California Data Breach Laws: Steps To Take for Apps

By Benjy Schirm, J.D. | Reviewed by John Devendorf, Esq. | Last updated on June 23, 2026 Featuring practical insights from contributing attorney Adam D.H. Grant

In California, a business may face liability for certain data breaches if it failed to implement and maintain reasonable security procedures and practices. In some situations, consumers can sue to recover statutory damages for a qualifying data breach, for example, under the CCPA’s limited private right of action. Large-scale data breaches can result in class action litigation and reputational harm.

For legal advice about unauthorized access and data breaches involving your company, contact a California business litigation attorney.

California Data Protection Laws

California has implemented some of the strongest consumer protection laws. Companies doing business with California consumers must be aware of their rights and obligations under these data protection laws.

Hackers exploit mobile app vulnerabilities to target consumers’ personal data and commit identity theft. Phishing and malware cyberattacks can give identity thieves access to Social Security numbers, credit card numbers, and other financial information.

The primary state data protection law is the California Consumer Privacy Act (CCPA). The CCPA gives consumers certain rights over personal data collection. Businesses must limit data collection and use to what a consumer would reasonably expect, what is compatible with disclosures and consumer expectations, or what the consumer agrees to.

Protect Your Business’s Future When Facing Litigation

Whatever the dispute, if your business is involved in litigation, use the Super Lawyers directory to find the top business litigation attorneys near you.

Find a lawyer today

Business Mandatory Breach Notification

Under California’s data breach notification law, businesses generally must notify affected California residents as soon as possible, without unreasonable delay, after discovering a breach.

For phone app data breaches affecting more than 500 Californians, the company must also report the breach to the California Attorney General’s office within 15 days.

Which Businesses Must Follow the CCPA Protocols

The CCPA applies to for-profit businesses that do business in California, collect consumer information, and meet one of the following:

  • Gross annual revenue of more than $26.625 million
  • Collect or share personal information of 100,000 or more California residents or households
  • Derive 50% or more annual revenue from selling or sharing residents’ personal information

Mobile Phone App Security

For consumers, the best way to guard against security issues is to download apps from well-known mobile app developers, says Adam D.H. Grant, a business litigation attorney at Grant Shenon Almaraz in Sherman Oaks, California. This includes using Google Play for Android apps or the Apple App Store for iOS apps.

“There is a huge black-market industry of free apps that say they are for one purpose but are actually for another, more nefarious purpose, such as, ‘We can get you from one place to another but what we are really doing is taking all of your contacts without telling you, taking all of your photos without telling you, taking all of the passwords that are on your phone without telling you,'” says Grant.

“They are supposed to give a significant amount of privacy notices, or the privacy notices they give are not in sync with what they do. That happens frequently. Then your info shows up on the dark web and your identity goes up for sale.”

“The way people make money on free sites isn’t by selling a product, but on hyperlinking to other sites or other products. Each time you click on it, that click has value, is subject to a contract, and the person who owns the domain or URL gets money. If it’s popular, this can be big business. I’ve had clients who make millions of dollars per month on only clicks.”

On behalf of the company, I handle how you notify your customers that a breach has occurred. It’s equally a client management issue and a legal issue. Often, we will hire a crisis management PR firm to assist in managing a mobile data breach with a company.

Adam D.H. Grant

Mobile Application Security for Employees

Businesses that provide employees with mobile devices without vetting mobile app downloads open themselves up to vulnerabilities. Employers must enforce mobile app security best practices, including multifactor authentication and strong passwords.

Unrestricted mobile app use on company devices can lead to a data breach in which sensitive information, including company and customer data, is sold on the dark web.

“That’s when I’m called,” Grant says. “On behalf of the company, I handle how you notify your customers that a breach has occurred. It’s equally a client management issue and a legal issue. Often, we will hire a crisis management PR firm to assist in managing a mobile data breach with a company.”

Other Data Protection Laws

Is your mobile app used or website accessed by Europeans? Are you getting geolocation data and an email address from those contacts? Simple analytical tools will give you this information. If you offer goods or services to people in the EU, or monitor the behavior of people in the EU, you may be subject to the EU’s General Data Protection Regulation (GDPR), and need to comply with its data protection requirements.

The GDPR went into effect in 2018, and Grant says it can affect business owners in the U.S. “If you are using customers’ personally identifiable information and you are collecting and storing addresses or emails in some way, you definitely need to take steps to protect that information,” he says.

Your American company can be subject to that law and face fines for noncompliance. “It’s not an issue of whether you knew you were breaking this law or not. If you grabbed the information from a client and you don’t comply with the notice requirements, if they don’t have the opportunity to take it back, if you don’t have a digital privacy officer — all are violations. You don’t have to have used the information; you just have to have taken it without telling them what you’re doing with it.”

A best practice is having good IT providers on board who know your system and update your firewall and security protocols. Make sure you have cybersecurity insurance in place. Have an experienced, reputable data privacy attorney review these policies to ensure you have proper coverage.

Was this helpful?

What do I do next?

Enter your location below to get connected with a qualified attorney today.
Popular attorney searches: Antitrust Litigation Business/Corporate
0 suggestions available Use up and down arrow keys to navigate. Touch device users, explore by touch or with swipe gestures.

At Super Lawyers, we know legal issues can be stressful and confusing. We are committed to providing you with reliable legal information in a way that is easy to understand. Our legal resources pages are created by experienced attorney writers and writers that specialize in legal content in consultation with the top attorneys that make our Super Lawyers lists. We strive to present information in a neutral and unbiased way, so that you can make informed decisions based on your legal circumstances.

0 suggestions available Use up and down arrow keys to navigate. Touch device users, explore by touch or with swipe gestures.

Find top lawyers with confidence

The Super Lawyers patented selection process is peer influenced and research driven, selecting the top 5% of attorneys to the Super Lawyers lists each year. We know lawyers and make it easy to connect with them.

Find a lawyer near you