Action Needed to Stop Consumer Litigation Bill

The California Chamber of Commerce and a large coalition are working to stop a job killer proposal that will subject businesses and nonprofits to massive liability for data breaches, even if no consumer was injured and no data was actually extracted during a breach.

SB 1121 (Dodd; D-Napa) passed the Assembly Judiciary Committee on Tuesday, despite strong opposition pointing out that the drastic increase in liability would fail to provide any corresponding benefit to California consumers. The only beneficiaries would be consumer class action attorneys.

Recent amendments to SB 1121 fail to address major concerns of opponents and include confusing language that will prompt even more litigation, the CalChamber and coalition pointed out in a letter to the committee.

More Civil Liability/Penalties

SB 1121’s expansion of civil liability will be costly for businesses and nonprofit groups.

The bill imposes a minimum of $200 and a maximum of $1,000 in damages per person, per incident—without requiring any proof of consumer injury. Such damage awards would be enough to put companies out of business.

For example, a small business with just 1,000 customers that suffers a data breach will face civil liability of up to $1 million just in statutory damages.

Moreover, SB 1121 explicitly makes these new penalties cumulative to penalties that already exist in current law. If adopted, this will create a complicated overlay of state, federal, and potential new fines that will make the entity breached liable multiple times over for the same incident.

For example, the November privacy ballot initiative, if passed, would impose $1,000 in statutory damages per person, per incident of data breach. If the ballot initiative passes and SB 1121 is adopted, the small business referenced above with 1,000 customers will face civil liability for at least $2 million just in statutory damages if it suffers a data breach.

SB 1121 also vastly expands the scope of who can sue companies for data breaches. Under current law, a California customer who has been injured by a data breach can bring a lawsuit to recover.

In addition to removing the injury requirement, SB 1121 creates a new, private right of action for any consumer whose data has been breached. Even non-California residents will be able to sue the state’s businesses and nonprofits.

‘Shakedown Lawsuits’

SB 1121 will cause “shakedown” data breach lawsuits as businesses and nonprofits faced with the risk of such massive damages are leveraged into immediate settlement—regardless of the strength of their defense.

The bill is an attempt to bypass the will of the voters, who approved Proposition 64 in 2004 by an 18-point margin. Proposition 64 limits private lawsuits against businesses under the state’s Unfair Competition Law (UCL) to individuals who have actually been injured.

Existing Requirements

Businesses and nonprofits already have significant incentives to prevent data breaches, which already result in private and public lawsuits, as well as enforcement actions.

Current law requires companies to immediately report a data breach to California consumers—even if no harm has been detected. (Many states require a showing of harm to trigger their data breach reporting requirement.)

Once reported, news of a data breach results in damage to a company’s relationship with its customers, as well as its brand and its reputation. It also opens a company up to UCL lawsuits by customers who can allege injury.

Moreover, if a data breach involves more than 500 California consumers, businesses and nonprofits must report the breach immediately to California’s Attorney General. This means the reporting businesses and nonprofits may be subjected to a civil enforcement action brought by the Attorney General or another government enforcement agency.

Finally, current law already requires businesses that have been breached to provide free identity theft and mitigation measures, like credit reporting services, to their customers for at least one year.

Key Vote

The June 19 vote in Assembly Judiciary was 6-3:

Ayes: M. Stone (D-Scotts Valley), Chiu (D-San Francisco), Gonzalez Fletcher (D-San Diego), Holden (D-Pasadena), Kalra (D-San Jose), Reyes (D-Grand Terrace).

Noes: Cunningham (R-Templeton), Kiley (R-Granite Bay), Maienschein (R-San Diego).

No vote recorded: Chau (D-Monterey Park).

Action Needed

SB 1121 will be considered next by the Assembly Privacy and Consumer Protection Committee.

The CalChamber is asking members to contact their Assembly representatives and members of Assembly Privacy and Consumer Protection to urge them to oppose SB 1121.

For an easy-to-edit sample letter, visit

Staff Contact: Sarah Boot

Sarah R. Boot served as a CalChamber policy advocate from March 2018 to December 2019. She specialized in privacy/technology, telecommunications, economic development, and taxation issues. Before joining CalChamber, Boot was a top adviser to now-Senate President Pro Tem Toni G. Atkins, serving as the senator’s legislative director and as lead staffer on legal, privacy, telecommunications, business, and technology issues, among many others. Boot also was principal consultant to Atkins during her time as Assembly Speaker and Speaker Emeritus. For three years, Boot was an assistant U.S. attorney in the Southern District of California. She prosecuted a broad array of federal crimes, including bank robbery, sex trafficking of minors, and narcotics trafficking. In private practice, Boot spent three years litigating complex civil and intellectual property litigation, primarily representing Internet and technology companies. Boot earned her J.D. from the University of Michigan Law School. She graduated from the University of Michigan with an honors degree in political science and a minor in Spanish.