California Governor Gavin Newsom has signed Senate Bill 446, a new law tightening the state’s data breach notification rules and setting one of the nation’s strictest timelines for alerting consumers about compromised personal information.

Authored by Senator Melissa Hurtado, SB 446 amends California’s Civil Code to require that businesses and individuals notify affected residents within 30 calendar days of discovering a data breach. The bill, approved October 3, 2025, aims to enhance transparency and consumer protection as cyberattacks and privacy breaches continue to rise across industries.

Under the new law, companies can only delay notifications to meet legitimate law enforcement needs or to determine the scope of the breach and restore data system integrity. Previously, state law required notification “in the most expedient time possible,” a standard critics said was too vague and often led to long delays before the public learned their personal data had been exposed.

SB 446 also tightens reporting requirements for large-scale incidents. Businesses that notify more than 500 California residents must submit a sample of their breach notice to the state attorney general within 15 days of informing consumers, ensuring state oversight of major data incidents. SB 446 takes effect January 1, 2026.

California already has some of the toughest privacy laws in the United States, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). SB 446 builds on this framework by establishing clear accountability standards for timely breach disclosure and by reinforcing the importance of consumer trust in the digital economy.

SB 446 takes effect January 1, 2026.

Need Help?

If you’re concerned or have questions about how to navigate California’s AI regulations, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.