KLS Keeping Law Simple Legislation in plain English

Straight-ahead summaries built from the official bill text. We keep the source links front and center and leave the decision up to you.

Back to California

SB-446 • 2026

Data breaches: customer notification.

Data breaches: customer notification.

Enacted

This bill passed the Legislature and reached final enactment based on the latest official action.

Sponsor
Hurtado
Last action
2025-10-03
Official status
Chaptered by Secretary of State. Chapter 319, Statutes of 2025.
Effective date
Not listed

Plain English Breakdown

The official source material did not provide specific details on penalties for non-compliance with the new time limits.

Data Breaches: Customer Notification

This law sets a time limit for businesses to inform customers about data breaches and report them to the government.

What This Bill Does

  • Requires companies to notify affected individuals within 30 days after discovering a data breach, unless they need more time due to legitimate law enforcement needs or to determine the scope of the breach.
  • Businesses must send a copy of their notification letter to the Attorney General if over 500 people are affected by the same data breach and this report should be submitted within 15 days after notifying customers.

Who It Names or Affects

  • Businesses that operate in California and handle personal information of Californians
  • Customers whose personal information is compromised in a data breach

Terms To Know

Data Breach
An incident where someone gains unauthorized access to or steals sensitive, protected, or confidential information.
Personal Information
Information that can be used to identify a specific individual, such as name, address, social security number, etc.

Limits and Unknowns

  • Does not specify the consequences for businesses that do not comply with the new time limits.
  • It is unclear if this law applies to all types of personal information or only certain kinds.

Bill History

  1. 2025-10-03 California Legislative Information

    Chaptered by Secretary of State. Chapter 319, Statutes of 2025.

  2. 2025-10-03 California Legislative Information

    Approved by the Governor.

  3. 2025-09-03 California Legislative Information

    Enrolled and presented to the Governor at 11 a.m.

  4. 2025-08-28 California Legislative Information

    In Senate. Ordered to engrossing and enrolling.

  5. 2025-08-28 California Legislative Information

    Read third time. Passed. (Ayes 74. Noes 0. Page 2776.) Ordered to the Senate.

  6. 2025-08-21 California Legislative Information

    Read second time. Ordered to consent calendar.

  7. 2025-08-20 California Legislative Information

    From committee: Do pass. Ordered to consent calendar. (Ayes 15. Noes 0.) (August 20).

  8. 2025-07-09 California Legislative Information

    From committee: Do pass and re-refer to Com. on APPR. with recommendation: To consent calendar. (Ayes 12. Noes 0.) (July 8). Re-referred to Com. on APPR.

  9. 2025-06-25 California Legislative Information

    From committee: Do pass and re-refer to Com. on JUD. with recommendation: To consent calendar. (Ayes 15. Noes 0.) (June 24). Re-referred to Com. on JUD.

  10. 2025-06-05 California Legislative Information

    Referred to Coms. on P. & C.P., JUD., and APPR.

  11. 2025-05-28 California Legislative Information

    In Assembly. Read first time. Held at Desk.

  12. 2025-05-28 California Legislative Information

    Read third time. Passed. (Ayes 39. Noes 0. Page 1297.) Ordered to the Assembly.

  13. 2025-05-15 California Legislative Information

    Read second time. Ordered to third reading.

  14. 2025-05-14 California Legislative Information

    Ordered to second reading.

  15. 2025-05-14 California Legislative Information

    Read third time and amended.

  16. 2025-04-22 California Legislative Information

    Read second time. Ordered to third reading.

  17. 2025-04-21 California Legislative Information

    From committee: Be ordered to second reading pursuant to Senate Rule 28.8.

  18. 2025-04-08 California Legislative Information

    Set for hearing April 21.

  19. 2025-04-03 California Legislative Information

    Read second time and amended. Re-referred to Com. on APPR.

  20. 2025-04-02 California Legislative Information

    From committee: Do pass as amended and re-refer to Com. on APPR. (Ayes 12. Noes 0. Page 610.) (April 1).

  21. 2025-03-25 California Legislative Information

    Set for hearing April 1.

  22. 2025-02-26 California Legislative Information

    Referred to Coms. on JUD. and APPR.

  23. 2025-02-19 California Legislative Information

    From printer. May be acted upon on or after March 21.

  24. 2025-02-18 California Legislative Information

    Introduced. Read first time. To Com. on RLS. for assignment. To print.

Official Summary Text

SB 446, Hurtado.
Data breaches: customer notification.
Existing law requires an individual or a business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was compromised, as specified, and requires that disclosure to be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
This bill would require that data breach disclosure to be made within 30 calendar days of discovery or notification of the data breach but would authorize an
individual or business to delay the disclosure to accommodate the legitimate needs of law enforcement, as specified, or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Existing law also requires an individual or business that is required to issue the security breach notification described above to more than 500 California residents as a result of a single breach of the security system to electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.
This bill would require that submission to the Attorney General to be made within 15 calendar days of notifying
affected consumers of the security breach.

Current Bill Text

Read the full stored bill text 
Download Bill PDF