ARTICLE
31 October 2025

2026 Data Breach Law Updates – California And Oklahoma

SM
Sheppard, Mullin, Richter & Hampton LLP

Contributor

Sheppard, Mullin, Richter & Hampton LLP logo
Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.
Explore Firm Details
California recently passed an amendment accelerating how quickly businesses must notify following a data breach.
United States California Oklahoma Privacy
Kathryn Smith and Julia K. Kadish
Your Author LinkedIn Connections
This article from Sheppard, Mullin, Richter & Hampton LLP is most popular:
  • within Privacy topic(s)
  • in United States
Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • within Insolvency/Bankruptcy/Re-Structuring and Cannabis & Hemp topic(s)

Listen to this post

California recently passed an amendment accelerating how quickly businesses must notify following a data breach. Previously, the requirement was to notify affected individuals "without unreasonable delay." Beginning January 1, 2026, the law mandates that businesses notify individuals within 30 calendar days after the discovery or notification of a breach. (New York also shortened its reporting this earlier this year). While some flexibility remains for law enforcement needs or to fully investigate the incident and restore data systems, this change places a clear emphasis on prompt action and accountability. Businesses in California will also face a new requirement when a data breach impacts over 500 residents. The law also calls for a copy of the notice sent to consumers to be submitted to the California Attorney General within 15 days of notifying individuals. Previously, there were no specific deadlines for sending a copy of the notice to the AG office.

Oklahoma also amended its data breach law with Senate Bill 626 earlier this year, with the amendment to also take effect January 1, 2026. This marks the first time Oklahoma has updated its breach notification law since its original passage in 2008. The law significantly broadens the types of personal information that could trigger notification. In addition to names and account numbers, now, government-issued identification numbers, unique electronic identifiers, and biometric data such as fingerprints and iris scans are also "personal information". Entities will also need to notify the Attorney General when a breach affects 500 or more residents within 60 days of notifying affected individuals. This aligns with several other states that require AG or regulator notification.

Putting it into Practice: For businesses operating in these states, these changes signal the growing focus on incident response times. As 2026 approaches, now is a good time for businesses to review their incident response processes—from detection and assessment to addressing notification, communication, and regulatory submission requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Kathryn Smith
Kathryn Smith
Photo of Julia K. Kadish
Julia K. Kadish
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More