
California

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: NO
Deadline for Consumer Notice: Most expedient time possible and without unreasonable delay
Government Notification Required: YES, if >500 residents notified

Cal. Civ. Code § 1798.82

More Details

Scope of this Summary

Notification requirements applicable to persons or businesses that conduct business in the state and that own, license or maintain covered info. Some types of businesses may be exempt from some or all of these requirements and non-commercial entities may be subject to different requirements.

Covered Info

First name or first initial and last name, plus: Social Security number; driver's license or state identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; financial account, credit or debit card number, in combination with any required security or access code or password permitting access to individual's financial account; medical or health insurance info; unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual; this does not include a physical or digital photograph, unless used or stored for facial recognition purposes; info collected by automated license plate recognition systems; and genetic data.

Covered info also includes a username or email address, in combination with a password or security question and answer that would permit access to an online account.

Form of Covered Info

Electronic Only.

Encryption Safe Harbor

Statute does not apply to information that is encrypted, so long as the encryption key was not or is not reasonably believed to have been acquired.

Breach Defined

Unauthorized acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.

Consumer Notice

Timing: Must be made in the most expedient time possible and without unreasonable delay consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

Content: Notice must be in "plain language," use at least 10-point font, and be organized by a clearly and conspicuously displayed title ("Notice of Data Breach") and headings ("What Happened", "What Information Was Involved", "What We Are Doing", "What You Can Do", and "For More Information"). Notice must include: name and contact information of covered entity; types of covered info that were or are reasonably believed to have been the subject of the breach; the date, estimated date, or date range of the breach; date of the notice; whether notice was delayed due to law enforcement; general description of the breach; and toll-free numbers and addresses of the major CRAs if Social Security numbers, driver's license or state identification card numbers were exposed.

If Social Security, driver’s license or state identification card numbers are affected, and if the entity providing notice was the source of the breach, must offer appropriate identity theft prevention and mitigation services, if any, at no cost to resident for not less than 12 months.

Method: By written notice, or electronic notice if it is consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied. Alternative methods apply to breaches solely involving usernames or email addresses.


Delayed Notice

Notification may be delayed if law enforcement determines that notice will impede a criminal investigation.

Government Notice

If more than 500 state residents are notified as a result of a single breach, must also electronically submit a sample copy of the notification to the California Attorney General (excluding personal information).

Third-Party Notice

If you maintain covered info on behalf of another entity, you must notify them immediately following discovery of a breach.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on February 15, 2022

©1996-2022 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Prior results do not guarantee a similar outcome.