California passed a bill amending the state’s notice requirements with respect to a breach of security. Under existing law, a person that conducts business in California and that owns or licenses computerized data that includes personal information must disclose a breach of security in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system to any California resident whose unencrypted personal information was, or is reasonably believed to have been, accessed by an unauthorized person. Under the bill, the security breach disclosure must now be provided within 30 calendar days of discovery or notification of the data breach to a California resident. Also, the bill now requires that the security breach notification which was required to be provided to the Attorney General, be provided to the Attorney General within 15 calendar days of notifying affected California residents of the security breach (previously, there was no timing requirement for notification). The bill becomes effective January 1, 2026.

Click to view the CA SB 446: https://www.tenaco.com/wp-content/uploads/2025/10/CA-SB-446-10-07-25.pdf