California recently enacted Senate Bill No. 446, which amends its data breach notification law, Section 1798.82 of the Civil Code, to require covered businesses to notify affected California residents within 30 calendar days of discovery of a data breach. The amendment takes effect January 1, 2026.

In summary, the amendment:

  • Requires notice to affected California residents within 30 calendar days of discovery of the data breach. Where the breached entity maintains but does not own the data, it must notify the owner or licensee of the data, who in turn must notify affected individuals within 30 days of receiving that notification.
  • Permits delayed notice as necessary to accommodate the legitimate needs of law enforcement, or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Requires businesses that must notify the attorney general (i.e., where more than 500 California residents are affected) to do so within 15 calendar days after notifying affected individuals.

30-Day Individual Notification Window

California was the first state to enact a data breach notification law, in 2002, and since then its breach notification statutes have required businesses and state agencies to notify individuals “in the most expedient time possible and without unreasonable delay.” SB 446 puts a fixed 30-day outer limit on that flexible reasonableness standard. Given California’s historic role as a leading privacy regulator, this move may prompt more states to adopt firm notice timelines.

Several states already impose specific notice timeframes (typically ranging from 30 to 60 days), including New York (30 days), Texas (60 days to individuals, 30 days to the attorney general), Colorado (30 days), Florida (30 days), and Delaware (60 days). Some states require notice to the attorney general either simultaneously with, or prior to, notice to individuals, which is more stringent than California’s new requirement to notify the attorney general within 15 days of notice to individuals. In practice, many businesses send any required regulatory notices close in time to individual notices in order to satisfy differing state obligations with a single timeline.

Our Take

Our team has previously opined that shorter notice timelines do not necessarily improve notification outcomes. Although the goal of notifying individuals of incidents much sooner may appear reasonable at face value, a fixed 30-day deadline may not be feasible in many complex cybersecurity events. Even weeks after discovery of an incident, the victim organization may not know the scope of the impact, the affected data types, or the state of residence of the affected individuals. This is true even where the business has brought considerable resources to bear on the investigation.

Although many state breach notification laws – including California’s as amended – permit delay where necessary to determine the scope of the breach, this view is not universal. The Connecticut Attorney General, for example, has issued guidance clarifying that Connecticut’s 60-day notice requirement “runs from the date that a company becomes aware of suspicious activity, not the date it determines the full impact to personal information.” Under that reading, the clock starts at first detection rather than at the end of the forensic investigation.

Companies in highly regulated sectors such as critical infrastructure, insurance, and banking often face notice periods as short as 72 hours. Regulators in these sectors have fined companies for untimely reporting, creating added compliance pressure in these industries.

With this in mind, companies should assess and update their incident response procedures, particularly for larger and more complex incidents, so that they can meet shorter disclosure deadlines: for example, by defining when the notification clock starts, by tracking scope and affected-resident determinations throughout the investigation rather than only at its close, and by preparing regulatory notices in parallel with individual notices.