CA Adopts 30-Day Deadline for Data Breach Notifications
California updated its data breach notification law and will require covered entities to generally disclose data breaches to California residents within 30 calendar days of discovery or notification of the breach. Previously, California required that data breach disclosures occur “without unreasonable delay.”
The law requires individuals and businesses that conduct business in California and own or license data that includes personal information to disclose data breaches to consumers when their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Breaches of encrypted personal information would also need to be disclosed when the unauthorized person acquires the encryption key or security credential rendering the personal information readable.
Covered entities may delay notifications to accommodate law enforcement investigations when a law enforcement agency determines that the notification will impede a criminal investigation. They may also delay notifications if doing so is necessary to determine the scope of the breach and restore the integrity of the data system.
The notification must meet certain requirements, including being written in plain language. The law includes a model security breach notification.
If more than 500 California residents are issued security breach notifications related to a single breach, the covered entity must submit a sample copy of the notification to the California Attorney General within 15 calendar days of notifying affected consumers.
California further requires those individuals or businesses that maintain data for others to notify the owner or licensee of the data immediately following discovery of a breach, if the personal information was, or is believed to have been, acquired by an unauthorized person.
The law goes into effect January 1, 2026.
