California Modifies its Data Privacy Incident Reporting Regulation

In 2002, California led the way in implementing a data security breach notification law, a regulation requiring any individual or business managing computerized data containing Californians' personal information to declare any security breach upon its detection or when informed about it...

In a move to protect the privacy of California residents, a new law has been introduced that requires businesses to notify affected individuals promptly and transparently in the event of a data breach. The law, California Civil Code section 1798.29(a), applies to data breaches involving personal information, such as unencrypted consumer data that combines a name with a Social Security number, driver's license number, or financial account information.

The law requires businesses to disclose any data breach "in the most expedient time possible and without unreasonable delay," consistent with the legitimate needs of law enforcement or measures necessary to determine the breach's scope.

The key points of the breach notification under s. 1798.29(a) include:

  1. Scope: The law applies to data breaches involving personal information.
  2. Timing: Notification must be made as soon as possible, without unreasonable delay after discovering the breach, unless a law enforcement agency directs a delay to avoid interfering with a criminal investigation.
  3. Method: Notification to California residents can be made by written notice, electronic notice (if consented), or substitute forms of notice if certain criteria are met.
  4. Information to Provide: The notice must describe the nature of the breach, types of information compromised, the date or approximate date of the breach, steps consumers can take to protect themselves, and contact information for the business.

This law is part of California’s broader consumer privacy protections, which also include the California Consumer Privacy Act (CCPA) and related regulations that impose further data security and transparency requirements on businesses handling personal information.

Meanwhile, the European Union has enacted the General Data Protection Regulation (GDPR), a comprehensive data protection law that applies to companies based outside the EU if they offer goods or services to, or monitor the behavior of, individuals within the EU. The GDPR requires companies to obtain explicit consent from individuals before collecting and processing their personal data. Companies found non-compliant with GDPR may face significant fines.

The GDPR gives individuals within the EU greater control over their personal data. It grants individuals the right to access, correct, or erase their personal data, as well as the right to data portability, allowing them to easily transfer their data from one service provider to another. The GDPR aims to strengthen and unify data protection for all individuals within the EU.

In summary, California's Civil Code s. 1798.29(a) requires businesses to notify affected California residents promptly and transparently after a data breach involving their personal information, barring law enforcement-related delays. The GDPR, enacted by the European Union, requires companies to obtain explicit consent from individuals before collecting and processing their personal data, giving individuals greater control over their data and imposing significant fines for non-compliance.

The new law in California requires businesses to disclose any data breach involving personal information, such as finance- or technology-related details, in the most expedient time possible and without unreasonable delay. Compliance with the General Data Protection Regulation (GDPR) in the European Union, on the other hand, requires companies to obtain explicit consent before collecting and processing personal data, which may include industry-related details like financial information.
