California Consumer Privacy Act (CCPA) 

 

2 January 2026

Major updates to California's privacy landscape take effect on January 1, 2026, primarily through new regulations under the California Consumer Privacy Act (CCPA) and the implementation of the California Delete Act.

Key 2026 Privacy Law Updates

Effective January 1, 2026, the following requirements apply:

Mandatory Risk Assessments:

Businesses must conduct formal privacy risk assessments before starting any "high-risk" data processing, such as selling personal data, processing sensitive information, or training AI.

The "Delete Act" (SB 362) & DROP:

California's Delete Request and Opt-out Platform (DROP) launches, allowing residents to request data deletion from all registered data brokers simultaneously.

Data brokers must register by January 31, 2026, or face daily fines of $200.

Starting August 1, 2026, brokers must check DROP every 45 days and process all pending deletion requests.

Opt-Out Confirmation: 

Websites must now provide a clear visual signal (e.g., a toggle or "Opt-Out Request Honored" text) confirming that a user's opt-out or Global Privacy Control (GPC) signal has been processed.

Youth Data Protections: 

Personal information for anyone under 16 is now automatically classified as Sensitive Personal Information, triggering stricter processing limits and the "Right to Limit".

Expanded "Right to Know": 

Consumers can now request access to any personal information collected by a business since January 1, 2022, removing the previous 12-month lookback limit.

Geolocation Restrictions (AB 45): 

Effective January 1, 2026, geofencing is prohibited within 1,850 feet of family planning and healthcare facilities for tracking or targeted advertising.

Compliance Timeline for Businesses

While core obligations start in 2026, several enforcement and reporting milestones follow:

  1. January 1, 2026: All new high-risk processing must have documented risk assessments.
  2. January 1, 2027: Existing uses of Automated Decision-Making Technology (ADMT) must be compliant.
  3. April 1, 2028: Large businesses (over $100M revenue) must submit their first annual cybersecurity audit certifications.

New Consumer Rights in 2026

Social Media Account Deletion: Platforms with over $100M in revenue must provide a conspicuous "Delete Account" button in settings that also triggers a full CCPA data deletion.

Health Data Dispute: If a business denies a request to correct health data, consumers can now submit a 250-word statement that must follow the data to any third-party recipients.

Correcting Data Sources: Businesses must now identify the specific third-party source of any inaccurate data they hold when a consumer submits a "Right to Correct" request.