Abstract: Against the backdrop of increasing personal information breach, the United States has begun to use the unjust enrichment rules to remedy victims. Under the traditional path of tort relief, victims often find it difficult to obtain relief due to disputes over the determination of damages; even if the concept of “risk-based damage” is introduced, its theoretical flaws hinder practical application, including suppressing individual freedom of behavior, confusing the risk of damage occurrence with the risk of damage expansion, confusing risk prevention with risk damage compensation, and not complying with the “cost benefit” principle. US precedents indicate that the improper use of personal information by personal information processors constitutes “positive” unjust enrichment; the theories of overpayment and business opportunity can also be used to identify security fees improperly withheld by personal information processors as “negative” unjust enrichment; Its reasoning path also has applicability in China. Compared with tort relief, the path of unjust enrichment relief has obvious advantages, because identifying the loss of unjust enrichment is easier than identifying the damage of infringement; the amount of unjust enrichment returned shall not be limited by the principles of filling in and prohibiting enrichment; when significant downstream damage occurs, the victim can also request infringement compensation at the same time. In judicial practice, unjust enrichment can be flexibly determined according to different situations, and consumer civil public interest litigation can be used for reference to properly distribute the returned benefits among unspecified groups of victims.