California Attorney General Cybersecurity Enforcement Actions and Guidance

The California Attorney General (AG) holds statutory authority to investigate and enforce compliance with the state's primary cybersecurity and privacy statutes, including the California Consumer Privacy Act (CCPA) and the California Data Breach Notification Law under Civil Code § 1798.29 and § 1798.82. This page covers the scope of that enforcement authority, the mechanisms through which investigations and actions proceed, the scenarios most likely to trigger formal AG attention, and the boundaries that distinguish AG jurisdiction from other state and federal regulators. Understanding AG enforcement patterns matters because the office has issued interpretive guidance that shapes how obligations are understood beyond the text of the statute itself.

Definition and scope

The California AG's cybersecurity enforcement authority derives primarily from three statutory pillars:

  1. California Consumer Privacy Act (CCPA) / CPRA — Civil Code §§ 1798.100–1798.199.100, which grants the AG authority to bring civil enforcement actions for violations and to publish regulations (California Department of Justice, CCPA enforcement).
  2. California Data Breach Notification Law — Civil Code §§ 1798.29 and 1798.82, requiring businesses and government agencies to notify affected residents within a reasonable time, with the AG empowered to bring actions for non-compliance.
  3. California Unfair Competition Law (UCL) — Business and Professions Code § 17200, allowing the AG to pursue unfair or deceptive business practices, which includes inadequate security practices that harm consumers.

The California Privacy Rights Act (CPRA), effective January 1, 2023, transferred rulemaking authority from the AG to the California Privacy Protection Agency (CPPA), but the AG retained exclusive civil enforcement authority for CCPA/CPRA violations.

What this authority covers: For-profit businesses meeting CCPA thresholds (annual gross revenues exceeding $25 million, data on 100,000 or more consumers annually, or 50% or more of annual revenues derived from selling personal information; Civil Code § 1798.140(d)), nonprofit organizations under specific breach statutes, and state agencies under the government-sector breach notification statute.

What falls outside AG scope: Federal entities and federally preempted sectors such as national banks under OCC oversight, healthcare entities exclusively governed by HIPAA (though California breach law may overlap), and telecommunications carriers regulated by the FCC. The AG also does not hold sole authority over interstate data practices: the FTC retains concurrent authority over deceptive data practices under Section 5 of the FTC Act. Sectors such as California financial sector cybersecurity and California healthcare cybersecurity involve parallel regulatory bodies whose jurisdiction is not replaced by AG enforcement.

How it works

AG cybersecurity enforcement follows a structured process:

  1. Complaint intake and investigation initiation — The AG receives complaints from consumers, advocacy organizations, or through monitoring. The office may also initiate investigations based on media reports or observed breach notifications.
  2. Pre-litigation notice (30-day cure period) — Under Civil Code § 1798.155(b), prior to initiating a CCPA enforcement action, the AG must provide a 30-day written notice identifying alleged violations. If the business cures the violation within 30 days and provides written confirmation, no civil action may be brought for that specific violation. This cure mechanism does not apply to breach notification failures.
  3. Civil action filing — If violations are not cured, or where no cure period applies, the AG files a civil action in California Superior Court.
  4. Penalty assessment — Civil penalties reach $2,500 per unintentional violation and $7,500 per intentional violation (Civil Code § 1798.155(a)). Violations involving minors under 16 carry the $7,500 rate automatically.
  5. Guidance publication — Separate from enforcement actions, the AG publishes cybersecurity guidance documents, including the 2016 California Data Breach Report, which recommended the CIS Critical Security Controls (then called SANS Top 20) as the reasonable security standard for California businesses.

The AG's 2016 breach report explicitly stated that failure to implement the Center for Internet Security (CIS) Controls constitutes a lack of reasonable security, creating a de facto standard that courts and litigants have cited in subsequent private litigation under the California Customer Records Act.

For a broader operational picture of how these statutes fit together, see how California cybersecurity works and the regulatory context for California cybersecurity.

Common scenarios

Breach notification failures are the most frequent trigger for AG action. Violations typically involve delayed notifications — Civil Code § 1798.82 specifies notification "in the most expedient time possible and without unreasonable delay." The AG's public breach log reflects dozens of annual incident reports from covered entities.

Inadequate security leading to breach — Where a business suffers a breach and the AG determines the entity failed to implement reasonable security procedures, UCL claims under Business and Professions Code § 17200 may accompany CCPA actions.

CCPA opt-out and data sale violations — Businesses that continue selling consumer personal information after a consumer exercises a Do Not Sell request face intentional violation classifications at the $7,500 per-violation penalty rate.

Children's data violations — The AG has signaled heightened attention to platforms collecting data on users under 16, consistent with the California Age-Appropriate Design Code Act (AB 2273, 2022). For sector-specific implications, see California K-12 student data privacy and security.

IoT security non-compliance — California SB 327 (effective January 1, 2020) requires "reasonable security features" for connected devices (California IoT Security Regulations). AG enforcement authority extends to manufacturers that fail this standard.

For precise terminology used across these enforcement frameworks, refer to California cybersecurity terminology and definitions.

Decision boundaries

Two critical contrasts define how AG enforcement authority intersects with other California oversight bodies:

AG vs. California Privacy Protection Agency (CPPA): The CPRA created the CPPA as an independent regulatory agency with rulemaking authority and, after a transitional period, enforcement authority concurrent with the AG for CPRA violations. The AG retains independent enforcement authority, but the CPPA's emergence means that for post-CPRA violations, dual enforcement is possible. The California Privacy Protection Agency cybersecurity role covers the CPPA's distinct mandate in detail.

AG vs. Private Right of Action: Civil Code § 1798.150 grants consumers a private right of action for data breaches resulting from a business's failure to implement reasonable security. This private action runs parallel to, not through, the AG. A consumer suing under § 1798.150 does not require AG involvement; conversely, an AG enforcement action does not preclude private suit. Statutory damages in private actions range from $100 to $750 per consumer per incident, or actual damages if greater (Civil Code § 1798.150(a)(1)).

Preemption and federal overlay: Where HIPAA governs, California breach notification requirements may still apply to non-HIPAA-covered data elements within the same incident. The AG does not preempt federal enforcement but can act concurrently on California-specific obligations. This intersection is addressed in california-data-breach-notification-law.

