California Civil Code
§ 1798.82
CIV § 1798.82 Effective Jan 1, 2026Div. 3 · Title 1.81 · Part 4
Statute text
View on leginfo.ca.gov(a)(1) An individual or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.
(2)(A) Subject to subparagraph (B), the disclosure required by this subdivision shall be made within 30 calendar days of discovery or notification of the data breach.
(B)An individual or business may delay the disclosure required by this subdivision to accommodate the legitimate needs of law enforcement, pursuant to subdivision (c), or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
…
Legislative history
Amended by Stats. 2025, Ch. 319, Sec. 1. (SB 446) Effective January 1, 2026.