Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- up to $7,500 per violation

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Organizations must send breach notification to all affected state residents without delay when their personal information is found to have been or reasonably believed to have been acquired by an unauthorized individual.
  • Organizations must notify the Attorney General if a breach of security affects more than 500 California residents.  A sample copy of the consumer notification (redacting personal information) must be provided to the Attorney General.
  • In the event of a breach involving consumer biometric data, a business must provide consumers with instructions on notifying other entities who use the same biometric data to no longer rely on it for authentication purposes.
  • If the breach involves Social Security numbers or other unique identification numbers (e.g., driver’s license, state issued, tax, passport, or military identification numbers), the business who is the source of the breach must offer identity theft prevention and mitigation services to each person affected by the breach at no cost for at least 12 months.
  • A vendor discovering a breach or suspected breach must notify the organization. The organization is responsible for reporting to regulator and consumer notification.
  • If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Consumers have a private right of action against a business who experiences a breach involving their personal information.
  • Organizations must contract with vendors for the disclosure of personal information and must contractually require the vendors to have security procedures and practices in place for the protection of the information.
  • Organizations and Vendors who hold personal information about a California resident must implement and maintain reasonable security procedures and practices to protect the personal information.
  • Under California’s Civil Code Customer Records section, “an entity that disposes of records” is included in the definition of “business”.
  • Vendors in the business of disposing of records must have measures in place for the destruction of records containing personal information so the records are unreadable or undecipherable.
  • Organizations need to provide a privacy notice to consumers and employees at or before the point of collection, specifying the categories of personal information collected and purposes for which it will be used.
  • Organizations must update their privacy notice annually or sooner if there is a material change in data management practices.
  • Organizations must have a link on their website home page titled “DO NOT SELL MY PERSONAL INFORMATION” allowing consumers to opt-out of the sale of their personal information at any time.
  • Organizations are prohibited from denying goods or services or charging different prices for or a different level of service to consumers who exercise their rights under the CCPA.
  • Organizations must provide consumers with a minimum two methods to submit data access requests; and must respond to verified data access requests within 45 days.
  • Organizations operating exclusively online with a direct consumer relationship can receive data access requests by email or through their existing online account.
  • Organizations must conduct training on privacy policies for all employees who handle consumer inquiries and requests.
  • The Attorney General began enforcing provisions of the CCPA on July 1, 2020. Businesses and service providers must cure violations within 30 days of a notice of noncompliance. Enforcement includes civil actions for injunction and/or penalties up to $2,500 for each violation or $7,500 for each intentional violation.
  • Organizations may be fined or penalized for Vendor violations.
  • California Privacy Rights Act (CPRA) which amends the California Consumer Privacy Act (CCPA), passed Nov. 3, 2020 and takes effect on January 1, 2023, creates an omnibus privacy regulation in California.
  • CPRA creates a data protection authority agency charged with enforcing privacy rights known as the California Privacy Protection Agency (CPPA).
Statutes and Laws
  • Cal. Civ. Code § 1798.80 Definitions
  • Cal. Civ. Code § 1798.81 Disposal of Records
  • Cal. Civ. Code § 1798.81.5 Data Protection
  • Cal. Civ. Code § 1798.82 Disclose a breach of the security of the system
  • Cal. Civ. Code § 1798.83 Disclosure of personal information to third parties
  • Cal. Civ. Code § 1798.84 Enforcement and penalties
  • Cal. Civ. Code §§ 1280.15 Unlawful or unauthorized access to, and use or disclosure of, patients’ medical information
  • California has issued a handbook for state record retention. It can be found at: HTTPS://ARCHIVES.CDN.SOS.CA.GOV/PDF/CALRIM-RECORDS-RETENTION-HANDBOOK.PDF
  • Cal. Civ. Code § 1798.100 – 1798.199 California Consumer Privacy Act of 2018
BAck to map