California Data Breach Notification Law: Requirements and Obligations
California's data breach notification statute, codified at California Civil Code §§ 1798.29 and 1798.82, establishes one of the most comprehensive mandatory disclosure frameworks in the United States. This page covers the legal scope, triggering conditions, notification timelines, classification rules, enforcement mechanisms, and operational obligations that apply to organizations handling California residents' personal information. Understanding these requirements is essential for any entity operating in or collecting data from California, given the statute's extraterritorial reach and the California Attorney General's active enforcement posture.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps (Non-Advisory)
- Reference Table or Matrix
- References
Definition and Scope
California Civil Code § 1798.82 imposes a mandatory breach notification obligation on any person or business that owns or licenses computerized data containing personal information about California residents (California Legislative Information, Civil Code § 1798.82). The statute applies regardless of where the business is incorporated or headquartered — an organization based in Texas, Germany, or Singapore must comply if it controls data belonging to California residents and suffers a qualifying breach.
"Personal information" under § 1798.82 includes a defined set of data element combinations: an individual's first name or first initial and last name combined with at least one of the following — Social Security number, driver's license number, California identification card number, financial account credentials, medical information, health insurance information, or unique biometric data. A 2016 amendment (SB 570) added login credentials (username or email address combined with a password or security question answer) as a standalone triggering category.
Scope and coverage limitations: This page addresses California state law exclusively. Federal breach notification frameworks — including the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule (45 CFR Part 164), the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and the FTC Act — operate in parallel and may impose additional or different requirements. Entities regulated by those federal schemes must satisfy both California's statute and applicable federal rules. Breaches affecting only non-California residents are not covered by § 1798.82, and purely internal data exposures that do not involve unauthorized acquisition are outside the statute's scope.
For a broader orientation to California's cybersecurity regulatory landscape, the conceptual overview of how California cybersecurity works provides essential context. The California cybersecurity terminology and definitions reference explains key statutory terms in detail.
Core Mechanics or Structure
The statute's mechanics hinge on three operative conditions: a qualifying "breach of the security of the system," a qualifying data element combination, and acquisition by an unauthorized person.
Triggering event: A "breach of the security of the system" is defined in § 1798.82(g) as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Unintentional acquisition by an employee or agent acting within the scope of employment does not constitute a breach if the information is not used or further disclosed.
Notification timeline: Notification must be provided "in the most expedient time possible and without unreasonable delay." The statute does not specify a fixed number of days, but California Attorney General guidance has consistently treated 30 to 45 days as a reasonable outer boundary in the absence of a law enforcement delay request. Law enforcement agencies may request a delay in notification when disclosure would impede a criminal investigation; this delay must be in writing.
Who must be notified: The affected California residents must receive notification. If a single breach affects 500 or more California residents (Civil Code § 1798.82(f)), the business must also submit an electronic copy of the notice to the California Attorney General. Substitute notice is permitted when the cost of direct notification would exceed amounts that vary by jurisdiction or the affected population exceeds 500,000 individuals.
Notice content requirements: The required notice format under § 1798.82(d) must include: the name and contact information of the reporting business; a list of the types of personal information compromised; the date or estimated date of the breach; a description of what the business is doing in response; and advice on steps affected individuals may take. When login credentials are the only compromised data element, the notification may be delivered electronically.
Causal Relationships or Drivers
California's breach notification statute exists within a layered regulatory environment that shapes enforcement pressure and organizational behavior. The regulatory context for California cybersecurity page maps the full spectrum of applicable state frameworks.
The primary driver of organizational compliance urgency is private right of action exposure. Under Civil Code § 1798.150 (introduced by the California Consumer Privacy Act of 2018, AB 375), consumers may bring civil actions for statutory damages per consumer per incident (within a range whose amounts vary by jurisdiction) or actual damages, whichever is greater, when a breach results from a business's failure to implement reasonable security. This private right of action does not require proof of actual harm, making it a significant litigation risk.
The California Attorney General's enforcement authority under § 1798.84 permits the AG to bring actions for civil penalties and injunctive relief. Penalties under the CCPA's enforcement provisions can reach amounts that vary by jurisdiction per intentional violation (Civil Code § 1798.155).
The California Privacy Protection Agency (CPPA), established by Proposition 24 (the California Privacy Rights Act of 2020), has assumed rulemaking authority that intersects with breach notification obligations. The California Privacy Protection Agency's cybersecurity role is examined separately.
Classification Boundaries
Not all data exposures trigger notification. The statute draws clear classification lines:
Encrypted data exemption: Disclosure of encrypted personal information does not trigger notification if the encryption key was not also acquired and the encryption meets current standards. This is the most significant carve-out in practice.
Redacted data exemption: Similarly, data that has been fully redacted — rendered unreadable or unusable — does not trigger the statute.
Good faith acquisition exemption: Internal acquisition by an employee acting within the scope of employment, with no subsequent misuse or unauthorized disclosure, is excluded.
Sector-specific overlay: Covered entities under HIPAA, financial institutions regulated under GLBA, and entities subject to the California Financial Information Privacy Act operate under parallel notification regimes. These entities are not exempt from § 1798.82 — they must comply with both their sector-specific rules and the California statute unless the California law expressly provides otherwise.
The boundary between "unauthorized acquisition" and "unauthorized access" matters significantly: mere access without confirmed data acquisition may not trigger the statute, though California Attorney General guidance encourages erring toward notification when acquisition cannot be ruled out.
Tradeoffs and Tensions
Speed versus accuracy: The "without unreasonable delay" standard creates tension between rapid notification (which limits harm to consumers) and thorough forensic investigation (which prevents inaccurate or incomplete notifications that may alarm recipients unnecessarily). Premature notification based on incomplete forensic findings can cause consumer panic and reputational harm disproportionate to the actual risk.
Encrypted data and key management: The encryption exemption incentivizes strong encryption practices, but the exemption disappears if the encryption key is also compromised. Organizations that encrypt data but store keys in the same environment as the encrypted data may find the exemption unavailable precisely when a breach is most severe.
Substitute notice and equity: When direct notification costs exceed amounts that vary by jurisdiction, substitute notice via email, conspicuous website posting, or major statewide media is permitted. Critics of this provision note that the populations least likely to monitor corporate websites (older adults, low-income individuals, non-English speakers) are the ones least served by substitute notice mechanisms.
Private right of action scope: The § 1798.150 private right of action applies specifically to breaches resulting from failure to implement "reasonable security procedures." The meaning of "reasonable security" is not defined by statute, though the California Attorney General has pointed to the Center for Internet Security (CIS) Controls and the NIST Cybersecurity Framework (NIST CSF) as baseline references in enforcement guidance.
Common Misconceptions
Misconception: Only California-based companies are covered.
The statute applies to any business — anywhere in the world — that owns or licenses data about California residents. Geographic location of the business entity is irrelevant; what matters is whether the affected individuals are California residents.
Misconception: A breach must be confirmed before notification is required.
The statute does not require certainty of acquisition. When acquisition of personal information cannot be ruled out following a security incident, legal counsel and the California Attorney General's guidance consistently support providing notification rather than withholding it pending conclusive forensic findings.
Misconception: Notifying the Attorney General substitutes for individual notification.
AG notification (required only when 500 or more residents are affected) is supplemental — it does not replace the obligation to notify affected individuals directly.
Misconception: The 30-day figure is statutory.
No California statute sets a 30-day hard deadline. The "without unreasonable delay" standard is flexible and fact-dependent. The 30-to-45-day range comes from Attorney General enforcement practice and guidance, not from the text of § 1798.82.
Misconception: Encryption always eliminates notification obligations.
Encryption eliminates the obligation only when the encryption key was not also compromised. If the threat actor obtained both encrypted data and the decryption key, the exemption does not apply.
Checklist or Steps (Non-Advisory)
The following sequence reflects the phases typically involved in California breach notification compliance. This is a descriptive framework drawn from the statute and Attorney General guidance — not legal advice.
Phase 1: Detection and Containment
- Identify that a security incident has occurred involving computerized data
- Determine whether California residents' personal information was stored in affected systems
- Engage forensic investigation to assess whether unauthorized acquisition occurred
Phase 2: Legal Analysis
- Confirm whether the data elements involved meet the § 1798.82 personal information definition
- Assess whether the encrypted data or good-faith acquisition exemptions apply
- Determine whether a law enforcement delay request has been made in writing
Phase 3: Notification Preparation
- Identify the total number of California residents affected
- Draft notice content meeting all § 1798.82(d) required elements
- Determine notification method (direct mail, email, substitute notice) based on population size and cost thresholds
Phase 4: Notification Execution
- Deliver notices to affected California residents without unreasonable delay
- If 500 or more California residents are affected, submit electronic copy to the California Attorney General via the AG's data breach reporting portal
- Document notification timing, method, and content for compliance records
Phase 5: Post-Notification
- Preserve all breach-related records and forensic findings
- Assess whether § 1798.150 civil liability exposure exists
- Evaluate remediation of the security vulnerability that enabled the breach
For organizations planning their broader incident response structure, the California cybersecurity incident response planning page details the operational framework.
Reference Table or Matrix
California Data Breach Notification: Key Requirements at a Glance
| Requirement | Detail | Authority |
|---|---|---|
| Covered entities | Any person or business owning or licensing California residents' data | Civil Code § 1798.82 |
| Triggering condition | Unauthorized acquisition of unencrypted personal information | Civil Code § 1798.82(a) |
| Notification timeline | Most expedient time possible; without unreasonable delay | Civil Code § 1798.82(a) |
| AG notification threshold | 500 or more California residents affected | Civil Code § 1798.82(f) |
| Substitute notice cost threshold | Direct cost exceeds amounts that vary by jurisdiction | Civil Code § 1798.82(j) |
| Substitute notice population threshold | Affected population exceeds 500,000 | Civil Code § 1798.82(j) |
| Private right of action damages | Statutory damages per consumer per incident (range: amounts that vary by jurisdiction), or actual damages, whichever is greater | Civil Code § 1798.150 |
| Maximum civil penalty (intentional violation) | amounts that vary by jurisdiction per violation | Civil Code § 1798.155 |
| Encrypted data exemption | Applies only when encryption key was not also acquired | Civil Code § 1798.82(a) |
| Law enforcement delay | Permitted with written request from law enforcement | Civil Code § 1798.82(c) |
| Standalone login credential breach | Triggers notification; electronic-only notice permitted | Civil Code § 1798.82(b)(2) |
| Sector-specific overlay | HIPAA, GLBA entities must satisfy both federal and state requirements | Federal statutes and § 1798.82 |
Personal Information Categories Under § 1798.82
| Data Element | Standalone Trigger? | Notes |
|---|---|---|
| SSN + name | No (combination required) | Standard two-element trigger |
| Driver's license + name | No | Standard two-element trigger |
| Financial account + credentials + name | No | Account number with access code |
| Medical information + name | No | Defined broadly in Health & Safety Code § 56.05 |
| Health insurance information + name | No | Includes policy numbers |
| Biometric data + name | No | Fingerprints, retina scans, etc. |
| Login credentials (username + password) | Yes | Standalone trigger added by SB 570 (2016) |
For an overview of how breach notification interacts with the broader California cybersecurity authority framework, the californiasecurityauthority.com home page provides orientation. The California Attorney General's cybersecurity enforcement page covers enforcement actions in detail. Organizations in regulated industries should also consult the California healthcare cybersecurity and California financial sector cybersecurity pages for sector-specific overlays.
References
- California Civil Code § 1798.82 — California Legislative Information
- California Civil Code § 1798.150 — California Legislative Information
- California Civil Code § 1798.155 — California Legislative Information
- California Civil Code § 1798.29 — California Legislative Information
- California Attorney General — Data Breach Reporting
- California Privacy Protection Agency (CPPA)
- NIST Cybersecurity Framework (CSF)
- HIPAA Breach Notification Rule — 45 CFR Part 164, HHS
- AB 375 (California Consumer Privacy Act, 2018) — California Legislative Information
- SB 570 (2016 Amendment to § 1798.82) — California Legislative Information: https://leginfo.legislature.ca.gov/faces/billNavClient.x