What Is Data Breach Notification? GDPR and US Rules Explained

What is data breach notification? See the GDPR 72-hour rule, the 50-state US patchwork, required notice content, and who you must tell.


by Riad Us Salehin • 4 July 2026


Data breach notification is the legal duty to tell affected individuals and regulators when personal data has been exposed, lost, or accessed without authorization. Timelines vary by jurisdiction: GDPR gives EU regulators a 72-hour window, while the United States runs a state-by-state patchwork with no single federal deadline.

Below, the specific rules for who you must notify, when, and what the notice has to say, under both GDPR and US law.

What Counts as a Personal Data Breach?

A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data. Two questions decide whether it must be reported: does it create a real risk of harm, and was the data encrypted or otherwise unreadable.

Not every incident triggers a notification duty, but every breach should still be documented internally.

A breach can happen through hacking, a lost laptop, a misdirected email, or a misconfigured database left open to the public. What matters legally is not how it happened, but whether personal data was actually exposed to someone unauthorized to see it.

Two gating questions determine reportability:

  • Is there a real risk of harm to the people affected? GDPR and most US state laws only require notification when the exposure creates a genuine risk. A purely theoretical risk does not count.
  • Was the data encrypted or otherwise unreadable? Encrypted data that stays unintelligible to the person who accessed it commonly falls under an encryption safe harbor. That safe harbor removes the notification trigger.

Even when a breach is not reportable, it still belongs in your internal breach register. GDPR requires controllers to document every breach internally, regardless of whether formal notification was required, so the record exists if a regulator ever asks.

Who Must You Notify, and When?

A breach can trigger duties to two different audiences, on two different timelines. You may owe a notice to the regulator, a notice to the affected individuals, or both, depending on the severity of the breach. If you process data on behalf of a client, you likely owe that client a notice first, before either public notice goes out.

The table below sets every notification clock side by side, so you can see which deadline applies to your breach. All timelines below reflect the rules in force as of 2026.

Notification dutyDeadlineApplies when
GDPR: to the supervisory authority (Art. 33)Without undue delay, within 72 hours where feasibleAny qualifying personal data breach
GDPR: to affected individuals (Art. 34)Without undue delay, no fixed hourOnly when the breach is likely to cause high risk
US state law: to affected residentsWithout unreasonable delay, commonly 30 to 60 daysUnencrypted personal information exposed
US state law: to the state attorney generalSet by each state, often alongside the resident noticeAffected residents cross a threshold, such as 500 in California
HIPAA: to individuals and, at 500+, the HHS SecretaryWithout unreasonable delay, no later than 60 daysA breach of protected health information
CCPA: consumer lawsuit for statutory damages30-day cure notice before filingUnencrypted data exposed through failure to maintain reasonable security

Notifying the Regulator

Most frameworks require notifying a government authority once a qualifying breach occurs. Under GDPR, that is the supervisory authority, the data protection authority (DPA) for your jurisdiction, within 72 hours of becoming aware of the breach.

In the United States, many states require notice to the state attorney general or a state agency once a resident-count threshold is crossed. California sets that threshold at 500 or more residents. Large breaches of Social Security or financial data can also require notice to the major consumer credit bureaus, Equifax, Experian, and TransUnion. HIPAA adds a sector-specific rule for healthcare entities. They must notify the HHS Secretary within 60 days when 500 or more individuals are affected. Prominent media notice is also required in any state where 500 or more residents are hit.

Notifying Affected Individuals

Individuals must be told when a breach is likely to cause them real harm. GDPR requires this notice "without undue delay," but only when the breach poses a high risk to their rights and freedoms. Unlike the regulator notice, it carries no fixed-hour deadline. US state laws use similar "without unreasonable delay" language, commonly translating to a 30-to-60-day window from discovery.

GDPR Article 34 carves out three exceptions to the individual-notice duty. A controller can skip it if the data was encrypted or otherwise unintelligible to the person who accessed it. The same applies if the controller has since taken measures that remove the high risk. A third exception covers disproportionate effort: when direct notice is impractical, a public communication substitutes instead.

The GDPR 72-Hour Rule (Articles 33 and 34)

Under GDPR Article 33, a data controller must notify its supervisory authority of a qualifying breach without undue delay. Where feasible, that means within 72 hours of becoming aware of it.

The clock starts at awareness, not at the moment the breach technically occurred. A breach discovered weeks after the fact still gives the controller a fresh 72-hour window from discovery. If a controller misses the window, the notification must explain the reasons for the delay.

Article 33 and Article 34 answer two different questions, and the 72-hour figure applies to only one of them.

To the supervisory authority (Art. 33)To affected individuals (Art. 34)
TriggerAny qualifying personal data breachOnly when the breach is likely to cause high risk
DeadlineWithout undue delay, within 72 hours where feasibleWithout undue delay, no fixed hour limit
Who actsThe data controllerThe data controller

A data processor that discovers a breach must alert its controller without undue delay; the processor does not notify the authority or individuals directly. Data controllers must document every breach internally, even ones that never cross the notification threshold.

Breach-notification failures fall under the lower GDPR fine tier: fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher. That is distinct from the higher EUR 20 million or 4% tier for other GDPR violations, such as failing to obtain valid consent.

Read more about the regulation these deadlines come from in our GDPR guide.

US Data Breach Notification Laws: A 50-State Patchwork

The United States has no single federal law governing data breach notification for general personal data. Instead, all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands each enforce their own breach-notification statute.

Federal sector rules layer on top for specific industries: HIPAA for health data, the Gramm-Leach-Bliley Act for financial data.

Despite the patchwork, most state laws share a common structure. Businesses must notify affected residents without unreasonable delay, typically within a window of 30 to 60 days from discovery. Many states also require notice to the state attorney general or a central agency once affected residents cross a threshold, 500 or more in California. Encrypted data is exempt from notification in most states, the same encryption safe harbor GDPR applies.

For the specifics that apply to your customers' states, see our US state privacy laws breakdown instead of tracking all 50 statutes by hand.

The CCPA Private Right of Action for Breaches

California's CCPA gives consumers something most US privacy laws do not: a private right of action for data breaches. Consumers can sue a business directly if unencrypted personal information is stolen in a breach caused by the business's failure to maintain reasonable security.

Statutory damages run $100 to $750 per consumer per incident, or actual damages if higher, under California Civil Code 1798.150. Before suing, a consumer must give the business written notice of the violated CCPA sections and 30 days to cure it.

This private right of action is rare among US breach laws. Most state statutes are enforced only by regulators, not by the consumers whose data was exposed. That gap is exactly why CCPA breach exposure drives so much class-action activity in California specifically.

What a Breach Notification Must Contain

A compliant breach notice covers a consistent set of elements under both GDPR and most US state laws.

  • What happened and when: the nature of the incident, plus the discovery date
  • Scope of exposure: the categories and approximate number of people and records affected
  • Likely consequences: what could realistically happen to the exposed data
  • Response steps: what the organization is doing to investigate, contain, and mitigate the breach
  • A contact point: a Data Protection Officer or other named contact for follow-up questions
  • Actionable advice: concrete steps individuals can take, such as resetting passwords or placing a credit freeze

GDPR Article 33(3) and most US state notice-content rules overlap heavily on these elements. A notice built to satisfy one regime covers most of what the other requires too.

How Data Breach Notification Differs Under GDPR and US Law

GDPR applies one harmonized, risk-based rule across the EU and EEA: notify the regulator within 72 hours, notify individuals only on high risk. US law is the opposite: a state-by-state patchwork with no single federal law, different deadlines by state, plus separate sector rules layered on top.

GDPRUS state laws
Who you notifyThe supervisory authority (DPA) in every qualifying caseThe state AG above a resident threshold; individuals in most cases
Deadline to the regulator72 hours, where feasibleVaries by state; commonly 30 to 60 days
Deadline to individualsWithout undue delay, only on high risk, no fixed hourWithout unreasonable delay, commonly 30 to 60 days
Who enforcesThe national or regional supervisory authorityState attorneys general; the CCPA also gives consumers a private right of action
Maximum penaltyUp to EUR 10 million or 2% of global turnoverVaries by state; CCPA statutory damages of $100 to $750 per consumer

A site serving both EU and US visitors needs to track both clocks at once. A single breach can trigger the GDPR's 72-hour authority deadline and a separate US state deadline for the same incident.

A Practical Data Breach Response Checklist

Responding to a suspected breach follows a consistent sequence, regardless of which laws apply. This is general guidance, not legal advice; consult counsel for your specific situation.

  1. Contain the incident. Secure affected systems and stop additional data loss immediately.
  2. Preserve evidence. Start documenting what happened before you fix anything that might destroy forensic evidence.
  3. Assess the risk. Determine what data was exposed, how many people are affected, and whether the exposure creates real risk of harm.
  4. Identify which laws apply. Check whether GDPR applies, which US states your affected residents live in, and whether a sector rule like HIPAA applies.
  5. Notify the regulator within the applicable deadline. For GDPR, that means within 72 hours of becoming aware of the breach.
  6. Notify affected individuals if the risk warrants it. Include the required content: what happened, what was exposed, and what to do next.
  7. Notify your client or controller first if you are a processor. A processor's duty runs to its controller, not directly to the public.
  8. Log the breach in your internal register, even if no external notice was required.

Breach discovery itself often lags the actual incident, sometimes by months. That is exactly why the legal clock starts at the moment of awareness, not the moment the breach technically occurred. Waiting to notify until you are legally forced to is not a compliance strategy: the clock is already running the moment you know.

For the full path to becoming compliant, see how to make your website GDPR compliant.

What to Do If You Receive a Data Breach Notification

If a company tells you your data was exposed, confirm the notice is genuine before you act on it. Breach-themed phishing emails are common, so go to the company's official site or a known contact number rather than clicking links in the notice itself.

Once you have confirmed the notice is real, take these steps:

  1. Verify legitimacy. Check the sender against the company's official communications rather than trusting the email alone.
  2. Change affected passwords. Update credentials on the breached account and anywhere you reused that password.
  3. Enable two-factor authentication on the affected account and any related accounts.
  4. Place a fraud alert or credit freeze with Equifax, Experian, and TransUnion if financial or identity data was exposed.
  5. Watch your financial statements for unauthorized charges or new accounts you did not open.

Companies that offer free credit monitoring after a breach are worth taking up on. This matters most when Social Security numbers or financial account details were part of the exposure.

How Consently Supports Your Broader Privacy Compliance

Consently is a consent-management platform, not breach-response or incident-response software. It does not detect, investigate, or report a data breach, and nothing here should be read as breach-response coverage.

What Consently does provide is part of the broader privacy hygiene that reduces breach exposure. It also supports documentation a regulator or a breach notice will reference.

Strong day-to-day consent practices, clear records of what data you collect, and documented lawful bases all shrink the surface area a breach can expose. They also give you evidence to point to when a regulator asks how you handle personal data generally.

Two features back that documentation directly. Consent logs give you an audit-ready, timestamped record of what consent you held and when. That record is useful evidence of lawful processing if a regulator or a breach notice ever asks how a specific visitor's data was collected.

Consently's customer-facing Data Processing Agreement, with a subprocessor list and Standard Contractual Clauses, documents where your data actually lives and who processes it. You need that information on hand well before any incident occurs. The cookie, privacy, and terms policy generators back this up by keeping your public-facing disclosures current. Consently also hosts EU customer data in Frankfurt, a data-residency signal worth having on record for GDPR purposes.

Try Consently free to see the consent logs and DPA details in your own dashboard. Pair it with Consently's GDPR cookie consent solution for the day-to-day compliance layer breach notification sits on top of.

FAQs

What is the purpose of a data breach notification?

A data breach notification alerts regulators and affected individuals that their personal data was exposed. It exists so people can take protective steps quickly and so regulators can hold organizations accountable for how they handled the incident.

How long do you have to report a data breach?

Under GDPR, you have 72 hours from becoming aware of a breach to notify your supervisory authority. Under most US state laws, the deadline to notify affected individuals runs 30 to 60 days from discovery, described as "without unreasonable delay."

Do all data breaches have to be reported?

No. Most frameworks only require notification when the breach creates a real risk of harm to the people affected. Encrypted data that stayed unreadable to the person who accessed it commonly falls under an encryption safe harbor. It still belongs in your internal breach register.

Do companies have to tell you if your data is breached?

Yes, in most cases. GDPR requires notice when a breach poses a high risk to your rights and freedoms. Nearly every US state requires notice once your personal information is exposed in a breach, subject to each state's specific thresholds and exceptions.

Is a data breach notification letter legitimate or a scam?

It can be either. Breach-themed phishing is common, so verify the notice through the company's official website or a known contact number, not the links inside the email itself. A genuine notice will not ask you to enter sensitive information to "confirm" your identity.

What happens if a company fails to report a data breach?

Under GDPR, failing to notify a qualifying breach can bring fines of up to EUR 10 million or 2% of global turnover, whichever is higher. In the US, state attorneys general can bring enforcement actions. California's CCPA additionally lets affected consumers sue directly for statutory damages of $100 to $750 per incident.

Does GDPR apply to US companies for breach notification?

Yes, if the company processes the personal data of individuals in the EU or EEA, regardless of where the company itself is based. A US-based business with EU customers or site visitors falls under GDPR's breach-notification rules for that data, on top of any applicable US state laws.

Data breach notification sits within a wider set of data privacy laws that govern how organizations handle personal information day to day. These deadlines and thresholds change how you handle the trackers and cookies on your site too. Our guide to the cookie consent rules the GDPR sets covers that side.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.