October 9, 2025

Employers Prepare: California Tightens Data Breach Notification Rules with SB 446 

California employers are facing a significant update to their data privacy responsibilities. SB 446, recently signed into law and effective January 1, 2026, overhauls the state’s data breach notification requirements — imposing strict new deadlines, clearer standards, and added accountability for businesses that handle personal information. 

Historically, California’s data breach laws required companies to notify affected individuals in “the most expedient time possible and without unreasonable delay.” That vague standard led to delays in notification — sometimes lasting months or years — potentially leaving consumers vulnerable to identity theft and other harms. 

SB 446 changes this landscape. Under the new legislation, businesses and organizations that “own or license computerized data” containing personal information must notify affected California residents within 30 calendar days of discovering or being notified of a breach. Should a breach affect more than 500 California residents, the company must also submit a sample copy of the notification to the state Attorney General within 15 days of notifying those affected. 

The law includes two important exceptions: 

  • Notification may be delayed if required for law enforcement purposes. 
  • It may also be delayed to determine the full scope of the breach or restore system integrity. 

Additionally, SB 446 codifies a model breach notice format with clear headings — “What Happened,” “What Information Was Involved,” “What We Are Doing,” and “What You Can Do” — setting a compliance standard for both written and electronic notices. 

What Does It Mean?

This legislation significantly elevates the obligations of California employers on three fronts: 

  • Acceleration of response time: Businesses must now act quickly when they suspect a breach. The 30-day clock starts ticking as soon as the breach is discovered — not later. Delays due to “reasonable investigation time” will require firms to prove that they were needed to determine the breach’s scope or to comply with law enforcement. 
  • Stricter oversight and reporting: By mandating disclosure to the Attorney General for large-scale breaches, the law increases transparency and potential regulatory oversight. 
  • Standardized disclosure format: Employers must comply with the prescribed plain-language structure for breach notices. Failure to use consistent headings or adequately describe the breach may constitute a compliance risk. 

It is also important to note that a failure to provide the required notice within the 30 calendar-day period could be used as “per se” evidence of a violation of the law. Further, under California law, businesses regulated by the California Consumer Privacy Act (CCPA) could face both regulatory fines and a private right of action for data breaches resulting from a business’s failure to implement reasonable security measures. 

Employers should treat the revised statute as an opportunity to upgrade their privacy and data security protocols. The following best practices can aid compliance: 

  • Maintain a ready-to-implement breach response plan. Develop and regularly test a breach response that triggers investigation, communications, and notifications quickly. The plan should include legally vetted notice templates aligned with SB 446 requirements. 
  • Establish robust monitoring and detection systems. Because 30 days is such a short response period, early detection is critical. Consider deploying intrusion detection tools, conducting regular audits, and implementing strong logging and alerting to shorten the time between compromise and discovery.
  • Mandate training on data privacy obligations. Employees should understand how breaches occur (and how best to prevent them), their reporting obligations, and the importance of swift escalation.
  • Update third-party vendor agreements. To assist in meeting notification deadlines, review all third-party vendor agreements to ensure they obligate the vendor to notify you immediately in the event of a breach.

SB 446 makes clear that California considers timely data breach notification a cornerstone of consumer protection. For employers, it raises the stakes by replacing vague timing standards with specific deadlines and penalties for noncompliance. As cybersecurity evolves, compliance will require more than just legal wordsmithing — it will require proactive planning, rapid response, and clear communication with affected individuals and state regulators alike.