Heads up to entities doing business in California: your breach notification obligations are changing. Joseph Lazzarotti of JacksonLewis explains:
Governor Gavin Newsom recently signed SB 446 into law, introducing significant changes to California’s data breach notification requirements. The bill establishes deadlines for notifying consumers and the state’s Attorney General when personal information of California residents has been involved in a data breach.
What’s Changed Under SB 446
Previously, California law required businesses to notify affected individuals of data breaches “without unreasonable delay.” Under SB 446, businesses must notify affected individuals within 30 calendar days of discovering or being notified of a data breach. However, the law includes some flexibility to accommodate the practical realities of incident response. Specifically, businesses may delay notification when necessary for legitimate law enforcement purposes or to determine the full scope of the breach and restore the integrity of data systems.
For breaches affecting more than 500 California residents, existing law requires businesses to notify the California Attorney General. SB 446 adds a deadline for those notifications. Specifically, the California Attorney General must be notified within 15 calendar days of notifying affected consumers of a security breach (again, for breaches affecting more than 500 California residents).
The law goes into effect January 1, 2026, so get busy preparing. Read more at Workplace Privacy, Data Management & Security Report