Virtually every company operating in California is covered by the California Data Breach Law. The law requires businesses to protect personal information and follow a strict process for reporting data breaches.
Even if you haven't experienced a data breach (yet), it's important to understand the law so you'll be prepared if (or when) this happens.
This article explains how the California Data Breach Law applies, what it requires, and how it interacts with other important California and federal privacy laws.
1. What are the Data Breach Laws in California?
2. Who is Covered by the California Data Breach Law?
3. Who is Exempt From the California Data Breach Law?
4. What is "Personal Information" Under the California Data Breach Law?
5. What is a "Data Breach" Under the California Data Breach Law?
6. When Must California Residents Be Notified of a Data Breach Under the California Data Breach Law?
7. What's the Notification Deadline Under the California Data Breach Law?
8. When Must You Notify the Attorney General Under the California Data Breach Law?
9. What Should You Include in Your Breach Notification Under the California Data Breach Law?
10. How Must You Notify California Residents of a Data Breach Under the California Data Breach Law?
11. What is the Notification Process for Email or Account Credential Breaches Under the California Data Breach Law?
12. Is There an Obligation to Maintain Reasonable Security Under the California Data Breach Law?
13. What are the Penalties for Violating the California Data Breach Law?
14. Summary of the California Data Breach Law
What are the Data Breach Laws in California?
This article focuses on California's main data breach law, informally called the "California Data Breach Law", which sits at Sections 1798.80 to 1798.84 of the California Civil Code.
California has another data breach law, at Section 1280.15 of the California Health and Safety Code. That law applies to clinics and healthcare facilities regulated by the California Department of Public Health (CDPH).
The California Consumer Privacy Act (CCPA) also has implications for data security and breach notification, which we'll explain towards the end of the article.
Who is Covered by the California Data Breach Law?
Different parts of the California Data Breach Law apply slightly differently. We'll focus on the law's impact on "businesses," which includes non-profits in this context.
According to Section 1798.82, you're covered by the California Data Breach Law if:
- You conduct business in California
- You own or license computerized data, and
- The computerized data includes personal information
Essentially, you "own" or "license" data if you use it to directly conduct transactions with a consumer.
Parts of the law also apply to companies that "maintain" but don't "own" personal information. Such companies typically provide services to other businesses (for example, cloud services providers and data analytics companies).
The law applies regardless of whether your business has any physical presence in California or the United States.
Who is Exempt From the California Data Breach Law?
The following types of organizations are exempt from the California Data Breach Law:
- Healthcare providers subject to the Confidentiality of Medical Information Act
- Financial institutions subject to the California Financial Information Privacy Act
- Covered entities under the federal Health Insurance Portability and Accountability Act (HIPAA)
- Entities that obtain information via an agreement under Article 3 of the Vehicle Code and that are subject to that law's confidentiality requirements
- Businesses that are subject to a state or federal law that provides greater personal information protection than the California Data Breach Law
The law also applies differently to consumer credit agencies and state agencies.
What is "Personal Information" Under the California Data Breach Law?
The California Data Breach Law defines two types of personal information.
The first type of personal information is an individual's first name or first initial and last name, in combination with any one or more "data elements," when either the name or the data elements are not encrypted or redacted.
Here are the "data elements":
- Social security number
- Driver's license number
- California identification card number
- Tax identification number
- Passport number
- Military identification number
- Other unique identification number issued on a government document
- Account number or credit or debit card number, in combination with any other information required to access an individual's financial account
- Medical information
- Health insurance information
- Unique biometric data
- Information or data collected via an automated license plate recognition system
- Genetic data
The second type of personal information is "a username or email address in combination with a password or security question and answer that would permit access to an online account."
Information that has been lawfully made available to the general public via government records doesn't count as personal information.
What is a 'Data Breach' Under the California Data Breach Law?
The California Data Breach Law calls a data breach a "breach of the security of the system."
Here are the elements of a "breach of the security of the system":
- It is the unauthorized acquisition of computerized data
- It compromises the "security, confidentiality, or integrity" of personal information
- It is not "good faith acquisition" of personal information by an employee or agent
When Must California Residents Be Notified of a Data Breach Under the California Data Breach Law?
You must notify any California resident about a data breach if:
- Their personal information has been acquired by an unauthorized person, or
- Their personal information is reasonably believed to have been acquired by an unauthorized person
This requirement does not apply if the personal information was encrypted, unless:
- The encryption key or security credential has been (or is reasonably believed to have been) acquired by an unauthorized person, and
- You reasonably believe that the key or credential could render the information "readable or usable"
So, if the personal information is encrypted and the key is secure, you won't need to notify anyone about the breach.
Here's what the law says about the separate duty of a business that holds data on another party's behalf following a breach of the security of the system:
A business that maintains personal information that it does not own must notify the owner or licensee of the personal information immediately following discovery of the breach:
What's the Notification Deadline Under the California Data Breach Law?
Once you discover a breach (or suspected breach), you must notify individuals "in the most expedient time possible" and "without unreasonable delay."
These terms are not defined under California law. But essentially: Don't delay. Get your breach notification out as quickly as you reasonably can.
There are two exceptions.
First, if a law enforcement agency determines that the notification will "impede a criminal investigation," you can wait as long as the agency requires. Once the law enforcement agency gives you the green light for notification, you must make the notification "promptly."
Second, you can delay notification if you need to take measures to "determine the scope of the breach and restore the reasonable integrity of the system."
In other words: You can give notification after you've figured out whose personal information has been affected or after you've fixed any immediate vulnerabilities that caused the breach.
When Must You Notify the Attorney General Under the California Breach Law?
Under certain circumstances, you must notify the California Attorney General as well as the affected California residents.
If you provide breach notification to more than 500 California residents, you must submit a single sample copy of the notification (after removing any personally identifiable information) to the California Attorney General.
You must use this form to notify the Attorney General. There's no explicit deadline for notifying the Attorney General.
What Should You Include in Your Breach Notification Under the California Data Breach Law?
California is very specific about how a breach notification letter should look, both in terms of its form and its contents.
Your notification must:
- Be written in plain language
- Be designed to draw the reader's attention
- Contain a clear and conspicuous title and headers
- Use a font size of at least 10 points
The notification must use the following format:
- The title must be: "Notice of Data Breach"
- The notice must include the following headings:
  - "What Happened"
  - "What Information Was Involved"
  - "What We Are Doing"
  - "What You Can Do"
  - "For More Information"
The law itself provides a template form you can use to meet these requirements.
You must include the following information under the appropriate headings:
- A name and contact information for your business
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach
- If possible, either:
  - The date of the breach
  - The estimated date of the breach, or
  - The date range within which the breach occurred
- The date of the notice
- If possible:
  - Whether notification was delayed as a result of a law enforcement investigation
  - A general description of the breach incident
- If the breach involved a social security number, driver's license number, or California ID card number: the toll-free phone numbers and addresses of the major credit reporting agencies
You might also have to offer residents free identity theft services for 12 months. You only have to offer identity theft services if:
- Your business was "the source of the breach," and
- The breach exposed or may have exposed the resident's:
  - Social security number
  - Driver's license number
  - California identification card number
  - Tax identification number
  - Passport number
  - Military identification number
  - Other unique identification number issued on a government document commonly used to verify the identity of a specific individual
If this section applies, your notification letter should provide all the information the consumer needs to take advantage of your offer.
Finally, the law lists some optional information your notice can also include.
If you wish to do so, you can also provide:
- Information about what you've done to mitigate the breach
- Advice on any steps that residents can take
- If the breach involves biometric data, how residents can notify other organizations that use the same biometric data about the breach
How Must You Notify California Residents of a Data Breach Under the California Data Breach Law?
Once you've written your breach notification, there are further rules about how you deliver the letter to residents.
This section does not apply if the breach only involves email or account credentials. We'll cover that below.
California law recognizes three main types of "notice."
You may give notification via the following methods:
- Written notice (via mail)
- Electronic notice, as long as you can meet the requirements under 15 USC § 7001, which requires businesses to obtain consent for certain electronic communications (with certain exceptions)
- Substitute notice (under certain conditions), which consists of all of the following:
  - Emailing residents (if you have their email address)
  - Posting the breach notification on your website for at least 30 days, with a conspicuous link to the notice on your home page
  - Notifying major statewide media
You may only give "substitute notice" if you can demonstrate that at least one of the following applies:
- Providing individual notice would cost more than $250,000
- You need to notify more than 500,000 residents
- You don't have enough contact information to notify individual residents
What is the Notification Process for Email or Account Credential Breaches Under the California Data Breach Law?
The rules are different if the breach only involves usernames or email addresses, in combination with any required password or security question and answer.
If the breach involves only account credentials, you don't need to follow the exact form and method requirements described above. You can notify the person "in electronic or other form" that they must change their password or security question.
If the breach involves only email account credentials, you must not notify any individual via a compromised email address. You can notify them via one of the other methods above, or via their online account if they are logged in from a known IP address or location.
Is There an Obligation to Maintain Reasonable Security Under the California Data Breach Law?
The California Data Breach Law also requires businesses to take steps to prevent data breaches in the first place.
If you own or license California residents' personal information, you must implement and maintain "reasonable security procedures and practices appropriate to the nature of the personal information."
If you disclose California residents' personal information to a third party that isn't subject to the above requirement, you must require that third party to apply reasonable security procedures and practices via contract.
What's "reasonable"? The law doesn't say. However, in 2016, then-California Attorney General Kamala Harris said:
"The 20 controls in the Center for Internet Security's Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet."
What are the Penalties for Violating the California Data Breach Law?
If you violate the California Data Breach Law, you might get sued.
The law provides a "private right of action" which means California residents have the explicit right to recover any damages they incur as a result of a business violating the law.
If you're covered by the California Consumer Privacy Act (CCPA), enforcement gets a lot more serious.
The CCPA cross-references the California Data Breach Law. The CCPA's "private right of action" allows consumers to sue businesses that fail to protect their personal information (as defined under the California Data Breach Law, rather than the CCPA).
Under this CCPA provision, consumers can sue a CCPA-covered business to recover their "actual damages" plus extra "statutory damages" of between $100 and $750 per consumer, per violation.
And unlike the California Data Breach Law, the CCPA is enforced by two regulators, the California Attorney General and the recently-established California Privacy Protection Agency (CPPA), either of which can impose civil penalties of between $2,500 and $7,500 per violation.
Summary of the California Data Breach Law
The California Data Breach Law directly applies to anyone doing business in California who owns or licenses computerized personal information, unless they fall under an exemption.
There are two broad types of "personal information" under the law:
- A person's name in combination with one or more specified "data elements"
- Online or email account credentials
You must notify any California resident whose personal information was subject to a "breach of the security of the system," which involves the unauthorized acquisition of a California resident's personal information.
If you have to notify more than 500 California residents, you must also notify the California Attorney General.
You can provide breach notification in writing, or electronically under certain conditions. In the event of a very large breach, you might be able to post a breach notification on your website and via statewide media instead.
The law provides very specific requirements for the content of your breach notification, which must explain certain aspects of the breach. You must also maintain reasonable security procedures and practices to protect personal information.
If you violate the law, you might get sued.