US-California

What must a company do if my personal data is breached?

Notification deadline: 45 days
Max civil penalty per violation: $1,000
Notice to AG if >500 residents affected: 30 days
Credit monitoring required if SSN/ID exposed: 12 months

The Short Answer

If your personal data is breached, a company in California must notify you without unreasonable delay, generally within 45 days, and provide specific information about the breach, including what data was exposed and what the company is doing to fix it.

What the Law Says

California law imposes strict requirements on businesses that experience a breach of personal information. The key statute is the California Data Breach Notification Law, which defines what constitutes a breach, who must be notified, and when.

A 'breach of security' means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.

Personal information includes your first name or initial and last name combined with one or more of the following: Social Security number, driver’s license number, account number with access code, medical information, health insurance information, or unique biometric data.

If a breach occurs, the business must notify affected California residents 'in the most expedient time possible and without unreasonable delay,' but no later than 45 calendar days after discovering the breach — unless law enforcement determines notification will impede a criminal investigation.

The notice must include the name and contact information of the reporting business, a list of the types of personal information disclosed, the date or date range of the breach (if known), and contact information for major credit reporting agencies. If a Social Security number or driver’s license number was compromised, the business must also offer 12 months of free identity theft prevention and mitigation services.

Statutory Text

Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data…

Civil Code § 1798.82(a) — Notice of security breach

The notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement… and no later than 45 days after the discovery of a breach.

Civil Code § 1798.82(g) — Notice of security breach

If the person or business providing notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided to the person whose personal information was subject to the breach… for not less than 12 months.

Civil Code § 1798.82(i)(2) — Notice of security breach

What to Do

1. Check your notice for the type of data exposed (e.g., Social Security number, medical info).

2. If your SSN or driver’s license number was compromised, accept the free 12-month identity theft protection offered.

3. Place a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, TransUnion).

4. Monitor your bank and credit accounts closely for suspicious activity for at least 12 months.

5. Report identity theft to the FTC at IdentityTheft.gov and file a police report if needed.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.