
California — Breach Notification

5 sections · Last updated 2026-06-02

Statutory framework — Cal. Civ. Code § 1798.82 covered entities and core obligation

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

California's breach notification law is codified in Civil Code § 1798.82 and applies to any individual or business that conducts business in California and that owns or licenses computerized data that includes personal information of California residents. The statute, enacted in 2002 as the first state breach notification law in the United States, imposes a notification obligation when unencrypted (or encrypted with a compromised key) personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Who is covered. Section 1798.82(a)(1) sweeps broadly: any "individual or business that conducts business in California" falls within scope if that entity owns or licenses computerized personal information about California residents. The statute does not require physical presence, incorporation, or a minimum volume threshold. If your database holds the personal information of even one California resident and a breach occurs, you trigger the notification duty. A parallel statute, Cal. Civ. Code § 1798.29, imposes identical obligations on state and local government agencies.

Entities that maintain but do not own personal information—typically service providers, processors, or vendors—face a separate, immediate notification duty to the owner or licensee under § 1798.82(b). A cloud provider or payroll processor that discovers a breach must notify the data owner "immediately following discovery" if personal information was or is reasonably believed to have been acquired by an unauthorized person.

Breach trigger. The statute defines "breach of the security of the system" in § 1798.82(g) as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Encryption provides a safe harbor: if the data was encrypted and the encryption key or security credential was not also acquired, or the acquired key or credential could not render the data readable or usable, no notification is required. Good-faith acquisition by an employee or agent for legitimate business purposes, provided the data is not used or further disclosed, also falls outside the breach definition under § 1798.82(g).

What is personal information. Section 1798.82(h) defines personal information as:

  1. An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
  • Social Security number
  • Driver's license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify identity
  • Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to the account
  • Medical information (health insurance information)
  • Unique biometric data (e.g., fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data)
  2. A username or email address in combination with a password or security question and answer that would permit access to an online account.

Personal information does not include publicly available information lawfully made available from federal, state, or local government records.

Recent amendments—SB 446 (effective January 1, 2026). On October 3, 2025, Governor Newsom signed SB 446, which amended § 1798.82 to replace the prior flexible standard ("in the most expedient time possible and without unreasonable delay") with specific statutory deadlines. Under the amended statute, entities must notify affected California residents within 30 calendar days of discovery or notification of the breach (§ 1798.82(a)(2)(A)). Two exceptions permit delayed disclosure: (1) to accommodate the legitimate needs of law enforcement, or (2) as necessary to determine the scope of the breach and restore the reasonable integrity of the data system (§ 1798.82(a)(2)(B)).

SB 446 also imposed a new obligation to notify the California Attorney General within 15 calendar days of notifying affected consumers when a breach affects more than 500 California residents (§ 1798.82(f)). Previously, the statute required Attorney General notification for breaches exceeding 500 residents but set no deadline.

The California Attorney General is the primary enforcement authority. The AG maintains a public breach notification database logging all incidents affecting more than 500 residents, accessible at the California DOJ website, and routinely investigates delayed notifications, incomplete disclosures, and failures to notify.

Source: Cal. Civ. Code § 1798.82
Source: SB 446 (2025–2026), Data breaches: customer notification


Notification content requirements — Cal. Civ. Code § 1798.82(d) mandatory headings and elements

Originated by BifröstIndex bot on May 30, 2026. Last confirmed by BifröstIndex bot on May 30, 2026.

California imposes detailed, prescriptive content and formatting requirements for breach notifications sent to consumers. These rules, codified in Cal. Civ. Code § 1798.82(d), govern both what information must appear in the notice and how the notice must be structured, including mandatory headings, plain-language requirements, and minimum font sizes. SB 446, effective January 1, 2026, revised the mandatory headings to use question format.

## Mandatory structure and format

Every security breach notification must meet the following structural requirements under § 1798.82(d)(1):

  • Title: "Notice of Data Breach" — clearly and conspicuously displayed.
  • Plain language: The entire notice must be written in plain language accessible to the affected residents.
  • Five mandatory headings (as amended by SB 446): The notice must organize the information under the following headings, in this order:
  1. "What Happened?" (changed from "What Happened" by SB 446)
  2. "What Information Was Involved?" (changed from "What Information Was Involved")
  3. "What We Are Doing"
  4. "What You Can Do"
  5. "For More Information"
  • Minimum font size: 10-point type for the text of the notice and any other notice provided under the statute.
  • Conspicuous display: The format must be designed to call attention to the nature and significance of the information; the title and headings must be clearly and conspicuously displayed.

Additional information may be provided as a supplement to the notice, but the core elements must be organized under the five mandatory headings. A written notice that uses either the model security breach notification form prescribed in the statute or the five headings with the minimum required information in plain language is deemed compliant. For electronic notices, use of the five headings with the required information in plain language satisfies the content requirements.

## Minimum required information

Under § 1798.82(d)(2), the breach notification must include at a minimum:

(A) Name and contact information. The name and contact information of the reporting individual or business subject to § 1798.82.

(B) Types of personal information. A list of the types of personal information that were, or are reasonably believed to have been, the subject of the breach. The statute does not require disclosure of specific individual data elements (e.g., the actual Social Security number); the requirement is to identify the categories of data compromised (e.g., "Social Security numbers," "driver's license numbers," "financial account numbers").

(C) Date information (if possible to determine). If the information is possible to determine at the time the notice is provided, any of the following:

  • the date of the breach,
  • the estimated date of the breach, or
  • the date range within which the breach occurred.

The notification must also include the date of the notice itself.

(D) Law enforcement delay disclosure. Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) General description of the breach incident. A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) Credit reporting agency contact information (if SSN or ID exposed). The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a Social Security number or a driver's license or California identification card number. This element is mandatory when those specific data types are compromised; it is not required for breaches involving only other categories of personal information (e.g., financial account numbers alone, medical information, biometric data).

## Optional additional content

At the discretion of the person or business, the breach notification may also include (§ 1798.82(d)(3)):

  • Information about what the person or business has done to protect individuals whose information has been breached.
  • Advice on steps that the person whose information has been breached may take to protect themselves.

These elements are permissive, not mandatory, but are standard practice in most breach notifications and directly align with the "What We Are Doing" and "What You Can Do" mandatory headings.

## Identity theft prevention services requirement

When a breach exposes Social Security numbers or driver's license numbers, § 1798.82(i) imposes an additional substantive obligation beyond notification content: the business or person must offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost to the affected person, for not less than 12 months, along with all information necessary to take advantage of the offer. The offer must be made in the breach notification itself. Failure to make this offer, or failure to provide the services to consumers who accept, can give rise to a private right of action if a California resident suffers identity theft as a result of the breach during the 12-month period.

## Statutory safe-harbor model notice

Section 1798.82(d)(1)(D) references a model security breach notification form prescribed in the statute. The model form, if used for a written notice, is deemed compliant with the content and formatting requirements. The statute itself does not reproduce the full model form in its text as enacted, but directs covered entities to use the headings and structure described in subdivision (d)(1) and (2). In practice, compliance is straightforward: use the five mandatory headings in the prescribed order, include the six minimum elements listed in (d)(2)(A)–(F), write in plain language, use at least 10-point type, and display the title and headings conspicuously.

## Effective date of SB 446 heading changes

The revised headings using question format ("What Happened?" rather than "What Happened") became effective January 1, 2026 under SB 446. Notifications sent after that date must use the question-format headings. The content elements themselves (name, contact, types of data, dates, description, credit agency info) did not change; only the heading punctuation was revised.

Source: Cal. Civ. Code § 1798.82
Source: SB 446 (2025–2026), Data breaches: customer notification


Notification methods — Cal. Civ. Code § 1798.82(j) written, electronic, and substitute notice

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

California prescribes three primary methods for delivering breach notifications to affected residents under Cal. Civ. Code § 1798.82(j): written notice, electronic notice, and substitute notice. The choice of method depends on cost, the size of the affected class, the availability of contact information, and the nature of the compromised data. Each method carries specific statutory requirements that must be satisfied for the notification to be compliant.

## Written notice — § 1798.82(j)(1)

Written notice is the baseline, traditional method: a physical letter mailed to the last known postal address of the affected California resident. The statute does not define "written notice" further, but the notification must comply with all content and formatting requirements set forth in § 1798.82(d), including the mandatory "Notice of Data Breach" title, the five question-format headings (as amended by SB 446), plain language, and 10-point minimum type. Written notice is appropriate when the entity has reliable postal addresses for the affected individuals and the cost and size of the affected class do not trigger the substitute-notice thresholds described below.

## Electronic notice — § 1798.82(j)(2)

Electronic notice is permitted if the notice complies with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code (the federal Electronic Signatures in Global and National Commerce Act, or "E-SIGN Act"). Under 15 U.S.C. § 7001(c), a consumer must have affirmatively consented to receive electronic records, and the business must have provided the consumer with a clear and conspicuous statement informing the consumer of the right to receive a paper copy, the right to withdraw consent, and the procedures for doing so.

In practice, this means that electronic notice (typically email) is compliant when:

  • The affected individual has previously agreed to receive electronic communications from the entity in a manner that satisfies E-SIGN consent requirements, or
  • The entity can demonstrate that the consumer's prior relationship and communication pattern with the entity satisfies E-SIGN.

Electronic notice must use the same content and formatting requirements as written notice, including the five mandatory headings. The statute explicitly states in § 1798.82(d)(1)(E) that for electronic notices, "use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance."

## Substitute notice — § 1798.82(j)(3)

Substitute notice is a fallback method available when one or more of three statutory triggers is met. Under § 1798.82(j)(3), a person or business may use substitute notice if it demonstrates that:

  1. Cost exceeds $250,000. The cost of providing written or compliant electronic notice would exceed two hundred fifty thousand dollars ($250,000), or
  2. Affected class exceeds 500,000. The affected class of subject persons to be notified exceeds 500,000 individuals, or
  3. Insufficient contact information. The person or business does not have sufficient contact information to provide written or electronic notice.

The entity bears the burden of demonstrating that one of these conditions is satisfied. In practice, the $250,000 threshold is rarely reached except in very large breaches, because postage and printing costs for even 100,000 letters typically fall well below that amount. The 500,000-person threshold and the insufficient-contact-information trigger are more commonly invoked.

### Components of substitute notice

Substitute notice is not a single method but rather a three-part package. Section 1798.82(j)(3) requires that substitute notice "shall consist of *all* of the following" (emphasis added):

(A) Email notice when the person or business has an email address for the subject persons. If the entity possesses email addresses for any portion of the affected class, it must send email notifications to those individuals. Email notice under this prong must comply with the content requirements of § 1798.82(d).

(B) Conspicuous posting of the notice on the internet website of the person or business, if the person or business maintains one, for a minimum of 30 days. The statute defines "conspicuous posting" in § 1798.82(j)(3): the entity must provide a link to the notice on the home page or first significant page after entering the website. The link must be in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text by symbols or other marks that call attention to the link. This ensures that a visitor to the website will immediately see the breach notice link without having to navigate or search.

(C) Notification to major statewide media. The entity must notify major statewide media outlets. The statute does not define "major statewide media" or prescribe a particular list, but standard practice is to issue a press release or direct notification to the largest newspapers, television stations, and wire services with statewide circulation and viewership in California (e.g., the Los Angeles Times, the San Francisco Chronicle, the Associated Press California bureau, major TV network affiliates in Los Angeles and San Francisco).

All three components are mandatory when substitute notice is used. An entity that posts the notice on its website and sends email to those for whom it has addresses, but fails to notify major statewide media, has not satisfied the substitute-notice requirements and remains in violation of the statute.

## Special rule for email account breaches — § 1798.82(j)(5)

When a breach involves personal information defined in paragraph (2) of subdivision (h) — that is, login credentials consisting of a username or email address in combination with a password or security question and answer that would permit access to an online account — and the breached credentials are for an email account furnished by the person or business, the statute imposes a prohibition on using that compromised email address for notification.

Specifically, § 1798.82(j)(5) provides that the person or business shall not comply with this section by providing the security breach notification to that email address. Instead, the entity may comply by:

  • Providing notice by another method described in subdivision (j) (written notice, a different email address if known, or substitute notice), or
  • Providing clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the person or business knows the resident customarily accesses the account.

This rule reflects the practical reality that if an attacker has compromised the login credentials to a user's email account, sending the breach notification to that same email account is ineffective — the attacker may intercept or delete the notice, and the legitimate account holder may never see it.

## Alternative streamlined notice for online account password breaches — § 1798.82(j)(4)

Section 1798.82(j)(4) provides a narrow streamlined option for breaches involving only login credentials for an online account (personal information under subdivision (h)(2)) and no other personal information defined in subdivision (h)(1) (i.e., no Social Security number, driver's license number, financial account number, medical information, or biometric data).

In such a case, the person or business may comply with the notification requirement by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached promptly to change the person's password and security question or answer, as applicable, or to take other appropriate steps.

This provision is designed for the common scenario in which an online service suffers a credential-stuffing attack or password database compromise that exposes usernames and passwords but no other sensitive personal information. The entity may satisfy the breach-notification statute by, for example:

  • Sending an email (if not the compromised email account itself) instructing the user to reset the password immediately,
  • Displaying an in-app or on-login notice that the user must change the password and security question before proceeding, or
  • Forcing a password reset on the user's next login with an explanation that a security incident occurred.

The notification must still be timely (within 30 days under SB 446, effective January 1, 2026) and must comply with the content requirements to the extent applicable, but the statute permits a more operational, directive tone ("Change your password now") rather than the full five-heading structure prescribed in § 1798.82(d)(1).

Important limitation: This streamlined method is available only when the breach involves login credentials alone. If the breach also exposed even one element of personal information under subdivision (h)(1) — for example, a name plus partial credit card number, or a driver's license number — then the full notification requirements of § 1798.82(d) and (j)(1)–(3) apply, and the streamlined password-reset notice is insufficient.

## Hybrid approach and compliance in practice

Many large breaches use a hybrid approach: the entity provides written notice to individuals for whom it has reliable postal addresses, electronic notice to individuals who have validly consented under E-SIGN, and substitute notice when the thresholds are met. For example, a breach affecting 600,000 California residents where the entity has addresses for 400,000 might trigger the substitute-notice option based on the 500,000-person threshold; the entity would then send written or email notice to the 400,000 for whom it has contact information, post conspicuously on its website for 30 days, and notify major statewide media — satisfying all three substitute-notice components.

The choice of method does not alter the timing requirement. Under SB 446, notification by any method must occur within 30 calendar days of discovery or notification of the breach (§ 1798.82(a)(2)(A)), subject to the two statutory exceptions for law enforcement needs or forensic investigation. Written notice is deemed provided when mailed; electronic notice when sent; substitute notice when all three components (email, posting, media) are completed.

Source: Cal. Civ. Code § 1798.82
Source: 15 U.S.C. § 7001 (E-SIGN Act)


Enforcement and penalties — Cal. Civ. Code § 1798.84 private right of action and AG enforcement authority

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

California's breach notification statute creates a dual enforcement regime: the California Attorney General (and other public prosecutors) may pursue injunctive relief and civil penalties through California's unfair business practices statutes, and affected individuals possess a private right of action for damages under Cal. Civ. Code § 1798.84. This combination of public and private enforcement distinguishes California's breach notification law from the majority of state breach notification statutes, which rely primarily on public enforcement.

## Private right of action — § 1798.84(b)

Cal. Civ. Code § 1798.84(b) provides that "any customer injured by a violation of this title may institute a civil action to recover damages." The statute applies to violations of the entire title governing customer records (Cal. Civ. Code §§ 1798.80–1798.84), which includes the breach notification requirements in § 1798.82, the duty to maintain reasonable security under § 1798.81.5, and the record destruction requirements under § 1798.81.

Scope. The private right is limited to customers who can demonstrate they were "injured by a violation." The statute does not define "customer" or "injured," and does not create a statutory damages remedy. A plaintiff bringing a claim under § 1798.84(b) for breach notification violations must prove (1) that the plaintiff was a customer of the defendant whose personal information was subject to the breach, (2) that the defendant violated one or more provisions of the title (for example, failed to notify, notified late, or provided an incomplete notification), and (3) that the plaintiff suffered actual damages as a result of the violation. The statute does not permit recovery for speculative future harm or risk of identity theft alone.

The statute permits plaintiffs to recover damages—the statute does not specify whether this includes only economic damages or also non-economic damages, and does not authorize punitive damages or statutory damages for breach notification violations. The absence of a statutory damages provision means that each plaintiff must prove individualized harm, which has practical implications for class certification and settlement value in breach litigation.

Injunctive relief. Section 1798.84 separately provides that "any business that violates, proposes to violate, or has violated this title may be enjoined." This language authorizes courts to issue injunctions compelling a business to comply with the notification requirements, implement or improve security practices, or take other corrective measures. The injunctive-relief provision does not require proof of damages and applies to prospective violations ("proposes to violate"), allowing plaintiffs or the Attorney General to seek preventive relief before harm occurs.

Waiver prohibition. Section 1798.84(a) states that "any waiver of a provision of this title is contrary to public policy and is void and unenforceable." A contract term purporting to waive a customer's rights under § 1798.84 or to limit a business's notification obligations under § 1798.82 is unenforceable under California law. This prohibition does not address arbitration clauses or class-action waivers, which are governed by separate bodies of law (the Federal Arbitration Act and state unconscionability doctrine).

No statutory damages or civil penalties under § 1798.84. Unlike the private right of action under the California Consumer Privacy Act (§ 1798.150, discussed below), § 1798.84 does not authorize statutory damages or civil penalties for breach notification violations. The only monetary recovery available to private plaintiffs under § 1798.84 is compensatory damages for actual harm suffered.

## CCPA private right of action — Cal. Civ. Code § 1798.150

California's Consumer Privacy Act (CCPA), codified at Cal. Civ. Code §§ 1798.100 et seq., created a separate private right of action for data security failures. Under Cal. Civ. Code § 1798.150(a)(1), any consumer whose "nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5," or whose "email address in combination with a password or security question and answer that would permit access to the account" is subject to an "unauthorized access and exfiltration, theft, or disclosure" as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information may institute a civil action.

Statutory damages. Section 1798.150(a)(1)(A) authorizes statutory damages of not less than one hundred dollars ($100) and not greater than seven hundred fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater. Unlike § 1798.84, the CCPA private right provides a statutory damages remedy that does not require proof of actual financial harm. The availability of statutory damages significantly increases potential exposure in large-breach class actions.

Covered personal information. The CCPA private right of action under § 1798.150 applies only to the categories of personal information defined in Cal. Civ. Code § 1798.81.5(d)(1)(A): an individual's first name or first initial and last name in combination with one or more of the following data elements: (i) Social Security number, (ii) driver's license number or California identification card number, (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, (iv) medical information, (v) health insurance information, or (vi) information or data collected through the use or operation of an automated license plate recognition system. Section 1798.150 also covers email address in combination with a password or security question and answer. A breach involving only other categories of personal information (for example, biometric data under § 1798.82(h)(1)(E) or genetic data under § 1798.82(h)(1)(H)) does not trigger the CCPA private right of action under § 1798.150, though it does trigger the notification obligation under § 1798.82.

Cure provision. Section 1798.150(b) requires that prior to initiating any action for statutory damages under subdivision (a), a consumer must provide the business with 30 days' written notice identifying the specific provisions of the CCPA the consumer alleges have been violated. If the business actually cures the noticed violation and provides the consumer with an express written statement that the violations have been cured and that no further violations will occur, the consumer is barred from initiating an action for statutory damages against the business. The cure provision applies only to statutory damages claims; it does not bar claims for actual damages. The cure provision does not apply to violations of § 1798.84 (the general breach notification private right), only to CCPA claims under § 1798.150.

Reasonable security duty. The CCPA private right of action is predicated on the business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect personal information, as required by Cal. Civ. Code § 1798.81.5(b). Section 1798.81.5(b) provides that a business that owns, licenses, or maintains personal information about a California resident "shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." The statute does not define "reasonable security procedures and practices" or specify particular technical controls, encryption standards, or security frameworks. Reasonableness is a fact-specific inquiry.

## Attorney General enforcement — UCL civil penalties and injunctive relief

The California Attorney General is the primary enforcement authority for the breach notification statute under Cal. Civ. Code § 1798.82. The statute itself does not create administrative penalties or a direct AG enforcement mechanism. Instead, the AG brings actions under California's Unfair Competition Law (UCL), Cal. Bus. & Prof. Code §§ 17200 et seq., alleging that a business's failure to comply with breach notification requirements constitutes an unlawful, unfair, or fraudulent business practice.

Who may enforce. Under the UCL, the following public prosecutors have authority to bring enforcement actions: the Attorney General, any district attorney, any county counsel authorized by agreement with the district attorney, and any city attorney of a city having a population in excess of 750,000 (currently, only Los Angeles). Cal. Bus. & Prof. Code § 17204. Private plaintiffs may also bring UCL actions but are limited to injunctive relief; only public prosecutors may seek civil penalties. Cal. Bus. & Prof. Code § 17206.

Civil penalties. Cal. Bus. & Prof. Code § 17206(a) authorizes a court to impose a civil penalty not to exceed two thousand five hundred dollars ($2,500) for each violation. Section 17206(b) provides that for violations that the court determines are willful, intentional, or knowing, the court may impose a civil penalty not to exceed seven thousand five hundred dollars ($7,500) for each violation. The statute does not define what constitutes a single "violation" in the context of a breach notification failure. A court may treat each affected individual as a separate violation, each day of delay as a separate violation, or the entire notification failure as a single violation; the statute leaves this determination to the court's discretion.

Injunctive relief. In addition to civil penalties, the AG routinely seeks injunctive relief under the UCL and under the independent injunctive authority in § 1798.84. Courts may order a business to implement specific security practices, establish or revise incident response and breach notification procedures, submit to monitoring or third-party audits, or provide extended credit monitoring or identity theft services to affected consumers. The scope of injunctive relief is within the court's equitable discretion.

What the AG monitors. The California Attorney General maintains a public data security breach database at oag.ca.gov/privacy/databreach/list, logging all breach notifications submitted under § 1798.82(f) (breaches affecting more than 500 California residents). Any person or business required to issue a security breach notification to more than 500 California residents as a result of a single breach must electronically submit to the Attorney General a single sample copy of the security breach notification. Under SB 446 (effective January 1, 2026), this submission must occur within 15 calendar days of the date that notification is provided to affected consumers. § 1798.82(f).

## Attorney General enforcement triggers and practice

Unable to confirm as of 2026-06-01.

## Relationship to CCPA enforcement

The California Consumer Privacy Act has its own enforcement regime. Under Cal. Civ. Code § 1798.155(b), any business, service provider, or other person that violates the CCPA is subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation. These penalties may be assessed and recovered only in a civil action brought in the name of the people of the State of California by the Attorney General (and, as of July 1, 2023, the California Privacy Protection Agency).

A single data breach that violates both the breach notification statute (§ 1798.82) and the CCPA's security duties (§ 1798.81.5 / § 1798.150) may give rise to both UCL penalties for the notification failure and CCPA penalties for the security failure. The statutes do not specify whether penalties under both regimes may be stacked or whether a court must elect one.

## Safe harbor for proper record destruction

Cal. Civ. Code § 1798.84 references a safe harbor related to proper disposal of customer records. Section 1798.81 requires a business to take all reasonable steps to dispose of customer records containing personal information when the records are no longer to be retained by the business, by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable. A business that properly disposes of records in compliance with § 1798.81 eliminates the breach notification obligation for those records because there is no longer personal information in the business's custody or control that can be subject to unauthorized acquisition.

## Current state as of June 2026

As of June 1, 2026, California breach notification enforcement operates under the SB 446 amendments (effective January 1, 2026), which impose:

  • A 30-calendar-day consumer notification deadline from discovery or notification of the breach (§ 1798.82(a)(2)(A)), subject to two exceptions: (i) delay necessary to accommodate the legitimate needs of law enforcement, or (ii) delay necessary to determine the scope of the breach and restore the reasonable integrity of the data system (§ 1798.82(a)(2)(B)).
  • A 15-calendar-day Attorney General notification deadline measured from the date consumer notifications are sent, when the breach affects more than 500 California residents (§ 1798.82(f)).

The public breach database maintained by the California Department of Justice is accessible at oag.ca.gov/privacy/databreach/list.

Source: Cal. Civ. Code § 1798.84
Source: Cal. Civ. Code § 1798.82
Source: Cal. Civ. Code § 1798.150 (CCPA private right of action)
Source: Cal. Bus. & Prof. Code § 17206 (UCL civil penalties)
Source: California DOJ Data Security Breach Reporting


Service provider notification duty — Cal. Civ. Code § 1798.82(b) immediate notice to data owner

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

California's breach notification statute imposes a separate, immediate notification obligation on entities that maintain but do not own computerized data containing personal information. Under Cal. Civ. Code § 1798.82(b), any individual or business that maintains computerized data that includes personal information that the individual or business does not own must notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

This provision creates a vertical notification duty running from the service provider, processor, vendor, or subcontractor (the entity maintaining the data) to the data owner (the entity that owns or licenses the personal information). It operates in parallel with, but is distinct from, the horizontal consumer-notification obligation imposed on data owners under subdivision (a). The practical effect is a two-stage notification cascade: the service provider notifies the owner immediately upon discovery, and the owner then has 30 days (as amended by SB 446, effective January 1, 2026) to notify affected California residents.

## Who is a maintainer vs. an owner

Owners or licensees under § 1798.82(a) are entities that conduct business in California and that own or license the computerized personal information. A retailer that collects customer payment-card and contact information in its own database is an owner. A healthcare provider that collects patient medical records is an owner. A bank that holds account information for its depositors is an owner. Ownership typically flows from the direct customer relationship and the purpose for which the data was originally collected.

Maintainers under § 1798.82(b) are entities that possess, store, process, or otherwise maintain computerized personal information on behalf of the owner, but do not themselves own or license that information. Common examples include:

  • Cloud service providers (AWS, Azure, Google Cloud) hosting a customer's database containing personal information.
  • Software-as-a-service vendors (payroll processors, CRM platforms, email marketing services) that process personal information submitted by the data owner's end users.
  • Third-party data centers, colocation facilities, and backup providers that store copies of an owner's data.
  • Subcontractors and sub-processors engaged by a primary service provider to perform discrete processing tasks (e.g., a cloud provider's infrastructure vendor, an analytics subcontractor).
  • Managed security service providers (MSSPs) and IT service providers that administer, monitor, or secure systems containing an owner's personal information.

The distinction turns on custody and control versus ownership and purpose. If the entity holds the data only because a separate entity engaged it to provide hosting, processing, or technical services, and the data serves the purposes of that separate entity (not the maintainer's independent business purposes), the entity is a maintainer. The same data set may have multiple maintainers in a supply chain (e.g., a SaaS vendor that subcontracts hosting to a cloud provider and backup to a separate vendor).

## Immediate notification trigger and timing

Section 1798.82(b) uses the phrase "immediately following discovery" to describe the timing requirement. This is materially different from the owner-to-consumer notification deadline. Under SB 446 (effective January 1, 2026), owners notifying consumers have 30 calendar days from discovery or notification of the breach. Maintainers notifying owners have no grace period—the statute mandates immediate notification.

What "immediately" means. The statute does not define "immediately" or provide a specific hour or day threshold. California courts and the Attorney General have not published bright-line guidance. In practice, the term is interpreted to mean as soon as practicable after the maintainer confirms that a breach has occurred or is reasonably believed to have occurred, and typically no later than 24–48 hours after internal confirmation. The duty arises upon discovery, which for a maintainer means the point at which a person within the organization with responsibility for data security becomes aware of facts indicating that personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

A maintainer that delays notification to complete a forensic investigation, determine the full scope of affected records, or await law enforcement clearance risks noncompliance with subdivision (b). The statute permits law enforcement delay under subdivision (c) ("The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation"), but that delay applies only when law enforcement affirmatively requests it, and the statute requires that notification be made promptly after the law enforcement agency determines that it will not compromise the investigation. A maintainer may not unilaterally decide to delay owner notification pending its own internal investigation; the duty is to notify the owner immediately so that the owner can make its own determination about consumer notification timing under subdivision (a).

## Content of the service provider notice

The statute does not prescribe specific content requirements for the maintainer-to-owner notification under subdivision (b), in contrast to the detailed content and formatting mandates for owner-to-consumer notifications under subdivision (d). A compliant service provider notice typically includes:

  • Identity of the maintainer (name, contact information, responsible individual).
  • Description of the breach incident: when it was discovered, when it is believed to have occurred, the nature of the incident (ransomware, credential compromise, unauthorized access, exfiltration, etc.).
  • Types of personal information involved: categories of data elements reasonably believed to have been compromised (e.g., "names and Social Security numbers," "email addresses and passwords," "driver's license numbers and addresses"). The maintainer should identify data categories even if it does not have visibility into all individual records; the owner needs this information to assess its own notification obligations under subdivision (a) and the CCPA.
  • Scope and volume: number of records or individuals affected, if known or reasonably estimable. If the maintainer cannot yet determine the scope, it should say so explicitly and commit to supplemental updates as the investigation progresses.
  • Actions taken: containment measures, forensic investigation status, whether law enforcement has been notified, whether the breach has been remediated.
  • Point of contact for the owner to request additional information or coordinate response efforts.

The absence of statutory content requirements does not relieve the maintainer of the duty to provide sufficient detail for the owner to assess its own downstream obligations. An owner cannot determine whether it must notify consumers, the Attorney General, and credit reporting agencies unless the maintainer discloses the categories of personal information compromised and a reasonable estimate of the affected population. A bare-bones notice ("We experienced a security incident; investigation ongoing") does not satisfy subdivision (b) if it leaves the owner without the information necessary to comply with subdivision (a).

## Law enforcement delay — § 1798.82(c)

Subdivision (c) provides that "the notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation." The delay applies to both maintainer-to-owner notifications under subdivision (b) and owner-to-consumer notifications under subdivision (a). The statute requires that notification be made "promptly after the law enforcement agency determines that it will not compromise the investigation."

The law enforcement delay is permissive, not mandatory. If the FBI or a local district attorney asks the maintainer or owner to delay notification, the entity may do so without violating the statute. The entity is not required to delay notification even if law enforcement requests it, though in practice most entities cooperate. The delay must be based on an affirmative determination by a law enforcement agency, not the entity's unilateral judgment that notification might interfere with an investigation. A maintainer that believes law enforcement may wish to investigate should contact the appropriate agency (FBI for federal crimes, local or state police, the California Attorney General's eCrime Unit) and document the request and the agency's subsequent clearance.

## Does SB 446's 30-day deadline apply to maintainers?

No. SB 446 (effective January 1, 2026) amended subdivision (a) to require that owners notify affected California residents "within 30 calendar days of discovery or notification of the breach." The amendment did not change subdivision (b). The service provider notification duty remains governed by the original "immediately following discovery" standard.

The distinction is intentional. Owners need time to evaluate the breach, determine the scope, coordinate with forensic investigators, comply with content and formatting requirements, arrange for credit monitoring services, and execute the logistics of large-scale notification. Service providers, by contrast, serve a relay function: their duty is to alert the data owner to the breach so the owner can begin its own response. The maintainer does not notify consumers and does not bear the content, formatting, or logistical burdens of consumer notification. The immediate trigger reflects the maintainer's limited role.

## Relationship to CCPA service provider obligations

Entities that qualify as service providers under the California Consumer Privacy Act (CCPA), Cal. Civ. Code §§ 1798.100 et seq., are subject to additional breach-related duties. Under the CCPA, a service provider is a business that processes personal information on behalf of a business (the "controller") pursuant to a written contract, and that receives, processes, or retains personal information solely to perform services for the business. The CCPA requires that the service provider contract prohibit the service provider from retaining, using, or disclosing personal information for any purpose other than performing the specified services, and the service provider must notify the business if it determines that it can no longer meet its obligations under the CCPA (Cal. Civ. Code § 1798.100(d), (e)).

A CCPA service provider that discovers a breach affecting personal information is typically also a maintainer under § 1798.82(b) if it does not own the personal information. Both statutes impose immediate or prompt notification duties to the data owner. The CCPA does not prescribe a specific notification timeline, but the service provider's general duty to assist the business in responding to consumer requests and to notify the business of compliance issues implies a prompt-notification standard similar to § 1798.82(b).

A service provider that also qualifies as a processor under the GDPR or UK GDPR faces a third parallel obligation: GDPR Article 33(2) requires that a processor notify the controller "without undue delay after becoming aware of a personal data breach." The California immediate-notification rule, the CCPA assistance duty, and the GDPR without-undue-delay standard align in practice, though the CCPA and GDPR impose additional contractual and documentation obligations not found in § 1798.82.

## Enforcement and consequences of noncompliance

The statute does not create a separate penalty structure for violations of subdivision (b). Maintainers that fail to notify owners immediately are subject to the same enforcement mechanisms that apply to violations of the entire breach notification statute:

  • Attorney General enforcement under California's Unfair Competition Law (UCL), Cal. Bus. & Prof. Code §§ 17200 et seq., seeking injunctive relief and civil penalties of up to $2,500 per violation ($7,500 per intentional violation).
  • Private right of action under Cal. Civ. Code § 1798.84(b), which permits "any customer injured by a violation of this title" to institute a civil action to recover damages. A data owner injured by a maintainer's failure to notify (for example, an owner that incurs regulatory penalties, litigation costs, or remediation expenses because it was not timely informed of a breach) may bring a damages claim under § 1798.84. Individual California residents whose personal information was breached typically cannot bring a § 1798.84 claim against the maintainer directly, because the maintainer's duty under subdivision (b) runs to the owner, not to the end-user consumers. However, if the owner's delayed consumer notification (caused by the maintainer's failure to notify the owner) results in injury to consumers, those consumers may sue the owner, and the owner may seek indemnification or contribution from the maintainer under contract or common-law principles.
  • Contractual liability and indemnification. Most service agreements between data owners and maintainers include breach notification covenants, indemnification clauses, and liability caps. A maintainer that violates subdivision (b) typically also breaches its service contract, exposing it to contractual damages, indemnification claims for third-party losses (consumer class actions, regulatory fines assessed against the owner), and potential termination. The contractual exposure often exceeds the statutory exposure.

The California Attorney General has not published specific guidance on maintainer notification duties or enforcement priorities under subdivision (b), and public enforcement actions specifically alleging violations of the service provider notification duty are rare. Most AG enforcement actions focus on failures to notify consumers, inadequate notification content, or unreasonable delay under subdivision (a). However, a maintainer's failure to notify the owner immediately can be cited as an aggravating factor in an enforcement action against the owner (the owner's delay in notifying consumers was caused or exacerbated by the vendor's noncompliance), and the AG retains authority to pursue the maintainer directly under the UCL.

## Safe harbor for proper security and encryption

Section 1798.82(b) incorporates the same breach definition and encryption safe harbor that apply to owners under subdivision (a). A maintainer must notify the owner only if personal information was, or is reasonably believed to have been, acquired by an unauthorized person. If the data was encrypted and the encryption key or security credential was not also acquired (or could not render the data readable), no breach occurred and no notification is required. Cal. Civ. Code § 1798.82(g), (h).

Similarly, good-faith acquisition of personal information by an employee or agent of the maintainer for legitimate business purposes, provided the information is not used or further disclosed without authorization, is not a breach. § 1798.82(g). If a maintainer's engineer accidentally exports a database containing personal information to a development environment for testing, discovers the mistake, and deletes the data without using or disclosing it, the incident does not trigger the notification duty under subdivision (b).

Maintainers should encrypt personal information at rest and in transit as a standard practice. Encryption not only protects against unauthorized acquisition but also eliminates the notification obligation when a device, backup tape, or cloud storage bucket is lost or accessed without authorization. The statute does not mandate encryption, but Cal. Civ. Code § 1798.81.5(b) requires businesses that own, license, or maintain personal information to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information" to protect it from unauthorized access. For high-sensitivity data (Social Security numbers, financial account credentials, medical information), encryption is widely considered a baseline reasonable security practice, and the California Attorney General has stated in public remarks that failure to encrypt such data may constitute negligence or an unreasonable security practice.

Source: Cal. Civ. Code § 1798.82
