Senate Bill 446 amended California Civil Code section 1798.82. Before SB 446, the statute required notice “in the most expedient time possible and without unreasonable delay,” which gave organizations more room to move at the pace their investigation allowed.
After SB 446, that room narrowed. There is now an outer deadline of 30 calendar days from discovery or notification of the breach.
The investigation still has to happen. The exceptions for law enforcement delay and scope determination still exist. What changed is that those exceptions now operate against a defined deadline rather than a vague standard. That puts much more pressure on incident readiness.
This piece explains what the law actually says, who it applies to, and what it means in practice for Greater Sacramento businesses.
## What Changed
The core change is the move from a subjective standard to a defined one. Under the old rule, organizations had more room to justify their timing based on the facts of the investigation. Under the new rule, that room is much narrower.
| Before SB 446 | After SB 446 (effective January 1, 2026) |
|---|---|
| Notice required “in the most expedient time possible and without unreasonable delay” | Notice required within 30 calendar days of discovery or notification of the breach |
| No defined AG reporting deadline | If more than 500 California residents are notified, a sample notice must be submitted to the California Attorney General within 15 calendar days of notifying those individuals |
| Delay permitted for law enforcement and scope determination | Same delay provisions remain, but the 30-day deadline creates a clearer outer boundary |
This is not a complete overhaul of the law. Most of what the statute required before still applies. What changed is the timing standard and the addition of a specific AG submission deadline for larger breaches.
## Who It Applies To
The law applies to any individual or business that conducts business in California and owns or licenses computerized data that includes personal information. There is no small-business exemption in the statute. If you operate in California and hold covered personal information, the law applies to you.
There is also a separate obligation for entities that maintain personal information they do not own. If your organization stores personal data on behalf of another business and that data is compromised, you are required to notify the data owner or licensee immediately following discovery. The notification obligation then passes to them.
The law does not ask how large your organization is. It asks whether you conduct business in California and hold personal information about California residents.
One aspect of scope that frequently gets overlooked: the law applies to employees, not just customers. Employees are California residents. A breach that compromises payroll data, direct deposit banking information, Social Security numbers, or health insurance records triggers the same 30-day notification obligation as a customer data breach. An HR system compromise or a payroll platform breach is not a separate category. It is the same law, the same deadline, and the same AG submission requirement if more than 500 people are affected.
## What Counts as Personal Information
Not every piece of data your business holds triggers notification obligations if compromised. The statute has a specific definition, and understanding it prevents both overreaction and underreaction when an incident occurs.
The law is triggered when a person’s first name or first initial and last name is combined with any of the following unencrypted data elements:
- Social Security number
- Driver’s license number or California identification card number
- Financial account number, credit or debit card number with any required access code or password
- Medical information
- Health insurance information
- Biometric data
- Automated license plate recognition data
- Genetic data
The statute separately covers a username or email address combined with a password or security question and answer that would permit access to an online account, even without a name attached.
Good-faith access by an employee or agent for legitimate business purposes does not constitute a breach under the statute, as long as the data is not used or disclosed improperly.
## What Constitutes a Breach
The statute defines a breach as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the individual or business.
Unauthorized acquisition is the operative phrase. A misconfigured server, a ransomware event, or a phishing incident does not automatically become a reportable breach. The question is whether personal information, as defined by the statute, was actually or reasonably believed to have been acquired by an unauthorized person. That determination now has to happen inside a 30-day window.
The law still allows delay as necessary to determine the scope of the breach and restore the reasonable integrity of the data system. It also allows delay when a law enforcement agency determines that notification would impede a criminal investigation.
Those exceptions are real. They are also narrow. An organization that cannot quickly determine what was accessed, what systems were involved, and who was affected will find it difficult to invoke them credibly while also meeting the statute’s requirements.
## What the Notice Has to Say
The statute is specific about notice content. It must be written in plain language, titled “Notice of Data Breach,” and organized under defined headings. This is not optional formatting guidance. It is part of the statute.
- What Happened?
- What Information Was Involved?
- What We Are Doing
- What You Can Do
- For More Information
At minimum the notice must include the business’s contact information, the types of personal information involved, the date or estimated date or date range of the breach if known, whether notice was delayed because of law enforcement if applicable, and a general description of what happened if known.
When Social Security numbers or driver’s license numbers are involved, the notice must also include contact information for major credit bureaus.
If more than 500 California residents receive notification, a single sample copy of the notice must be submitted electronically to the California Attorney General within 15 calendar days of notifying those individuals. That submission goes through the AG’s data breach reporting portal.
## Why This Matters in Practice
The law is easier to explain now. It is also harder to improvise around.
Under the old standard, an organization that needed six weeks to complete its investigation had more room to argue that the timeline was reasonable given the complexity of what it was dealing with. Under the new standard, that argument is harder to make. The deadline is 30 days and the exceptions are narrow.
What that creates is pressure on the things that have to happen before a breach ever occurs. To meet a 30-day notification deadline, an organization generally needs to know what data it holds and where it lives, have logging in place that lets investigators determine what was accessed, have a defined incident response process so nobody is figuring out the steps for the first time, and know which California residents would be affected and how to reach them.
None of those things can be built during an active incident. They have to exist before one happens. Organizations that have them will have a realistic path to meeting the 30-day window. Organizations that do not will be attempting to build visibility, determine scope, draft a compliant notice, and notify affected individuals simultaneously, under a clock that does not stop.
The law does not require perfection. It requires that when something happens, you are able to respond on a timeline that is now defined by statute rather than by your own judgment about what is reasonable.
## What This Leaves Greater Sacramento Businesses With
Incident response readiness has never been treated as an operational priority the way physical security or payroll is. SB 446 does not change what good incident response looks like. It changes the cost of not having it in place, and makes that cost measurable in days rather than in a vague legal standard that was easy to argue around.
The questions worth asking now are whether your organization knows what personal information it holds and where it lives, whether you have logging in place that would let investigators determine what was accessed, and whether anyone has read your incident response plan recently enough to know if it still reflects how your systems actually work.
Those questions cannot be answered during an active incident. They have to be answered before one happens.
## Find Out Where You Actually Stand
Most organizations do not know whether they could meet the 30-day window until an incident forces the question. If you want that answer before the clock is running, contact us.