California Amends Data Breach Notification Requirements

California was the first state to enact a data breach notification law in 2003, requiring businesses to notify individuals when their personal information had been compromised. With new guidelines on AI regulations approved on October 1, 2025, followed by updated data breach notification requirements, California appears to be preparing to raise the bar again for data protection standards in the new year. 

On October 3, 2025, Governor Gavin Newsom signed Senate Bill 446, creating reporting changes to the state’s data breach notification statute. The updates focus on clearer deadlines and reporting requirements for businesses handling the personal information of California residents. 

A quick overview of changes to California’s data breach notification status

Previously, businesses were required to notify affected individuals of data breaches “without unreasonable delay,” setting an unclear notification standard. As previously written, the law left significant room for interpretation and employer discretion, leading to inconsistent timelines and even the possibility of putting consumers at greater risk.  

What has changed 

Under the amendment, definitions for personal information remain the same. SB 446 takes effect on January 1, 2026, primarily focusing on requiring businesses to comply with new reporting timeline standards:  

• Standardized timeline for notifying the Attorney General: Under SB 446, a single electronic sample copy of the consumer notice must be submitted to the Attorney General if a breach affects over 500 California residents: 
  • Within 15 days of notifying affected consumers 
  • Excluding any personally identifiable information 
• Consumer reporting timeline clarification: The new regulations also provide clarity on consumer reporting timelines, stating that data breaches must be reported within 30 calendar days of discovery. 

Exceptions 

The amendment does acknowledge that the new 30-day timeline is not always possible and allows two exceptions: 

1. To accommodate the legitimate needs of law enforcement. 
2. When necessary, to determine the scope of the breach and restore the reasonable integrity of the data system. 

To learn more about the changes made to the California data breach notification statute, take a closer look here.

Why this matters beyond California

Although SB 446 applies specifically to residents in the state, California has been known to set the precedent for privacy and data protection laws, such as the first statewide data breach notification law in 2003, the California Consumer Privacy Act in 2018, and the California Privacy Rights Act in 2020. HR professionals in all states should pay attention, as similar requirements could potentially emerge in other jurisdictions. Employers with operations involving California resident or employee consumer data should consult with their legal counsel to determine how these changes may impact their business.