California's 30-Day Deadline for Data Breach Reporting Begins Thursday
A California bill amending the state’s current data breach notification law becomes effective Thursday, creating a 30-day timeline for reporting a discovered breach. The change puts a premium on prompt response and preparation, lawyers told us, including complying with a 15-day reporting requirement under certain circumstances.
The update fixes "what the [state] legislature believed was an ‘indefinite timeline,'" said Jared Slater, a privacy lawyer at Ervin Cohen. He noted that the original law required organizations to report breaches in the “most expedient time possible" and "without unreasonable delay, consistent with legitimate needs of law enforcement.”
But SB-446, signed by the governor in October (see 2510060033), introduces a 30-day timeline that removes the “flexibility or luxury” of reporting a breach, he said. SB-446 “really just tightens up what I believe the legislature perceived to be a loophole for employers.”
The change “is very much needed,” said Emory Roane, associate director of policy at Privacy Rights Clearinghouse, in an email to Privacy Daily. Consumers have often been “left in the dark for many months that a breach has even occurred, making it even harder for them to take the few steps available post-breach to protect their own personal information,” he said. “It was great seeing California take this step.”
Data from Privacy Rights Clearinghouse “shows the results of that ambiguity,” Roane said (see 2510070028). Between 2020 and 2025 in California, the average reporting time to consumers was 192 days, and the median was 136 days. “It's difficult to see how those timelines squared with the statutory requirement for notification ‘in the most expedient time possible,’” Roane added.
Slater said the amendment “is really a matter of trying to affect and improve on the broadest types of groups possible,” like Amazon or Uber -- “the big companies that have tons and tons” of California consumers' data -- to make “sure that they don't have in their discretion an indefinite time to report what otherwise might be important.”
For breaches involving more than 500 Californians, the amendment also requires companies to notify the state attorney general’s office within 15 calendar days of notifying affected residents, said Kelly Campbell, a data privacy and cybersecurity lawyer at McDonald Hopkins, in an email. “The better that organizations are able to manage and understand the contents of the data that they maintain, including the extent of any sensitive or personally identifiable information, the more equipped they will be to satisfy these tight timeframes for notice.”
In addition, SB-446 includes a requirement that businesses have a notice form prepared and explicitly lays out what needs to be in that form, Slater said. He recommended that employers “have that template ready” so that in the event of an incident, it can be completed with specifics well within the required time frame.
Having a “third-party forensic team” on standby to conduct an investigation is helpful, Slater added. “You can't delay anymore” with this 30-day deadline -- “you need to figure out what's going on very, very quickly, and so having that team in place already to assist you at a moment's notice will be extremely critical.”
Slater suggested that lawyers with breach disclosure experience can help businesses report promptly.
A Varied State Landscape
California hasn't been the only state with delayed breach notifications. Of 13,805 breach events from 2020-25 that included information on both when the breach occurred and when consumers were notified, 28% fell within “the most common notification window” of 91-180 days, Roane said. “Nearly a quarter” of breach notifications take six to 12 months to reach consumers, and 7% take more than a year.
“Consumers whose information has been exposed remain unaware and unable to take protective steps while bad actors exploit stolen data,” Roane added.
However, Campbell said, “many states impose deadlines for notifying impacted residents of a breach and for notifying a state agency.” She pointed to Colorado, Florida and Washington, which have 30-day time frames, while Alabama has a 45-day requirement and Delaware allows 60 days.
Other states also have different deadlines for notifying state agencies, rather than the 15-day window that SB-446 will require in California. Indiana requires notice to its attorney general within 45 days, and Maryland mandates that the AG be informed before affected individuals, Campbell said.
Slater also cited Illinois’ Personal Information Protection Act as a state statute that's similarly comprehensive to California’s law.
California likes being “at the forefront of all these different types of consumer and employee protections,” he said. “This law is designed to protect residents and consumers,” so it “tracks” with the state's reputation.