California recently passed an amendment accelerating how quickly businesses must notify following a data breach. Previously, the requirement was to notify affected individuals "without unreasonable delay." Beginning January 1, 2026, the law mandates that businesses notify individuals within 30 calendar days after the discovery or notification of a breach. (New York also shortened its reporting this earlier this year). While some flexibility remains for law enforcement needs or to fully investigate the incident and restore data systems, this change places a clear emphasis on prompt action and accountability. Businesses in California will also face a new requirement when a data breach impacts over 500 residents. The law also calls for a copy of the notice sent to consumers to be submitted to the California Attorney General within 15 days of notifying individuals. Previously, there were no specific deadlines for sending a copy of the notice to the AG office.
Oklahoma also amended its data breach law with Senate Bill 626 earlier this year, with the amendment to also take effect January 1, 2026. This marks the first time Oklahoma has updated its breach notification law since its original passage in 2008. The law significantly broadens the types of personal information that could trigger notification. In addition to names and account numbers, now, government-issued identification numbers, unique electronic identifiers, and biometric data such as fingerprints and iris scans are also "personal information". Entities will also need to notify the Attorney General when a breach affects 500 or more residents within 60 days of notifying affected individuals. This aligns with several other states that require AG or regulator notification.
Putting it into Practice: For businesses operating in these states, these changes signal the growing focus on incident response times. As 2026 approaches, now is a good time for businesses to review their incident response processes—from detection and assessment to addressing notification, communication, and regulatory submission requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
