California privacy law updates take effect January 1, 2026
California's CCPA updates bring new consumer data protection requirements for businesses selling or sharing personal information, effective January 1, 2026.
The California Consumer Privacy Act will implement significant updates on January 1, 2026, according to documentation posted by the California Privacy Protection Agency in December 2025. Assembly Bills 137 and 566 have modified the landmark privacy legislation that first took effect in 2020.
The updated regulations expand requirements around consumer consent, particularly for businesses that collect and transfer personal information to third parties. Companies must now enter into agreements with any third party, service provider, or contractor receiving consumer data. These contracts must specify that information transfers occur only for limited purposes and obligate recipients to provide privacy protections equivalent to those required under the statute.
New contractual obligations for data transfers
Businesses selling or sharing personal information face stricter contractual requirements under the amendments. According to the updated text, agreements must grant businesses "the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information."
The modifications require third parties receiving data to notify businesses if they determine they can no longer meet their obligations under the privacy law. This notification trigger gives businesses authority to intervene when contractors or service providers fail compliance requirements.
California's privacy framework has undergone multiple iterations since voters approved Proposition 24 in 2020, which created the California Privacy Rights Act. The latest amendments continue the state's expansion of consumer rights around personal data collection, processing, and transfer.
Recent enforcement actions demonstrate California's commitment to privacy compliance. The state secured a $1.55 million settlement with Healthline Media LLC in July 2025 for failing to honor opt-out requests. In November 2025, California Attorney General Rob Bonta announced a $1.4 million settlement with mobile gaming company Jam City for violations including failure to provide opt-out mechanisms across 21 mobile applications.
Impact on advertising technology platforms
The updated requirements affect digital advertising platforms that rely on consumer data sharing for targeted advertising. Businesses must disclose whether personal information categories are sold or shared at or before the point of collection. Companies cannot collect additional categories of personal information or use data for purposes incompatible with initial disclosures without providing updated consumer notice.
For sensitive personal information categories, businesses face parallel disclosure requirements. The law defines sensitive data to include social security numbers, account credentials with security codes, precise geolocation, racial or ethnic origin, religious beliefs, union membership, mail or email contents, genetic data, and neural data.
Neural data represents a recent addition to protected categories. According to the statute, neural data means "information that is generated by measuring the activity of a consumer's central or peripheral nervous system, and that is not inferred from nonneural information."
The amendments also address biometric information processing. When businesses process biometric data "for the purpose of uniquely identifying a consumer," this activity triggers sensitive personal information protections. Health data and information about sex life or sexual orientation also receive heightened protection status.
Consumer rights expansion
The updated law maintains and clarifies existing consumer rights to know, delete, and correct personal information. Businesses must respond to verifiable consumer requests within 45 days, with possible 45-day extensions when reasonably necessary.
Consumers retain the right to request that businesses disclose categories of personal information collected, sources from which information is gathered, business purposes for collection or sale, and categories of third parties receiving disclosures. For requests for specific pieces of information, businesses must provide data in readily usable formats that allow transmission to other entities without hindrance.
The deletion right extends to service providers and contractors. When businesses receive verified deletion requests, they must notify service providers and contractors to delete consumer information from their records. Businesses must also notify third parties to whom they sold or shared information to delete that data "unless this proves impossible or involves disproportionate effort."
California has demonstrated sustained enforcement activity across business sectors. Following Data Privacy Day in January 2025, Attorney General Bonta emphasized the Global Privacy Control mechanism allowing consumers to signal opt-out preferences through browser-based automation rather than individual website requests.
Browser and operating system requirements
Although Governor Gavin Newsom in September 2024 vetoed Assembly Bill 3048, which would have mandated privacy opt-out settings in browsers and mobile operating systems, businesses face requirements to honor opt-out preference signals. The statute permits businesses to comply with consumer opt-out rights either through dedicated web page links or by responding to opt-out preference signals sent through platforms, technologies, or mechanisms.
Section 1798.136 of the updated code addresses browser functionality directly. Starting January 1, 2027, businesses cannot develop or maintain browsers that lack consumer-configurable functionality enabling opt-out preference signal transmission. The functionality must be "easy for a reasonable person to locate and configure."
Financial incentive program limitations
Businesses offering financial incentives for personal information collection, sale, or retention face new restrictions. Consumer opt-in consent must clearly describe material program terms, and consumers may revoke consent at any time.
The amendments prohibit businesses from requesting opt-in consent more frequently than once every 12 months after consumers refuse participation. According to the statute, businesses "shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature."
Discrimination protections prevent businesses from denying goods or services, charging different prices, providing different quality levels, or retaliating against consumers who exercise privacy rights. However, businesses may offer different prices or service levels when differences are "reasonably related to the value provided to the business by the consumer's data."
Service provider and contractor distinctions
The updated law maintains distinctions between service providers and contractors. Both categories involve entities that receive consumer personal information for business purposes under written contracts. Contracts must prohibit selling or sharing information, restrict use to specified business purposes, and prevent retention outside direct business relationships.
Service providers and contractors that engage other persons to assist with processing personal information must notify businesses of such arrangements. Sub-processing agreements must bind additional parties to the same requirements as primary service providers or contractors.
The California Privacy Protection Agency holds authority to adopt regulations further defining business purposes for which service providers and contractors may use consumer information. Regulatory authority extends to identifying purposes for which these entities may use information for their own business purposes "with the goal of maximizing consumer privacy."
Implementation and enforcement timelines
Administrative and civil enforcement of provisions added or amended by the California Privacy Rights Act began July 1, 2023, applying only to violations occurring on or after that date. Enforcement of California Consumer Privacy Act provisions amended by the rights act remained in effect during the transition period.
The California Privacy Protection Agency, established in 2020, exercises full administrative power to implement and enforce the privacy framework. The five-member board includes appointments from the Governor, Attorney General, Senate Rules Committee, and Speaker of the Assembly.
Administrative fines reach up to $2,500 per violation, or $7,500 per intentional violation and per violation involving personal information of consumers under 16 years of age. These amounts adjust pursuant to Consumer Price Index changes for California.
For security breaches involving unauthorized access and exfiltration of personal information, consumers may institute civil actions seeking statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater, plus injunctive or declaratory relief.
Global privacy context
California's privacy framework exists within broader United States privacy legislation trends. AdSense updated privacy messaging in June 2024 for compliance with privacy laws in California, Virginia, Colorado, Connecticut, and Utah. Multiple states have enacted comprehensive consumer privacy legislation following California's lead.
The statute explicitly states that provisions are "intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution."
Exemptions exist for information governed by sector-specific federal laws including the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, Fair Credit Reporting Act, and Driver's Privacy Protection Act. Healthcare providers maintaining information in the same manner as protected health information receive exemptions for that data.
The amendments affect businesses meeting threshold criteria: annual gross revenues exceeding $25 million, buying or selling personal information of 100,000 or more consumers or households, or deriving 50 percent or more of annual revenues from selling or sharing consumer personal information. The revenue threshold adjusts for cost-of-living changes.
Timeline
- 2018: California Consumer Privacy Act passes, becoming the first comprehensive consumer privacy law in the United States
- 2020: Proposition 24 (California Privacy Rights Act) approved by voters, creating the California Privacy Protection Agency
- January 1, 2020: CCPA takes effect
- July 1, 2023: CPRA enforcement begins for violations occurring on or after this date
- June 2024: AdSense updates privacy messaging for US state regulations compliance
- September 2024: Governor Newsom vetoes AB 3048, which would have mandated browser opt-out settings
- July 2025: Healthline settles for $1.55 million, the largest CCPA penalty to date
- November 2025: Jam City settles for $1.4 million for mobile app privacy violations
- December 2025: Updated CCPA text posted with AB 137 and AB 566 amendments
- January 1, 2026: Updated CCPA requirements take effect
- January 1, 2027: Browser opt-out functionality requirements become operative
Summary
Who: California businesses, service providers, contractors, and third parties that collect, process, sell, or share consumer personal information; California residents with rights to control their personal data.
What: Assembly Bills 137 and 566 update the California Consumer Privacy Act with new requirements for contractual agreements when transferring personal information, expanded disclosure obligations, stricter consent mechanisms, and enhanced consumer rights to know, delete, and correct data.
When: The updated requirements become effective January 1, 2026, with browser functionality requirements operative January 1, 2027.
Where: California, affecting businesses doing business in the state regardless of physical location, with jurisdiction exercised by the California Privacy Protection Agency and California Attorney General.
Why: The amendments strengthen consumer privacy protections by addressing gaps in data transfer oversight, expanding sensitive information categories including neural data, clarifying business obligations for third-party data sharing, and providing enforcement mechanisms through administrative fines and civil penalties following enforcement actions that revealed compliance failures in mobile applications and health information platforms.