Data Breach Notification Laws: A 50-State Survey (2026 Edition)
Posted: January 28, 2026
This survey analyzes and compares data breach notification laws across all 50 U.S. states and the District of Columbia. Using a standardized framework of 50 questions, we examined each jurisdiction's requirements for breach notification timing, covered data types, notification recipients, enforcement mechanisms, and consumer remedies.
This survey reflects statutes enacted as of January 1, 2026.
Explore the Data
Use the interactive map below to explore how breach notification requirements vary across the country. Click any state to view its complete analysis, or use Compare mode to visualize how states differ on specific questions—from notification deadlines to private rights of action.
Key Findings
Notification Timing
20 states (39%) specify numeric deadlines for consumer notification, ranging from 30 to 60 days. The remaining 31 states use qualitative language such as "without unreasonable delay."
- 30 days: California, Colorado, Florida, New York, Washington
- 45 days: Alabama, Arizona, Indiana, New Mexico, Ohio, Oregon, Rhode Island, Tennessee, Vermont, Wisconsin
- 60 days: Connecticut, Delaware, Louisiana, South Dakota, Texas
Personal Information Coverage
States vary significantly in what triggers notification:
- Biometric data: 22 states explicitly cover biometric identifiers
- Medical information: 24 states cover medical/health data
- Paper records: Only 9 states (18%) cover paper record breaches
The Transparency Gap
36 states (71%) require entities to report breaches to the Attorney General or another state agency. Yet only 21 states make that data publicly accessible through searchable online portals.
Consumer Remedies
- 24 states (47%) provide a private right of action for breach notification violations
- 6 states (12%) require free credit monitoring for affected consumers
Methodology
This survey analyzes data breach notification statutes using 50 standardized questions. For each state, we reviewed the full statutory text and documented responses with verbatim quotes and Bluebook citations.
Explore the interactive dashboard above or download the full report to see complete responses for each state, including links to official code sections and the latest legislative amending instruments.
Group 1: Definitions, Data Types & Covered Entities (Q1–14)
Definitions (Q1–2)
- What is the definition of "breach," "data breach," "security incident" or the event that triggers notification?
- What is the definition for "Personally Identifiable Information" or the information that is covered by the law?
Data Type Coverage (Q3–10)
- Can biometric information contribute to triggering breach notification requirements?
- Can government-issued IDs and/or passports contribute to triggering breach notification requirements?
- Can medical information contribute to triggering breach notification requirements?
- Can paper records contribute to triggering breach notification requirements?
- Can deidentified information contribute to triggering breach notification requirements?
- Can publicly available information contribute to triggering breach notification requirements?
- Can encrypted information (if the decryption key was NOT exposed) trigger notification requirements?
- Can encrypted information (if the decryption key WAS exposed) trigger notification requirements?
Covered Entities (Q11–14)
- Are businesses subject to notification requirements?
- Are persons (or individuals) subject to notification requirements?
- Are state government agencies subject to notification requirements?
- Are local governments subject to notification requirements?
Group 2: Timing, Methods & Content (Q15–36)
Notification Triggers & Timing (Q15–21)
- Is notification triggered immediately after the discovery of the breach?
- Does the law require a risk assessment before notification is required?
- Are there permitted delays for notification, and if so, under what conditions?
- Does the statute specify numeric day limits for breach notification to individuals?
- What is the notification timeframe for businesses/persons to notify affected individuals (in days)?
- What is the notification timeframe for government agencies to notify affected individuals (in days)?
- What is the notification timeframe for third-party processors to notify data owners/licensees (in days)?
Notification Methods (Q22–26)
- Does the law permit substitute notice under certain conditions?
- Does the law specify mail as a valid notification method?
- Does the law specify email as a valid notification method?
- Does the law specify website posting as a valid notification method?
- Does the law specify media notification as a valid notification method?
Notification Content & Recipients (Q27–36)
- Does the law specify what information about the breach must be included in notifications?
- Is notification to the impacted individual required?
- Does the law require sending a breach notification to a Credit Reporting Agency?
- Is notification to the Attorney General/state agency required, and what is the threshold?
- Does any statute require the receiving state agency to publish breach notifications publicly?
- Must breach notifications include the specific number of individuals affected?
- Does the law require a description of how the breach occurred?
- Does the law require notifications to include information about response actions?
- Does the law require notifications to specify types of personal information compromised?
- Does the law require follow-up notifications if scope changes?
Group 3: Third-Party Obligations, Exceptions & Enforcement (Q37–50)
Third-Party Processor Requirements (Q37–39)
- Does the law require third-party processors to directly notify individuals, or only notify the contracting entity?
- If processors must notify the contracting entity, what is the timeframe?
- Does the law permit processors to provide breach notifications on behalf of the contracting entity?
Federal Compliance Exemptions (Q40–44)
- Does the law provide an exemption for entities complying with HIPAA?
- Does the law provide an exemption for entities complying with GLBA?
- Does the law provide an exemption for entities complying with other federal breach notification regulations?
- Does the law provide an exemption for entities with their own equivalent notification procedures?
- Does the law provide safe harbors beyond federal compliance?
Enforcement & Consumer Remedies (Q45–50)
- Does the law provide enforcement measures?
- Does the law provide an explicit private right of action for breach notification violations?
- If a private right of action exists, does recovery require proof of actual damages, or are statutory damages available?
- If a private right of action exists, are there limitations or exemptions that restrict it?
- Can the Attorney General seek injunctive or other remedies?
- Does the law require credit monitoring or identity-theft protection?
Limitations
This survey analyzes statutory text only. It does not capture Attorney General guidance, regulatory interpretations, or case law that may affect how these statutes are applied in practice.
Download the Full Report
For the full detailed state-by-state analysis—including statutory definitions, notification requirements, legal citations, links to official code sections, and the latest legislative amending instruments—download the complete survey report: