New State Laws Tighten Data Breach Notification Rules by 2026
Several states propose or enact stricter breach notification deadlines and expanded data definitions.
Why it matters: Legal teams must keep pace with evolving state breach notification laws to comply promptly and reduce breach-related risks amid rising cybersecurity threats.
- California's SB 446 mandates a 30-day notification to residents and, for breaches affecting 500+ people, a 15-day notification to the AG, starting in 2026.
- Connecticut's Raised Bill 117 proposes mandatory forensic reporting to the AG for breaches impacting 100,000 or more residents.
- Oklahoma's SB 626 expands personal information to include biometric data and requires reporting to its Attorney General starting in 2026.
- As of 2026, 20 states specify numeric deadlines for notifying consumers, ranging from 30 to 60 days.
Effective January 1, 2026, California's Senate Bill No. 446 requires businesses to notify affected residents of data breaches within 30 calendar days of discovery. If the breach involves 500 or more California residents, businesses must also inform the Attorney General within 15 days of notifying consumers. This law tightens previous notification timelines and increases obligations for organizations handling personal data in the state.
Meanwhile, Connecticut introduced Raised Bill No. 117 in 2026. This new proposal goes beyond notification by requiring businesses to conduct mandatory forensic examinations and submit reports to the state Attorney General for breaches affecting at least 100,000 residents. This reflects the state's focus on strengthening investigative transparency and regulatory oversight.
Also starting in 2026, Oklahoma's Senate Bill 626 expands the legal definition of personal information to explicitly include biometric data. It also mandates breach notification to the Oklahoma Attorney General, increasing reporting requirements for organizations operating there.
Beyond these states, as of January 1, 2026, a total of 20 states specify numeric deadlines for notifying consumers following a data breach. These deadlines range from 30 to 60 days, complicating compliance for multistate organizations.
Joseph J. Lazzarotti notes, "Incident response planning increasingly needs to account not only for 'whether notice is required,' but also for hard timelines, regulator-facing deliverables, and the cost of consumer support services," underscoring the operational impacts of these evolving laws.
By the numbers:
- 30 days — California's deadline to notify residents of a breach starting in 2026
- 15 days — Deadline to notify the California AG after notifying residents, for breaches affecting 500+ residents
- 100,000 residents — Threshold in Connecticut for mandatory forensic reporting to AG
- 20 states — Have numeric deadlines for consumer breach notifications between 30 and 60 days
Yes, but: While states are moving toward standardized timelines and expanded data definitions, varying thresholds and requirements may complicate multi-jurisdiction compliance efforts for organizations.
What's next: Organizations should monitor these state laws and prepare for implementation starting January 1, 2026, including adjusting incident response plans and legal monitoring strategies.