California

Data Breach Notification Statute

Highlights

Covered Entities: Persons or businesses that conduct business in California, and agencies, that own or license computerized data that includes personal information.

Consumer Notification: Notification must be provided to any California resident whose “unencrypted personal information was, or is reasonably believed to have been, acquired” without authorization.

Regulatory Notification: Notification must be provided to the California Attorney General where “more than 500 California residents” are required to be notified of a breach.

Notification Timeline: Notification must be provided “in the most expedient time possible and without unreasonable delay …”

Data Format: Electronic.

Citations: Cal. Civ. Code §§ 1798.29, 1798.82, 1798.150, 1798.84.

More Details

Definitions:

  • Breach: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
  • Personal Information (PI):
    • An individual’s first name / first initial and last name in combination with one or more of the following data elements:
      • Social Security number;
      • Driver’s license number or California identification card number;
      • Tax identification number, passport number, military identification number, or other unique, government-issued identification number used to verify identity;
      • Financial account or payment card number plus a security code, access code, or password that would permit access thereto;
      • Medical / health insurance information;
      • Unique biometric data;
      • Information collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5; or
      • Genetic data.
    • A username / email address in combination with a password or security question and answer that would permit access to an online account.
  • Medical Information: Information regarding medical history, mental or physical condition, or medical treatment or diagnosis.
  • Health Insurance Information: Health insurance policy number or subscriber identification number, unique identifier used by a health insurer to identify an individual, or information in an individual’s application and claims history. 

Safe Harbors:

  • Encryption: Notification is not required where the potentially impacted PI was encrypted, so long as the encryption key or security credential was not also acquired thereby rendering the PI readable / usable.
  • Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, for the purposes of the relevant person, business, or agency.
  • Risk of Harm: N/A
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

Direct Notice:

  • Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the integrity of the system.
  • Format: Notification letters must be titled “Notice of Data Breach,” written in plain language, and printed in no smaller than 10-point font. Notification letters must clearly and conspicuously include the following headings:
    • “What Happened”
    • “What Information Was Involved”
    • “What We Are Doing”
    • “What You Can Do”
    • “For More Information”
  • Content: Notification letters must include, at a minimum, the following (if available):
    • Name and contact information for the reporting entity;
    • Types of PI that were, or are reasonably believed to have been, impacted;
    • Estimated date / date range of the breach and date of notification;
    • Whether notification was delayed for a law enforcement investigation;
    • A general description of the breach incident;
    • Toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a Social Security number, driver’s license number, or California identification card number;
  • Method: Notification letters must be provided in written form, or electronically if consistent with the provisions regarding electronic records and signatures in 15 U.S. Code § 7001.

Substitute Notice:

An entity may provide substitute notice if (1) the cost of direct notice would exceed $250,000, (2) the notification population exceeds 500,000, or (3) the entity does not have sufficient contact information. It must include: (1) email notice, where an email address is available; (2) conspicuous posting, for at least 30 days, on the entity’s webpage; and (3) notice to statewide media. 

Remediation Services:

If the breach impacted Social Security numbers, driver’s license numbers, or California identification card numbers, the entity must offer to provide identity theft protection and mitigation services at no cost to the affected persons for at least 12 months. 

Regulatory Notice:

Notification must be provided to the California Attorney General where “more than 500 California residents” are required to be notified. 

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

A person, business, or agency that maintains computerized data including PI that the person, business, or agency does not own must notify the owner or licensee of the PI of a “breach” immediately following discovery. 

HIPAA:

A “covered entity” for purposes of the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to have complied with relevant notice content requirements if it has complied with Section 13402(f) of the Health Information Technology for Economic and Clinical Health Act.

Private Action:

A consumer whose PI is subject to “unauthorized access and exfiltration, theft, or disclosure” due to an entity’s failure to implement and maintain reasonable security practices and procedures may institute a civil action.

Associated Regulations:

  • Information Security Standards (Cal. Civ. Code §§ 1798.81, 1798.81.5);
  • Cal. Consumer Privacy Act (Cal. Civ. Code §§ 1798.100-1798.194)

Health and Safety Code

California - Health & Safety Code

Highlights

Covered Entities: A clinic, health facility, home health agency, or hospice licensed pursuant to Cal. Health & Safety Code Section 1204, 1250, 1725, or 1745.

Consumer Notification: A clinic, health facility, home health agency, or hospice shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or the patient’s representative no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected.

Regulatory Notification: Notification must be provided to the California Department of Public Health no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected.

Notification Timeline: Notification must be made no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected.

Data Format: Electronic or paper.

Citations: Cal. Health & Safety Code § 1280.15.

More Details

Definitions:

  • Breach: Unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information.
  • Personal Information (PI): N/A.
  • Medical Information: Any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment.
    • "Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity.
  • Health Insurance Information: N/A.

Safe Harbors:

  • Encryption: N/A.
  • Good Faith: Internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute unauthorized access to, or use or disclosure of, a patient’s medical information.
  • Risk of Harm: N/A.
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements would likely impede the law enforcement agency’s investigation that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made.

Direct Notice:

  • Timing: Notification must be made no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected.
  • Format: N/A.
  • Content: N/A.
  • Method: To the affected patient or the patient’s representative at the last known address, or by an alternative means or at an alternative location as specified by the patient or the patient’s representative in writing pursuant to Section 164.522(b) of Title 45 of the Code of Federal Regulations. Notice may be provided by email only if the patient has previously agreed in writing to electronic notice by email.

Substitute Notice:

N/A

Remediation Services:

N/A

Regulatory Notice:

A clinic, health facility, home health agency, or hospice shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the California Department of Public Health no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

N/A

HIPAA:

N/A

Private Action:

N/A

Associated Regulations:

N/A

Comprehensive Data Privacy Law

California Consumer Privacy Act of 2018 (CCPA)

[As amended by California Privacy Rights Act of 2020]

Cal. Civ. Code 2018 TITLE 1.81.5. [1798.100 - 1798.199.100]

Highlights

Applicability:

A for-profit entity that: (1) conducts business in California; (2) controls or processes personal information of consumers residing in California; and (3) satisfies one or more of the following thresholds:

  • Has an annual gross revenue in excess of twenty-five million dollars ($25,000,000); or
  • Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more California consumers; or
  • Derives fifty percent (50%) or more of its annual revenue from selling or sharing consumers’ personal information.

However, certain categories of information are excluded from the scope of the Act. Among other exclusions, the Act excludes: medical information and providers of health care governed by the California Confidentiality of Medical Information Act; protected health information collected by a covered entity under the privacy, security, and breach notification rules under HIPAA and HITECH; information collected as part of a research study subject to the Federal Policy for the Protection of Human Subjects; information subject to the Fair Credit Reporting Act, the federal Gramm-Leach-Bliley Act, or the Driver’s Privacy Protection Act; warranty and recall information subject to the Vehicle Code; and certain education information subject to the Education Code. The Act further excludes providers of health care governed by the Confidentiality of Medical Information Act, and non-profits.

Business Obligations:

  • Comply with the obligations of transparency with respect to its privacy practices informing the consumers at or before the collection of information of the categories of personal information collected, the purpose for the collection, and whether such information is sold or shared. Further, if collecting sensitive personal information, a Business must inform the consumer of the categories of sensitive personal information collected, purpose of collection and whether such information is sold or shared.
  • Inform the consumer of the length of the time it intends to retain each category of information including sensitive personal information or the criteria used to determine such retention, and as such maintain internal policies or procedures to define such retention periods.
  • Only collect personal information that is reasonably necessary and proportionate to achieve the purpose for which the information was collected.
  • Execute contractual agreements with service providers and/or third parties that clearly outline the obligations of the third-party or service provider as required by law.
  • Display the required information regarding its privacy practices prominently and conspicuously on its website by means of a website privacy policy and other disclosures including outlining the individual rights.
  • Implement reasonable security procedures and practices commensurate with the nature of the personal information so as to protect the information from unauthorized or illegal access, destruction, use, modification or disclosure.
  • Comply with individual data subject requests in a timely and efficient manner free of charge, within 45 days from the receipt of a request (which may be extended to an additional 45 days when reasonably necessary).
  • Provide consumers with two or more means of exercising certain data subject rights, including at minimum a toll-free number (unless the business operates exclusively online and has a direct relationship with the consumer) and, if the business operates online, a means of submitting requests through its website.
  • If the Business sells/shares personal information and/or uses and discloses sensitive personal information other than for the permitted purposes, provide consumers with two or more designated methods for submitting requests to opt out of the sale/sharing of personal information and/or requests to limit the use and disclosure of sensitive personal information.
  • Conduct annual cybersecurity audits when processing certain personal information presents a heightened risk.
  • Perform an assessment of the business’s current data privacy notices, if they exist, and identify which types of personal information are being collected and determine how they are being collected and used.

Consumer Rights:

Businesses must respond without undue delay and within 45 days to verified consumer requests regarding the processing of personal information and sensitive personal information, subject to certain exceptions, including consumers':

  • Right to request deletion of personal information;
  • Right to correct inaccurate personal information;
  • Right to know and access personal information being collected;
  • Right to obtain personal information in a format that is generally portable, readily usable, and transmittable;
  • Right to know what personal information is sold or shared and to whom;
  • Right to opt out of the sales or sharing of Personal Information;
  • Right to limit the use and disclosure of sensitive personal information;
  • Right to non-discrimination and no retaliation as a result of the decision to opt out or exercise of another right.

Security Breaches:

Businesses must take reasonable precautions to protect consumers’ personal information from security breaches and are accountable for any security breaches of consumer information they hold. A Business is required to notify consumers if their personal information has been subject to a security breach. A security breach that results in the compromise of consumer personal information may give rise to a private right of action, as further elaborated below.

More Details

Definitions:

  • Business: A legal entity that is organized or operated for profit, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and satisfies the required thresholds.
  • Consumer: A natural person who is a California resident and either acting in an individual or household context; as an employee, job applicant, or independent contractor; or an employee of a company or entity acting in a business capacity.
  • Cross Context Behavioral Advertising: The targeting of advertising to a consumer based on the consumer’s personal information obtained from their activity across businesses, websites, and services with which the consumer interacts.
  • Personal Information: Information that identifies, relates to, describes, or is capable of being associated with, or could be linked to or is reasonably linkable to, an identified or identifiable individual or household [1]. Personal information excludes de-identified aggregate consumer information and publicly available information (defined as information lawfully made available from federal, state, or local government records, and information that a business has a reasonable basis to believe the consumer has lawfully made available to the general public, but not including biometric information collected about the consumer without the consumer’s knowledge).
  • Sale of Personal Information: The exchange of personal information for monetary or other valuable consideration by the business to a third party. For example, the trade of personal information for analytics and the trade of personal information for an advertising option constitute a sale. The following are excluded from this definition: (i) a disclosure made upon a consumer’s direction for the business to disclose the personal information or interact with the third party; (ii) a business sharing an identifier for a consumer for purposes of alerting persons that the consumer has opted out of the sale or sharing of personal information or limited the use of the consumer’s sensitive personal information; (iii) a disclosure or transfer as an asset in a merger or other transaction in which the third party assumes control of all or part of the business; and (iv) disclosures made by a consumer to the general public via mass media.
  • Sensitive Personal Information: Personal information revealing: social security, driver’s license, state identification card or passport number; account log-in, financial account, credit or debit card in combination with access code; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; content of email or text messages; genetic data; biometric data; information concerning health; and sex life or sexual orientation.
  • Sharing Personal Information: Making available orally, in writing or by other means a consumer’s personal information to a third party for cross context behavioral advertising, whether or not for monetary or another valuable consideration.

Penalties:

Violations of the CCPA constitute an unfair trade practice and may be enforced by the California Attorney General or California Privacy Protection Agency. The maximum civil penalty for violations is $2,500 per violation or $7,500 for intentional violations involving personal information of consumers under 16 years of age.

Private Action:

Yes, an individual may institute a civil action if: (a) the individual’s nonencrypted and nonredacted personal information, as defined in Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure; and (b) the unauthorized access or disclosure is a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.

Associated Regulations:

  • California Consumer Privacy Act Regulations, 11 CCR §§ 7000 et seq.

California Privacy Protection Agency:

The California Privacy Rights Act (CPRA) amended the CCPA, including by establishing the California Privacy Protection Agency (CPPA). The CPPA’s responsibilities include implementing and enforcing the law and educating the public on consumers’ rights and businesses’ obligations under the law.

The CPPA is responsible for implementing and enforcing the CCPA as well as the Delete Act, which creates additional requirements unique to data brokers. To fulfill its duties, the Agency is authorized to adopt and amend regulations through the Administrative Procedures Act rulemaking process under both laws.

The CPPA has adopted six rulemaking documents for regulations: [2]

  • Data Broker Registration Fee Regulation (December 2024)
  • Data Broker Registration Regulations (December 2024)
  • Data Broker Registration Fee Regulation (January 2024)
  • California Consumer Privacy Act Regulations (March 2023)
  • Transfer of Rulemaking Authority & New Division for CPPA Regulations (April 2022)
  • Conflict of Interest Code Regulation (February 2022)

Effective Date:

January 1, 2023

Enforcement Date:

July 1, 2023

[1] Personal information may include one or more of the following: name, address, unique personal identifier, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers; commercial information; biometric information; internet or other electronic network activity information; geolocation data; audio, electronic, visual, thermal, olfactory, or similar information; employment-related information; education information; or inferences drawn from this information to create a profile about a consumer reflecting the consumer’s preferences.

[2] At the time of this update, the CPPA had voted unanimously on July 24, 2025 to finalize rules for CCPA Updates, Insurance, Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking Technology (ADMT) Regulations. Approval by California’s Office of Administrative Law (OAL) is pending.

Insurance Data Security Statute

Highlights

Covered Entities: Any insurance institution, agent, or insurance-support organization that:

  • In the case of life or disability insurance (1) collects, receives, or maintains information in connection with insurance transactions which pertain to California residents or (2) engages in insurance transactions with applicants, individuals, or policyholders who are California residents.
  • In the case of property or casualty insurance (1) collects, receives, or maintains information in connection with insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in California or (2) engages in insurance transactions involving policies, contracts, or certificates of insurance delivered, issued for delivery, or renewed in California.

This Act does not apply to title insurance or certain home protection companies.

Security Standard: N/A

Consumer Notification: Any insurer, insurance producer, or insurance support organization must comply with the California Data Breach Notification Statute (Cal. Civ. Code § 1798.82), as applicable.

Regulatory Notification: Any insurer, insurance producer, or insurance support organization must provide the Insurance Commissioner with any notices or information submitted to the Attorney General’s Office in accordance with Civil Code § 1798.82(f), as well as sample copies, excluding personal information, of any security breach notices provided to consumers. The Attorney General requires notice of any data breach that involves notification to 500 or more California consumers. Copies of notices or information should be sent to the following email: DataBreach@insurance.ca.gov

Notification Timeline: With respect to consumers, notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Civil Code § 1798.82(a).
There is no timeline for notification to the Insurance Commissioner.

Citations: Cal Ins. Code § 791 et seq.

More Details

Definitions:

  • Agent: Any person licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 5A (commencing with Section 1759), Chapter 6 (commencing with Section 1760), Chapter 7 (commencing with Section 1800), or Chapter 8 (commencing with Section 1831).
  • Insurance Institution: Any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance. “Insurance institution” shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act.
  • Insurance-Support Organization: Any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including either of the following:
    • The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction.
    • The collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation, or material nondisclosure in connection with insurance underwriting or insurance claim activity.
  • Insurance Transaction: Any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following:
    • The determination of an individual’s eligibility for an insurance coverage, benefit, or payment.
    • The servicing of an insurance application, policy, contract, or certificate.

Regulatory Notice:

Any insurer, insurance producer, or insurance support organization must provide the Insurance Commissioner with any notices or information submitted to the Attorney General’s Office in accordance with Civil Code § 1798.82(f), as well as sample copies, excluding personal information, of any security breach notices provided to consumers.
Copies of notices or information should be sent to the following email: DataBreach@insurance.ca.gov

Content Requirements:

When notifying the Insurance Commissioner, any insurer, insurance producer, or insurance support organization must provide all notices or information submitted to the Attorney General’s Office, as well as sample copies, excluding personal information, of any security breach notices provided to consumers. Cal. Civ. Code § 1798.82 provides specific content requirements for consumer notification.

Penalties:

If the Insurance Commissioner determines that an insurer has violated this section, the commissioner may, after appropriate notice and opportunity for hearing in accordance with the Administrative Procedure Act (Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code), by order, assess a civil penalty not to exceed five thousand dollars ($5,000) for each violation, or, if a violation was willful, a civil penalty not to exceed ten thousand dollars ($10,000) for each violation. The commissioner shall have the discretion to determine the acts or omissions that constitute a violation of this section.

Associated Regulations:

  • Civil Code § 1798.82

Information Security Standard

Highlights

Covered Entities: Any business (including a sole proprietorship, partnership, corporation, association, or other group), whether or not organized to operate at a profit, that owns, licenses, or maintains personal information about a California resident.

First Party Security Standard: A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Third Party Security Standard: A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to the requirements above shall require by contract that the third party implement and maintain reasonable security procedures and practices to protect the personal information.

Disposal/Destruction Standard: A business shall take reasonable steps to dispose, or arrange for the disposal, of customer records containing personal information when they are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.

Data Format: Electronic and physical.

Citations: Cal. Civ. Code §§ 1798.80, 1798.81, 1798.81.5

More Details

Definitions:

Personal Information (PI): An individual’s first name / first initial and last name in combination with one or more of the following data elements:

  • Social Security number;
  • Driver’s license number or California identification card number;
  • Tax identification number, passport number, military identification number, or other unique government-issued identification number used to verify identity;
  • Financial account or payment card number plus any required security code, access code, or password that would permit access to an individual’s financial account;
  • Medical information;
  • Health insurance information;
  • Unique biometric data; or
  • Genetic data.

PI also includes a username or email address in combination with a password or security question and answer that would permit access to an online account.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Methods of Compliance:

The statute does not define what constitutes reasonable security procedures and practices.

Exclusions:

  • Health Care: These requirements do not apply to providers of health care, health care service plans, or contractors regulated by the Confidentiality of Medical Information Act. These requirements similarly do not apply to HIPAA covered entities.
  • Financial: These requirements do not apply to financial institutions as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act.
  • Other: These requirements do not apply to a business regulated by state or federal law providing greater protection to personal information.

Enforcement/Penalties:

A California resident may bring a civil action for a violation of these requirements. A resident injured by a violation may recover damages.

Associated Regulations:

N/A
