
California Data Breach Notification Law

by John DiGiacomo

Partner

Data Breach

California law takes the privacy of its residents seriously. Privacy is an inalienable right guaranteed to California residents by the California Constitution. California was the first state to enact laws protecting the rights of its residents to be notified of data security breaches.

When it comes to data breaches in California, state agencies and businesses have a duty to protect customer information. California residents who are victims of a data breach have a right to be notified if their unencrypted data was exposed.

Under California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a), state agencies and businesses have an obligation to notify California residents who have been the victim of an unencrypted data security breach.

Who is Protected Under the California Data Breach Notification Law?

California’s data breach notification laws protect all Californians. Employees, consumers and residents of the Golden State are protected under these laws. Since California businesses and state agencies are required to notify all California residents of a data security breach, many non-residents are incidentally also notified of the data security breach as a byproduct of these laws.

What is Personal Information?

For the purposes of the California data breach notification law, “personal information” includes a person’s first name or first initial and the person’s last name, in conjunction with any of the following additional data elements:

  • The person’s social security number.
  • A driver’s license or California identification card number.
  • The person’s medical information or health insurance information.
  • A person’s account, credit card number, or debit card number, in combination with that account’s security code, password or access code, such that unauthorized access to these accounts could be achieved.
  • Information collected through an automated license recognition system.

If the data that was breached was encrypted, Californians do not need to be notified. “Encrypted” means the data was rendered unusable, undecipherable, or unreadable to the unauthorized person who accessed it.

Who Must Comply With the Data Breach Notification Laws?

People and companies that conduct business in California, along with California government agencies, are required to comply with the California data breach notification law.

This means that even companies that have their business headquarters in a state other than California are required to provide California residents with notification of a data security breach if they conduct any business in the state of California.

In essence, any business that has access to a California resident will be required to comply with the notification laws. On the other hand, businesses that do not have operations and do no business in the state of California are not required to comply with California’s data breach notification laws.

Requirements for Notification Compliance

State agencies and businesses in California that have had a data breach must satisfy certain notification requirements in order to be in compliance with the law. The notice must be in plain language. The font of the notice must be no smaller than 10-point size, and the notice must use clear and conspicuous headings, such as “Notice of Data Breach”.

The notice must convey the following information:

  • Who is issuing the notification.
  • What happened, including the date range affected by the breach.
  • Identification of what information was involved in the data breach.
  • Whether there was a delay in providing the notification due to an investigation by law enforcement.
  • What the agency or business is doing to resolve the problem.
  • What victims can do to protect themselves.
  • Where to find more information about the data breach. 

Are There Sanctions and Remedies Available to Victims?

If California residents are notified of their involvement in a data security breach in a timely fashion, they could be entitled to damages through a private action or claim for liquidated damages.

Talk to a Data Breach Lawyer

Revision Legal understands the dynamic nature of cyber security. Revision Legal has worked with businesses of all sizes to assess data retention risks. When necessary, we provide counsel on the California data breach law. If you have concerns about your company’s exposure or have received a notification that you have been a victim of a data breach incident, contact the experienced data breach attorneys at Revision Legal.

Civil fines are available in some states for a failure to expeditiously notify those affected by breaches. Contact our internet lawyers using the form on this page or call us at 855-473-8474.

Photo credit to Flickr user Anh Dinh.

This post was originally published in November, 2015. It has been updated for clarity and comprehensiveness.
