10 October 2025

California Sets 30 Day Deadline For Data Breach Notifications

Jackson Lewis P.C.

Contributor

Focused on employment and labor law since 1958, Jackson Lewis P.C.’s 1,000+ attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged, stable and diverse, and share our clients’ goals to emphasize inclusivity and respect for the contribution of every employee.

Governor Gavin Newsom recently signed SB 446 into law, introducing significant changes to California's data breach notification requirements. The bill establishes deadlines for notifying consumers and the state's Attorney General when personal information of California residents has been involved in a data breach.

What's Changed Under SB 446

Previously, California law required businesses to notify affected individuals of data breaches "without unreasonable delay." Under SB 446, businesses must notify affected individuals within 30 calendar days of discovering or being notified of a data breach. However, the law includes some flexibility to accommodate the practical realities of incident response. Specifically, businesses may delay notification when necessary for legitimate law enforcement purposes or to determine the full scope of the breach and restore the integrity of data systems.

For breaches affecting more than 500 California residents, existing law requires businesses to notify the California Attorney General. SB 446 adds a deadline for those notifications. Specifically, the California Attorney General must be notified within 15 calendar days of notifying affected consumers of a security breach (again, for breaches affecting more than 500 California residents).

Considerations for Businesses

All 50 states and several cities have breach notification laws, and federal law imposes notification requirements as well, such as under HIPAA and banking regulations. Over the years, many of those laws have been updated in several respects, including notification deadlines, definitions of personal information, and requirements to provide ID theft services and credit monitoring. It is imperative to stay on top of these legal and compliance obligations in order to help maintain preparedness.

SB 446 takes effect January 1, 2026, giving businesses a few months to review and update their incident response plans. Organizations handling California residents' personal information should act now to ensure they can meet the 30-day notification requirement. This includes establishing clear internal procedures for breach detection, assessment, documentation, and notification.
