California Privacy Update: SB-1121 and the Consumer Privacy Act

As Californians gear up to vote in this week’s primary elections, the state’s businesses and voters should be aware of two separate privacy law developments: SB-1121 and the Consumer Privacy Act.

SB-1121 and Increased Liability for Data Breaches

On May 30, 2018, the California Senate recently voted to send SB-1121 to the state Assembly. The proposed amendment to the state’s current data breach laws (codified at Sections 1798.80-1798.84 of the Civil Code) would increase corporate liability for data breaches. The key provisions are as follows:

  • California “consumers,” not just “customers,” will be able to sue businesses under California’s data-breach protection laws. Under the existing rules, a California resident can only sue a business for a data breach if it provided information to the business for the purpose of buying products or services. This amendment would cover all businesses that maintain the personal data of California residents, regardless of the relationship between the business and the resident. The expansion of liability to consumers is in part responsive to the Equifax hack. In that situation, the credit agency reported that the records for about 148 million Americans were compromised, but very few of those people would be considered “customers” of Equifax.
  • California residents will be able to sue for a minimum of $200 in penalties per violation, without proof of consumer injury. This poses the risk of large-scale consumer class actions, for even minor data breaches, even where no one was harmed by the breach.
  • SB-1121 sets a 4-year statute of limitations “from the time the person discovered, or, through the exercise of reasonable diligence, should have discovered” a data privacy violation.
    Read More