California State Law
Following are some Sections of California Code that pertain to Information Security.
However, this is only a sampling and other Sections may also apply. A short abstract of each
Code and Section is given after each underlined heading. Click on the underlined heading to view the
California Code and Section. Consult with appropriate legal counsel for the latest California Code
updates if legal action is contemplated.
California Civil Code
California Penal Code
AB 1950 Privacy: Personal Information —
Requires most businesses that own or license personal information about a California
resident to implement and maintain reasonable security procedures and
practices to protect personal information from unauthorized access,
destruction, use, modification, or disclosure. Also requires a business that
discloses personal information to a nonaffiliated third party to require by contract that
those entities maintain reasonable specified security procedures.
- 1798.82 & 1798.29
SB 1386 California Mandatory Disclosure Law —
Requires a state agency, or a person or business that conducts business in California, that
owns or licenses computerized data that includes personal information, as defined, to disclose
in specified ways, any breach of the security of the data, as defined, to any resident of California
whose unencrypted personal information was, or is reasonably believed to have been, acquired by an
unauthorized person. Permits the notifications required by its provisions to be delayed
if a law enforcement agency determines that it would impede a criminal investigation.
Requires an agency, person, or business that maintains computerized data that includes personal
information owned by another to notify the owner or licensee of the information of any breach of
security of the data, as specified. States the intent of the Legislature to preempt all local
regulation of the subject matter of this bill.
- 1798.85 - 1798.89
Confidentiality of Social Security Numbers —
Limits the use of social security numbers by restricting public posting and display to others, for example
in printed or mailed materials unless required by law, on identification cards, and over the Internet without
proper security measures. January 1, 2005 - January 1, 2010
California Business and Professions Code
California Penal Code section 530.5 et seq. —
Makes it a crime to willfully obtain and use the personal identifying information of another person
for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, or medical
information without their consent.
Cyber Piracy —
It is unlawful to register, traffic in, or use a domain name that is identical or confusingly
similar to the personal name of another living person or deceased personality, without regard
to the goods or services of the parties.
Restrictions On Unsolicited Commercial E-mail Advertisers —
It is unlawful to initiate or advertise in an unsolicited commercial e-mail advertisement
(a) from California or advertise in an unsolicited commercial e-mail advertisement sent from California, or
(b) to a California electronic mail address or advertise in an unsolicited commercial e-mail
advertisement sent to a California electronic mail address.
Consumer Protection Against Computer Spyware Act —
This lengthy Act prohibits unauthorized persons from causing computer software to be copied onto the computer
of a consumer in California and using the software, through intentionally deceptive means, to do any of the following:
- Modify settings related to the computer's access to or use of the Internet
- Collect personally identifiable and sensitive information
- Prevent an authorized user's efforts to block the installation of or to disable software
- Allow an authorized user to uninstall or disable software with knowledge that the
software will not in fact be uninstalled or disabled
- Remove, disable, or render inoperative security, antispyware, or antivirus software
installed on the computer
- Take control of the consumer's computer.
The Act also prohibits unauthorized persons from inducing an authorized consumer in California
to install a software component onto the computer by intentionally misrepresenting that installing
software is necessary for security or privacy reasons or to open, view, or play a particular type
- 22948 - 22948.3
SB 355 Anti-Phishing Act of 2005 —
Prohibits any person, through the Internet or other electronic means, from soliciting, requesting, or taking any
action to induce another person to provide identifying information by representing itself to be a business
without the approval of that business.
Note: For a similar listing of California laws, but from the viewpoint of a California educational institution, click
here.
Last updated 15 Aug 2018 by Dan Hancock