Codify — Article

California SB 446 requires standardized breach notices and broadens what counts as personal information

Establishes a uniform, plain‑language breach notice with new content, formatting and substitute‑notice rules and expands covered data to biometric, genetic and ALPR information.

The Brief

SB 446 updates California’s data‑breach notification law to require businesses that own or license computerized personal information about California residents to notify affected residents after a breach and to follow a standardized notice format. The bill also expands the statutory definition of personal information to explicitly include biometric data, genetic data, and automated license plate recognition (ALPR) data, and it creates rules for when encrypted data triggers disclosure.

The statute matters because it moves beyond ad hoc notices: it prescribes headings, minimum type size, a model form, substitute‑notice triggers, and a single sample submission to the Attorney General for large incidents. For entities that hold sensitive identifiers or novel data types (biometric/genetic/ALPR), the compliance, forensic and communications work required by this text will be concrete and prescriptive rather than discretionary.

At a Glance

What It Does

Requires businesses that own or license computerized personal information about California residents to disclose breaches in a plain‑language notice and establishes minimum content and visual requirements for that notice. It treats encrypted data as potentially reportable if the encryption key or credential was compromised and allows limited delays for law enforcement or incident response.

Who It Affects

Any individual or business that conducts business in California and owns or licenses computerized data about California residents — especially online platforms, data brokers, companies that store biometric/genetic data, operators of ALPR systems, and firms that authenticate accounts with usernames and passwords.

Why It Matters

The bill standardizes what breach notices must look like and widens the sweep of protected data, forcing many organizations to integrate forensic, legal and communications workflows sooner and more consistently. It also sets substitute‑notice thresholds and an Attorney General reporting step that increase public oversight of large breaches.


What This Bill Actually Does

SB 446 imposes a duty to notify California residents when their personal information held in computerized form is acquired by an unauthorized person. The notification duty applies to unencrypted personal information, and it also applies to encrypted personal information if the business reasonably believes the encryption key or security credential that would render the data usable was or may have been acquired by an unauthorized person.

The statute uses a "reasonable belief" trigger, so organizations must make and document factual judgments early in the incident response process.

The bill requires notices to be written in plain language, carry the title "Notice of Data Breach," and present specific content under five named headings: "What Happened?" "What Information Was Involved?" "What We Are Doing," "What You Can Do," and "For More Information." Notices must be clearly displayed, use at least 10‑point type, and may follow a prescribed model form (for written or electronic notices) to satisfy the requirement. The statute also permits certain additional content—such as biometric remediation instructions or identity‑theft mitigation offers—where relevant.

Timing and process rules are prescriptive. The default deadline is 30 calendar days after discovery or notification of the breach, but businesses may delay notice to accommodate law enforcement requests or to determine the breach scope and restore the integrity of systems. If a third party maintains data the business does not own, that third party must immediately notify the data owner upon discovery.

For large incidents affecting many Californians, the bill requires a single sample copy of the notice (with PII removed) to be electronically submitted to the Attorney General within 15 calendar days of consumer notification.

SB 446 also defines covered data in detail. "Personal information" includes combinations of name plus sensitive identifiers (e.g., Social Security numbers, driver’s license numbers, account numbers with security codes), medical and health insurance information, unique biometric data used for authentication, genetic data, ALPR data, and login credentials (username or email plus password or security question). The statute provides methods for delivering notice—written, electronic (per E‑Sign rules), or substitute notice when the cost exceeds $250,000, the affected class exceeds 500,000 people, or contact information is missing—and contains particular rules for breaches that only involve online account credentials (including a prohibition on notifying a breached email address when that address is the compromised credential).

Finally, the bill treats HIPAA‑covered entities that complied with the applicable HITECH notice rule as meeting the notice content requirements, but it does not exempt them from other parts of the statute.

The Five Things You Need to Know

1. The bill requires notice to affected California residents within 30 calendar days of discovery or notification of a breach, subject to limited delays for law enforcement or to determine scope and restore systems.

2. If a single breach affects more than 500 California residents, the reporting entity must submit one redacted sample copy of the consumer notice to the California Attorney General within 15 calendar days of notifying consumers.

3. Substitute notice (email, conspicuous website posting for 30 days, and notice to major statewide media) is allowed when the cost of direct notice exceeds $250,000, the affected class exceeds 500,000 people, or the business lacks sufficient contact information.

4. The statute explicitly treats biometric data, genetic data, and automated license plate recognition (ALPR) data as personal information and requires specific remediation guidance for biometric breaches where feasible.

5. If the reporting entity was the source of the breach and the incident exposed Social Security numbers or government ID numbers, the entity must offer appropriate identity‑theft prevention and mitigation services at no cost for at least 12 months.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 1798.82(a)(1)

Who must notify and what triggers notice

This subsection imposes the basic duty: any individual or business that conducts business in California and owns or licenses computerized data with personal information must notify residents when unencrypted personal information is acquired, or when encrypted data was acquired and the encryption key/credential was also acquired or could render the data readable. Practically, this creates an early decision point in incident response — teams must determine whether encrypted data plus a compromised key meet the "reasonable belief" threshold for notification.

Section 1798.82(a)(2)

Timing — 30‑day default with limited exceptions

This subsection sets a 30‑calendar‑day deadline after discovery or notification for issuing consumer notice, but it permits delay to accommodate law enforcement or to scope and remediate the incident. Organizations must document the factual basis for any delay and balance the statutory deadline against operational needs; the text does not prescribe how much delay is reasonable in practice, leaving room for judgment and potential regulatory scrutiny.

Section 1798.82(d)

Required notice content and format

The statute prescribes a plain‑language, titled notice with five specific headings and minimum content items (including contact info, types of breached data, dates, descriptions, and credit‑reporting contact numbers when SSNs or driver’s license numbers are exposed). Notices must be visually prominent, use at least 10‑point type, and may rely on a provided model form to comply. That degree of prescription narrows legal exposure for organizations that adopt the form but creates fixed expectations about what consumers will receive.

Section 1798.82(f) and (j)

Attorney General sample submission and substitute notice mechanics

For breaches affecting more than 500 California residents, the entity must submit a single redacted sample notice to the Attorney General within 15 calendar days of consumer notification. The methods of notice include written, electronic (consistent with federal E‑Sign rules), and substitute notice when cost exceeds $250,000, the class exceeds 500,000, or contact information is insufficient. Substitute notice combines email (if available), a conspicuous 30‑day website posting, and statewide media notice — a tiered approach intended to preserve consumer reach where direct contacts are impracticable.

Section 1798.82(h) and (k)

Expanded definitions: biometric, genetic, ALPR, and encryption concepts

The statute expands "personal information" to include unique biometric data used for authentication, genetic data from biological analysis, and data collected via automated license plate recognition systems. It also defines "encrypted" and clarifies that an "encryption key" or "security credential" is what makes encrypted data readable; loss or compromise of those keys can convert an otherwise nonreportable, encrypted dataset into reportable personal information. Compliance therefore requires cryptographic and forensic assessment capabilities.

Section 1798.82(e) and (l)

Interaction with HIPAA/HITECH and acceptance of internal procedures

HIPAA‑covered entities that complied fully with HITECH’s breach notice provision are deemed to have met the notice content requirements here, though they remain subject to other parts of the section. Separately, an entity that maintains its own notification procedures consistent with the timing requirements may rely on them to comply. These provisions allow some regulatory deference to existing federal compliance regimes and mature enterprise policies.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • California residents whose data is compromised — the law increases the chances they receive timely, standardized information about what happened and how to respond.
  • Consumers with biometric or genetic data — the explicit inclusion of these categories forces custodians to address remediation and to provide specific guidance where biometric authentication is implicated.
  • Attorney General’s office and regulators — the required redacted sample notice for large breaches and standardized notice content improve oversight and pattern analysis across incidents.
  • Organizations with mature incident response and documented notification policies — these entities benefit from the statute’s acceptance of internal procedures and the availability of a model form that limits litigation risk if followed.

Who Bears the Cost

  • Any business that conducts business in California and holds resident data — they must build or expand forensic, legal and communications workflows to meet the notice, documentation, and reporting requirements.
  • Small and mid‑sized companies with limited security staff — prescribed timing and content requirements, plus potential obligations to fund free identity‑protection services, create material compliance costs.
  • Identity‑theft mitigation providers and notice vendors — demand for 12‑month free services and mass notification capabilities will rise after large incidents.
  • State Attorney General’s office — large‑incident redacted submissions and potential follow‑up inquiries create administrative and analytic workload without a funding mechanism in the text.

Key Issues

The Core Tension

SB 446 balances two legitimate priorities — the public’s right to timely, clear information about data exposures and the practical needs of investigators and incident responders — but favors transparency through tight formatting, content rules, and early notice expectations; that emphasis increases operational and technical burdens for organizations responsible for protecting and explaining access to increasingly sensitive categories of data.

There are several implementation and policy tensions that the statute leaves unresolved. First, the 30‑day default pushes organizations to make quick determinations about scope and impact; yet the law explicitly permits delay for law enforcement or remediation, without defining reasonable lengths or evidentiary standards for those delays.

Expect disputes about when a delay is justified and how long it may last.

Second, the "reasonable belief" threshold for encrypted data plus a compromised key, and the separate definition of "encryption key" as something that "could render that personal information readable or usable," require technical, often expert, assessments early in an investigation. Not all entities—particularly smaller firms—have the cryptographic expertise to make reliable judgments, increasing the risk of over‑ or under‑notification.

Third, the substitute‑notice and damage‑threshold rules create incentives: the $250,000 and 500,000‑person thresholds may shift how organizations maintain contact databases or structure incident communications, and reliance on website posting and media notice can produce uneven reach to affected persons.

Finally, the statute’s expansion of covered categories to include biometric and genetic data and ALPR data raises difficult remediation questions. You cannot "reset" a breached fingerprint or genetic marker; the statute's requirement that entities provide instructions for other parties that used the same biometric authenticator to stop relying on it will be hard to operationalize in federated systems.

Likewise, the HITECH cross‑reference simplifies compliance for covered entities, but the bill leaves open how overlapping federal and state obligations interact when timing or content differs.
