California SB 446 • 2025-2026 Regular Session • Senate • WALLET

Data breaches: customer notification.

Sponsored By: Melissa Hurtado (Democratic)

Signed by Governor

Bill Overview

Analyzed Economic Effects

7 provisions identified: 5 benefits, 0 costs, 2 mixed.

Clearer notices and free ID protection

Breach notices must be in plain language, titled “Notice of Data Breach,” use at least 10‑point type, and include clear headings like “What Happened?,” “What Information Was Involved?,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Notices must list the business name and contact, the data types involved, the breach date or range, the notice date, whether police delayed notice, and a general description. If Social Security or driver’s license numbers were exposed, notices must include toll‑free contacts for major credit bureaus. If the business was the source of the breach and sensitive data was exposed or may have been exposed, it must offer free identity‑theft protection for at least 12 months and explain how to use it. Businesses may add extra helpful steps, and for biometric breaches, they may tell others to stop using that biometric.

Large breaches reported to Attorney General

If more than 500 California residents are notified from a single breach, the business must send one sample copy of the notice to the California Attorney General within 15 days of telling people. The sample must not include personal data.

Faster breach notices to Californians

Businesses that do business in California must tell affected residents about a data breach within 30 days after they discover it or are told about it. They must notify people if unencrypted data was taken, or if encrypted data was taken and a key or credential could make it readable. If a company keeps personal data it does not own, it must tell the data owner right away after discovery. Notices can be delayed only if law enforcement says notice would harm an investigation, or to scope the breach and restore systems, and then must go out promptly when the delay ends.

Special rules for account logins

If only a username or email and a password or security answer were exposed, the notice can be short and must tell you to change your password and security answers and secure related accounts. If the breached login is for an email account the business gave you, it cannot send the notice to that same email. It must use another allowed method or show a clear notice when you sign in from a known location.

Health and policy compliance safe harbors

If a HIPAA‑covered entity fully follows the HITECH Act’s breach notice rule, the state treats that as meeting the state’s notice step. The entity still must follow the other parts of state law. Also, if a business has written breach‑notice procedures in its security policy, follows them, and they meet this law’s timing, it is treated as compliant.

What counts as a reportable breach

A breach means someone got computerized personal data without permission and it compromised security or confidentiality. Good‑faith employee access for work is not a breach if the data is not misused or shared. Personal information includes name plus items like Social Security or driver’s license numbers, financial account data with access codes, medical or genetic data, and biometric data. It also includes a username or email with a password or security answer. Public government records are excluded. Encrypted data needs notice only if the key or security credential was compromised.

How businesses may deliver notices

Businesses may send breach notices by mail or electronically under e‑sign rules. They may use substitute notice if individual notice would cost over $250,000, more than 500,000 residents are affected, or they lack enough contact details. Substitute notice must include email (if available), a clear website posting for at least 30 days, and notice to major statewide media.

Sponsors & Cosponsors

Sponsor

  • Melissa Hurtado

    Democratic • Senate

Cosponsors

There are no cosponsors for this bill.

Roll Call Votes

All Roll Calls

Yes: 167 • No: 0

House vote 8/28/2025

Item 141 — Assembly AFLOOR

Yes: 74 • No: 0

legislature vote 8/20/2025

Vote in CX25

Yes: 15 • No: 0

legislature vote 7/8/2025

Vote in CX13

Yes: 12 • No: 0

legislature vote 6/24/2025

Vote in CX32

Yes: 15 • No: 0

Senate vote 5/28/2025

Item 93 — Senate SFLOOR

Yes: 39 • No: 0

legislature vote 4/1/2025

Vote in CS53

Yes: 12 • No: 0

Actions Timeline

  1. Chaptered by Secretary of State. Chapter 319, Statutes of 2025.

    10/3/2025 • Senate
  2. Approved by the Governor.

    10/3/2025 • legislature
  3. Enrolled and presented to the Governor at 11 a.m.

    9/3/2025 • legislature
  4. In Senate. Ordered to engrossing and enrolling.

    8/28/2025 • Senate
  5. Read third time. Passed. (Ayes 74. Noes 0. Page 2776.) Ordered to the Senate.

    8/28/2025 • House
  6. Read second time. Ordered to consent calendar.

    8/21/2025 • House
  7. From committee: Do pass. Ordered to consent calendar. (Ayes 15. Noes 0.) (August 20).

    8/20/2025 • House
  8. From committee: Do pass and re-refer to Com. on APPR. with recommendation: To consent calendar. (Ayes 12. Noes 0.) (July 8). Re-referred to Com. on APPR.

    7/9/2025 • House
  9. From committee: Do pass and re-refer to Com. on JUD. with recommendation: To consent calendar. (Ayes 15. Noes 0.) (June 24). Re-referred to Com. on JUD.

    6/25/2025 • House
  10. Referred to Coms. on P. & C.P., JUD., and APPR.

    6/5/2025 • House
  11. In Assembly. Read first time. Held at Desk.

    5/28/2025 • House
  12. Read third time. Passed. (Ayes 39. Noes 0. Page 1297.) Ordered to the Assembly.

    5/28/2025 • Senate
  13. Read second time. Ordered to third reading.

    5/15/2025 • Senate
  14. Ordered to second reading.

    5/14/2025 • Senate
  15. Read third time and amended.

    5/14/2025 • Senate
  16. Read second time. Ordered to third reading.

    4/22/2025 • Senate
  17. From committee: Be ordered to second reading pursuant to Senate Rule 28.8.

    4/21/2025 • Senate
  18. Set for hearing April 21.

    4/8/2025 • Senate
  19. Read second time and amended. Re-referred to Com. on APPR.

    4/3/2025 • Senate
  20. From committee: Do pass as amended and re-refer to Com. on APPR. (Ayes 12. Noes 0. Page 610.) (April 1).

    4/2/2025 • Senate
  21. Set for hearing April 1.

    3/25/2025 • Senate
  22. Referred to Coms. on JUD. and APPR.

    2/26/2025 • Senate
  23. From printer. May be acted upon on or after March 21.

    2/19/2025 • Senate
  24. Introduced. Read first time. To Com. on RLS. for assignment. To print.

    2/18/2025 • Senate

Bill Text

  • Chaptered

    10/3/2025

  • Enrolled

    8/29/2025

  • Amended Senate

    5/14/2025

  • Amended Senate

    4/3/2025

  • Introduced

    2/18/2025
