Data Breach Notification Statutes – California

Last Updated: 02/28/2024

  • Applicable Statute: Cal. Civ. Code §§ 1798.81.5, 1798.82
  • Attorney General Notice Required: Yes – Notify Attorney General if more than 500 California residents notified.
    Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) [agency] and California Civ. Code s. 1798.82(f) [person or business].)
  • Consumer Notice Requirements:
    • Timing: Most expedient time possible and without unreasonable delay in accordance with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system.
    • Content: The security breach notification must be written in plain language, use at least 10-point font, and be titled “Notice of Data Breach.” Must present the information under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”
    • Notice must include, at a minimum:
      • Name and contact information of the subject entity;
      • The types of personal information affected;
      • If available at the time of notice: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred;
      • Date of the notice;
      • Whether notification was delayed as a result of a law enforcement investigation;
      • A general description of the breach incident, if available at the time of notice;
      • If Social Security numbers, driver’s license numbers, or California identification card numbers were exposed, the toll-free telephone numbers and addresses of the major consumer reporting agencies must be provided;
      • If identity theft prevention and mitigation services are offered, they must be provided at no cost for not less than 12 months, and notice must contain all information necessary to take advantage of the offer.
    • Format: Must be designed to call attention to the nature and significance of the information; the title and headings must be clearly and conspicuously displayed; and use at least 10-point font.
    • Method: Written notice, or electronic notice if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. If the breach affects only a user name or email address, in combination with a password or security question and answer that would permit access to an online account, and no other personal information, the subject entity can provide notice in electronic or other form directing the resident to change his or her password or security question or answer, or take other steps to protect the account and other applicable accounts. Such notice of compromised email credentials cannot be made to the affected email address.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, Klinedinst PC or its attorneys. Content included on this site is subject to change and users should note the date of last update when reviewing such contents. The content is provided "as is;" no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in several such states and visitors of this website are put on notice that neither Klinedinst PC, nor its attorneys, are providing or will provide legal advice for states where its attorneys are not licensed.
