
SB 446: California’s New 30-Day Breach Rule

November 19, 2025

1. What is SB 446?

At its core, SB 446 amends California's data-breach notification statute (California Civil Code Section 1798.82) to put clear deadlines on when businesses must notify affected individuals and the Attorney General after a data breach. (Sources: Moore & Van Allen; LegiScan, <https://legiscan.com/CA/text/SB446/id/3201535?utm_source=chatgpt.com>; Digital Democracy | CalMatters.) Here are the key provisions:

* If a business (or individual) that does business in California owns or licenses computerized data that includes personal information, and a breach of the security of the system occurs (meaning unauthorized acquisition of that data), the business must notify affected California residents. (Source: LegiScan, <https://legiscan.com/CA/text/SB446/id/3201535?utm_source=chatgpt.com>)
* Under SB 446, individual notification must be made within 30 calendar days of discovery or notification of the breach. (Sources: Digital Democracy | CalMatters, <https://calmatters.digitaldemocracy.org/bills/ca_202520260sb446?utm_source=chatgpt.com>; Moore & Van Allen.)
* If the breach affects more than 500 California residents, the business must submit a single sample copy of the notification to the California Attorney General within 15 calendar days of notifying the individuals. (Source: LegiScan, <https://legiscan.com/CA/text/SB446/id/3201535?utm_source=chatgpt.com>)
* The legislation retains the existing exceptions for delaying notification: when law enforcement says that immediate disclosure would impede a criminal investigation, or when more time is needed to determine the scope of the breach and restore the integrity of the system. (Source: LegiScan, <https://legiscan.com/CA/text/SB446/id/3201535?utm_source=chatgpt.com>)
* SB 446 takes effect January 1, 2026. (Source: Moore & Van Allen, <https://www.mvalaw.com/data-points/california-amends-data-breach-notification-requirements?utm_source=chatgpt.com>)


2. Why does this matter to you (your business)?

Let's be honest: most businesses don't want to go through a data breach — but if you do handle personal information of California residents (even if you're not based in CA), you're on the hook. Here's why SB 446 merits your attention:

* Concrete deadline = more risk: Before, the law said "in the most expedient time possible and without unreasonable delay." That was vague; now we have "30 calendar days." That means less wiggle room. (Source: Moore & Van Allen, <https://www.mvalaw.com/data-points/california-amends-data-breach-notification-requirements?utm_source=chatgpt.com>)
* Operational impact: Your incident response plan will need adjusting. Your data inventory, your breach escalation process, and your legal and IT workflows must all align to hit the 30-day window.
* Broader reach: If you do business with California residents (customers, employees, service dependents), you're covered. It doesn't matter if your HQ is somewhere else.
* Significant notification obligations: Not just to individuals, but if 500+ are impacted, to the California Attorney General within 15 days.
* Competitive/brand risk: Late or inadequate notification = reputational damage, trust loss, possibly litigation. My folks in the Marines used to say: "shame is when your chain of command finds out you dropped the ball." It applies here too.
* Regulatory trend: California is often ahead of the curve with privacy/cyber laws. If you're compliant here, you're likely in a stronger spot for other states.


3. What exactly changed (vs. "old law")?

Here are the changes side-by-side:

| Feature | Prior law (pre-SB 446) | SB 446 changes |
|---|---|---|
| Timing for individual notice | "Most expedient time possible and without unreasonable delay" (vague). [Digital Democracy \| CalMatters] | Fixed deadline: 30 calendar days from discovery/notification. [LegiScan] |
| Timing for AG/sample notice (500+ impacted) | Required submission, but no specific fixed deadline. [Moore & Van Allen] | Now requires the sample notice to the AG within 15 calendar days. [LegiScan] |
| Definition of "personal information" / scope | Definitions already existed in Section 1798.82. [LegiScan] | SB 446 does not change the definition of personal information significantly; it focuses on timing and notification obligations. [Moore & Van Allen] |
| Effective date | Existing law already in place. | New requirements go into effect Jan 1, 2026. [Moore & Van Allen] |

Sources: LegiScan, <https://legiscan.com/CA/text/SB446/id/3201535?utm_source=chatgpt.com>; Moore & Van Allen, <https://www.mvalaw.com/data-points/california-amends-data-breach-notification-requirements?utm_source=chatgpt.com>; Digital Democracy | CalMatters, <https://calmatters.digitaldemocracy.org/bills/ca_202520260sb446?utm_source=chatgpt.com>.


4. What you should do (action checklist for your business)

OK, so you know what's happening. Now let's talk real steps. I don't know your business structure or exact operations, but here's a checklist you can walk through.

1. Inventory your data
* What systems hold personal information of California residents?
* Who "owns" or "licenses" that data?
* Do you have subcontractors/vendors who handle that data?
* If you don't know, start asking the hard questions now.

2. Review your incident response plan
* Does your plan currently assume a "reasonable delay" but no fixed deadline? (That was fine before.)
* Update the plan to reflect that when you discover a breach (or are notified of one), your 30-day clock starts.
* Define roles: IT, Legal, PR, Data Protection, vendor management.
* Ensure you have procedures for the "500+ impacted individuals" scenario, including notifying your legal counsel and, where required, the Attorney General.

3. Vendor & third-party management
* If vendors hold your data (or you hold theirs), ensure contracts reflect your obligations under SB 446.
* Do they have timely breach notification processes? Can they meet the 30-day/15-day deadlines?

4. Communication templates & legal review
* Update your breach notification templates: they must include the required headings ("What Happened", "What Information Was Involved", "What We Are Doing", "What You Can Do", "For More Information"). (Source: LegiScan, <https://legiscan.com/CA/text/SB446/id/3201535?utm_source=chatgpt.com>)
* Ensure your legal review covers California's amended law and that your notification is clear, written in plain language, and carries the required title and headings.

5. Train your team
* Make sure your leadership, incident response team, and communications/PR know the 30-day rule.
* Conduct drills or tabletop exercises: pick a scenario in which your business has a breach affecting California residents, and walk through the detection → classification → notification timeline.

6. Monitor and document
* Keep careful documentation of when the breach was discovered, when you notified each regulatory entity/individual, when you sent the sample to the AG if 500+ impacted.
* Document reasons for any delay (law-enforcement request, investigation ongoing) — since the law allows delay only for those limited reasons.

7. Risk assessment & insurance
* Review your cyber-liability and data breach insurance; coverage may need updating for the faster timeline.
* Evaluate your security controls: because quicker notification means less time to investigate, your preventive measures are even more important.


8. Communicate with stakeholders
* If you're public, or if you deal with clients/customers, consider communicating to them (proactively) that you've updated your policies in light of SB 446. That builds trust.
* Extend the message to clients/vendors: "we've revised our incident response plan so we can meet California's new 30-day notification law."


5. Key "gotchas" & things to watch

* Discovery vs. notification: The 30-day clock begins when you discover or are notified of the breach, whichever is earlier. So you must define "discovery" in your plan. (Source: LegiScan, <https://legiscan.com/CA/text/SB446/id/3201535?utm_source=chatgpt.com>)
* What counts as a breach? The law defines "breach of the security of the system" as unauthorized acquisition of computerized data that compromises confidentiality, integrity, or security. (Source: LegiScan, <https://legiscan.com/CA/text/SB446/id/3201535?utm_source=chatgpt.com>)
* Exceptions are narrow: You can delay notification only if a law-enforcement agency says the notice will impede a criminal investigation, or you need more time to determine scope/restore system integrity. These are not broad catch-alls.
* 500+ impacted triggers AG notice: If more than 500 California residents' data are involved in a single breach, you must send a sample notice to the AG within 15 days of consumer notice.
* Penalties & litigation risk: While the statute itself doesn't lay out specific fines for late notification, failure to comply may open the door to regulatory enforcement and civil liability, as some law-firm blogs note. (Source: VensureHR, <https://vensure.com/employment-law-updates/california/california-to-require-data-breach-notification-within-30-days-starting-january-2026/?utm_source=chatgpt.com>)
* Cross-state implications: If you operate in multiple states, many states have similar but varying breach-notice deadlines. Your team needs to handle overlapping requirements (e.g., California's 30-day rule vs. stricter or looser deadlines elsewhere).
* Effective date countdown: With January 1, 2026 as the effective date, you're entering the home stretch. The time to update is now.
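To make the timeline from steps 2 and 6 of the checklist and the discovery-vs-notification, narrow-exception and 500+ rules above concrete, here is an added illustration (my own example, not code from SB 446, the cited sources, or any product): a small Python incident record that derives the two deadlines and flags gaps in the paper trail. The day counts, the 500 threshold and the two permitted delay grounds come from the text above; the field names, the reason labels and the `BreachRecord` class are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

INDIVIDUAL_NOTICE_DAYS = 30   # calendar days from discovery/notification (SB 446)
AG_SAMPLE_NOTICE_DAYS = 15    # calendar days from the individual notice (SB 446)
AG_SAMPLE_THRESHOLD = 500     # AG sample required only when MORE than 500 CA residents
# The only delay grounds the statute retains, as summarised in this post (labels are mine).
PERMITTED_DELAY_REASONS = {"law_enforcement_request", "scope_or_integrity"}


@dataclass
class BreachRecord:
    discovered_on: date | None            # when our own team found the breach
    notified_on: date | None              # when a vendor or third party told us
    ca_residents_affected: int
    individual_notice_sent_on: date | None = None
    ag_sample_sent_on: date | None = None
    delay_reason: str | None = None       # must be one of PERMITTED_DELAY_REASONS to excuse

    def clock_start(self) -> date:
        """The 30-day clock starts at discovery or notification, whichever is earlier."""
        known = [d for d in (self.discovered_on, self.notified_on) if d is not None]
        if not known:
            raise ValueError("record has neither a discovery nor a notification date")
        return min(known)

    def individual_deadline(self) -> date:
        return self.clock_start() + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    def ag_deadline(self) -> date | None:
        """AG sample is due only for >500 residents, 15 days after consumer notice went out."""
        if self.ca_residents_affected <= AG_SAMPLE_THRESHOLD or self.individual_notice_sent_on is None:
            return None
        return self.individual_notice_sent_on + timedelta(days=AG_SAMPLE_NOTICE_DAYS)

    def findings(self, today: date) -> list[str]:
        """Compliance findings as of `today`; an empty list means the record is on track."""
        out: list[str] = []
        excused = self.delay_reason in PERMITTED_DELAY_REASONS   # excuses consumer notice only
        checks = [("individual notice", self.individual_deadline(), self.individual_notice_sent_on, excused),
                  ("AG sample notice", self.ag_deadline(), self.ag_sample_sent_on, False)]
        for name, due, sent, ok in checks:
            if due is None or ok:
                continue            # no deadline exists yet, or delay rests on a permitted ground
            if sent is None and today > due:
                out.append(f"{name} overdue since {due}")
            elif sent is not None and sent > due:
                out.append(f"{name} sent late on {sent}, was due {due}")
        return out
```

Note that a delay reason outside the two permitted grounds is treated as no excuse at all, which is the point of "exceptions are narrow" above.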


6. My point (and what I'd say if I were advising you)


If I were sitting across the table from you (maybe after a day at the range with my Marine buddy), I'd say: "Look, you already knew data-breach risk was real. What SB 446 does is raise the bar for HOW FAST you must act when the inevitable happens." There's no excuse for saying "we'll get to it later" when a timer is now clearly ticking. Five years ago, 'reasonable delay' might have been defensible; in 2026 you'll have a defined 30-day clock for California.

We owe it to our customers, our brand, our shareholders, and yes — ourselves — to be ready. It's not just about "we'll fix it after the crash." It's about building systems that anticipate the crash and respond rapidly.


7. Final "pre-mortem" checklist

Here's a quick wrap-up for your immediate action plan:

* Update your incident response plan with the 30-day deadline baked in.
* Align key stakeholders: legal, IT, security, communications.
* Review your vendor/third-party contracts for notification obligations.
* Refresh your breach-notification template to match the required headings and plain-language style.
* Train your team so everyone knows the "sound of the alarm" and the sequence after detection.
* Review your cyber-insurance and risk tolerances, and consider whether your controls are good enough given the faster deadlines.
* Mark your calendar: Jan 1, 2026 (when SB 446 takes effect). If you have business in California, treat this like a go-live event.
* Please consult with your legal counsel to determine the appropriate policies and procedures for your business.