California 30-Day Data Breach Notification Law: What SB 1223 Means for Your Business
California Now Requires Breach Notification Within 30 Days
Effective January 1, 2025, California SB 1223 fundamentally changed the state's data breach notification requirements. The previous standard—“the most expedient time possible and without unreasonable delay”—has been replaced with a firm 30-calendar-day deadline from the date a breach is discovered. This makes California one of the strictest states in the country for breach notification timing.
For businesses that handle California residents' personal information, this law demands a well-rehearsed incident response plan. A vague commitment to “notify promptly” is no longer sufficient. You need a concrete process that can execute within 30 days. Use our Privacy Law Calculator to check which other state privacy laws apply to your business.
Who Must Comply With California's Breach Notification Law
California Civil Code §1798.82 applies to any person or business that conducts business in California and owns or licenses computerized data that includes personal information of California residents. This includes:
- Businesses headquartered in California
- Out-of-state businesses that serve California customers or collect their data
- Government agencies operating in California
- Any entity that maintains personal information of California residents in electronic form
There is no minimum size threshold—even small businesses must comply if they hold covered personal information. This is broader than the CCPA's applicability thresholds, which require meeting revenue or data-volume triggers.
What Triggers a Notification Obligation
Under California law, a breach notification is required when there is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Key points:
- Encryption safe harbor: If the breached data was encrypted and the encryption key was not compromised, notification is generally not required
- Good-faith employee access: Unauthorized access by an employee or agent acting in good faith within the scope of their duties does not trigger notification, as long as the information is not further used or disclosed improperly
- Risk of harm is not a factor: Unlike some states, California does not include a risk-of-harm exception. If unencrypted personal information is acquired without authorization, you must notify
What Personal Information Is Covered
California Civil Code §1798.81.5 defines “personal information” for breach notification purposes as an individual's first name (or initial) and last name combined with any of the following unencrypted data elements:
- Social Security number
- Driver's license or California ID card number
- Financial account, credit, or debit card number (with any required security code or password)
- Medical information or health insurance information
- Unique biometric data (fingerprint, retina, iris image)
- Tax identification number
- Passport number, military ID, or other government-issued unique ID
- Genetic data
Additionally, a username or email address combined with a password or security question/answer that would permit access to an online account is independently covered, even without a name.
What Your Notification Must Include
Under §1798.82(d), breach notifications to California residents must be written in plain language and include:
- The name and contact information of the notifying entity
- A list of the types of personal information that were or are reasonably believed to have been compromised
- The date of the breach (if known), the estimated date, or the date range within which the breach occurred
- The date of the notice
- Whether notification was delayed due to a law enforcement investigation
- A general description of the breach incident
- The toll-free numbers and addresses of the major credit reporting agencies (if SSN, DL, or California ID was compromised)
If notification must be provided to more than 500 California residents, you must also submit an electronic copy of the notification to the California Attorney General. Our Deletion Request Generator can help you understand the format expectations California regulators prefer.
Penalties for Non-Compliance
Failing to provide timely breach notification carries significant legal exposure in California:
- Civil penalties: The California AG can bring an action for civil penalties up to $7,500 per violation under the Unfair Competition Law
- Private right of action: Affected consumers can sue under Civil Code §1798.84 for actual damages, injunctive relief, or statutory damages
- CCPA overlap: If the breach involves categories of personal information defined under CCPA §1798.150, consumers have an additional private right of action with statutory damages of $100–$750 per consumer per incident (or actual damages, whichever is greater). This can result in class action exposure of millions of dollars for large breaches
Recent CPPA enforcement actions demonstrate California's aggressive stance on privacy compliance. The PlayOn Sports $1.1M fine and Disney $2.75M settlement show that regulators are willing to pursue substantial penalties. Review the full landscape of state privacy law penalties and fines.
How CCPA's Private Right of Action Intersects With Breach Notification
The CCPA’s private right of action under §1798.150 applies specifically to data breaches involving certain categories of personal information “as a result of the business's violation of the duty to implement and maintain reasonable security procedures.” This creates a dual-exposure scenario:
- Late notification under the breach notification statute exposes you to AG enforcement and private suits under Civil Code §1798.84
- The underlying breach itself—if caused by inadequate security—independently exposes you to CCPA class action claims with statutory damages
- The new CCPA cybersecurity audit requirements (effective January 1, 2026) add a third layer: businesses that fail to conduct required audits face additional regulatory exposure
Your 30-Day Incident Response Plan
With only 30 calendar days from discovery, every hour matters. Here is a practical timeline:
Days 1–3: Detection and Containment
- Confirm the breach and contain it immediately
- Preserve evidence (logs, access records, affected systems)
- Activate your incident response team
- Engage outside counsel (to preserve privilege) and a forensic investigator
Days 4–10: Investigation and Scoping
- Determine what data was accessed or exfiltrated
- Identify affected individuals and their states of residence
- Assess whether the data was encrypted
- Begin mapping notification obligations across all applicable states (use our state breach notification law guide for comparison)
Days 11–20: Notification Preparation
- Draft notification letters complying with §1798.82(d) requirements
- Set up a toll-free call center or dedicated email for consumer inquiries
- Arrange credit monitoring or identity theft protection services (if applicable)
- Prepare the AG notification (if 500+ California residents affected)
- Review DSAR response obligations that may arise from notified consumers
Days 21–27: Distribution
- Send written notifications via mail or email to all affected California residents
- Submit electronic notification to the California AG (if required)
- If substitute notice is used (for breaches affecting 500,000+ residents or costing over $250,000 to notify), publish prominently on your website and notify major statewide media
Days 28–30: Documentation and Follow-Up
- Document all notification activities with timestamps
- Monitor for consumer inquiries and respond promptly
- Conduct a post-incident review to prevent future breaches
- Update your privacy policy if your data practices have changed
How California Compares to Other States
California’s 30-day deadline is among the strictest in the nation, but not unique. Several states now impose specific timeframes:
- Colorado: 30 days (tied with California for strictest)
- Florida: 30 days to individuals, 30 days to AG
- Oregon: 45 days
- Connecticut: 60 days
- Texas: 60 days
- Most other states: “Most expedient time possible” or 45–90 days
If your business operates in multiple states, you should plan for the shortest applicable deadline. Use our State Privacy Law Comparison Tool to see how requirements differ across jurisdictions.
Frequently Asked Questions
When does the 30-day clock start?
The 30-calendar-day clock starts from the date the breach is discovered—the date you know or should reasonably have known that a breach occurred. This is not the date the breach happened but the date you became aware of it. Willful ignorance does not stop the clock.
Can law enforcement delay the notification?
Yes. If a law enforcement agency determines that notification would impede a criminal investigation, the notification may be delayed at the agency’s request. Once the agency notifies you that delay is no longer needed, the notification must be made promptly. You must note the delay in your notification letter.
Does a ransomware attack trigger notification?
Generally yes, if there is evidence that unencrypted personal information was accessed or acquired. Even if data was not exfiltrated, unauthorized access that compromises confidentiality can trigger the obligation. If the data was encrypted and the encryption key was not compromised, the safe harbor may apply.
Do I need to notify for a breach of only usernames and passwords?
Yes. California specifically covers “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.” This category does not require a name to trigger notification.
What if I'm not sure how many people were affected?
You should notify all individuals whose information you reasonably believe was compromised. If you determine that more than 500 California residents were affected, you must also notify the AG. If the number is uncertain, err on the side of notification. Under-notification creates significantly more legal risk than over-notification.
Last updated: March 31, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.