CCPA Security FAQs: Do businesses have to report data breaches to the state of California?

September 10, 2019


While the CCPA does not require that companies report data breaches to the state of California, California’s data breach notification statute, enacted in 2003, requires that some data breaches that involve certain sensitive categories of information, such as Social Security numbers, driver’s license numbers, financial account numbers, medical information, or health insurance information, be reported to the California Attorney General if information of more than 500 California residents is impacted.1

For more information and resources about the CCPA visit

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Civil Code § 1798.82(f).