California Privacy Update: SB-1121 and the Consumer Privacy Act

As Californians gear up to vote in this week’s primary elections, the state’s businesses and voters should be aware of two separate privacy law developments: SB-1121 and the Consumer Privacy Act.

SB-1121 and Increased Liability for Data Breaches

On May 30, 2018, the California Senate recently voted to send SB-1121 to the state Assembly. The proposed amendment to the state’s current data breach laws (codified at Sections 1798.80-1798.84 of the Civil Code) would increase corporate liability for data breaches. The key provisions are as follows:

  • California “consumers,” not just “customers,” will be able to sue businesses under California’s data-breach protection laws. Under the existing rules, a California resident can only sue a business for a data breach if it provided information to the business for the purpose of buying products or services. This amendment would cover all businesses that maintain the personal data of California residents, regardless of the relationship between the business and the resident. The expansion of liability to consumers is in part responsive to the Equifax hack. In that situation, the credit agency reported that the records for about 148 million Americans were compromised, but very few of those people would be considered “customers” of Equifax.
  • California residents will be able to sue for a minimum of $200 in penalties per violation, without proof of consumer injury. This poses the risk of large-scale consumer class actions, for even minor data breaches, even where no one was harmed by the breach.
  • SB-1121 sets a 4-year statute of limitations “from the time the person discovered, or, through the exercise of reasonable diligence, should have discovered” a data privacy violation.The senate vote on SB-1121 passed by a narrow 21-13 majority, just one vote above the 21-vote threshold for passing the bill. Opposition to SB-1121 is fierce, and it remains to be seen whether the bill will face amendments in the Assembly.

The Consumer Right to Privacy Act

In early May, 2018 the group “Californians for Consumer Privacy” collected over 600,000 signatures for the Consumer Right to Privacy Act (CRPA), twice the number needed to qualify for the November 2018 ballot. The key provisions of this ballot initiative are as follows:

  • California consumers would have the “right to know” the categories of information a business has collected about them or their children, and the names and contact information of third parties to whom a business has sold or disclosed personal information. Consumers will be able to make these “right to know” requests on an annual basis.
  • Consumers will have the option to ask businesses to stop selling their personal information upon a consumer’s request, and businesses will not be able to modify, deny, or charge more for services based on a consumer’s opt-out or “right to know” request.
  • Similar to SB-1121, the CRPA would allow California consumers the ability to sue, without proof of injury. Consumers can bring an action for statutory damages for a minimum of $1,000 for each violation. The CRPA also provides for enforcement by the Attorney General, whereby businesses could be liable for up to $2,500 per violation, and in the case of intentional violations, up to $7,500 per violation.
  • The ballot initiative would apply to businesses that (i) have a gross revenue over $50 million, (ii) annually sell the personal information of 100,000 or more consumers or devices, or that (iii) derive more than 50% of its annual revenue from selling consumer’s personal information.

These twin proposals by the California legislature and California residents highlights the state’s growing appetite for privacy regulation. Given the potential penalties and operational costs of these two proposed laws, companies that do business in California should closely follow SB-1211 and CRPA’s developments.