Latest Insights/Back to Generator
By the Legal Policy Generator team · Published 2026-04-10

Data Breach Notification Laws: Your Complete US State-by-State Guide (2026)

If your website collects names, emails, passwords, or payment details, a data breach is not just an IT problem — it triggers legal obligations. There is no single US federal breach-notification law for general businesses. Instead, all 50 states, several federal sector laws, and the EU's GDPR each set their own rules on who you must tell, how fast, and what happens if you stay silent. This guide covers the requirements that most often apply to a typical online business.

This article is general information for educational purposes, not legal advice. Breach-notification statutes are detailed and change frequently; consult a qualified attorney about your specific situation before acting.

Who Data Breach Notification Laws Apply To

Most state breach-notification statutes apply to any person or business that owns or licenses computerized data containing personal information about a resident of that state — not just large companies. Coverage turns on whose data you hold, not where your business is located, so customers in California, New York, and Florida can subject you to all three states' laws from one breach.

"Personal information" is typically a person's name combined with a sensitive data element — a Social Security number, driver's license number, financial-account or card number, or, under newer laws, medical information, biometric data, or online account credentials. California's statute defines a breach as the unauthorized acquisition of computerized data that compromises the security of such personal information (Cal. Civ. Code § 1798.82).

How Fast You Must Notify: Key Deadlines

Notification deadlines are where the laws diverge most. Some states require notice "in the most expedient time possible," while others set a hard clock. The deadlines below come directly from the governing statutes and regulators:

  • California: Notice to affected residents must be made within 30 calendar days of discovery or notification of the breach. If a single breach affects more than 500 California residents, the business must also submit a sample copy of the notice to the Attorney General within 15 calendar days of notifying consumers (Cal. Civ. Code § 1798.82(f)).
  • Florida: Notice to affected individuals and to the Florida Department of Legal Affairs must be made as expeditiously as practicable but no later than 30 days after determination of the breach (Fla. Stat. § 501.171).
  • New York: Under the SHIELD Act, notice must be made "in the most expedient time possible and without unreasonable delay" (N.Y. Gen. Bus. Law § 899-aa).
  • HIPAA (health data): Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery, and must notify the HHS Secretary within 60 days for breaches affecting 500 or more individuals (HHS Breach Notification Rule).
  • GDPR (EU residents): A controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a breach that poses a risk to individuals' rights and freedoms (GDPR Article 33).

Because one incident can trigger several of these clocks at once, the practical rule is to work to the shortest applicable deadline. If you hold EU data, the 72-hour GDPR window will usually be the binding constraint.

Penalties for Missing Your Notification Deadline

Late or missing breach notifications don't just anger customers — they invite regulatory enforcement. Key penalties across major jurisdictions, per the governing statutes:

  • California (CCPA): Administrative fines of up to $2,500 per violation, or up to $7,500 per intentional violation, assessed by the California Privacy Protection Agency (CPPA) through administrative enforcement action (Cal. Civ. Code § 1798.155). Separately, consumers may recover statutory damages of not less than $100 and not greater than $750 per consumer per incident under the CCPA's private right of action when unencrypted personal information is breached due to a failure to maintain reasonable security (Cal. Civ. Code § 1798.150).
  • New York (SHIELD Act): For failure to provide timely notice, a court may impose a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, not to exceed $250,000 (N.Y. Gen. Bus. Law § 899-aa(6)(a)).
  • Florida: Civil penalties of $1,000 per day for the first 30 days of a violation, then $50,000 for each subsequent 30-day period (or portion) for up to 180 days, capped at $500,000 if the violation continues beyond 180 days (Fla. Stat. § 501.171(9)).
  • HIPAA: Tiered civil money penalties based on culpability, subject to a maximum annual cap for all violations of an identical provision in a calendar year, with potential criminal liability in cases of willful neglect (HHS Enforcement Rule). The per-tier dollar amounts are adjusted for inflation each year.
  • GDPR: Breach-notification failures under Article 33 fall in the lower fine tier of up to €10 million or 2% of total worldwide annual turnover, whichever is higher; the most serious violations carry the higher tier of up to €20 million or 4% of turnover (GDPR Article 83).

Notification timeliness is one factor regulators weigh, so a documented, on-time response can materially reduce exposure even when the breach itself was not your fault.

What to Do When a Breach Happens: Practical Steps

The statutes assume a basic response sequence, and preparing for it in advance is the most useful step you can take:

  1. Contain and preserve. Stop the ongoing exposure (revoke credentials, isolate systems) and preserve logs and evidence before anything is overwritten.
  2. Assess scope and risk. Determine what data was involved, how many people, and where they reside — this drives every downstream deadline.
  3. Identify your deadlines. Map the incident to each applicable law and calendar the shortest one. The GDPR 72-hour authority clock applies if any EU residents are affected (GDPR Article 33).
  4. Notify regulators and individuals. Send compliant notices to consumers and, where required, to attorneys general or the HHS Secretary within the deadlines above.
  5. Document everything. Keep a written record of the facts, your risk assessment, and remedial steps — GDPR Article 33 expressly requires controllers to maintain such documentation so the authority can verify compliance.

Frequently Asked Questions About Data Breach Notification Laws

What if the breach only affects a handful of people?

Most states do not set a minimum number of affected individuals before notification is required. However, many states allow you to forgo consumer notification if a documented risk assessment concludes that the breach is not reasonably likely to cause harm. Where this exception is available, keep that determination in writing as part of your breach records.

Is email notification enough, or do I need to send physical mail?

It varies by statute. Many states accept electronic notice where you have an existing email relationship with the individual, alongside written notice as an option. If contact information is unavailable, the affected class is very large, or notification costs would exceed a statutory threshold, most states permit "substitute notice" — typically a conspicuous notice posted on your website plus notification to statewide media. The exact thresholds and accepted methods are set by each state's law, so confirm the rule for every state where affected residents live before choosing a notification channel.

Does encrypting my data eliminate breach notification obligations?

In many states, yes — most breach statutes apply only to unencrypted personal information, so a breach of properly encrypted data (where the encryption key was not also compromised) may not trigger notification. Strong encryption at rest is therefore a meaningful safeguard. Document your encryption standard and key-management practices, because an encryption-based exemption is difficult to rely on after the fact if it isn't documented.

Build Your Legal Foundation Before a Breach Hits

A breach response starts with the documents you had in place before it happened. Regulators examine your privacy policy, data processing agreements, and terms of service to assess whether your practices — and your notification response — matched your stated commitments.

  • Privacy Policy Generator — GDPR, CCPA, and state-law compliant; includes data security and breach notification disclosures
  • DPA Generator — defines breach notification obligations between you and every processor that handles your users' data
  • Terms of Service Generator — sets liability limits and dispute resolution terms before any incident occurs

Generate all three in under five minutes — free, no signup required.

Generate Your Free Privacy Policy Now →