Davis+Gilbert LLP

Alert - December 18, 2025

Privacy New Year’s Resolutions

The Bottom Line

  • Privacy compliance obligations continue to grow and expand, so businesses should revisit their privacy compliance programs regularly.
  • California has introduced even more unique privacy compliance obligations.
  • Kentucky, Indiana and Rhode Island join the fray of states with effective comprehensive consumer privacy laws on January 1, 2026.

For most people the new year means resolutions; for businesses, the turn of the calendar once again brings a new set of privacy compliance obligations. 2026 brings new requirements in California, which has the most comprehensive regulatory framework and a stand-alone privacy regulatory agency, along with new state privacy laws taking effect in Kentucky, Indiana and Rhode Island.

CCPA Final Regulations

The California Privacy Protection Agency (CPPA) adopted a package of finalized regulations earlier this year, which take effect January 1, 2026. As discussed in our previous alert, businesses must be cognizant of critical areas that will require additional steps for compliance, including:

  1. Risk assessments before initiating processing that presents “significant risk” to consumers’ privacy, including selling or sharing personal information, processing sensitive personal information, using automated decision-making technology (ADMT) for significant decisions, and certain automated profiling activities (beginning April 1, 2028);
  2. Cybersecurity audits for businesses whose processing presents “significant risk to consumers’ security” (beginning dates vary based on the business’s revenue, with April 1, 2028, being the first deadline); and
  3. Where a business uses ADMT to make “significant decisions” about consumers, it must provide a pre‑use privacy notice, the right to opt‑out of ADMT, and the right to access information about the business’s ADMT use with respect to the consumer (beginning January 1, 2027).

Additional CPPA Requirements

The CPPA has provided businesses with a list of additional items that businesses should know and prepare for, which includes, among other things, the following:

Display Opt-Out Request Status

A business must provide a means by which a consumer can confirm the status of their opt-out request, including those submitted through an opt-out preference signal, like the Global Privacy Control. For example, a business can display on its website “Opt-Out Request Honored” and indicate in the consumer’s privacy settings, via a toggle or radio button, that the consumer has opted out of the sale/sharing of their personal information.

Furthermore, businesses that sell or share personal information must process recognized opt-out preference signals as valid requests to opt out for the device/browser and any associated profiles, and, where the consumer is known, apply the signal to the account and to offline sales/sharing as well.
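The following is an added example, not text or code from the Davis+Gilbert alert, showing how a web backend can treat the Global Privacy Control signal as an opt-out request for the browser and, when the consumer is logged in, for the account as well, and then report the status back so the consumer can confirm it. It assumes an in-memory store, a first-party cookie value as the browser identifier and an account id taken from the session; all of those names are illustrative. The `Sec-GPC: 1` request header is the signal defined by the GPC specification; any other value is not a recognized signal.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added example (not the alert's own text). Assumes: request headers arrive as
# a dict, the browser is identified by a first-party cookie value, and a
# logged-in consumer is identified by an account id from the session.

OPT_OUT_HONORED = "Opt-Out Request Honored"
NOT_OPTED_OUT = "Not Opted Out"


@dataclass
class OptOutStore:
    """In-memory stand-in for the business's opt-out records (illustrative)."""
    browsers: set = field(default_factory=set)   # opted-out device/browser ids
    accounts: set = field(default_factory=set)   # opted-out accounts (online and offline)


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """Return True only for the exact `Sec-GPC: 1` value the GPC spec defines.

    Header names are matched case-insensitively. Any other value ('0', 'true',
    an empty string) is not a recognized opt-out preference signal.
    """
    value = {k.lower(): v for k, v in headers.items()}.get("sec-gpc")
    return value is not None and value.strip() == "1"


def apply_opt_out(store: OptOutStore, browser_id: str, account_id: Optional[str] = None) -> None:
    """Record the opt-out for the browser and, when the consumer is known, the account."""
    store.browsers.add(browser_id)
    if account_id is not None:
        store.accounts.add(account_id)


def opt_out_status(store: OptOutStore, browser_id: str, account_id: Optional[str] = None) -> str:
    """Status text the site displays so the consumer can confirm their opt-out."""
    opted_out = browser_id in store.browsers or (
        account_id is not None and account_id in store.accounts
    )
    return OPT_OUT_HONORED if opted_out else NOT_OPTED_OUT


def handle_request(store: OptOutStore, headers: Dict[str, str], browser_id: str,
                   account_id: Optional[str] = None, explicit_opt_out: bool = False) -> str:
    """Process one request: honor a GPC signal or an explicit "Your Privacy
    Choices" submission, then return the status to display."""
    if explicit_opt_out or gpc_signal_present(headers):
        apply_opt_out(store, browser_id, account_id)
    return opt_out_status(store, browser_id, account_id)


def may_sell_or_share(store: OptOutStore, browser_id: str, account_id: Optional[str] = None) -> bool:
    """Gate for any sale/sharing (ad tech calls, list exports): False once opted out."""
    return opt_out_status(store, browser_id, account_id) == NOT_OPTED_OUT


if __name__ == "__main__":
    store = OptOutStore()
    # Constructed request: a browser sending GPC while logged in as account "acct-42".
    print(handle_request(store, {"Sec-GPC": "1"}, "cookie-abc", account_id="acct-42"))
    # Same account on another browser with no signal: the account-level opt-out still applies.
    print(opt_out_status(store, "cookie-xyz", account_id="acct-42"))
    print(may_sell_or_share(store, "cookie-xyz", account_id="acct-42"))
```

Every code path that sells or shares personal information should call the gate rather than re-reading the header, so that a signal seen once on a logged-in session keeps applying to the account, including offline sales, even on later requests that do not carry it.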

Requests to Know and Correct

For requests to know, where a business retains personal information for longer than 12 months, consumers must be able to obtain all personal information collected on or after January 1, 2022, unless doing so is impossible or would involve disproportionate effort, with individualized responses and secure delivery.

For corrections, businesses must now provide the consumer with the name of the source from which they received inaccurate information, or alternatively, inform the source themselves that the information is incorrect and must be corrected. Businesses must also ensure that corrected information remains corrected. For example, if the business regularly receives information from data brokers, it must make sure the corrected data is not overridden by inaccurate information later received from data brokers.
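One way to keep a correction from being silently overwritten by a later broker feed, as an added example that is not part of the alert: track which fields the consumer has corrected, and have the ingestion step refuse conflicting values for those fields while returning what was blocked so the business can notify the source. The record layout, field names, source names and the broker update are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example (not the alert's own text). Field names, source names and the
# broker feed used below are constructed for illustration.


@dataclass
class ConsumerRecord:
    fields: Dict[str, str]
    provenance: Dict[str, str]                              # field -> source that supplied it
    corrected: Dict[str, str] = field(default_factory=dict)  # field -> source whose value was wrong


def apply_correction(record: ConsumerRecord, name: str, value: str) -> str:
    """Apply a consumer's correction and lock the field.

    Returns the name of the source that supplied the inaccurate value, which the
    business must either give to the consumer or use to notify the source itself.
    """
    bad_source = record.provenance.get(name, "unknown")
    record.fields[name] = value
    record.provenance[name] = "consumer"
    record.corrected[name] = bad_source
    return bad_source


def merge_broker_feed(record: ConsumerRecord, source: str,
                      update: Dict[str, str]) -> List[Tuple[str, str]]:
    """Merge a broker update into the record; corrected fields keep their corrected values.

    Returns the (field, rejected_value) pairs that were blocked so the business
    can tell the source it is still supplying data the consumer has corrected.
    """
    blocked: List[Tuple[str, str]] = []
    for name, value in update.items():
        if name in record.corrected:
            if value != record.fields[name]:
                blocked.append((name, value))
            continue  # never let a feed touch a corrected field
        record.fields[name] = value
        record.provenance[name] = source
    return blocked


if __name__ == "__main__":
    # Constructed record: both fields originally supplied by a data broker.
    rec = ConsumerRecord(fields={"address": "1 Old St", "phone": "555-0100"},
                         provenance={"address": "BrokerA", "phone": "BrokerA"})
    print("inaccurate source:", apply_correction(rec, "address", "2 New Ave"))
    # The same broker later resends the stale address alongside a new phone number.
    print("blocked:", merge_broker_feed(rec, "BrokerA", {"address": "1 Old St", "phone": "555-0199"}))
    print(rec.fields)
```

The blocked list is what you would feed into the notice back to the data broker; the corrected field stays locked until the consumer changes it again.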

If a business denies a request to correct health information, consumers have the right to submit a 250-word written statement contesting the accuracy of health information, and upon the consumer’s request, the business must make that statement available to any person to whom it disclosed the contested personal information.

Expanding Right to Limit

The definition of “sensitive personal information” now explicitly includes personal information of consumers the business knows are under 16, as well as “neural data,” and confirms the sensitivity of several categories (e.g., precise geolocation, union membership, sexual orientation).

If a business is using consumers’ sensitive personal information for something other than the permitted uses set forth in section 7027(m) of the CCPA regulations, it must offer and honor consumers’ right to limit, and update privacy policies accordingly. Businesses may omit the “not inferring characteristics” condition only if they truly do not infer characteristics from sensitive data.

Enhanced Notices, Choice Architecture, and Universal Design Principles

All disclosures and interfaces for CCPA requests and consent must be easy to read, accessible, and free from dark patterns, with symmetry in choice and minimal steps to execute privacy‑protective options. Notices must be conspicuous online and in mobile apps (e.g., in the app’s platform or download page), and accessible across modalities (including offline and device environments).

The regulations also codify specific requirements for the Notice at Collection, Notice of Right to Opt‑Out of Sale/Sharing, Notice of Right to Limit, and the Alternative Opt‑Out Link (“Your Privacy Choices” icon), including placement, content, and interactivity, with tailored offline and connected‑device pathways.

Service Provider / Contractor Oversight

The regulations clarify that a business’s failure to conduct appropriate due diligence of its service providers — including ensuring that its subcontractor agreements comply with the CCPA and the regulations — will be factored into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and the regulations.

Metrics and Reporting for Large Data Handlers

Businesses handling 10 million or more consumers’ personal information annually must, by July 1st of each year, disclose metrics of volumes and median/mean response times for requests to delete, correct, know, opt‑out of sale/sharing, limit, and, where applicable, access ADMT. Disclosures must state whether figures cover all individuals or only California consumers, with the business having the option of which metrics to disclose in its privacy policy.

Non-Discrimination Rules and Financial Incentives

The regulations reinforce that price or service differences tied to the exercise of CCPA rights are prohibited unless reasonably related to the value of the consumer’s data. Businesses must be able to substantiate valuations and provide a compliant Notice of Financial Incentive where applicable. In addition, non‑discrimination rights extend to the exercise of ADMT rights.

Insurance Clarification

Insurance companies that are “businesses” under the CCPA must comply with the regulation with respect to personal information that is not subject to the Insurance Code, such as website tracking for advertising or employment information (claims‑related data governed by the Insurance Code remains outside the scope of the CCPA).

New State Privacy Laws – Kentucky, Indiana and Rhode Island

Three new consumer privacy laws take effect on January 1, 2026:

  • Kentucky Consumer Data Protection Act
  • Indiana Consumer Data Protection Act
  • Rhode Island Data Transparency and Privacy Protection Act

Among the patchwork of existing state privacy laws, Indiana and Kentucky’s laws are most similar to Virginia’s Consumer Data Protection Act (VCDPA) and the Connecticut Data Privacy Act (CTDPA), as opposed to the more unique aspects of the CCPA. Covered businesses include those that:

  1. Control or process personal data of at least 100,000 consumers, or
  2. Control or process personal data of at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data

Businesses that already comply with other state laws may not have to make significant changes to their privacy programs. They should, however, review their existing privacy policies to ensure they include the disclosures required under Indiana and Kentucky's laws.

Rhode Island’s Unique Requirement

Rhode Island, notwithstanding its similarities to the existing laws, includes a unique provision that controllers must identify “all third parties to whom the controller has sold or may sell consumers’ personally identifiable information” (subject to an exception for disclosing trade secrets). Notably, the statute does not define “personally identifiable information,” instead referring to “personal data” (which is defined) in most of its provisions, so it is unclear how broadly this provision sweeps.

Controllers subject to Rhode Island’s law include those that:

  1. Control or process personal data of at least 35,000 Rhode Island residents, or
  2. Control or process personal data of at least 10,000 Rhode Island residents and derive more than 20% of gross revenue from the sale of personal data.

This requirement has the potential to impose an onerous burden on companies that engage in a substantial volume of such sales.

What’s on the Horizon?

For the first time this decade, there are no consumer privacy laws signed by a governor waiting to take effect. But don’t get too comfortable. Legislation in Wisconsin, Michigan, Massachusetts, Pennsylvania, and North Carolina is moving through committees. As always, it remains to be seen which of these bills will ultimately become law, but this is nonetheless a reminder that privacy law never sleeps.

Related People

  • Gary Kibel, Partner (Privacy, Technology + Data Security; Advertising + Marketing)
  • Jeremy Merkel, Associate (Privacy, Technology + Data Security; Advertising + Marketing)

Related Services

  • Privacy, Technology + Data Security
  • Privacy Compliance and Internal Policies
  • Data, Digital Media and Ad Tech

Get the latest insights from Davis+Gilbert

Subscribe
  • Sitemap
  • Privacy Policy
  • Terms and Conditions
  • Accessibility Statement
  • About Us
  • Location
  • Subscribe
© 2025 Copyright Davis+Gilbert LLP. Attorney Advertising.
  • People
  • Services
  • Emerging Issues
  • Insights + Events
  • Culture + Community
  • Pro Bono + Corporate Social Responsibility
  • Careers
  • About Us
  • Subscribe
  • Location
This site uses cookies from third party providers for them to collect and store information from and on your device. These cookies either support essential functions of the site or are used to develop analytics regarding usage of our site. Click Accept to continue using the site with our recommended settings or click Decline to disable non-essential cookies. See our Privacy Policy for more information.AcceptDeclinePrivacy policy