California recently passed an amendment accelerating how quickly businesses must notify following a data breach. Previously, the requirement was to notify affected individuals “without unreasonable delay.” Beginning January 1, 2026, the law mandates that businesses notify individuals within 30 calendar days after the discovery or notification of a breach. (New York also shortened its reporting this earlier this year). While some flexibility remains for law enforcement needs or to fully investigate the incident and restore data systems, this change places a clear emphasis on prompt action and accountability. Businesses in California will also face a new requirement when a data breach impacts over 500 residents. The law also calls for a copy of the notice sent to consumers to be submitted to the California Attorney General within 15 days of notifying individuals. Previously, there were no specific deadlines for sending a copy of the notice to the AG office.

Continue Reading 2026 Data Breach Law Updates – California and Oklahoma