The Bottom Line
- Privacy compliance continues to grow more complex for businesses with new regulations and laws being enacted.
- Regulatory enforcement is picking up as more companies have become subject to actions.
- While California may be leading the way in terms of comprehensive laws and regulations, other state privacy laws cannot be ignored.
California’s privacy regulators and legislature have been incredibly active over the past few weeks. As a trailblazer in U.S. privacy regulation since 2018, the state is once again making significant strides in this important area.
CPPA Adopts Final Regulations for CCPA
The California Privacy Protection Agency (CPPA) adopted a package of finalized regulations, effective January 1, 2026, introducing new compliance burdens for businesses in three significant areas.
Cybersecurity Audits
Businesses that process consumer personal information presenting a “significant risk” to security are required to conduct annual, independent cybersecurity audits. This includes businesses that derive 50% or more of their annual revenues from selling or sharing consumers’ personal information, processed the personal information of 250,000 or more consumers in the preceding calendar year, or processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year.
The compliance deadlines for this requirement are in phases based on the business’s revenue. They begin on:
- April 1, 2028 for businesses with revenue over $100 million,
- April 1, 2029 for businesses with revenue between $50 million and $100 million, and
- April 1, 2030 for businesses with revenue below $50 million.
Businesses must submit a certification of completion by the auditor to the CPPA each year that the business is required to conduct an audit, and must retain all audit-related records for at least five (5) years.
Risk Assessments
Starting April 1, 2028, businesses that engage in high-risk processing — such as selling personal information, sharing personal information for cross-context behavioral advertising, processing sensitive data, using ADMT (as described below), and certain profiling activities — are required to submit annual attestations and summaries to the CPPA.
Automated Decision-making Technology (ADMT)
Starting January 1, 2027, businesses must provide consumers with a pre-use notice, the right to opt out of ADMT use, the right to request access to information about the business’s use of ADMT, including information about the logic of the ADMT and how ADMT outputs are used in decision-making, and the right to appeal decisions made by ADMT.
The regulations define ADMT as technology that replaces or substantially replaces human decision-making for “significant decisions.” These include decisions in areas such as finance, housing, education, employment, or health care, but not advertising (which was included in previous drafts of the regulations).
Other CCPA Updates
In addition, the final regulations include updates to existing California Consumer Privacy Act (CCPA) rules in several key areas:
- Businesses must provide a link to their privacy policy on any web page where personal information is collected, and not just on their homepage.
- Where a processing purpose relies on consent, consumers must be able to withdraw consent at any time.
- In response to consumer access requests, businesses must provide personal information beyond the previous 12-month limit.
- Consumers must be able to opt out with the same ease as opting in.
Given that CCPA enforcement is no longer theoretical, with the CPPA having undertaken a number of enforcement actions this year, businesses should not delay inventorying ADMT use, developing risk assessment frameworks, and preparing their cybersecurity programs to ensure compliance with the final regulations.
Another CCPA Enforcement Action
The CPPA has continued trucking along in enforcement, with Tractor Supply being the latest target in its path.
The $1.35 million settlement to the CPPA is the largest to date (the Healthline Media settlement to the tune of $1.55 million was with the California Attorney General). This settlement marks the first enforcement action addressing the privacy rights of job applicants, with the CCPA deviating from other state privacy laws by expressly regulating employees’ personal information. It also demonstrates the watchdog’s willingness to pursue CCPA violations that occurred prior to January 1, 2023.
According to the settlement order, Tractor Supply failed to maintain a CCPA-compliant privacy policy and failed to notify candidates of their privacy rights and how to exercise them. Tractor Supply also allegedly disclosed personal information to third parties without proper contractual protections and failed to honor consumers’ requests to opt out from data sales or sharing, including recognizing Global Privacy Controls (GPC), as required by the CCPA.
The order requires Tractor Supply to certify compliance to the CPPA for the next four years, conduct annual reviews of the third parties with whom it shares data, perform quarterly scans of its website and maintain an inventory of tracking technologies, and post to its website, for five (5) years, metrics such as the number of privacy requests it received and how many were denied.
Notably, the order credits Tractor Supply for undertaking remediation efforts upon becoming aware of the CPPA’s investigations. However, companies – especially small and mid-sized businesses – should view this action as a signal to proactively implement a privacy compliance program, and not wait until the regulator comes knocking. It is also a reminder that employee and applicant data – sometimes neglected by companies focusing on consumer data – must not be overlooked for CCPA compliance.
Updates to California’s Data Broker Registration Law
On October 8, 2025, California Governor Newsom signed into law SB 361, which amends California’s existing data broker registration law to expand the disclosures data brokers are required to provide when annually registering with the CPPA.
While the existing law required data brokers to disclose whether they collect the personal information of minors, precise geolocation, and reproductive health care data, the amendment significantly expands the disclosure requirement to include the following categories of personal information:
- names, dates of birth, ZIP Codes, email addresses, or phone numbers;
- account login or account number in combination with any required security code, access code, or password that would permit access to a consumer’s account with a third party;
- driver’s license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;
- mobile advertising identification numbers, connected television identification numbers, or vehicle identification numbers;
- citizenship data, including immigration status;
- union membership status;
- sexual orientation status;
- gender identity and gender expression data; and
- biometric data.
The amendment, effective January 1, 2026, also requires data brokers to disclose whether, in the past year, they shared or sold consumers’ data to (1) a foreign actor, (2) the federal government, (3) other state governments, (4) law enforcement (unless done pursuant to a subpoena or court order), or (5) a developer of a GenAI system or model.
Lastly, the amendment provides that if a data broker does not collect either of the following, then it must disclose “up to three, but no fewer than one, of the most common types of personal information that the data broker collects.”
- consumers’ names, dates of birth, ZIP Codes, email addresses, or phone numbers; or
- mobile advertising identification numbers, connected television identification numbers, or vehicle identification numbers.
New Data Privacy Bills
Governor Newsom also signed two additional bills:
- AB 656 requires social media companies to make it clear and easy for a user to delete their account. The law is narrowly focused – applying only to platforms that generate more than one hundred million dollars ($100,000,000) per year in gross revenues – and requires that “each screen visible to a user” contain a clear and conspicuous message notifying the user how they may delete or suspend their account. The bill also requires that deletion triggers full deletion of the user’s personal data.
- AB 566 requires browsers to include a setting that allows users to send an opt-out preference signal, enabling consumers to request that the business stop the sale or sharing of their data with a single action, instead of opting out site by site.