
California data breach notification law

California's data breach notification requirements under Cal. Civ. Code §§1798.29 (state agencies), 1798.82 (businesses), 1798.84 (private action). Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
Cal. Civ. Code §§1798.29, 1798.82, 1798.84
Enforcer
California Attorney General + California Privacy Protection Agency (CPPA)
AG notification
Required
Private right of action
Yes — residents can sue

Notification deadlines

Notify affected residents
In the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore reasonable system integrity
Notify the state regulator
Yes — if more than 500 California residents are affected, electronically submit a copy of the security breach notification to the AG's online portal
Notify consumer reporting agencies
Yes — if more than 500 residents are notified and an SSN or driver's license number was breached, notify the three nationwide CRAs

When is notification required?

Trigger / harm threshold
California is a 'no-harm-threshold' state — notification is REQUIRED whenever covered PI is acquired by an unauthorized person, regardless of likelihood of harm
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under California law

First name/initial + last name with SSN, DL/CA ID, financial account + access code, medical info, health-insurance info, biometric data, geolocation, tax ID, passport number, military ID, unique electronic identifier, or genetic data; PLUS username/email + password or security Q&A granting account access (1798.82(d)(2))

Penalties and enforcement

CCPA enforcement: up to $2,500 per unintentional violation and $7,500 per intentional violation. §1798.84 private right of action: $100–$750 per consumer per incident or actual damages, whichever is greater
Enforced by: California Attorney General + California Privacy Protection Agency (CPPA).

Common pitfalls

California is NO-HARM-THRESHOLD — counsel accustomed to other states' harm-threshold rules often default to 'no harm = no notice'; that reasoning is wrong for California
If notifying more than 500 residents, you MUST also submit the notice to the AG's portal — failure to file is an enforcement hook in its own right, separate from the underlying breach
Statutory private right of action means class-action plaintiffs frequently sue under §1798.150 (CCPA) even before regulators act

Frequently asked questions

How long do I have to notify California residents after a data breach?
In the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore reasonable system integrity
Do I have to notify the California Attorney General?
Yes — if more than 500 California residents are affected, electronically submit a copy of the security breach notification to the AG's online portal
Does California require notification to nationwide consumer reporting agencies?
Yes — if more than 500 residents are notified and an SSN or driver's license number was breached, notify the three nationwide CRAs
Is encrypted data exempt from California's breach notification requirement?
Yes — California has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can California residents sue me directly for a data breach?
Yes — California allows a private right of action. Affected residents may sue for actual damages and, in some cases, statutory damages or attorneys' fees. Class actions are common.
What counts as 'personal information' under California law?
First name/initial + last name with SSN, DL/CA ID, financial account + access code, medical info, health-insurance info, biometric data, geolocation, tax ID, passport number, military ID, unique electronic identifier, or genetic data; PLUS username/email + password or security Q&A granting account access (1798.82(d)(2))
What are the penalties for failing to comply with California's breach notification law?
CCPA enforcement: up to $2,500 per unintentional violation and $7,500 per intentional violation. §1798.84 private right of action: $100–$750 per consumer per incident or actual damages, whichever is greater

Related state breach laws

Arizona (AZ)
Ariz. Rev. Stat. §18-552
Arkansas (AR)
Ark. Code §§4-110-101 to 4-110-108
Colorado (CO)
Colo. Rev. Stat. §6-1-716
Connecticut (CT)
Conn. Gen. Stat. §36a-701b
