Changes to California’s Data Breach Notification Law

On October 3, 2025, California Governor Gavin Newsom approved Senate Bill No. 446, an amendment to the state’s data breach notification requirements in Section 1798.82 of the California Civil Code. The amendment requires individuals or businesses that own or license data that includes personal information of California residents to notify such residents within 30 days of discovering a breach of their personal information. For breaches involving over 500 California residents, the amendment also requires notice to the California Attorney General’s office within 15 calendar days of notifying the affected residents. The new law goes into effect on January 1, 2026.

Specifically, California’s data breach notification law requires any individual or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (Cal. Civ. Code §1798.82(a)). Prior to the change, there was no specific deadline for notice. An entity subject to the statute would have been required to provide notification to affected individuals in the “most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” (Cal. Civ. Code §1798.82(a)).

While the new law stipulates an express notice deadline, it provides an exception allowing delayed disclosure to individuals, beyond 30 days, “if a law enforcement agency determines that the notification will impede a criminal investigation” or “as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” (Amended Cal. Civ. Code §1798.82(a)(2)(B); §1798.82(c)).

With these changes, California will join an increasing number of states that impose a 30-day notice deadline upon discovering a breach of personal information, including Colorado, Florida, Maine, New York, and Washington. This reflects the growing expectation from regulators nationwide that organizations respond swiftly to assess and, if needed, provide notice of data breaches to individuals whose information is at risk.

Organizations in all industries, no matter how large or small, should evaluate their current cybersecurity posture and the data that they maintain. Additionally, organizations should regularly review internal policies and procedures to account for and track changes to existing legislation.

If you have questions about the latest legislative updates, how to keep your organization in compliance, or if you would like to discuss proactive measures to protect against cyber threats, reach out to a member of our national data privacy and cybersecurity team.
