California’s SB 446: What Every Business Needs to Know About New Data Breach Notification Rules

Starting January 1, 2026, California’s SB 446 introduces stricter timelines for data breach notifications, replacing the old “without unreasonable delay” standard with firm deadlines. If your organization handles personal data of California residents, this law affects you.

Key Requirements

  • 👉 Notify Affected Californians:
    Within 30 calendar days of discovering a breach involving unencrypted or compromised encrypted personal information.
  • 👉 Notify the Attorney General:
    If 500 or more Californians are impacted, submit a sample consumer notice (excluding personal details) to the California Attorney General within 15 calendar days of notifying consumers.

Exceptions

  • 👉 Delay allowed only if:
    • ✔ Law enforcement certifies that notification would impede an investigation, or
    • ✔ Additional time is needed to accurately assess the breach or restore system integrity.

Why This Matters

SB 446 aligns California with other states adopting strict timelines, addressing past delays where notifications took months or years. Compliance is now a legal obligation, not a best practice.

Action Steps for Businesses

  1. Update Incident Response Plans to include the 30-day consumer notification deadline and the 15-day Attorney General submission deadline.
  2. Automate Compliance Workflows for breach detection and notifications.
  3. Engage Legal Counsel for delay exceptions and law enforcement coordination.
  4. Ensure Notification Content meets clarity and completeness standards.

Bottom Line:
If you experience a data breach, the 30-day clock starts when you discover it. Prepare now to avoid penalties and protect consumer trust.

Don’t Wait Until It’s Too Late

Cybersecurity incidents happen fast—and the law starts the clock immediately. US Service Center can help you prepare now, ensuring preventative measures are in place so you’re not scrambling during an urgent breach.

👉 Contact us today to build a proactive compliance and cybersecurity strategy.