In 2003, California was the first state to enact a data breach reporting statute. The state continues its trend of being a leader in privacy regulation by enacting a new law that provides residents with stronger data protections and exposes companies to new liabilities.
On October 8, California Governor Jerry Brown approved Senate Bill 178, known as the California Electronic Communications Privacy Act (CalECPA). This landmark law requires any state law enforcement agency or other investigative entity to obtain a search warrant or wiretap before accessing private communications and location data stored on smartphones, tablets, and other digital devices. The enactment of CalECPA came after three years of Brown refusing to sign similar versions of the law due to his concern that it could impede ongoing criminal investigations.
CalECPA is the most comprehensive privacy law of any of the states as it covers digital content, metadata, location data, and searches of devices. CalECPA even requires a stricter standard than the federal Electronic Communications Privacy Act (“ECPA”), which requires a warrant only for digital content that is less than 180 days old.
While providing California residents with greater protection, plaintiffs may try to use CalECPA for new class action lawsuits. For example, lawsuits arising from the scanning and analyzing of users’ communications for business practices such as spam filtration and targeted advertising have previously been filed pursuant to the federal ECPA. Because CalECPA provides a more stringent standard than the federal ECPA, the new law could be attractive to similar class action plaintiffs.
With CalECPA slated to take effect on January 1, 2016, California continues to be at the forefront of digital privacy not only among the states, but also at the federal level.