On Oct. 3, 2025, Gov. Gavin Newsom signed Senate Bill 446, amending the state's current data breach notification statute. See generally Cal. Civ. Code Section 1798.82. Starting Jan. 1, 2026, any company doing business in California that experiences a data breach must notify California residents within 30 calendar days of discovering or being notified of the breach, and must provide the California attorney general a sample breach notification form within 15 days. See Cal. Civ. Code Section 1798.82(a)(2), (f).
From "without unreasonable delay" to a 30-day clock
Prior to the amendment, the statute only required that notice to residents be made "in the most expedient time possible and without unreasonable delay." This vague and subjective standard gave companies extensive discretion. But no longer. SB 446's author, Sen. Melissa Hurtado, contends that the amendments "clos[ed] a critical loophole" by "uphold[ing] transparency and accountability while ensuring that residents are not left in the dark about threats to their data." This amendment puts California's data breach notification law in line with states such as New York, Texas, Colorado and Florida that all already require notification within 30 days of breach discovery.
The amendments permit disclosure delays in two circumstances: (1) when a law enforcement agency determines that the notification will impede a criminal investigation (disclosure must be made as soon as a risk of compromise no longer exists); or (2) when more time is necessary to determine the scope of the breach and reasonably restore the data system's integrity. See Cal. Civ. Code Section 1798.82(a)(2)(B). So, although the new deadline is short and puts pressure on businesses to quickly publicize breach details, there are reasonable exceptions carved out that account for the complexity of responding to a breach in real time, identifying the threat actor and ensuring the system is secure and functioning.
Enforcement examples: Delay can be costly
Regulators carefully review data breach notifications, and companies risk paying steep penalties for faulty disclosures. For example, in 2024, the attorney general secured a $6.75 million settlement against a software company over a May 2020 breach involving names, social security numbers, bank account information and medical information. The company had initially reported that no consumer data was accessed in the breach, later learned that such data was compromised and then waited over a month before providing an update about the extent of the breach -- a delay that was deemed unreasonable.
Such scrutiny is consistent nationwide. In August 2025, the Massachusetts attorney general secured a $795,000 settlement with a property management company over five breaches that occurred between November 2019 and September 2021 as a result of phishing. These breaches involved names, social security numbers, bank account information and driver's license numbers. Two of these breaches were only reported seven months after they occurred. Likewise, in 2022, 46 attorneys general obtained a $1.25 million multistate settlement with a cruise line operator for a breach involving names, passport numbers, driver's license numbers, payment card information and health information, where notifications were delayed 10 months.
Downplaying the extent of a breach or delaying disclosure can have costly consequences.
New deadline for attorney general submission
The statute continues to require companies that experience a single breach affecting over 500 California residents to provide a sample copy of a security breach notification to the attorney general, excluding any personally identifiable information. But as amended, the statute adds a new deadline -- requiring submission to the attorney general within 15 days of breach discovery. See Cal. Civ. Code Section 1798.82(f).
Contents of notification remain unchanged
The contents of the notification remain the same. Notification must include the following headings, as provided by the statute:
(1) "What Happened?"
(2) "What Information was Involved?"
(3) "What We Are Doing"
(4) "What You Can Do"
(5) "For More Information"
This ensures that notifications maintain uniformity and provide consumers with sufficient information to understand what happened to their data and next steps.
Definition of "personal information" remains unchanged
The amendments also do not alter the definition of personal information under the statute, which includes, but is not limited to, names combined with social security numbers, driver's license numbers or biometric data, or a username or email address combined with a password or security question.
Preparing for 2026
With the amendments made by SB 446 going into effect in less than two months, companies will soon need to be better prepared than ever to quickly identify, investigate and understand breaches to meet the new notification deadlines. Now is the time to work with counsel to review and make any necessary updates to data breach response policies to ensure compliance is seamless should a breach occur.