California already has rules governing data breaches and breach notification in sections 80–84 of the California Civil Code,182 which deal with the maintenance of “customer records.”

Section 82(a) deals with data breach notifications for a business, and it covers several areas. First, there are requirements that apply to an organization that “owns or licenses computerized data that includes personal information.” Any “person or business that conducts business in California” that owns or licenses such information is required to disclose a data security breach to California residents. Here, a “breach” is defined as the unauthorized acquisition of unencrypted personal information. A breach may also include the loss ...

Get The California Privacy Rights Act (CPRA) – An implementation and compliance guide now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.