Data Breach Notification Law in California


What are the data breach notification laws in California?

Statute Codes

In California, there are quite a few applicable breach laws covered under Cal. Civ. Code § 1798.29; 1798.80 et seq. S.B. 1386 was signed into law on September 25, 2002, and made effective July 1, 2003. S.B. 24 was signed into law on August 31, 2011, and made effective January 1, 2012. S.B. 46, was signed into law on September 27, 2013, and made effective January 1, 2014. AB-1710 was signed into law on September 30, 2014, and made effective January 1, 2015. Additionally, A.B. 964, S.B. 570, and S.B. 34 were signed into law on October 6, 2015, and became effective January 1, 2016.

Legal Requirements for Data Breach Notification Law in California

This law applies to entities (persons, businesses, and state agencies) who own or license computerized data which includes PI. Even if the entities are located out of state, if they have PI of California residents, associated law applies to them. A security breach takes place when a party or parties obtain access to PI without authorization. Good faith provision of PI isn’t a breach, provided the PI isn’t misused under the statute’s guidelines. The PI breach must threaten security, integrity, or confidentiality of affected parties.

PI is defined as a first and last name, or a first initial coupled with the last name, proceeded by sensitive information. If this data is unencrypted and becomes available, that’s a breach. Examples of associated sensitive information include SSNs, driver’s license and state ID numbers, any financial information like account numbers, PINs, or passwords, medical information, health insurance data, or information that’s been collected through a license plate recognition system that’s automated. Pertaining to license plate recognition, specifically, this refers to a database resulting from cameras that utilize algorithms to categorize license and registration data.

Breach Reporting in California

Entities covered under the statute must notify affected CA residents when unencrypted PI was or is believed to have been compromised. They must notify residents if encrypted data is compromised which may include a decryption key. Reasonable suspicion of compromise also predicates notification obligation. The AG must be notified if more than 500 California residents are compromised. This is done through electronic submission of the notification as it is intended to be distributed to affected parties. This submission will constitute a sample, and not contain any contact information of affected parties.

Notification must take place as swiftly as possible, avoiding any delay deemed unreasonable by the statute. When law enforcement or investigation requires a delay in notification, this is permissible. Restoration of a network’s integrity is also a permissible delay. The means of notification may be through written or electronic notice, provided electronic outreach is in compliance with the E-Sign Act (15 U.S.C. § 7001). If an email address is breached, notice may not be provided by this method. Additional means of notification include direct notification to residents at a trusted IP address and location.


Any client of an entity that’s injured by violations of this statute is entitled to a civil action for damage recovery. Businesses that violate, or make a proposition to violate, or who have violated this statute could become enjoined. Waivers are not permitted.

Contact Security Compliance Associates for More Information about Data Breach Notification Law in California

SCA has years of experience helping organizations across the United States to prevent and manage potential data breaches. Contact us today at 727-571-1141 to schedule a no-cost consultation. You can also download our free Data Breach Response Guide to learn more about breach notification law in your state.