The State of California has enacted Senate Bill № 446, which modifies the state’s data breach notification requirements. It took effect on January 1, 2026, and imposes clear, enforceable timelines for breach notifications by organizations that handle the personal information of California residents.
Key Changes
SB 446 amends Civil Code § 1798.82 to replace the existing subjective standard (“most expedient time possible and without unreasonable delay”) with specific deadlines for notifying affected individuals and the state Attorney General:
30-day deadline for notifying affected California residents after discovery or notification of a breach involving personal information. This applies regardless of encryption status if the encryption key or credential is also acquired or reasonably believed to have been acquired. Authorized delays are limited to defined exceptions.
15-day deadline for submitting a sample copy of the consumer breach notice to the California Attorney General for breaches affecting more than 500 California residents, counted from the date affected individuals are notified.
VenariX monitors data breaches and compares them to related notifications to see when and how organizations disclose incidents.
Tracking notification timelines is important because laws like California SB 446 require quick disclosure. By comparing when an incident is detected to when notification is issued, VenariX shows how long organizations take to notify and how disclosure timing varies across sectors, industries, or incident types.
Sign up for a free VenariX account to learn more.
Notification Content Requirements
SB 446 continues existing requirements for notice content and format. Notices must be written in plain language, clear and conspicuous, and include core elements such as:
What happened
Types of information involved
Actions taken by the organization
Steps individuals can take
Contact information for further questions
A range of additional details may be required, including estimated breach dates, the reason for delay (if law enforcement), and offers of identity protection services when the breached entity was the source of the breach.
What Qualifies as “Personal Information” Under SB 446
For purposes of breach notification, personal information generally includes an individual’s first name or first initial and last name in combination with one or more of the following data elements, when not encrypted or redacted:
Social Security number.
Driver’s license number or California identification card number.
Financial account number, credit card number, or debit card number, when combined with any required security code, access code, or password.
Medical information.
Health insurance information.
Biometric data (such as fingerprints, facial recognition data, or retinal scans)
Username or email address in combination with a password or security question and answer that would permit access to an online account.
The statute also applies to breaches involving encrypted data if the encryption key or credential was acquired by an unauthorized party, or is reasonably believed to have been acquired by one.
Exceptions and Practical Considerations
SB 446 allows limited delays to the notification deadlines when the delay is necessary to:
Accommodate a legitimate law enforcement request.
Determine the scope of the breach.
Restore the integrity of affected systems.
Implications for Cybersecurity and Legal Teams
SB 446 places defined notification timelines on breach response, which incident response processes should account for in practice. Incident response plans should:
Support timely breach identification, scoping, and decision-making within the 30-day notification window.
Address coordination between consumer notifications and California Attorney General submissions.
Define escalation paths for engaging legal counsel and law enforcement when a delay may be appropriate.
Reflect the revised timelines and notification content requirements in documentation, playbooks, and training.
Penalties and Enforcement Considerations
SB 446 does not establish new penalties. However, failure to meet the statutory notification deadlines may still trigger enforcement under existing California law. The change replaces the prior “without unreasonable delay” standard with a fixed timeline, reducing the flexibility for justifying delays. The California Attorney General may pursue enforcement actions, including under the Unfair Competition Law, where civil penalties of up to $2,500 per violation may apply. While late notification alone does not create a new private right of action, it has historically increased regulatory scrutiny and litigation risk during breach investigations.
Takeaway
SB 446 imposes strict, calendar-based deadlines on data breach notifications in California. Security and privacy leaders should assess incident response and legal processes, now that the law is in effect.