Key Point: California’s existing breach notification statute was amended to include more decisive guidelines for reporting to individuals and regulators.

On October 5, 2025, California Governor Gavin Newsom signed SB-446 into law, which bill sponsor Sen. Melissa Hurtado (D-CA) indicates is aimed at “closing a critical loophole” in California’s existing breach notification statute. Below, we first provide a brief background on the scope of the law and then discuss the amendment.

Background

California’s breach notification statute applies to any person or business (a “covered entity”) that conducts business in California and owns or licenses computerized data that includes personal information. See Cal. Civ. Code § 1798.82(a)–(b). It imposes certain notification obligations on covered entities that discover or receive notice of a “breach of the security of the system” (i.e., unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information).

Personal information is defined broadly to include the below categories of data belonging to a natural person:

SB-446 Amendments

As articulated within SB-446, the new iteration of California’s breach notification statute includes amended timing and content requirements for notification to individuals and/or regulators.

Updated Individual Notice Requirements

Timing. Presently, the breach notification statute requires covered entities to notify affected California residents “in the most expedient time possible and without unreasonable delay” following discovery or notification of the breach, consistent with “any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system” and the needs of law enforcement, if any. See Cal. Civ. Code § 1798.82(a). Now, SB-446 articulates a specific timeframe for individual notice and requires covered entities to notify California residents within 30 days following discovery of a breach. However, this requirement still allows for delays if necessary to accommodate law enforcement needs or to fully assess the breach and restore system integrity. Practically speaking, these steps should be completed as diligently as possible, and businesses should assume that the notification timeline begins once they are finished.

Although this is a recent change in California, the amendment aligns with many other U.S. breach notification laws, which allow organizations time to evaluate the incident before notifying individuals.

Content. Currently, California’s breach notification statute has comprehensive content requirements indicating what must be or should be included in a notification letter and how the letter itself must be structured. For example, a notification letter must be clearly and conspicuously titled “Notice of Data Breach,” be in 10-point font or larger, in plain language, and organized under specific headings. See Cal. Civ. Code § 1798.82(d). Although the majority of California’s content requirements remain unchanged, the following heading formats have been updated:

  • “What Happened.” becomes “What Happened?”
  • “What Information Was Involved.” becomes “What Information Was Involved?”

Updated Regulatory Notice Requirements

Timing. The current version of the breach notification statute requires covered entities to report a breach affecting more than 500 residents by electronically submitting notice to the California Attorney General (AG) via its breach notification portal. See Cal. Civ. Code § 1798.82(f). However, there is no specific deadline for when this disclosure must be made. SB-446 imposes a 15-calendar-day notification requirement, meaning that, moving forward, covered entities must notify the California AG about breaches affecting more than 500 California residents within 15 calendar days of notifying those residents.

What You Should Do

California’s amended breach notification statute is set to take effect on January 1, 2026. Between now and then, companies should take measures to ensure they remain compliant with state notification obligations should they be required to notify individuals and the California AG about a breach. Specifically, companies should consider reviewing their current Incident Response Plan (IRP) to determine whether it should be modified in consideration of the newly articulated notification timeframes. In general, for efficient notification to individuals and regulators, companies should:

  • Be attentive to response timelines and be prepared to explain any potential delay in reporting. Documenting activities that occur throughout incident response will help companies provide accurate responses to regulatory inquiries.
  • Streamline internal decision-making by designating team members to handle certain tasks throughout incident response. Responsibilities should be clearly articulated within a company’s IRP, and it helps to test the functionality of an IRP by participating in a tabletop exercise that simulates a real-life, applicable breach scenario.
  • Consider pre-selecting third-party resources (e.g., breach counsel, forensic investigation firms); companies with cyber insurance should speak with their carrier or broker about what panel vendors are approved under their policy and put in place approved “break glass if needed” engagement materials.
  • Update any standard individual notification letter templates on file so that they reflect new content requirements.