California Amends Data Breach Notification Requirements

Moore & Van Allen PLLC

In October, California Governor Gavin Newsom signed into law Senate Bill No. 446 (“SB 446”), amending the state’s data breach notification statute, California Civil Code Section 1798.82. SB 446 passed the California Senate and State Assembly unanimously. The law will go into effect on January 1, 2026, meaning that individuals or companies doing business in California will need to ensure their incident response plans are updated for the new year.

California’s updated law modifies the deadline for disclosure of a data breach. Previously, the law required notification to affected California residents “in the most expedient time possible and without unreasonable delay,” a potentially subjective standard that could lead to argument about whether notice was unreasonably delayed. The bill’s sponsor, state Senator Melissa Hurtado, called this issue a “critical loophole” in California’s data breach notification law, and stated that SB 446 was aimed at ensuring timely notice to consumers while retaining certain flexibility.[1] SB 446 changes the data breach notification timeframe, setting an exact deadline: covered entities will have 30 calendar days to notify affected California residents, starting from the date of discovery or notification of the data breach. The amendment maintains the exceptions in the current law that allow for delayed disclosure to accommodate the needs of law enforcement or as necessary to determine the scope of the breach and restore “reasonable integrity” to the data system.

In addition to changing the notification deadline to affected residents, SB 446 also changes the deadline for notification to the California Attorney General for breaches impacting more than 500 California residents. The law previously lacked a deadline for such notification. Under SB 446, disclosure to the Attorney General of such a security breach must now be made within 15 days of notifying affected consumers.

SB 446 does not change the definition of “personal information,” nor does it change the form of or content to be included in the notification letter to consumers.

Although California is often a trendsetter in privacy law, with this modification, the state joins several others that already have specific timelines for disclosure of a data breach to consumers written into their laws. These states include New York, Colorado, and Florida, each of which requires notice to affected individuals within thirty days.[2]

As noted above, companies doing business in California will need to be prepared to comply with these updated requirements in the new year. Doing so will likely require updating any relevant incident response plans to reflect these new notification deadlines before the end of 2025.

[1] See Sen. Melissa Hurtado, California Senate Judiciary Committee, SB 446 Bill Analysis (March 28, 2025), available at https://leginfo.legislature.ca.gov/faces/billAnalysisClient.xhtml?bill_id=202520260SB446#

[2] See N.Y. Gen. Bus. § 899-aa(2); Colo. Rev. Stat. § 6-1-716; and Fla. Stat. § 501.171(3)(a).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Moore & Van Allen PLLC
