Effective January 1, 2026, new legislation in California and Oklahoma will introduce important updates to each state’s breach notification requirements. These changes may significantly impact breach response obligations for businesses operating in or handling data related to residents of these states. Below is a summary of the key provisions under each law.
California – Senate Bill 446 (SB 446)
California recently enacted SB 446, which amends its existing breach notification statute to include more defined timing requirements:
- 30-Day Timeframe for Individual Notification. Previously, California law required notification to affected residents “in the most expedient time possible and without unreasonable delay,” subject to the legitimate needs of law enforcement and to measures necessary to determine the scope of the breach and restore the reasonable integrity of the system. Under SB 446, covered entities must notify affected California residents within 30 calendar days of discovering, or being notified of, a reportable breach. This 30-day deadline remains subject to the same limited exceptions: a law enforcement request to delay notice, or the time needed to determine the scope of the breach and restore system integrity.
- 15-Day Timeframe for AG Notification. Entities required to notify more than 500 California residents as a result of a single breach are already required to submit a sample copy of the individual notice to the California Attorney General (AG). SB 446 adds a deadline: that submission must now occur within 15 calendar days of notifying the affected individuals.
Oklahoma – Senate Bill 626 (SB 626)
Oklahoma will implement substantial changes to its data breach notification framework through SB 626, reflecting a broader national trend toward enhanced cybersecurity and consumer protection. Key provisions include:
- Expanded Definition of Personal Information. SB 626 broadens the scope of what constitutes reportable personal information to include:
  - Government-issued unique identification numbers (e.g., state ID or passport numbers);
  - Electronic identifiers and credentials that permit access to financial accounts (e.g., routing codes combined with passwords or access codes); and
  - Biometric data.
- New AG Notification Requirements. Entities that experience a breach affecting 500 or more Oklahoma residents must now notify the Oklahoma AG within 60 days of notifying affected individuals. This notice must include the date and nature of the breach, type of data impacted, number of affected residents, any reasonable safeguards the entity has implemented, and the estimated monetary impact of the breach, if determinable.
- Sector-Specific Exemptions. SB 626 provides limited exemptions from individual notice content requirements for entities subject to GLBA, HIPAA, or the Oklahoma Hospital Cybersecurity Protection Act; notably, however, these entities must still notify the AG if a breach affects 500 or more residents.
- Affirmative Defense for Reasonable Safeguards. Entities that implement “reasonable safeguards” tailored to their size, operations, and the sensitivity of data held may invoke an affirmative defense against civil penalties. Entities that fail to implement such safeguards but comply with notice requirements may still face penalties of $75,000 plus actual damages, while those without safeguards or proper notice may be subject to civil penalties of up to $150,000 per breach.
Next Steps for Businesses
To prepare for compliance with these new laws, businesses should consider the following actions:
- Review and update data inventories to identify newly covered data elements.
- Reevaluate security policies to ensure alignment with Oklahoma’s “reasonable safeguards” standard.
- Develop or revise incident response plans and related notification protocols to meet the new timing and content requirements for both individual and regulatory notices, including the 30-day individual and 15-day AG deadlines in California and the 60-day AG deadline and required notice contents in Oklahoma.
