California’s proposed legislation Senate Bill 446 will become effective January 1, 2026. This means that California will require that data breach notifications be issued within 30 calendar days. Herein we discuss the law’s provisions and best preparations for businesses to undertake. Employers desiring further advice regarding these or any other issues may contact the experienced counsel at MNK Law, APC, by e-mail at info@mnklawyers.com, or telephone at 562.362.6437.
California Data Breach Notification Requirements and SB 446’s effects
California businesses are already currently required to provide notifications of any data breach to the affected individuals “in the most expedient time possible and without unreasonable delay.” If a breach requires notice to more than 500 California residents, the business must provide a copy of the notification, to the Attorney General, who will make public the notification on its website.
SB 446, taking effect on January 1, 2026, increases employers’ responsibilities and potential liabilities by establishing clear notification deadlines for data breaches. SB 446 requires that consumer data breach notifications must be made within 30 calendar days of discovery or notification of the data breach. Notices regarding breaches involving more than 500 Californians must be made within 15 calendar days thereafter to the Attorney General.
Pursuant to SB 446, any failure to provide required notice within these periods could be used as evidence of a violation of the law. Businesses regulated by the California Consumer Privacy Act (CCPA) can face regulatory fines for data breaches resulting from a business’s failure to implement reasonable security measures. In 2025, the related fines were at least $2,663 for each unintentional violation, or $7,988 for each intentional violation and violations involving the personal information of consumers whom the violator has knowledge are under 16 years of age. Risk of the latter instance is enhanced because employers may have the data of employees’ dependents on their networks for health insurance or other routine purposes. California law also provides that a private citizen may seek legal action for violations and recovery of damages thereto, up to $799 per consumer per incident, or actual damages, whichever is greater.
Employer Takeaways
- California businesses will need to revise their data breach processes to ensure that notice is provided to consumers within 30 calendar days unless a covered exemption applies. The 30-day notification deadline present new challenges for employers in their ongoing compliance efforts. This is especially true as data breaches can require detailed forensic investigations to determine the scope of the incident and the data impacted. These timelines could force employers to issue premature or incomplete notifications.
- Prevention of a data breach in the first place is the best method to avoid having to worry about SB 446’s notification provisions. California employers should reexamine and possibly fortify their safety and security protocols to ensure that employee and consumer data is adequately safeguarded.
- However, in the event of a violation, employers should be ready to take quick action in notification. Businesses should therefore update incident response plans as necessary, to ensure adherence to the new deadlines, in the event of an incident that would require notice. Internal processes and procedures should be confirmed to ensure compliance with the potential more specific timeframe. This might include creating processes for prompt communication regarding data breaches from any third-party vendors, if not previously undertaken.
MNK Law, APC can further help employers prepare for these and other upcoming changes taking place on January 1, 2026. Contact us by email at info@mnklawyers.com or by phone at 562.362.6437.
