Session:   
Updated:   2026-02-04

Home - Bills - Bill - Authors - Dates - Locations - Analyses - Organizations

Measure
Authors Hurtado  
Subject Data breaches: customer notification.
Relating To relating to personal information.
Title An act to amend Section 1798.82 of the Civil Code, relating to personal information.
Last Action Dt 2025-10-03
State Chaptered
Status Chaptered
Flags
Vote Req Approp Fiscal Cmte Local Prog Subs Chgs Urgency Tax Levy Active?
Majority No No No None No No Y
i
Leginfo Link  
Bill Actions
2025-10-03     Chaptered by Secretary of State. Chapter 319, Statutes of 2025.
2025-10-03     Approved by the Governor.
2025-09-03     Enrolled and presented to the Governor at 11 a.m.
2025-08-28     In Senate. Ordered to engrossing and enrolling.
2025-08-28     Read third time. Passed. (Ayes 74. Noes 0. Page 2776.) Ordered to the Senate.
2025-08-21     Read second time. Ordered to consent calendar.
2025-08-20     From committee: Do pass. Ordered to consent calendar. (Ayes 15. Noes 0.) (August 20).
2025-07-09     From committee: Do pass and re-refer to Com. on APPR. with recommendation: To consent calendar. (Ayes 12. Noes 0.) (July 8). Re-referred to Com. on APPR.
2025-06-25     From committee: Do pass and re-refer to Com. on JUD. with recommendation: To consent calendar. (Ayes 15. Noes 0.) (June 24). Re-referred to Com. on JUD.
2025-06-05     Referred to Coms. on P. & C.P., JUD., and APPR.
2025-05-28     Read third time. Passed. (Ayes 39. Noes 0. Page 1297.) Ordered to the Assembly.
2025-05-28     In Assembly. Read first time. Held at Desk.
2025-05-15     Read second time. Ordered to third reading.
2025-05-14     Ordered to second reading.
2025-05-14     Read third time and amended.
2025-04-22     Read second time. Ordered to third reading.
2025-04-21     From committee: Be ordered to second reading pursuant to Senate Rule 28.8.
2025-04-08     Set for hearing April 21.
2025-04-03     Read second time and amended. Re-referred to Com. on APPR.
2025-04-02     From committee: Do pass as amended and re-refer to Com. on APPR. (Ayes 12. Noes 0. Page 610.) (April 1).
2025-03-25     Set for hearing April 1.
2025-02-26     Referred to Coms. on JUD. and APPR.
2025-02-19     From printer. May be acted upon on or after March 21.
2025-02-18     Introduced. Read first time. To Com. on RLS. for assignment. To print.
Versions
Chaptered     2025-10-03
Enrolled     2025-08-29
Amended Senate     2025-05-14
Amended Senate     2025-04-03
Introduced     2025-02-18
Analyses TBD
Latest Text Bill Full Text
Latest Text Digest

Existing law requires an individual or a business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was compromised, as specified, and requires that disclosure to be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

This bill would require that data breach disclosure to be made within 30 calendar days of discovery or notification of the data breach but would authorize an individual or business to delay the disclosure to accommodate the legitimate needs of law enforcement, as specified, or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Existing law also requires an individual or business that is required to issue the security breach notification described above to more than 500 California residents as a result of a single breach of the security system to electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.

This bill would require that submission to the Attorney General to be made within 15 calendar days of notifying affected consumers of the security breach.