California Privacy Laws

Breach Notification
  Mandated timeframe: without unreasonable delay

Fines & Penalties
  Violations: up to $7,500 per violation

REGULATION LEVELS

[Rating chart; only the labels survive extraction.] Categories rated: Breach Reporting, Consumer Notifications, Vendor Management, Vendor Contract Required. Level scale: Minimal, Basic, Comprehensive, Extensive.
LAWS RELATED TO PERSONAL INFORMATION

  • Regulated Breach Reporting
    Breach Reporting Requirements
    Consumer Notification Requirements
    Vendor Notification of Breach

  • Vendor Requirements
    Vendor Specific Obligations
    Vendor Mandated Contracts

  • Privacy Program Requirements
    Protection/Security
    Employee Training
    Vendor Protection/Security Program

  • Personal Information Protection
    Data Disposal of Personal Information

Quick Facts

California Privacy Law Information

  • Privacy Program

    Organizations that disclose personal information to vendors must do so under a contract that requires the vendor to maintain security procedures and practices protecting that information. Organizations and vendors that hold personal information about a California resident must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Organizations must provide a privacy notice to consumers and employees at or before the point of collection, specifying the categories of personal information collected and the purposes for which each category is used. Organizations must train all employees who handle consumer inquiries and requests on the organization's privacy policies and on how consumers exercise their rights. Organizations must update their privacy notice at least once every 12 months, or sooner if there is a material change in data management practices.

  • Definition of “Business”

    Under the Customer Records provisions of California's Civil Code (§ 1798.80), the definition of "business" expressly includes an entity that destroys records, so record-disposal contractors are subject to the same obligations.

  • Data Subject Access Request

    Organizations must provide consumers with at least two methods for submitting data access requests and must respond to verifiable requests within 45 days of receipt. An organization that operates exclusively online and has a direct relationship with the consumer may instead accept requests by email or through the consumer's existing online account.

  • Consumer Rights

    Organizations are prohibited from denying goods or services or charging different prices for or a different level of service to consumers who exercise their rights under the CCPA. Organizations must have a link on their website home page titled “DO NOT SELL MY PERSONAL INFORMATION” allowing consumers to opt-out of the sale of their personal information at any time.

  • Breach Reporting

    Organizations must notify the Attorney General when a single breach of security affects more than 500 California residents, and must provide the Attorney General with a sample copy of the consumer notification with personal information redacted. If the breach exposed Social Security numbers or other unique government-issued identification numbers (e.g., driver's license, state-issued identification card, tax identification, passport, or military identification numbers), the business that is the source of the breach must offer identity theft prevention and mitigation services to each affected person at no cost for at least 12 months.

  • Consumer Notification

    Organizations must notify all affected California residents in the most expedient time possible and without unreasonable delay when their personal information (unencrypted, or encrypted together with the key or credential needed to read it) was, or is reasonably believed to have been, acquired by an unauthorized person. If the breach involves consumer biometric data, the business must also provide instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on it for authentication purposes. If a breach affects residents of other jurisdictions, those individuals must be notified according to the breach notification laws of the jurisdiction in which they reside.

  • Industry Specific Laws

    California passed the Genetic Information Privacy Act (GIPA), effective January 1, 2022, which applies to direct-to-consumer genetic testing companies. The Act requires that consumers receive notice of, and give express consent to, the collection, use, and disclosure of their genetic data, and that they be able to revoke that consent.

  • Vendor/Third Parties

    A vendor that discovers a breach or suspected breach must notify the organization on whose behalf it holds the data; the organization remains responsible for notifying the regulator and affected consumers. A non-affiliated third party that handles personal information on behalf of a business must be bound by contract and must implement and maintain reasonable security procedures and practices to protect the data.

  • Fines & Penalties

    The Attorney General began enforcing the CCPA on July 1, 2020. Businesses and service providers have 30 days to cure an alleged violation after receiving a notice of noncompliance. Enforcement is by civil action for injunctive relief and/or civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation. Consumers have a private right of action against a business whose failure to implement and maintain reasonable security procedures results in a breach of their nonencrypted and nonredacted personal information. Organizations may also be fined or penalized for violations committed by their vendors.

  • Additional Information

    The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), passed on Nov. 3, 2020 and takes effect on January 1, 2023, creating an omnibus privacy regulation in California. The CPRA also establishes a dedicated data protection authority charged with enforcing privacy rights, the California Privacy Protection Agency (CPPA).

California

Statutes and Laws

CAL. HEALTH & SAFETY CODE § 1280.15

Unlawful or unauthorized access to, and use or disclosure of, patient's medical information

CAL. CIV. CODE §§ 1798.100 – 1798.199

California Consumer Privacy Act of 2018

CAL. CIV. CODE § 1798.81

Disposal of records

CAL. CIV. CODE § 1798.81.5

Data protection

CAL. CIV. CODE § 1798.82

Disclosure of a breach of the security of the system

CAL. CIV. CODE § 1798.83

Disclosure of personal information to third parties

CAL. CIV. CODE § 1798.84

Enforcement and penalties

California has issued a handbook for state record retention. It can be found at https://archives.cdn.sos.ca.gov/pdf/calrim-records-retention-handbook.pdf