Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

CALIFORNIA DATA PRIVACY REGULATIONS

Did You Know?

  • Specific factors determine whether a breach is reportable
  • Comprehensive requirements for notifications and for the provision of identity theft prevention services
  • Limited methods of notification delivery
  • Data owners are responsible for reporting and notifications
  • 15-day deadline for medical breaches
  • The state attorney general must be provided with specific information
  • Violations can result in civil action, penalties/fines, and enjoinment
  • Laws also cover data protection, data disposal, and record retention

Who Me?


California breach and notification laws may apply if you are a person or business that:

  • Conducts business in California and owns or licenses computerized data that includes PII
  • Maintains computerized PII that you do not own

There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may also apply.

What is PII?


PII is personally identifiable information. PII relevant to a breach in California includes an individual’s name with one or more of the following:

  • Social Security Number
  • Driver's license or identification number
  • Financial account numbers or credit/debit card numbers with security or access codes or passwords
  • Medical information
  • Health insurance information
  • A username or email address in combination with a password or security question and answer which would permit access to an online account

PII may also include a signature, physical characteristics, address, telephone number, passport or insurance policy numbers, education or employment history, etc.

LAWS

APPLICABLE LAWS

A few of these laws include, but are not limited to:

  • For Businesses: Civil Code / Division 3. / Part 4. / Title 1.81 / Customer Records / 1798.80 – 1798.84
  • For State Agencies: Civil Code / Division 3. / Part 4. / Title 1.8 / Chapter 1 / Article 7. Accounting Of Disclosures / 1798.29
  • For Medical: Health And Safety Code / Division 2. / Chapter 2. Health Facilities / Article 3. Regulations / 1280.15

Although they are not laws, California also publishes many “recommended practices”.

RELATED LAWS

A few of these laws include, but are not limited to:

  • Civil Code / Division 3. / Part 4. / Title 1.8, 1.80, 1.81
  • California has issued a handbook for state record retention.
  • Laws regulate medical and health records.
  • California’s Office of Privacy Protection: “Recommended Practices on Notice of Security Breach Involving Personal Information”
  • Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements

PENALTIES

CALIFORNIA GRANTS THE RIGHT TO CIVIL ACTION

California grants the right to civil action to recover a civil penalty not to exceed three thousand dollars ($3,000) per violation, or $500 per violation. The business may also be enjoined. For violations involving patient medical information, the penalty is $100 per day, up to a maximum of $250,000.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors that determine the reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If it was acquired by an unauthorized person

TIME LIMITS

Depending on impact and type of breach there may be specific entities to report to and specific time limits to report a breach. All notifications must be made in the most expedient manner possible and without unreasonable delay, unless law enforcement advises the person it will impede a criminal investigation. CA’s Office of Privacy Protection recommends that notice be provided within 10 business days. Medical breaches have a time limit of 15 days.

CONSUMER NOTIFICATION

Notifications to the consumer may require detailed information and sometimes provision of services. The notifications must be sent or delivered in a specific manner.

Disclosure may only be made by written notice, by telephone, or electronically, each with stipulations. A substitute notice, which has its own specific requirements, may be used if the person demonstrates that the cost of providing the notice would exceed $250,000, that the number of persons to be notified exceeds 500,000, or that they do not have sufficient contact information.
