| Requirement | Description |
|---|---|
| Subject Entities | Businesses that own, license, or maintain personal information about a California resident. "Own" and "license" include information retained as part of a customer account or for transactions with the person to whom the information relates. "Maintain" includes personal information that a business does not own or license. Does not apply to providers of health care, health care service plans, or contractors regulated by the Confidentiality of Medical Information Act; HIPAA covered entities; financial institutions regulated by the California Financial Information Privacy Act; or a business regulated by state or federal law that provides greater protection to personal information. |
| Security Standard | Must implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. A business that discloses personal information not owned, licensed, or maintained by the business about a California resident pursuant to a contract with a nonaffiliated third party shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. |
| Disposal/Destruction Standard | Must take all reasonable steps to dispose of, or arrange for the disposal of, customer records containing personal information. |
| Types of Data Covered | Electronic and physical. |
| Definitions | "Personal information" means: "Medical information" means any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional. "Health insurance information" means an individual's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. |
| Methods of Compliance | The statute does not define "reasonable security procedures and practices," but states that such procedures and practices must be appropriate to the nature of the information at issue. Compliance with the Massachusetts information security standard is recommended. If disclosing personal information pursuant to a contract with a nonaffiliated third party, the business must contractually require the third party to likewise implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Records containing personal information may be destroyed by shredding, erasing, or otherwise modifying them to make the personal information unreadable or undecipherable. |
| Enforcement | Individuals have a private right of action and may bring a civil action for violations. Violators may also be subject to additional rights and remedies available under law. Violations may be subject to injunctive relief. |
| Penalties | A resident injured by a violation may recover damages. |
Last updated: January 2024