On October 3, California Governor Gavin Newsom signed Senate Bill 446, which strengthens California’s existing data-breach disclosure requirements. The law requires businesses and individuals that conduct business in the state to notify affected consumers of a data breach within 30 calendar days of discovering or being notified of the incident. It also shortens the timeline for reporting large-scale breaches to the California Attorney General.
The amendments accelerate consumer-notification timelines and clarify coordination with law-enforcement investigations, signaling California’s continued tightening of privacy and cybersecurity obligations for all sectors handling personal data.
Specifically, the new law:
- Establishes a 30-day notification requirement. Businesses must notify affected California residents within 30 calendar days after discovering or being notified of a breach involving unencrypted or compromised encrypted personal information.
- Permits limited delay for investigations. Disclosure may be postponed if law enforcement determines that notice would impede an active investigation or if delay is needed to assess the breach’s scope and restore system integrity.
- Adds a 15-day Attorney General submission window. Companies required to notify more than 500 California residents of a single breach must electronically submit a sample copy of the consumer notice to the Attorney General within 15 calendar days of notifying affected individuals.
- Maintains content and format standards for consumer notices. Notices still must be titled “Notice of Data Breach,” written in plain language, and include required headings describing what happened, what data was involved, and contact information for credit reporting agencies.
Putting It Into Practice: Senate Bill 446 does not create new categories of personal information or expand enforcement authority. However, it does shorten existing timelines for notifying consumers. Companies should review and update their incident response procedures to ensure investigations, law enforcement coordination, and consumer notifications can be completed within the new statutory timeframes.
