
California Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do

A comprehensive guide to California's data privacy and cybersecurity laws including CCPA, CPRA, CalOPPA, and breach notification requirements under Civil Code §1798.82. Learn what your business must do to stay compliant.

California has the most comprehensive and layered data privacy regulatory framework of any U.S. state. Between the California Consumer Privacy Act, its CPRA amendments, the state's pioneering breach notification statute, CalOPPA, and sector-specific rules for healthcare and financial data, businesses operating in California face compliance obligations that rival those of the European GDPR. The regulatory complexity is compounded by active enforcement from the California Attorney General and the newly established California Privacy Protection Agency.

For businesses of all sizes, understanding which California laws apply to your operations — and exactly what each statute requires — is the difference between defensible compliance and regulatory exposure. This guide walks through every major California cybersecurity and privacy law, the specific requirements each imposes, and the practical steps businesses must take to meet their obligations. For context on what happens when these protections fail, see our timeline of California data breaches.

California's Data Privacy & Cybersecurity Laws

California's privacy framework consists of several interlocking statutes, each addressing different aspects of data protection. Understanding the scope of each law is essential for determining your compliance obligations.

California Consumer Privacy Act (CCPA) — Civil Code §1798.100 et seq.

Enacted in 2018 and effective January 1, 2020, the CCPA grants California consumers the right to know what personal information businesses collect about them, the right to delete that information, the right to opt out of the sale of their data, and the right to non-discrimination for exercising these rights. The CCPA applies to for-profit businesses that collect California consumers' personal information and meet at least one threshold: annual gross revenue over $25 million, buying or selling personal information of 100,000 or more consumers or households, or deriving 50 percent or more of annual revenue from selling consumers' personal information.

California Privacy Rights Act (CPRA) — Effective January 2023

The CPRA amended and expanded the CCPA significantly. Key additions include the right to correct inaccurate personal information, the right to limit the use of sensitive personal information, expanded definitions covering geolocation and union membership data, mandatory data minimization requirements, and the creation of the California Privacy Protection Agency (CPPA) as a dedicated enforcement body. The CPRA also introduced the concept of "contractors" alongside service providers, creating more granular categories for third-party data sharing agreements.

California Online Privacy Protection Act (CalOPPA)

CalOPPA, originally enacted in 2003 and codified in Business & Professions Code §22575–22579, was the first state law in the U.S. requiring commercial websites and online services to post a privacy policy. It requires operators to conspicuously post a policy identifying the categories of personal information collected, third parties with whom data is shared, the process for users to review and request changes to their data, and the effective date of the policy. CalOPPA applies to any website or online service that collects personally identifiable information from California consumers, regardless of where the operator is located.

California Consumer Records Act — Civil Code §1798.81.5

This statute requires businesses that own, license, or maintain personal information about California residents to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Critically, the California Attorney General's office has interpreted "reasonable security" by reference to the Center for Internet Security's Critical Security Controls, providing a practical benchmark for compliance.

Confidentiality of Medical Information Act (CMIA) — Civil Code §56 et seq.

The CMIA provides protections for medical information that in some respects exceed federal HIPAA requirements. It applies to healthcare providers, health plans, pharmaceutical companies, and contractors that handle medical information. The CMIA requires patient authorization for most disclosures, imposes strict limits on employer access to medical records, and provides a private right of action with statutory damages of $1,000 per violation plus actual damages and attorney fees.

Data Breach Notification Requirements

California's breach notification statute — Civil Code §1798.82 — was the first of its kind in the nation when enacted in 2003. It has since been amended to expand the definition of personal information and strengthen notification requirements.

Who Must Notify

Any person or business that conducts business in California and owns or licenses computerized data that includes personal information must notify affected California residents following a breach. This obligation extends to government agencies under Civil Code §1798.29.

What Triggers Notification

Notification is required when unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Personal information under the statute includes Social Security numbers, driver's license numbers, financial account numbers with access codes, medical information, health insurance information, biometric data, and login credentials paired with security questions and answers.

Notification Timing and Method

Notification must be made in the most expedient time possible and without unreasonable delay, consistent with any law enforcement investigation. When a breach affects more than 500 California residents, the organization must electronically submit a sample copy of the notification to the California Attorney General no later than 72 hours after discovery of the breach. Individual notifications may be delivered by written notice, electronic notice (if consistent with the E-SIGN Act), or substitute notice if the cost exceeds $250,000 or the number of affected individuals exceeds 500,000.

Industry-Specific Compliance

Beyond California's general privacy and security statutes, businesses in certain sectors face additional compliance layers that interact with state law.

Healthcare — HIPAA and CMIA

California's healthcare sector — the largest in the nation — must comply with both federal HIPAA regulations and the state CMIA. Where the two conflict, the more protective standard applies, which in California often means the CMIA. Healthcare organizations must implement HIPAA's administrative, physical, and technical safeguards while also meeting CMIA's stricter consent and disclosure requirements. Given the volume of healthcare breaches in California, organizations in this sector should consider specialized managed IT services for healthcare that address both federal and state requirements.

Technology Companies — CCPA Unique Requirements

Tech companies face unique CCPA/CPRA challenges because their business models often revolve around collecting, processing, and monetizing consumer data. SaaS companies must implement data mapping to identify every category of personal information they process, honor opt-out requests across complex data pipelines, and maintain service provider agreements with every downstream processor. The CPRA's data minimization requirements are particularly significant for tech companies accustomed to collecting data speculatively.

Financial Services — CCPA and GLBA Intersection

Financial institutions in California navigate the intersection of the CCPA, the federal Gramm-Leach-Bliley Act (GLBA), and the California Financial Information Privacy Act. While the CCPA partially exempts data covered by GLBA, the exemption is narrow and does not cover all data financial institutions hold. PCI-DSS compliance is additionally required for any entity that processes, stores, or transmits credit card data.

Websites and Online Services — CalOPPA

Any business with a website that collects personal information from California users must comply with CalOPPA's privacy policy requirements. This is particularly relevant for e-commerce companies, SaaS platforms, and mobile app developers. Non-compliance can result in enforcement action by the California Attorney General, with penalties of up to $2,500 per violation.

California Compliance Checklist

The following checklist covers the core compliance requirements across California's major privacy and cybersecurity statutes. Use it as a starting framework, then tailor it to your specific industry and data practices.

  • Conduct a comprehensive data inventory: Map every category of personal information you collect, the sources, purposes, third parties with whom it is shared, and retention periods — this is the foundation for CCPA/CPRA compliance

  • Implement reasonable security measures: Align your security program with the CIS Critical Security Controls, which the California AG has cited as the benchmark for "reasonable security" under §1798.81.5

  • Update your privacy policy: Ensure your privacy policy meets both CalOPPA and CCPA/CPRA requirements, including disclosures about data categories, purposes, consumer rights, and the categories of third parties receiving data

  • Build consumer rights infrastructure: Implement verified processes for handling access, deletion, correction, and opt-out requests within the 45-day response window required by CCPA/CPRA

  • Execute data processing agreements: Ensure contracts with all service providers and contractors include CCPA-compliant terms restricting their use of personal information to the specified business purpose

  • Establish a breach response plan: Document procedures for breach detection, containment, investigation, notification to individuals, and notification to the California AG within 72 hours when 500+ residents are affected

  • Train your workforce: California law requires that employees handling personal information receive training on privacy obligations — document this training for compliance records

  • Implement data minimization: Under CPRA, limit collection and retention of personal information to what is reasonably necessary and proportionate to the disclosed purpose

  • Conduct annual risk assessments: The CPRA requires businesses engaged in processing that presents significant risk to consumer privacy to conduct regular cybersecurity audits and risk assessments

  • Monitor regulatory updates: The CPPA continues to issue new regulations implementing the CPRA — assign responsibility for tracking and incorporating regulatory changes into your compliance program

How California Businesses Stay Compliant

Maintaining compliance across California's privacy framework requires ongoing operational commitment, not just a one-time policy update.

Risk Assessments and Gap Analysis

Start with a formal risk assessment that maps your current security and privacy practices against each applicable statute. Identify gaps between your current state and compliance requirements, prioritize remediation based on risk severity, and establish a timeline for implementation. Many organizations find that working with managed IT service providers provides the technical expertise needed to conduct thorough assessments without hiring specialized compliance staff.

CCPA Data Mapping

Data mapping is the single most important CCPA/CPRA compliance activity. You cannot honor consumer rights requests or maintain accurate privacy disclosures without a current, comprehensive inventory of your data flows. Document every system that stores personal information, every third party that receives it, every purpose for which it is processed, and every retention schedule that applies. Revisit this mapping quarterly as business processes change.

Security Program Development

California's Consumer Records Act explicitly ties liability to the reasonableness of your security program. Building a defensible program means implementing the CIS Critical Security Controls at a level appropriate to your organization's size and the sensitivity of data you handle. For many California businesses, managed IT security services provide the most cost-effective path to meeting this standard, especially for organizations without dedicated security teams.

Employee Training Programs

Privacy and security awareness training should cover CCPA consumer rights handling procedures, phishing recognition, data classification, incident reporting protocols, and secure data handling practices. Training must be documented and refreshed at least annually. For small businesses managing limited IT resources, outsourced training programs can fill this gap efficiently.

Frequently Asked Questions

Does the CCPA apply to small businesses?

The CCPA applies to for-profit businesses that meet at least one of three thresholds: $25 million or more in annual gross revenue, buying or selling personal information of 100,000 or more consumers or households, or deriving 50 percent or more of annual revenue from selling personal information. If your business does not meet any threshold, the CCPA's consumer rights provisions do not apply — but the breach notification law and the Consumer Records Act's reasonable security requirement still apply to every business handling California residents' data.

What is the difference between CCPA and CPRA?

The CPRA is not a separate law — it amended the CCPA. The CPRA added new consumer rights (correction, limitation of sensitive data use), introduced data minimization requirements, created the California Privacy Protection Agency as a dedicated enforcement body, expanded the definition of personal information, and established requirements for cybersecurity audits and risk assessments. All CPRA amendments are now part of the CCPA as codified in Civil Code §1798.100 et seq.

What are the penalties for CCPA violations?

The California Attorney General and the CPPA can impose administrative fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Additionally, consumers have a private right of action for data breaches resulting from a business's failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Class-action lawsuits under this provision can result in significant aggregate liability.

How does California law interact with HIPAA?

HIPAA preempts state law only when the state law is less protective. Since the CMIA is more protective than HIPAA in several respects — including stricter consent requirements and a private right of action — California healthcare entities must comply with both. The CCPA partially exempts medical information governed by CMIA and health information covered by HIPAA, but this exemption applies to the information itself, not the entity, meaning healthcare companies may still have CCPA obligations for non-medical data they collect.

Do out-of-state companies need to comply with California privacy laws?

Yes. The CCPA applies to any for-profit entity that does business in California and meets the applicable thresholds, regardless of physical location. Similarly, the breach notification law applies to any business that owns or licenses data of California residents. If your website is accessible to California consumers and you collect their personal information, California law likely applies to your operations. Given California's evolving cyber threat landscape, compliance is both a legal obligation and a practical risk management strategy.

Alex Morgan

Updated Apr 4, 2026 · 10 min read