Governor Gavin Newsom recently signed SB 446 into law, making significant changes to California's data breach notification requirements. The bill sets fixed deadlines for notifying affected consumers, and the state's Attorney General, when personal information of California residents has been involved in a data breach.
What's Changed Under SB 446
Previously, California law required businesses to notify affected individuals of a data breach "without unreasonable delay," with no fixed outer limit. Under SB 446, businesses must notify affected individuals within 30 calendar days of discovering, or being notified of, the breach. The law retains some flexibility to accommodate the practical realities of incident response: notification may be delayed when a law enforcement agency determines that it would impede a criminal investigation, and for the time necessary to determine the scope of the breach and restore the integrity of the affected data systems. Because the 30-day clock runs from discovery, the date and time of discovery (or of receipt of a third party's notice) should be recorded as part of the incident record.
For breaches affecting more than 500 California residents, existing law already requires businesses to notify the California Attorney General. SB 446 adds a deadline for that notification: the Attorney General must be notified within 15 calendar days of notifying the affected consumers. Note that the two clocks start at different points, the consumer deadline runs from discovery, while the Attorney General deadline runs from the consumer notification.
Considerations for Businesses
All 50 states and several cities have breach notification laws, and federal regimes such as HIPAA and the banking regulations impose their own notification requirements. Over the years, many of these laws have been amended in several respects: notification deadlines, definitions of personal information, requirements to provide identity theft services and credit monitoring, and so on. Staying current with these legal and compliance obligations is a prerequisite for meaningful incident response preparedness.
SB 446 takes effect January 1, 2026, giving businesses only a few months to review and update their incident response plans. Organizations handling California residents' personal information should act now to ensure they can meet the 30-day consumer notification deadline and the 15-day Attorney General deadline. This includes establishing clear internal procedures for breach detection, scoping and assessment, documentation of the discovery date and the decisions made, and notification, and confirming that any outsourced service providers who hold that data will report incidents to the business promptly enough for it to meet these deadlines.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.