ARTICLE
17 October 2025

California Enacts 30-Day Data Breach Notification Deadline

Sheppard, Mullin, Richter & Hampton LLP


On October 3, California Governor Gavin Newsom signed Senate Bill 446, which strengthens California's existing data-breach disclosure requirements. The law requires businesses and individuals that conduct business in the state to notify affected consumers of a data breach within 30 calendar days of discovering or being notified of the incident. It also shortens the timeline for reporting large-scale breaches to the California Attorney General.

The amendments accelerate consumer-notification timelines and clarify coordination with law-enforcement investigations, signaling California's continued tightening of privacy and cybersecurity obligations for all sectors handling personal data.

Specifically, the new law:

  • Establishes a 30-day notification requirement. Businesses must notify affected California residents within 30 calendar days after discovering or being notified of a breach involving unencrypted or compromised encrypted personal information.
  • Permits limited delay for investigations. Disclosure may be postponed if law enforcement determines that notice would impede an active investigation or if delay is needed to assess the breach's scope and restore system integrity.
  • Adds a 15-day Attorney General submission window. Companies required to notify more than 500 California residents of a single breach must electronically submit a sample copy of the consumer notice to the Attorney General within 15 calendar days of notifying affected individuals.
  • Maintains content and format standards for consumer notices. Notices still must be titled "Notice of Data Breach," written in plain language, and include required headings describing what happened, what data was involved, and contact information for credit reporting agencies.

Putting It Into Practice: Senate Bill 446 does not create new categories of personal information or expand enforcement authority. However, it does shorten existing timelines for notifying consumers. Companies should review and update their incident response procedures to ensure investigations, law enforcement coordination, and consumer notifications can be completed within the new statutory timeframes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
