California Cybersecurity Terminology and Definitions
California's cybersecurity regulatory landscape spans multiple state statutes, agency standards, and overlapping federal frameworks — each carrying its own defined vocabulary that does not always align across contexts. This page maps the key terms used in California cybersecurity law, regulation, and practice, explaining where definitions originate, how they differ from federal or general-industry usage, and where ambiguity creates compliance risk. Readers seeking the broader legal and regulatory environment should consult the Regulatory Context for California Cybersecurity page.
Scope and Coverage Limitations
This page addresses terminology as it applies to entities operating under California jurisdiction — primarily under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the California Information Practices Act (Civil Code § 1798 et seq.), Penal Code § 502, and sector-specific standards enforced by California agencies. Definitions discussed here do not substitute for federal definitions under HIPAA, GLBA, FedRAMP, or NIST publications, although cross-references are noted where California law incorporates federal standards by reference. Entities operating exclusively outside California, or exclusively subject to federal preemption (such as certain federally chartered banks), fall outside the primary scope of California-specific definitions covered here.
How Terms Are Defined in Statute or Code
California cybersecurity terminology enters the legal record through three primary channels: direct statutory definition, regulatory adoption by an agency, and incorporation by reference of an external standard.
The CCPA/CPRA, codified at California Civil Code § 1798.100–1798.199.100, is the most frequently cited source for privacy and data-security definitions. It defines "personal information" to include 11 enumerated categories — ranging from real names and Social Security numbers to biometric data and browsing history — a scope considerably broader than the definition used in the pre-CPRA California breach notification statute (Civil Code § 1798.82), which covered a narrower set of data elements tied to identity theft risk.
The California Department of Technology (CDT) and the California Cybersecurity Integration Center (Cal-CSIC) adopt terminology drawn from the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), particularly the five core functions: Identify, Protect, Detect, Respond, and Recover. State Agency Information Management Manual (SIMM) Section 5305-A explicitly references NIST SP 800-53 controls as the baseline standard for California executive branch agencies, meaning NIST's definitions of terms like "access control", "audit log", and "least privilege" carry quasi-regulatory weight for state entities even though California statute does not always reproduce those definitions verbatim.
Penal Code § 502, California's primary computer crime statute, defines "computer contaminant", "computer data", "computer network", and "computer system" within the statute itself. These definitions govern criminal liability for unauthorized access and are distinct from the civil-law definitions used in CCPA enforcement.
Terms with Jurisdiction-Specific Meanings
California assigns meanings to terms that diverge — sometimes sharply — from federal or industry-standard usage.
"Breach of the security of the system" under Civil Code § 1798.82 requires unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. This definition explicitly excludes good-faith acquisition by an employee or agent of the business, provided the information is not used or subjected to further unauthorized disclosure. The federal HIPAA breach definition (45 CFR § 164.402) uses a different threshold — a presumption of breach unless a risk assessment demonstrates low probability of compromise — creating a dual-standard environment for California-licensed healthcare entities covered under both frameworks. The Healthcare Cybersecurity California page examines this intersection in detail.
"Connected device" receives a statutory definition under California Civil Code § 1798.91.04 (enacted via SB 327, effective January 1, 2020), meaning any device or physical object capable of connecting to the internet, directly or indirectly, and assigned an Internet Protocol address or Bluetooth address. This definition is narrower than some federal IoT frameworks and explicitly drives the reasonable security feature requirements detailed on the California IoT Security Law SB-327 page.
"Reasonable security" is used in Civil Code § 1798.81.5 but is not defined with precision in statute. The California Attorney General's 2016 Data Breach Report identified the 20 Center for Internet Security (CIS) Controls (then called the CIS Critical Security Controls) as the minimum baseline for "reasonable security" — giving a published industry framework quasi-definitional status in California enforcement practice without formally incorporating it into statute.
Contested or Context-Dependent Definitions
Three terms generate consistent interpretive disputes in California cybersecurity compliance.
"Sale" of personal information under CCPA/CPRA has been contested since the law's 2020 effective date. The statute defines "sale" to include sharing personal information for monetary or other valuable consideration, which the California Privacy Protection Agency (CPPA) has interpreted broadly enough to capture data shared in advertising ecosystems — even absent a direct cash transaction. Businesses and privacy advocates have reached different conclusions about whether common analytics integrations constitute a "sale," and CPPA enforcement actions will continue to define the operational boundaries of the term.
"Deidentified data" is defined in Civil Code § 1798.140(m) with technical and contractual components — data that cannot reasonably be used to infer information about a consumer, combined with a business obligation to implement technical safeguards and contractual restrictions on reidentification. This contrasts with HIPAA's Safe Harbor method, which allows deidentification by removing 18 specified data elements. Data that qualifies as deidentified under HIPAA's Safe Harbor may not satisfy CCPA's standard.
"Security incident" versus "breach" represents an operational distinction that California frameworks inherit from NIST but apply unevenly. NIST SP 800-61 Rev. 2 defines a security incident as a violation or imminent threat of violation of security policies, whereas a breach requires confirmed unauthorized access to protected data. California's breach notification obligations under Civil Code § 1798.82 trigger only on confirmed breaches, not on incidents — but CPPA draft enforcement regulations have signaled interest in broader incident-level accountability for data processors.
Core Terms
The following definitions represent the foundational vocabulary for California cybersecurity compliance, drawn from named statutes and standards:
- Personal Information (PI) — Defined in Civil Code § 1798.140(v) to include 11 categories of identifiable consumer data. Distinct from the narrower definition in § 1798.82 used for breach notification thresholds.
- Sensitive Personal Information (SPI) — A CPRA-created subcategory (Civil Code § 1798.140(ae)) covering Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, biometric data, and health information, among others. SPI carries additional opt-out rights not applicable to general PI.
- Data Broker — Defined under California Civil Code § 1798.99.80 (AB 1202) as a business that knowingly collects and sells to third parties the personal information of a consumer with whom it does not have a direct relationship. Registration with the California Attorney General's office is required annually.
- Covered Business — Under CCPA/CPRA, a for-profit entity doing business in California that meets at least one of three thresholds: annual gross revenue exceeding $25 million (as adjusted), buying or selling the personal information of 100,000 or more consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information (California Civil Code § 1798.140(d)).
- Cybersecurity Audit — Referenced in CPPA draft regulations (proposed under Civil Code § 1798.185(a)(15)) as a systematic review of a business's security practices. The draft regulations would require covered businesses that pose significant risk to consumer data to conduct annual audits — but as of the CPPA's 2023 rulemaking cycle, the audit mandate had not yet been finalized.
- Risk Assessment (Data Protection Assessment) — CPRA requires businesses to conduct data protection assessments before processing activities that present significant risk to consumers (Civil Code § 1798.185(a)(15)). The term maps conceptually to NIST's risk assessment process defined in SP 800-30 Rev. 1, though California's statutory language does not adopt NIST terminology verbatim.
- Unauthorized Access — Used in Penal Code § 502(c) to describe the actus reus of California's primary computer crime, defined contextually by case law rather than a single statutory definition. Courts have interpreted "without permission" broadly to include access exceeding the scope of authorization, not only access with no authorization at all.
- Contractor / Service Provider / Third Party — CPRA creates three distinct categories for entities receiving personal information from a covered business, each with different contractual obligations and data-use restrictions. This tripartite structure differs from CCPA's original two-category framework (service provider vs. third party) and from HIPAA's business associate model.
The framework governing how these definitions interact in practice is explained in the Process Framework for California Cybersecurity page, and the conceptual architecture connecting statutory definitions to operational controls is addressed in How California Cybersecurity Works. For an orientation to the full subject area covered on this site, the California Cybersecurity Authority index provides a structured entry point across all topic areas.