Data Protection & Privacy 2026

Last Updated March 10, 2026

USA – California

Trends and Developments


Authors



Buchalter LLP is a full-service law firm with over 560 attorneys offering expertise in 35 practice areas. Buchalter’s Privacy and Data Security attorneys help clients navigate local, state, federal, and international requirements, including multi-state and multi-national compliance. They advise across industries on website practices, data collection and storage, privacy program development, breach notification obligations, and responding to investigations, penalties, and related litigation. Buchalter’s team includes attorneys in major cities across the USA, such as San Diego, Los Angeles, San Francisco, Portland, Seattle, Dallas, and Atlanta. Buchalter’s multi-disciplinary team addresses privacy and security issues in litigation, healthcare, intellectual property, finance, corporate, and employment matters. Buchalter delivers timely, strategic, and practical guidance to help clients protect their data and meet evolving regulatory obligations. Buchalter also assists with privacy policies, compliant systems design, due diligence, technology transactions involving personal data, regulatory inquiries, privacy impact assessments, audits, and data subject requests.

The California Consumer Privacy Act of 2018 Remains One of the Strictest Consumer Privacy Laws in the Nation

The California Consumer Privacy Act of 2018 (CCPA), as amended, gives consumers the following rights:

  • the right to limit the use and disclosure of sensitive personal information collected about them;
  • the right to opt out of the sale of their personal information and the right to opt out of the sharing of their personal information for cross-context behavioural advertising;
  • the right to correct inaccurate personal information that businesses have about them;
  • the right to know what personal information businesses have collected about them and how they use and share it;
  • the right to equal treatment (ie, non-discrimination); and
  • the right to delete personal information, subject to some exceptions.

Businesses must provide methods by which consumers can exercise these rights. The CCPA imposes certain disclosure obligations, including the posting of a notice at collection and a privacy policy.

California Created the First, and Only, Privacy Enforcement Agency in the United States

In 2020, California voters approved the California Privacy Rights Act of 2020, which amended the CCPA. Among other things, the California Privacy Rights Act created a new agency to implement and enforce the CCPA – the California Privacy Protection Agency (CPPA). The CPPA is responsible for:

  • promoting public awareness of consumers’ rights and businesses’ responsibilities under the CCPA;
  • adopting regulations in furtherance of the CCPA;
  • enforcing the CCPA through investigations, audits, and enforcement actions;
  • co-operating with other agencies with jurisdiction over privacy laws to ensure consistent application of privacy protections; and
  • providing technical assistance and advice to the legislature with respect to privacy-related legislation.

With New Regulations Come Increased Compliance Obligations

On 23 September 2025, the CPPA announced the approval of new regulations. Most notably, the new regulations require businesses to complete annual cybersecurity audits and conduct risk assessments before certain processing activities. The new regulations also require that consumers be given the opportunity to opt out of the business’s use of automated decision-making technology.

The new regulations, described below, went into effect on 1 January 2026.

Cybersecurity audits

Every business whose processing of consumers’ personal information presents a significant risk to consumers’ security is required to complete an annual cybersecurity audit. Processing of personal information presents significant risk to consumers’ security if:

  • the business derived 50% or more of its annual revenue from selling or sharing consumers’ personal information in the preceding calendar year; or
  • the business had annual gross revenue in excess of USD25 million in the preceding calendar year and:
    1. processed personal information of 250,000 or more consumers or households in the preceding calendar year; or
    2. processed the sensitive information of 50,000 or more consumers in the preceding calendar year.

The audit must be performed by a qualified, objective, independent professional, using procedures and standards recognised within the auditing profession. Businesses must make good-faith efforts to disclose all relevant facts and ensure the auditor has access to all relevant information. Attestations alone are insufficient.

The audit must assess how the business’s cybersecurity programme protects personal information from unauthorised access, destruction, use, modification, or disclosure, and protects against unauthorised activity resulting in the loss of availability of personal information. This includes evaluating the strength of passwords, the use of multi-factor authentication, encryption practices, account management and access controls, the security of hardware and software being used by the business, and network defences.

Once an audit report is complete, the business must certify to the CPPA that it has completed the required audit. The certification must be completed by a member of the business’s executive management team.

When a business must start completing cybersecurity audits depends on the business’s annual revenue.

Businesses with more than USD100 million in annual gross revenue in 2026 must comply with the new audit requirements by 1 April 2028. The audit should cover 1 January 2027 through 1 January 2028.

Businesses with annual gross revenue between USD50 million and USD100 million in 2027 must comply with the new audit requirements by 1 April 2029. The audit should cover 1 January 2028 through 1 January 2029.

Businesses with less than USD50 million in annual gross revenue in 2028 must comply with the new audit requirements by 1 April 2030. The audit should cover 1 January 2029 through 1 January 2030.

After 1 April 2030, businesses must complete an audit that covers the calendar year. The audit report must be completed by 1 April of the following year.

Risk assessments

Every business whose processing of consumers’ personal information presents significant risk to consumers’ privacy must conduct a risk assessment before initiating that processing. The following processing activities present a significant risk to consumers’ privacy:

  • selling or sharing personal information;
  • processing sensitive personal information;
  • using automated decision-making technology (ADMT) for a significant decision concerning a consumer;
  • using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behaviour, location, or movements, based on:
    1. a systematic observation of that consumer when they are acting in their capacity as an educational programme applicant, job applicant, student, employee, or independent contractor for a business, or
    2. the consumer’s presence in a “sensitive location”, such as a hospital, pharmacy, domestic violence shelter, or food pantry;
  • processing personal information that the business intends to use to train:
    1. an ADMT for a significant decision concerning a consumer;
    2. facial recognition technology;
    3. emotion recognition technology; or
    4. other technology that verifies a consumer’s identity or conducts physical or biological identification or profiling of a consumer.

The purpose of a risk assessment is to determine whether the risks to consumers’ privacy from the processing outweigh the benefits to consumers, the business, other stakeholders, and the public. The goal is to restrict or prohibit the processing of personal information if the risks to privacy outweigh the benefits of processing.

Risk assessments must be revisited at least once every three years, or whenever there is a material change relating to the processing activity, to ensure they remain accurate. Businesses must retain their risk assessment for as long as the processing continues or for five years after the completion of the risk assessment, whichever is later.

As with cybersecurity audits, certain information about risk assessments must be reported to the CPPA. For risk assessments conducted in 2026 and 2027, the business must submit the required information no later than 1 April 2028. For risk assessments conducted after 2027, the business must submit the required information no later than 1 April of the following year.

Automated decision-making technology

The new regulations impose additional obligations on businesses that use “automated decision-making technology”, or ADMT, to make a significant decision concerning a consumer. ADMT is defined as any technology that processes personal information and uses computation to replace, or substantially replace, human decision-making. A significant decision is one that results in the provision or denial of financial or lending services, housing, education enrolment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.

A business that uses ADMT to make a significant decision must provide consumers with a prominent and conspicuous pre-use notice. Among other things, the pre-use notice must include a link through which consumers can opt out of the business’s use of ADMT. There must be two or more methods to opt out of ADMT. When developing these methods, the business must consider how the consumer ordinarily interacts with the business. The method of opting out must be easy and require minimal steps.

In addition, a business must provide consumers with the following information upon request:

  • the specific purpose for which the business used ADMT;
  • information about the logic of the ADMT;
  • outcome of the decision-making process for the consumer, including how the business used the output of the ADMT to make a significant decision with respect to the consumer; and
  • notice that the business is prohibited from retaliating against consumers who make such requests.

Businesses must comply with these ADMT provisions by 1 January 2027.

California Has Increased Its Enforcement Activity

Since the CPPA’s creation in 2020, enforcement actions have steadily increased in both number and severity. For example, on 30 September 2025, the CPPA announced a record USD1.35 million fine against Tractor Supply. The CPPA alleged that Tractor Supply:

  • failed to maintain an adequate privacy policy notifying consumers of their rights;
  • failed to provide adequate privacy notices to consumers and job applicants;
  • did not implement effective opt-out mechanisms, including browser-based Global Privacy Control signals; and
  • lacked CCPA-compliant data sharing agreements with other companies.

In addition to the penalty, Tractor Supply was ordered to conduct quarterly scanning of digital properties, update its processes for handling opt-out requests, amend its third-party contracts, and have a senior officer or director certify its compliance with the CCPA annually for the next four years.

Soon after, on 11 February 2026, the California Attorney General announced a settlement of USD2.75 million with Disney. The Attorney General alleged that Disney did not have effective opt-out mechanisms. The opt-out toggle applied the request only to the specific streaming service the user was watching, and often only to the specific device being used. Webform opt-outs were not effective for embedded third-party tracking pixels. Global Privacy Control signals were honoured only on the device used to make an opt-out request rather than on all of the user’s devices. Based on Disney and other recent settlements, user opt-outs appear to be a high priority for the Attorney General.
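The Tractor Supply and Disney matters above both turn on the same engineering point: an opt-out (whether from a toggle, a webform or a browser’s Global Privacy Control signal) has to be resolved once, at the account level, and then applied to every third-party tag on every property and device. The JavaScript below is an added illustration of that pattern; it is not code from either company, from the regulators or from the authors. The tracker catalogue, account record shape and function names are assumptions; the only real identifiers are the `Sec-GPC` request header and `navigator.globalPrivacyControl`, which the Global Privacy Control specification defines.

```javascript
// Added example: resolving a "do not sell or share" opt-out once per account
// and applying it to every third-party tracker. Data shapes and names are
// assumptions for illustration, not taken from any company or regulator.

// Constructed catalogue of third-party tags a site might load. Tags marked
// "essential" (e.g. fraud prevention) are not sale/share and stay enabled.
// The URLs are placeholders.
const TRACKERS = [
  { id: "analytics-vendor", url: "https://example-analytics.invalid/tag.js", essential: false },
  { id: "ad-pixel",         url: "https://example-ads.invalid/pixel.gif",   essential: false },
  { id: "fraud-check",      url: "https://example-fraud.invalid/check.js",  essential: true  },
];

// Read the Global Privacy Control signal as a server sees it: the request
// header "Sec-GPC: 1" means opt-out; anything else means no signal.
function gpcFromHeaders(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Read the same signal as a browser script sees it, via navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Resolve a single opt-out state for the account. The decision is stored on
// the account record, not on the device or the individual service, so a
// signal received on one device is honoured on every other device and
// property, including ones whose client never sends the GPC header.
function resolveOptOut({ accountRecord, gpcSignal }) {
  const optedOut = accountRecord.optOutOfSaleOrShare === true || gpcSignal === true;
  const updated = { ...accountRecord, optOutOfSaleOrShare: optedOut };
  return { optedOut, accountRecord: updated };
}

// Apply the decision to the whole tracker catalogue in one place, so a
// webform or GPC opt-out cannot miss an embedded pixel.
function trackersToLoad(optedOut, trackers = TRACKERS) {
  return trackers.filter((t) => !optedOut || t.essential).map((t) => t.id);
}

// Worked run on constructed inputs: the user opts out via GPC on a laptop;
// a later request from a TV app that sends no GPC header still sees the
// opt-out because it was persisted on the account.
function demo() {
  let account = { userId: "user-123", optOutOfSaleOrShare: false };

  const laptopHeaders = { "Sec-GPC": "1", "User-Agent": "constructed-laptop" };
  let r = resolveOptOut({ accountRecord: account, gpcSignal: gpcFromHeaders(laptopHeaders) });
  account = r.accountRecord;
  const laptop = trackersToLoad(r.optedOut);

  const tvHeaders = { "User-Agent": "constructed-tv" };
  r = resolveOptOut({ accountRecord: account, gpcSignal: gpcFromHeaders(tvHeaders) });
  const tv = trackersToLoad(r.optedOut);

  return { laptop, tv }; // both: ["fraud-check"]
}
```

The design choice worth noting is that `resolveOptOut` writes the GPC-derived decision back to the account record. Honouring the signal only for the request that carried it is exactly the per-device behaviour described in the Disney settlement; persisting it is what makes the opt-out follow the user.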

The CPPA Also Implements and Enforces Laws Relating to Data Brokers

A “data broker” is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Data brokers must register with the CPPA on or before 31 January of each year.

Data brokers must register for California’s accessible deletion mechanism, referred to as “DROP” (Delete Requests and Opt-Out Platform). Data brokers must check the platform at least once every 45 days and then (i) process all requests and (ii) direct all service providers or contractors to delete the consumer’s personal information as well.

In addition, data brokers must make additional disclosures in their privacy policy. Namely, by 1 July 2026, data brokers must disclose:

  • the number of deletion requests received in the previous calendar year;
  • the number of requests complied with in the previous calendar year;
  • the number of requests denied in the previous calendar year, along with the reason(s) for the denial; and
  • the median and mean number of days that it took to respond to requests received during the previous calendar year.

Further, starting on 1 January 2028, and every three years thereafter, data brokers must undergo an audit by an independent third party to determine compliance with the data broker statutes.

Businesses Operating in California Are Also Facing a Wave of Litigation Relating to the Use of Third-Party Cookies and Tracking Technologies

The California Invasion of Privacy Act (CIPA) is a criminal statute enacted in 1967. In addition to criminal liability, it creates a private right of action for acts such as wiretapping, eavesdropping, and the use of a pen register. Enterprising attorneys have taken this law and applied it to new, web-based technologies, such as third-party cookies.

There are two primary theories. First, that the use of third-party cookies constitutes wiretapping, because the cookies read or attempt to read the contents of a communication between the website and its visitor without the visitor’s consent. Second, that the cookies or tracking technologies are “pen registers” because they are devices or processes that record electronic communications.

The courts have not treated these claims uniformly. However, a growing number of federal courts are allowing these claims to proceed, while state courts tend to be more sceptical.

CIPA imposes a fine of USD2,500 per violation. Typically, these suits are brought by individual plaintiffs and seek damages of approximately USD30,000. However, there is a risk of a class action, which could expose businesses to significant liability.

There have been several attempts by the legislature to limit these claims. Most recently, on 3 June 2025, the California Senate passed Senate Bill 690, which would create a “commercial business purpose” exception to CIPA. The bill is still active; it is in the committee process. Until this or a similar law is passed, many businesses are implementing new cookie practices, akin to the European standard, to reduce their risk of CIPA liability.

Buchalter LLP

655 West Broadway
Suite 1600
San Diego
California 92101
USA

+1 (619) 219 5335

+1 (619) 219 5344

cmorgan@buchalter.com www.buchalter.com/