On October 3, 2025, California Governor Gavin Newsom approved Senate Bill 446, which amends California’s data breach notification statute, Cal. Civ. Code § 1798.82. The bill goes into effect January 1, 2026. The amendments would:
- Require that a data breach disclosure “be made within 30 calendar days of discovery or notification of the data breach,” but may be delayed “to accommodate the legitimate needs of law enforcement . . . or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Current law provides that disclosure of a breach of the security of a system to a California resident “shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
- Require that the sample copy of a security breach notification be electronically submitted to the Attorney General “within 15 days of notifying the affected consumers of the security breach.” Current law requires that if a security breach notification must be made to more than 500 California residents as a result of a single breach, a sample copy of the notification must be electronically submitted to the Attorney General.
This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.