California Data Breach Notification Laws: Reporting Rules & Timelines (2026)

California's data breach notification law is the original. When a hacker stole personal information from 265,000 state employees in 2002, California responded by passing SB 1386, the nation's first law requiring businesses to tell consumers when their data had been compromised. Every other state eventually followed California's lead.
More than two decades later, California continues to set the pace. SB 446, signed by the Governor on October 3, 2025, and effective January 1, 2026, added the one thing the original law lacked: a hard deadline. Businesses now have exactly 30 calendar days to notify affected Californians after discovering a breach. For a deeper look at all of California's privacy protections, see our [California Data Privacy Laws](/us-laws/data-privacy-laws/california-data-privacy-laws) overview.
Who Must Comply
California's breach notification law applies to two groups under separate but parallel statutes.
Cal. Civ. Code 1798.82 covers any person or business that conducts business in California and owns or licenses computerized data containing personal information. You do not need to be based in California. If you hold personal data belonging to California residents, the law applies to you.
Cal. Civ. Code 1798.29 imposes the same requirements on state and local government agencies.
Both statutes were amended by SB 446 with identical timeline requirements.
What Triggers a Notification
Notification is required when unencrypted personal information has been "acquired, or reasonably believed to have been acquired, by an unauthorized person." California does not require any showing of harm. If unauthorized access to personal information occurred, notification is mandatory.
This sets California apart from roughly 30 other states that require a risk-of-harm analysis before notification is triggered.
What Counts as Personal Information
California defines personal information broadly under Section 1798.82(h). The law covers two categories.
Category 1: Name Plus a Data Element
A person's first name or first initial and last name combined with any of the following:
- Social Security number
- Driver's license or California identification card number
- Financial account number, credit card number, or debit card number (combined with any required security code, access code, or password)
- Medical information
- Health insurance information
- Unique biometric data generated from measurements of human body characteristics (fingerprints, retina images, iris scans) used to authenticate identity
- Information collected through an automated license plate recognition system
- Tax identification number
- Passport number
- Military identification number
- Unique identification number issued on a government document used to verify identity
- Genetic data
Category 2: Online Account Credentials
A username or email address combined with a password or security question and answer that would permit access to an online account.
The statute specifically excludes publicly available information lawfully obtained from government records.
The 30-Day Notification Deadline
Before SB 446, California required notification "in the most expedient time possible and without unreasonable delay." That vague standard allowed some companies to wait months, or even over a year, before telling affected consumers.
Effective January 1, 2026, the law now requires notification within 30 calendar days of discovering or being notified of the breach.

Two Exceptions to the 30-Day Rule
The deadline can be extended in two situations:
- Law enforcement delay. If a law enforcement agency determines that notification would impede a criminal investigation, the business may delay notification until the agency says otherwise.
- Scope and integrity assessment. A business may take additional time "as necessary to determine the scope of the breach and restore the reasonable integrity of the data system."
These exceptions existed under the old law and carry over to the new timeline. However, businesses should expect the Attorney General to scrutinize claims of extended investigation timelines more closely now that a hard deadline exists.
Attorney General Notification
When a breach affects more than 500 California residents, the business must electronically submit a sample copy of the breach notification to the California Attorney General. This sample must exclude personally identifiable information.
SB 446 added a specific deadline: 15 calendar days after notifying affected consumers. Previously, no specific timeline existed for AG notification.
The AG maintains a searchable database of breach notifications that is publicly accessible. This public reporting creates additional accountability and reputational consequences for organizations that experience breaches.
Required Content of Breach Notices
California prescribes the format and content of breach notification letters more specifically than most states. Notices must be written in plain language using at least 10-point type and titled "Notice of Data Breach." The notice must present information under these required headings:
- What Happened (description of the breach incident and dates)
- What Information Was Involved (types of personal information compromised)
- What We Are Doing (steps the organization is taking in response)
- What You Can Do (actions the consumer can take to protect themselves)
- For More Information (contact details for the notifying entity)
Additional content requirements include:
- Toll-free phone numbers and addresses of major credit reporting agencies (when SSNs or driver's license numbers are involved)
- If the entity was the source of the breach, an offer of identity theft prevention and mitigation services at no cost for at least 12 months
- The name and contact information of the entity providing the notice
Methods of Notification
Organizations can notify affected individuals through:
- Written notice sent to the last known mailing address
- Electronic notice consistent with the federal E-SIGN Act
Substitute Notice
If the cost of direct notification exceeds $250,000, the affected class is larger than 500,000 people, or the organization does not have sufficient contact information, substitute notice is permitted. Substitute notice requires all three of the following:
- Email notice to affected individuals for whom the organization has an address
- Conspicuous posting on the organization's website
- Notification to major statewide media
Encryption Safe Harbor
California provides a safe harbor for encrypted data. Notification is not required if the breached personal information was encrypted using "generally accepted" encryption methodology, unless the encryption key or security credential was also acquired and could render the data readable or usable.
This safe harbor gives organizations a concrete incentive to encrypt personal information at rest and in transit. If encryption is properly implemented and keys are managed separately, a breach of the encrypted data alone does not trigger notification.
Enforcement and Penalties
California does not include a specific penalty provision in the breach notification statute itself. Instead, enforcement comes from multiple directions.
Attorney General Enforcement
The California Attorney General can bring civil actions for violations of the breach notification law under the state's unfair business practices statutes. The AG has been active in this area. Notable enforcement actions include a $6.75 million settlement with Blackbaud in 2024 over a data breach that exposed information belonging to millions of consumers, including students across 49 California school districts.

CCPA Private Right of Action (Cal. Civ. Code 1798.150)
The most significant enforcement mechanism comes from the California Consumer Privacy Act. Section 1798.150 gives individual consumers the right to sue when their unencrypted or unredacted personal information is exposed in a breach resulting from a business's "failure to implement and maintain reasonable security procedures and practices."
Consumers can recover:
- Statutory damages of $100 to $750 per consumer per incident
- Actual damages if they exceed the statutory amount
- Injunctive or declaratory relief
- Any other relief the court deems proper
Before filing suit for statutory damages, consumers must provide the business with 30 days' written notice. If the business cures the violation within that window and provides written confirmation, statutory damages are barred. However, actual damages claims do not require prior notice.
These statutory damages add up fast in class action litigation. A breach affecting 100,000 consumers could expose a business to $7.5 million to $75 million in statutory damages alone. Since the CCPA took effect in 2020, data breach class actions in California have increased substantially. According to industry analysis, the median settlement value in CCPA breach cases has been approximately $2.6 million.
General Breach Notification Remedies
Separately from the CCPA, consumers harmed by a failure to provide timely breach notification can pursue actual damages through civil litigation under the breach notification statute itself.
How California Compares to Other States
California's breach notification law stands out in several ways:
| Feature | California | Many Other States |
|---|---|---|
| First enacted | 2002 (first in nation) | 2003 to 2018 |
| Notification deadline | 30 days (as of Jan. 1, 2026) | Ranges from 30 to 90 days; some have no deadline |
| Harm threshold | None required | About 30 states require risk-of-harm showing |
| Private right of action | Yes, via CCPA 1798.150 | Most states lack a private right of action for breaches |
| Statutory damages | $100 to $750 per consumer | Few states provide statutory damages |
| Notice content format | Prescribed headings and format | Many states have minimal content rules |
| Identity theft services | 12 months minimum, free | Not universally required |
| AG reporting deadline | 15 days after consumer notice | Varies widely |
The combination of no harm threshold, a private right of action with statutory damages, and prescribed notice content makes California's law one of the most protective in the country. For businesses, this also means California breaches carry higher legal and financial exposure than breaches under most other state laws.
Practical Steps for Compliance
Organizations handling California residents' personal information should take several steps to prepare for the 30-day deadline under SB 446:
Build an incident response plan. Thirty days moves fast when you factor in forensic investigation, legal review, and notice drafting. Organizations should have a breach response plan ready before a breach happens.
Encrypt personal information. The encryption safe harbor provides a meaningful defense. Implement generally accepted encryption for personal data at rest and in transit, and store encryption keys separately.

Maintain reasonable security. The CCPA private right of action applies only when a breach results from a failure to maintain reasonable security. Documenting your security practices can be the difference between facing and avoiding a class action.
Prepare template notices. California's prescribed notice format means you can draft template notices in advance. Having templates ready saves valuable time during the 30-day window.
Know your AG reporting obligations. If your organization serves more than 500 California residents, build the 15-day AG reporting deadline into your response timeline from day one.
For related protections covering biometric data in California, see our guide to California biometric privacy laws.
Sources and References
This article references California statutes and official government publications. For the full text of the breach notification law, visit Cal. Civ. Code 1798.82 and Cal. Civ. Code 1798.29 on the California Legislative Information website. For SB 446 bill text and history, see SB-446 Data breaches: customer notification. For Attorney General breach reporting requirements, visit the OAG Data Security Breach Reporting page. For the CCPA private right of action, see Cal. Civ. Code 1798.150.
- Cal. Civ. Code 1798.82 - Breach notification for businesses (leginfo.legislature.ca.gov)
- Cal. Civ. Code 1798.29 - Breach notification for government agencies (leginfo.legislature.ca.gov)
- SB 446 - Data breaches: customer notification (2025) (leginfo.legislature.ca.gov)
- SB 1386 - Original breach notification law (2002) (leginfo.legislature.ca.gov)
- Cal. Civ. Code 1798.150 - CCPA private right of action (leginfo.legislature.ca.gov)
- OAG Data Security Breach Reporting (oag.ca.gov)
- OAG Searchable Breach Database (oag.ca.gov)
- Blackbaud $6.75M Settlement (oag.ca.gov)
This article provides general legal information about California data breach notification requirements. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official California government sources.