Organizations must notify the Attorney General if a breach of security affects more than 500 California residents. A sample copy of the consumer notification (redacting personal information) must be provided to the Attorney General. If the breach involves Social Security numbers or other unique identification numbers (e.g., driver’s license, state issued, tax, passport, or military identification numbers), the business who is the source of the breach must offer identity theft prevention and mitigation services to each person affected by the breach at no cost for at least 12 months.

Organizations must send breach notification to all affected state residents without delay when their personal information is found to have been or reasonably believed to have been acquired by an unauthorized individual. In the event of a breach involving consumer biometric data, a business must provide consumers with instructions on notifying other entities who use the same biometric data to no longer rely on it for authentication purposes. If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

Organizations are prohibited from denying goods or services or charging different prices for or a different level of service to consumers who exercise their rights under the CCPA. Organizations must have a link on their website home page titled “DO NOT SELL MY PERSONAL INFORMATION” allowing consumers to opt-out of the sale of their personal information at any time.

Organizations must provide consumers with a minimum of two methods to submit data access requests, and must respond to verified data access requests within 45 days. Organizations operating exclusively online with a direct consumer relationship can receive data access requests by email or through their existing online account.

Under California’s Civil Code Customer Records section, “an entity that disposes of records” is included in the definition of “business”.

The Attorney General began enforcing provisions of the CCPA on July 1, 2020. Businesses and service providers must cure violations within 30 days of a notice of noncompliance. Enforcement includes civil actions for injunction and/or penalties up to $2,500 for each violation or $7,500 for each intentional violation. Consumers have a private right of action against a business that experiences a breach involving their personal information. Organizations may be fined or penalized for Vendor violations.

California passed a Genetic Information Privacy Act  (GIPA), effective January 1, 2022, applicable to direct-to-consumer genetic testing companies. The Act requires consumers receive notice and have the ability to revoke consent for the use, collection, or disclosure of the consumer’s genetic data.

A vendor discovering a breach or suspected breach must notify the organization. The organization is responsible for reporting to the regulator and consumer notification. A non-affiliated third party handling personal information on behalf of a business must be contracted and must implement and maintain reasonable data protection security procedures and practices.

California Privacy Rights Act (CPRA) which amends the California Consumer Privacy Act (CCPA), passed Nov. 3, 2020, and takes effect on January 1, 2023, creates an omnibus privacy regulation in California. CPRA creates a data protection authority agency charged with enforcing privacy rights known as the California Privacy Protection Agency (CPPA).