Mandated Timeframe for Breach Reporting and/or Consumer Notification
Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach notification laws:
- up to $7,500 per violation
None to minimal
Businesses must send breach notification to all affected state residents without delay when their personal information is found to have been or reasonably believed to have been acquired by an unauthorized individual.
Businesses must notify the Attorney General if a breach of security affects more than 500 California residents. A sample copy of the consumer notification (redacting personal information) must be provided to the Attorney General.
In the event of a breach involving consumer biometric data, a business must provide consumers with instructions on notifying other entities who use the same biometric data to no longer rely on it for authentication purposes.
If the breach involves Social Security numbers or other unique identification numbers (e.g., driver’s license, state issued, tax, passport, or military identification numbers), the business who is the source of the breach must offer identity theft prevention and mitigation services to each person affected by the breach at no cost for at least 12 months.
Vendors experiencing a breach must notify the data owner. The data owner will be responsible to complete any required regulatory and consumer notifications.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Businesses that own, license, or maintain personal information about a California resident must implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure.
Businesses must contract with vendors for the disclosure of personal information and must contractually require the vendors to have security procedures and practices in place for the protection of the information.
Businesses need to provide a privacy notice to consumers and employees at or before the point of collection, specifying the categories of personal information collected and purposes for which it will be used.
Businesses must update their privacy notice annually or sooner if there is a material change in data management practices.
Businesses must have a link on their website home page titled “DO NOT SELL MY PERSONAL INFORMATION” allowing consumers to opt-out of the sale of their personal information at any time.
Businesses are prohibited from denying goods or services or charging different prices for or a different level of service to consumers who exercise their rights under the CCPA.
Businesses must provide consumers with a toll-free number and/or website address to submit data access requests; and must respond to verified data access requests within 45 days.
Businesses operating exclusively online with a direct consumer relationship can receive data access requests by email or through their existing online account.
Businesses must conduct training on privacy policies for all employees who handle consumer inquiries and requests.
Businesses must obtain affirmative consent for the sale of personal information for consumers under the age of 16.
Motor Vehicle dealerships and vehicle manufacturers may sell, use or share consumer information for purposes of generating a repair under warranty or recall, but the information may not be further sold, shared or used for any other purpose.
Data Brokers must register annually with the Attorney General.
Consumers have a private right of action against a business who experiences a breach involving their unencrypted/unredacted personal information.
Enforcement actions on CCPA provisions can be brought by the Attorney General beginning July 1, 2020, if business or service provides fail to cure a violation within 30 days of a notice of noncompliance. Actions include civil actions for injunction and/or penalties up to $2,500 for each violation or $7,500 for each intentional violation.
Statutes and Laws
Cal. Civ. Code § 1798.82 Disclose a breach of the security of the system
Cal. Civ. Code § 1798.81 Disposal
Cal. Civ. Code § 1798.81.5 Personal Information about California residents protected
Cal. Civ. Code § 1798.83 Disclosure of personal information to third parties
Cal. Civ. Code § 1798.84 Enforcement and penalties
Cal. Civ. Code § 1798.100-1798.82.199 California Consumer Privacy Act of 2018 (CCPA)(effective January 1, 2020)
Cal. Civ. Code §§ 1280.15 Unlawful or unauthorized access to, and use or disclosure of, patients’ medical information