On October 3, California Governor Gavin Newsom signed Senate Bill 446, which strengthens California's existing data-breach disclosure requirements. The law requires businesses and individuals that conduct business in the state to notify affected consumers of a data breach within 30 calendar days of discovering or being notified of the incident. It also shortens the timeline for reporting large-scale breaches to the California Attorney General.
The amendments accelerate consumer-notification timelines and clarify coordination with law-enforcement investigations, signaling California's continued tightening of privacy and cybersecurity obligations for all sectors handling personal data.
Specifically, the new law:
- Establishes a 30-day notification requirement. Businesses must notify affected California residents within 30 calendar days after discovering or being notified of a breach involving unencrypted or compromised encrypted personal information.
- Permits limited delay for investigations. Disclosure may be postponed if law enforcement determines that notice would impede an active investigation or if delay is needed to assess the breach's scope and restore system integrity.
- Adds a 15-day Attorney General submission window. Companies required to notify more than 500 California residents of a single breach must electronically submit a sample copy of the consumer notice to the Attorney General within 15 calendar days of notifying affected individuals.
- Maintains content and format standards for consumer notices. Notices still must be titled "Notice of Data Breach," written in plain language, and include required headings describing what happened, what data was involved, and contact information for credit reporting agencies.
Putting It Into Practice: Senate Bill 446 does not create new categories of personal information or expand enforcement authority. However, it does shorten existing timelines for notifying consumers. Companies should review and update their incident response procedures to ensure investigations, law enforcement coordination, and consumer notifications can be completed within the new statutory timeframes.