California Data Breach Notification Law

Notification deadline: Most expedient time possible (typically interpreted as 72 hours)

Enforcement: California Attorney General, California Privacy Protection Agency

Overview

California was the first state to enact a data breach notification law in 2002. The law requires businesses to notify California residents when their unencrypted personal information has been acquired by an unauthorized person. California also has additional requirements under the CCPA/CPRA for consumer data rights.

Who Must Be Notified

• • Affected California residents
• • California Attorney General (if 500+ residents affected)

Covered Data Types

Social Security number, Driver's license or state ID number, Financial account numbers with access codes, Medical/health information, Health insurance information, Biometric data, Online account credentials, Passport number, Taxpayer ID

Notification Requirements

• • Must be written in plain language
• • Must include: what happened, what information was involved, what you're doing about it
• • Must include contact information
• • If breach involves credentials, must direct users to change passwords
• • Must offer 12 months of free identity theft protection if SSN exposed

Exemptions

• • Encrypted data (if encryption key not compromised)
• • Publicly available information
• • HIPAA-covered entities (follow HIPAA instead)

Penalties

Civil penalties up to $7,500 per violation under CCPA/CPRA. Private right of action allows affected consumers to sue for $100-$750 per consumer per incident, or actual damages.