California

This database currently includes breach statutes for a business that collects personal information. This database is for informational purposes only and may not be up-to-date.

Last Updated: California breach law summary was last updated on 06/26/2017
Statute: Cal. Civ. Code §§ 1798.82 et seq.
Covered Entities: "Business" means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution, and an entity that disposes of records.
Covered Information: "Personal Information" includes EITHER: First Name (or First Initial) and Last Name PLUS one of the following:
  • Social security number
  • Driver's License number or state issued ID card number
  • Account number, Credit Card number, or Debit Card number combined with any Security Code, Access Code, PIN, or Password needed to access an account
  • Medical information
  • Health insurance information
  • Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
OR
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Form of Information: Electronic
Breach Trigger: A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.
Encryption Safe Harbor: No. A person or business shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.
Risk of Harm Analysis: None.
Consumer Notice: A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California
Government Agency Notice: Yes. More than 500 residents. A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
Credit Agency Notice: The security breach notification shall include, at a minimum: The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver's license or California identification card number.
Penalties: None. Allows a private cause of action.
Private Cause of Action: Yes. 1798.84(b) Any customer injured by a violation of this title may institute a civil action to recover damages.