substitute notice

Substitute notice is a type of general notification communicated via website, media, and email that entities may be permitted to substitute for individual notices to affected consumers in the event of a data breach that results in their personal information being exposed.

On This Page

Additional Information

Essentially, substitute notice is less stringent, almost certainly less costly, and can be given in a more "general" fashion rather than requiring a breached company to notify each affected consumer individually. Many state data breach notification laws allow substitute notice to consumers if certain conditions are met regarding the data breach. The most common of these conditions are (1) when the expected cost of notifying individual consumers would exceed a certain threshold, (2) when there is a lack of sufficient contact information for affected consumers, or (3) when the number of affected consumers exceeds a certain threshold. If any one of these conditions is met, substitute notice may be provided, which typically entails all the following: (1) notice on the breached company's website, (2) conspicuous notice in print and broadcast media, and (3) emails to affected consumers. While more states have allowed substitute notice provisions in their laws over time, a significant number of state data breach notification laws still do not contain provisions of this sort.