State notification register
California data breach notification law: within 30 calendar days of discovery (effective 1 january 2026.
California's breach-notification obligations are set by Cal. Civ. Code 1798.82. This page summarises the deadline to notify affected residents, the attorney general notification threshold, whether a private right of action exists, and the penalties for late or missing notification. Every provision is cited to its source statute and was verified in June 2026.
Individual deadline
30 days
From discovery / determination
AG notification
500
More than 500 California residents
Private action
Yes
Under CCPA Civ. Code 1798.150 for breaches from failure to maintain reasonable security
Statute
CA
Cal. Civ. Code 1798.82
Section CA.1
What the statute requires
Under Cal. Civ. Code 1798.82, a business that owns or licenses computerized personal information of California residents must notify affected individuals within 30 calendar days of discovery (effective 1 january 2026, sb 446).
Attorney general or state-agency notification is more than 500 california residents. Where required, the timeline is: within 15 calendar days after notifying affected consumers.
Recent change: SB 446 introduced the 30-day individual deadline and 15-day AG deadline, effective January 2026.
Section CA.2
What triggers notification
Like most US state statutes, notification is triggered by the unauthorized acquisition of unencrypted, unredacted computerized personal information that compromises its security, confidentiality, or integrity. Two concepts recur across the states and apply here.
Encryption safe harbor
Personal information that was encrypted, and where the encryption key was not also acquired, generally does not trigger notification. A stolen device with full-disk encryption is typically a non-event; an unencrypted record, or an encrypted record where the key was exposed alongside it, is a reportable breach.
Who must be notified
- [1] Affected California residents: 30 days
- [2] Attorney general / state agency: more than 500 california residents
- [3] Consumer reporting agencies where the breach is large-scale
Section CA.3
Penalties and enforcement
CCPA civil penalties of $2,500 per violation, $7,500 per intentional violation; CCPA private right of action for security-failure breaches.
Private right of action: Yes. Under CCPA Civ. Code 1798.150 for breaches from failure to maintain reasonable security; $100-$750 per consumer per incident.
Primary source:California statute Cal. Civ. Code 1798.82; verified June 2026 against state statutory summaries and the underlying statute text.
Section CA.4
How this compares to the strictest states
The strictest US deadlines are 30 days (California, Florida, Washington, Colorado, Maine, New York, New Jersey). The majority of states use a qualitative "without unreasonable delay" standard with no fixed day cap. Here is where California sits.
California imposes a fixed 30-day deadline. That places it among the strictest states in the country.
Cross-references
Index / All 50 states + DC
→The full register: deadline and AG threshold for every state.
Schedule 09 / Notification laws
→Global frameworks and the cost of notification.
01 / Breach cost calculator
→Estimate your California breach exposure, including notification cost.
Regulation / GDPR
→The 72-hour clock and 4%-of-revenue fine framework.
Cost / Notification
→Why notification is roughly 6% of total breach cost.
Schedule F / Reference Q&A
Frequently Asked Questions
Primary source:California data breach notification statute (Cal. Civ. Code 1798.82). Provisions verified June 2026 against state statutory summaries (Recording Law US data-privacy series, 2026 edition), the IAPP US State Data Breach Notification Chart, Foley & Lardner's chart, and the underlying statute text.