DAL A.I CyberSecurity Scoring
DAL
Company Information
Website: http://www.delta.com
Number of employees: 79,836
Number of followers: 1,657,686
NAICS: 481
Industry Type: Airlines and Aviation
Homepage: delta.com
DAL Risk Score (AI oriented)
Between 700 and 749
DAL: Airlines and Aviation
Updated: 03/06/2026
736/1000
Moderate
Ba

DAL: Moderate
Current Score
736 Ba (MODERATE)
Scale: 0 to 1000
2 incidents
-73 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 736
MAY 2026: 728
APRIL 2026: 801
Breach
28 Apr 2026 • DAL
Delta Dental of California: California Data Breach Notification Law: Civil Code 1798.82 Guide
California’s Data Breach Notification Law Overhaul (2025)
728
CRITICAL-73
DEL1777437123
California’s Data Breach Notification Law Gets a Major Overhaul in 2025: What Businesses Need to Know
In 2003, California became the first state to mandate consumer notifications after data breaches, a groundbreaking move that set the standard for transparency in cybersecurity. Over two decades later, the law has evolved into one of the strictest in the U.S., and in 2025, it received its most significant update yet: a hard 30-day notification deadline for organizations handling the personal data of California residents.
### The Law’s Core Requirements
Under Civil Code 1798.82, any business, government agency, or nonprofit that owns, licenses, or maintains unencrypted personal information about California residents must notify affected individuals if that data has been, or is reasonably believed to have been, accessed by an unauthorized party. The law applies regardless of where the organization is based; if it holds data on even one California resident, compliance is mandatory.
What counts as personal information?
The law defines it broadly, covering:
- Names paired with Social Security numbers, driver’s license numbers, or financial account details
- Medical or health insurance information
- Login credentials (usernames/emails + passwords or security questions)
- Biometric data (fingerprints, facial recognition data, etc.)
- Standalone login credentials (even without a name attached)
### The 2025 Game-Changer: SB 446 and the 30-Day Deadline
Before 2025, California’s law required notifications to be sent "in the most expedient time possible and without unreasonable delay", a vague standard that many organizations stretched to 60, 90, or even 120 days. SB 446, signed into law in October 2025, eliminated this ambiguity by imposing a firm 30-calendar-day deadline from the moment a breach is discovered.
Key changes under SB 446:
- No exceptions for breach size: whether 50 or 5 million records are exposed, the 30-day clock applies.
- The only delay permitted is a formal law enforcement request to pause notifications for an active investigation.
- Discovery, not occurrence, triggers the deadline: organizations can’t claim ignorance if they should have detected the breach sooner.
### Who Must Comply?
The law casts a wide net:
- Businesses of all sizes (no small-business exemption)
- Government agencies (under Civil Code 1798.29)
- Nonprofits and educational institutions
- Healthcare providers (must comply with both HIPAA and California’s stricter 30-day rule)
- Companies outside California if they hold data on California residents
### What a Compliant Notification Must Include
California’s law is prescriptive about notification content. A breach letter must:
- Be titled "Notice of Data Breach"
- Clearly state what happened, when, and what data was exposed
- Provide contact information for the organization
- Explain steps the organization is taking in response
- Offer guidance for affected individuals (e.g., credit monitoring, fraud alerts)
- Include credit bureau contacts if financial or SSN data was compromised
For breaches affecting 500+ residents, organizations must also submit a copy of the notification to the California Attorney General’s office, which publishes it in a public breach database, a permanent record that regulators, journalists, and customers can access.
### Penalties for Non-Compliance
Failing to meet the 30-day deadline carries severe consequences:
- Civil penalties of $2,500 per violation (unintentional) or $7,500 per violation (intentional), with each affected individual counting as a separate violation.
- Private lawsuits: affected individuals can sue for damages, including identity theft costs.
- Reputational damage: being listed in the California DOJ’s public breach database can erode trust and trigger regulatory scrutiny.
### Real-World Breaches Under the New Law
Several high-profile incidents in 2025 highlighted the law’s impact:
- Blue Shield of California faced a 4.7 million-record breach after a misconfigured Google Analytics tool exposed member data for nearly three years. A class-action lawsuit followed within days of notification.
- Delta Dental of California was criticized for waiting five months to notify 7 million members of a MOVEit-related breach, a delay that would now violate the 30-day rule.
- PowerSchool, a major K-12 education software provider, disclosed a 62 million-record breach in 2024, with attackers later extorting schools using stolen data. The California AG issued guidance for affected families.
### Why the 30-Day Deadline Matters
The shift from a flexible timeline to a strict 30-day rule reflects a growing recognition that delayed notifications harm consumers. Studies show that breached data is often traded on the dark web within hours, leaving victims unaware while criminals exploit their information. California’s update forces organizations to prioritize detection, containment, and transparency or face steep penalties.
For businesses, the message is clear: Compliance is no longer optional, and the clock starts ticking the moment a breach is discovered. Organizations that fail to prepare risk not just legal consequences but lasting damage to their reputation.
MARCH 2026: 801
FEBRUARY 2026: 801
JANUARY 2026: 801
DECEMBER 2025: 801
NOVEMBER 2025: 762
OCTOBER 2025: 761
SEPTEMBER 2025: 760
AUGUST 2025: 758
JULY 2025: 796
SEPTEMBER 2017: 805
Breach
26 Sep 2017 • DAL
Delta Air Lines, Inc.
Delta Air Lines Data Breach
754
HIGH-51
DEL335072525
The Washington State Office of the Attorney General reported a data breach involving Delta Air Lines, Inc. on April 11, 2018. The breach occurred at [24]7.ai from September 26, 2017, to October 12, 2017, potentially affecting approximately 24,563 residents in Washington State, with impacted information including names and payment card details.