one of the requirements for statutory damages is negligence. (The other two are very narrow definitions of private data and that it must be nonencrypted and nonredacted.)

> “a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

[1] https://www.natlawreview.com/article/data-breaches-and-damag...



