California Data Breach Notification Law for Online Businesses

An online business is essentially a processor and holder of user data. There are legal duties attached to this data in California, particularly when a data breach occurs, so let’s take a look at them.

California Data Breach and Security Notification Law

Non-California Businesses

Does this law apply only to online businesses based in California? No. This data breach law applies to any person or company that:

  • Conducts business in California; and
  • Owns or licenses computerized data that includes the personal information of California residents.

[Cal. Civ. Code §1798.82(a).]

Any online business with a user in California is “conducting” business in the state. Given it is the rare site without a user from California, nearly every company must comply with the law.

Data and Security Breaches

What exactly are we talking about here with data and security breaches? A number of different things including, but not limited to:

  • Unintended disclosures,
  • Hacked data,
  • Data disclosed via malware,
  • Insider thefts,
  • Payment card fraud,
  • Physical loss such as losing a laptop with data,
  • Loss of portable data devices containing the data,
  • Loss of stationary devices such as the theft of a server, and
  • Uncategorized losses where data is being disclosed.

If this appears to be a broad list, it is. Unlike with federal law, California includes the right to privacy expressly in the state constitution and takes the notion very seriously. In fact, there have been over 3,800 data breaches reported under this law since 2005 with over 600 million individual records reported released due to breaches.

Personal Information

The law limits the disclosure requirements to particular types of data. This information includes:

  • An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  • Social Security number;
  • Driver’s license number or California identification card number;
  • Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  • Medical information; or
  • Health insurance information.

Giving Notice

A company suffering a data breach must give notice to those California residents impacted by the failure. The notice can come in different forms, but usually should be reduced to a written communication. Phone calls and email communications are insufficient to satisfy the requirements of the law.

Any online business will have users located in other areas of the country and abroad. In such cases, the website operator should seek legal counsel to determine the requirements of each location. A compliance program can then be instituted to facilitate the notice disclosures.


When must the notice of data breach be given? The basic rule requires it to be given without undue delay and in as expedient a time as possible. What this means exactly depends on the situation in question. What is clear, however, is that a company can delay the disclosure if law enforcement asks for the delay as part of a criminal investigation.

Information Provided

What information must the online business provide in its disclosure? The answer again depends on the nature of the data breach and the characteristics of the company. In general, the information may include:

  • The name and contact information of the reporting person or business;
  • A list of the types of personal information that are known or reasonably believed to be the subject of a breach of security;
  • The date or estimated date of the breach or the range of dates within which the breach might have occurred;
  • Whether the notification was delayed as a result of a law enforcement investigation;
  • A general description of the incident, if such information is known at the time of the distribution of the notice; and
  • The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a Social Security number, a driver’s license, or state identification card number.

Notification to State Attorney General

In certain situations, a website operator must notify the California State Attorney General of the breach in question. Contact me to learn more about the current requirements in this area.


Privacy is a very serious topic in California and website operators should realize as much. To minimize the pain of a future breach, plan for it now by creating a concrete procedure for complying with the data breach law. Contact me today to put such a plan in place to minimize your risk.

Richard A. Chapo, Esq.