California Data Breach Notification Law

by John DiGiacomo

Partner

Data Breach

California law takes the privacy of its residents seriously. Privacy is an inalienable right guaranteed to California residents by the California Constitution. California was the first state to enact laws protecting the rights of its residents to be notified of data security breaches.

When it comes to data breaches in California, state agencies and businesses have a duty to protect customer information. California residents who are victims of a data breach have a right to be notified if their unencrypted data was exposed.

Under California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a), state agencies and businesses have an obligation to notify California residents who have been the victim of an encrypted data security breach.

Who is Protected Under the California Data Breach Notification Law?

California’s data breach notification laws protect all Californians. Employees, consumers and residents of the Golden State are protected under these laws. Since California businesses and state agencies are required to notify all California residents of a data security breach, many non-residents are incidentally also notified of the data security breach as a byproduct of these laws.

What is Personal Information?

For the purposes of the California data breach notification law, “personal information” includes a person’s first name or first initial and the person’s last name, in conjunction with any of the following additional data elements:

  • The person’s social security number.
  • A driver’s license or California identification card number.
  • The person’s medical information or health insurance information.
  • A person’s account, credit card number, or debit card number, in combination with that account’s security code, password or access code, such that unauthorized access to these accounts could be achieved.
  • Information collected through an automated license recognition system.

If the data that was breached was encrypted, Californians do not need to be notified. “Encrypted” means that the data was rendered unusable, undecipherable, or unreadable to the unauthorized person who accessed it.

Who Must Comply With the Data Breach Notification Laws?

People and companies that conduct business in California, along with California government agencies, are required to comply with the California data breach notification law.

This means that even companies that have their business headquarters in a state other than California are required to provide California residents with notification of a data security breach if they conduct any business in the state of California.

In essence, any business that has access to a California resident will be required to comply with the notification laws. On the other hand, businesses that do not have operations and do no business in the state of California are not required to comply with California’s data breach notification laws.

Requirements for Notification Compliance

State agencies and businesses in California that have had a data breach must satisfy certain notification requirements in order to be in compliance with the law. The notice must be in plain language. The notice must be set in a font no smaller than 10-point size and must use clear and inconspicuous headings, such as “Notice of Data Breach”.

The notice must convey the following information:

  • Who is issuing the notification.
  • What happened, including the date range affected by the breach.
  • Identification of what information was involved in the data breach.
  • Whether there was a delay in providing the notification due to an investigation by law enforcement.
  • What the agency or business is doing to resolve the problem.
  • What victims can do to protect themselves.
  • Where to find more information about the data breach. 

Are There Sanctions and Remedies Available to Victims?

If California residents are notified of their involvement in a data security breach in a timely fashion, they could be entitled to damages through a private action or a claim for liquidated damages.

Talk to a Data Breach Lawyer

Revision Legal understands the dynamic nature of cyber security. Revision Legal has worked with businesses of all sizes to assess data retention risks. When necessary, we provide counsel on the California data breach law. If you have concerns about your company’s exposure or have received a notification that you have been a victim of a data breach incident, contact the experienced data breach attorneys at Revision Legal.

Civil fines are available in some states for a failure to expeditiously notify those affected by breaches. Contact our internet lawyers using the form on this page or call us at 855-473-8474.

Photo credit to Flickr user Anh Dinh.

This post was originally published in November, 2015. It has been updated for clarity and comprehensiveness.
