California Amends Its Data Privacy Breach Notification Regulations
The General Data Protection Regulation (GDPR), enacted by the European Union in May 2018, has significant implications for U.S. companies, particularly those offering goods or services to, or monitoring the behaviour of, individuals within the EU. This comprehensive data protection law applies to a wide range of businesses, including social media platforms and email services.
One of the key principles of GDPR is transparency, which extends to data breach notifications. U.S. companies must disclose any security breach to affected individuals in the most expedient time possible and without unreasonable delay.
California, a state in the U.S., also has stringent data breach notification laws. Under California Civil Code Section 1798.29(a), a business must notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person as a result of a data breach.
The key requirements for data breach notifications in California include:
- Timely Notification: The business must disclose the breach in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or measures necessary to determine the scope of the breach and restore data integrity.
- Affected Individuals: Notification must be provided to any California resident whose unencrypted personal information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person.
- Content of Notification: The notice must include a description of the incident, the types of personal information involved, and recommended steps the consumer can take to protect themselves. The notification should also include toll-free numbers and addresses of the major credit reporting agencies.
- Method of Notification: Notice is generally provided in writing, which may include notice by mail or by email if the business has obtained the consumer’s consent to electronic communication. Substitute notice is allowed where there is insufficient contact information or the cost of notice would exceed $250,000; substitute notice consists of email notice (if available), conspicuous posting on the website, and notification to statewide media.
- Reporting to the Attorney General: If a breach affects more than 500 California residents, the business must submit a sample copy of the breach notice (and potentially other information) to the California Attorney General within 10 business days after the breach notification is sent to consumers.
- Compliance with Related Laws: The business must ensure that any notification complies with related privacy laws such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which have introduced more stringent data protection and breach liability standards, as well as possible statutory damages for non-compliance.
In summary, the disclosure process requires timely and clear notification to affected individuals, specifying what data may have been compromised and measures to mitigate harm, with an escalation to state authorities if the breach is large. Compliance is critical given recent enhancements to California’s privacy laws that increase both regulatory oversight and potential legal liability for data breaches.
U.S. companies must also comply with GDPR, which imposes stringent compliance requirements, including the appointment of a Data Protection Officer (DPO) under certain circumstances, and the implementation of appropriate technical and organizational measures to ensure the security of personal data. Non-compliance with GDPR can result in hefty fines.
- The principles of transparency in GDPR extend beyond data breach notifications; they also apply to the finance industry, requiring U.S. companies to disclose any breach of financial information to affected individuals in a timely manner.
- Given the stringent regulations in both the EU and California, technology companies need to prioritize data security and staff education, ensuring compliance with laws such as GDPR and the California data breach notification laws.
- General news outlets should report on the implications of data breaches in the business sector, highlighting not only the specific breach incident but also the recommended steps for affected individuals to protect themselves, as required by the California Civil Code.