California State Data Privacy Laws
Data breaches can be devastating for affected individuals and their families. Breaches are not only a violation of privacy but also an exposure to potential identity theft, extortion, and other harmful practices. Because of this, California has several laws in place to protect consumers and give them legal avenues for recourse in the event of a breach.


What Makes California’s Privacy Laws Unique?
With its sizable population and influential tech sector, California has emerged as a national leader in digital privacy protection. State laws in California affect both residents and businesses operating in the state with the goal of protecting consumers’ personal information from being accessed by unauthorized parties. California’s privacy laws—particularly the California Consumer Privacy Act—outline a number of rights for residents that many other states do not.
Overview of California’s Data Privacy Laws
California law requires businesses and government agencies to notify all California residents whose unencrypted personal information was acquired by an unauthorized person. The three main laws that protect consumer privacy in California are the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the California Data Breach Notification Law.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act of 2018 gave California residents a host of new privacy rights to protect their personal information from being disclosed or accessed by unauthorized parties. These rights include:
- The right to know about the personal information a business collects from them and how it is used
- The right to delete personal information collected from them
- The right to opt out of the sale or sharing of their personal information
- The right to non-discrimination for exercising their CCPA rights
California Privacy Rights Act (CPRA)
The California Privacy Rights Act amended and expanded the CCPA by giving consumers several new privacy protections beginning in 2023. Under the CPRA, consumers now have the right to correct inaccurate personal information that a business has about them and to limit the use and disclosure of sensitive personal information collected about them.
California Data Breach Notification Law (Civil Code § 1798.82)
California’s civil code provides requirements for data breach notifications, requiring businesses in the state to disclose breaches of their security systems to affected residents “in the most expedient time possible.”
What Is Personal Information Under California Law?
Under California law, “personal information” includes both standard identifiers like Social Security numbers and driver’s license numbers and more modern data types like biometric information or geolocation data. The law also distinguishes between “personal information” and “sensitive personal information.”
- Personal information: full names, email addresses, purchase records, browsing history, general geolocation data, and fingerprints.
- Sensitive personal information: Social Security numbers, account logins, financial account information with passwords, precise geolocation, messaging contents, genetic data, biometric information, and health information.
When Must Companies Notify You of a Data Breach in California?
There is no set deadline for companies to notify consumers of most data breaches in California—under the law, the notification must be made “in the most expedient time possible.” If more than 500 California residents were affected by the breach, the company must notify the California Attorney General’s office and provide a sample copy of the notice.
A breach notice for consumers must include information on the data breach, including what information was affected, steps the company has taken to rectify the situation, contact information, and sometimes information on credit monitoring services. Some companies provide these services for free for a limited time after a breach occurs.
How To File a Complaint or Take Legal Action in California
If your California privacy rights have been violated by a data breach, your first action should be to change relevant passwords, enable two-factor authentication, and sign up for credit monitoring to ensure your identity is protected. You may then be able to take further action by filing a complaint with the California Privacy Protection Agency or joining a class action lawsuit against the company that was breached.
In order to file a lawsuit for a data breach in California, the personal information that was stolen must include your full name in combination with your Social Security number, other government identification numbers, financial account information, medical information, or biometric information. This information must have been stolen in a data breach as a direct result of the business’s failure to maintain reasonable security procedures and practices to protect it. By joining a class action lawsuit, you may be able to receive compensation for the harm you suffered with minimal time and effort.
Recent Data Breaches Impacting Californians
Blue Shield of California Breach
In February 2025, health insurer Blue Shield of California discovered a years-long data breach involving nearly five million people. The insurer notified consumers that between April 2021 and January 2024, certain protected health information had been shared with Google Ads via Google Analytics, potentially exposing names, insurance plan details, account numbers, and medical information. A class action lawsuit was filed against Blue Shield of California for the breach in April 2025.
Coinbase Inc. Breach
In January 2025, cryptocurrency exchange company Coinbase discovered that a customer data leak at an outsourcing company connected to a larger breach exposed the names, addresses, emails, and more of nearly 70,000 customers. The breach is estimated to have cost Coinbase up to $400 million, and affected consumers filed a class action lawsuit in California federal court in May.
iHeartMedia Breach
In December 2024, an unauthorized actor viewed and obtained files stored on systems at several local iHeartMedia stations. The data breached included names, Social Security numbers, other government identification numbers, birth dates, financial account information, payment card information, and health information. In May 2025, consumers filed a class action lawsuit against iHeartMedia in New York federal court, citing the four-month delay between the discovery of the breach and the notification of those affected.
The Hertz Corporation Breach
In fall 2024, The Hertz Corporation, a car rental company, experienced a breach in which an unauthorized third party acquired its data. Hertz notified consumers of the breach in February 2025 and has since been hit with three class action lawsuits in two states, each alleging that the company failed to protect customers’ personal information from a ransomware attack.
California Privacy Laws FAQs
Who Enforces Data Privacy Laws in California?
Do California Privacy Laws Apply to Businesses Outside the State?
California privacy laws only apply to out-of-state businesses if they process personal data of California residents and meet certain revenue or data thresholds.
Can I Sue a Company Under the CCPA or CPRA?
In limited cases, California consumers may be able to sue corporations for failing to protect their data from a breach. However, for broader violations of data breach laws, enforcement typically rests with the state.
Stay Informed and Take Control of Your Data
As a California resident, knowing your privacy rights under state law is critical. If you have been notified of a data breach, monitor alerts about the breach, take steps to protect your personal information, and reach out to Class Action U to learn more about your legal options. At Class Action U, we aim to simplify the process of joining class action lawsuits, connecting data breach victims with our legal partners who are ready to handle their cases. Justice starts with knowledge–contact us to learn your rights today.