As has often been the case in recent years, California enacted a bevy of new data privacy and AI bills into law in 2025. This note reviews the highlights of the 2025 legislative session and discusses several of these new laws, many of which will become effective in the new year:

  • SB 446 (modifying data breach notification) effective January 1, 2026
  • AB 45 (health and location data) effective January 1, 2026
  • AB 566 (mandating browser opt-out preference signals) effective January 1, 2027
  • AB 1043 (digital age assurance) effective January 1, 2027
  • AB 656 (governing social media account deletion procedures) effective January 1, 2026
  • SB 361 (regulating data brokers) effective January 1, 2026

These and other newly enacted privacy laws, along with significant recent AI legislation and newly finalized rules on automated decision-making tools, cybersecurity audits and risk assessments, and active enforcement by the newly rebranded California Privacy Protection Agency—now also known as CalPrivacy—continue the trend of adding detailed and prescriptive requirements to the Golden State’s already complex privacy and data regulatory landscape.

SB 446: Data Breach Notification

SB 446 amends California’s data breach statute. Existing law imposed a requirement on businesses that experience a data security incident involving the data of California residents to disclose the incident to such individuals expediently. SB 446 fixes a definite timeline for such disclosures; businesses suffering a data breach must now notify California residents within 30 days of discovering the breach.

Additionally, SB 446 clarifies that, in instances where 500 or more California residents are notified, the business must also notify the California Attorney General, providing a sample of the individual notice, within 15 days of the notification to the individuals. The new requirements will become effective on January 1, 2026.

Organizations should take steps to account for SB 446’s stricter timing requirements on data breach notifications. By reviewing and updating their playbooks and incident response processes to align with the new requirements, businesses can ensure compliance with the new law.

AB 45: Health and Location Data

AB 45 expands privacy protections around reproductive health, targeting geofencing and data sharing near clinics. It amends existing law to prohibit the collection, use, disclosure, sale, sharing, or retention of personal information of any natural person located at, or within the precise geolocation of, a family planning center, except as necessary to provide requested goods or services.

AB 45 also introduces limits on geofencing practices, prohibiting the use of geofencing technology around in-person health care facilities for tracking, identifying, collecting personal information from, or sending targeted ads or notifications to individuals seeking, receiving, or providing health care services. The law exempts facility owners who use geofencing for their own operations, certain research uses, and some labor organization activities, if consent is obtained for collection of personal information. Covered entities and business associates, as defined under the federal Health Insurance Portability and Accountability Act, will also be exempt.

AB 45 establishes a private right of action allowing individuals to sue for violations of the provisions relating to the collection, use, disclosure, sale, sharing, or retention of personal information. Plaintiffs can recover treble damages, as well as costs and attorney fees. The law specifically empowers family planning centers to bring actions for violations. The California Attorney General may bring a civil action for violations of the geofencing provisions, seeking up to $25,000 per violation.

AB 566: Opt-Out Preference Signals

Effective January 1, 2027, AB 566, or the “California Opt Me Out Act”, amends the California Consumer Privacy Act (“CCPA”) to require businesses that develop or maintain a web browser to include among the browser’s features the ability to send an opt-out preference signal to businesses with which the California resident interacts through the browser. The feature must be easy for a reasonable person to locate and configure.

Opt-out preference signals, which include Global Privacy Control signals, allow users to communicate to website operators a request to not sell their personal information, share it for cross-context behavioural advertising, or use it for targeted advertising purposes. This technology enables users to communicate their privacy preferences to any website they visit, without having to click through banners or menus on each individual website.

Many state privacy laws, including the CCPA and the privacy laws of Colorado, Connecticut, Oregon, Texas, and other states, already require businesses to recognize opt-out preference signals, and signals transmitted via universal opt-out mechanisms. Users have typically needed to download a browser extension or use certain browsers to be able to transmit such signals. AB 566 leverages California’s prominence in the software industry, and is the first law essentially to mandate that all browsers include opt-out preference signal capabilities. AB 566 also requires companies that develop or maintain browsers to explain in public disclosures how the opt-out preference signal works and its intended effect.

AB 1043: Digital Age Assurance Act

AB 1043 will impose new age verification requirements for digital businesses starting from January 1, 2027. The new obligations will apply to “operating system providers” (who develop, license, or control the operating systems on a computer, mobile device, or other general purpose computing device), “covered applications stores” (publicly available internet websites, software applications, online services, or platforms that distribute and facilitate the download of applications from third-party developers to users), and “developers” (who own, maintain, or control an application).

These requirements vary depending on the respective roles. Operating system providers must provide an accessible interface for age indication and supply age bracket signals to developers upon request. They are prohibited from sharing age signals with third parties for purposes not required by the Act and must minimize data sharing. Application developers, upon receiving an age signal, are deemed to have actual knowledge of the user’s age range and must treat this as the primary indicator unless clear and convincing evidence suggests otherwise. Developers are also restricted from requesting more information than necessary or sharing age signals with third parties. Unlike some other state age assurance laws, AB 1043 does not require formal age verification (such as government-issued ID) or parental consent for app downloads.

The California Attorney General will enforce AB 1043, with statutory penalties of up to $2,500 per affected child for negligent violations and $7,500 for intentional violations. AB 1043 does not provide a private right of action.

AB 656: Social Media Account Deletions

Effective January 1, 2026, AB 656 will require covered social media platforms to make it easier for users to delete their accounts. Social media platforms that generate more than $100m per year in gross revenue will need to provide a clearly labeled “Delete Account” button in the platform’s settings menu. Upon clicking the “Delete Account” button, the user must be led to clear instructions of the steps to complete an account deletion request. If verification is used as part of the deletion process, such verification must be cost-effective and easy-to-use. Dark patterns may not be used to obstruct or interfere with a user’s attempt to delete their account; the statute invokes the CCPA’s definition of “dark patterns”—i.e., any user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice, as further expounded upon by CalPrivacy’s CCPA regulations. AB 656 establishes that a request to delete one’s social media account is considered a deletion request under the CCPA and is therefore subject to the deadlines and processes set out for consumer requests in the CCPA.

SB 361: Regulating Data Brokers

SB 361 imposes new requirements on “data brokers,” which California law defines as a business that “knowingly collects and sells to third parties the personal information of California residents with whom the business does not have a direct relationship.”

Every year, data brokers must register with and pay fees to CalPrivacy. Effective January 1, 2026, SB 361 will require data brokers to provide more information to CalPrivacy with their annual registration, including whether the data broker collects each type of sensitive personal information, as defined in the CCPA, and whether they have shared California residents’ data with a foreign actor, the U.S. federal government, U.S. state governments, law enforcement, or a developer of a generative AI system. Foreign actor includes governments of, and companies organized under the laws of, a foreign adversary country (including e.g. China). Although SB 361 bars CalPrivacy from publishing certain registration information publicly — such as whether the data broker collects consumers’ names, dates of birth, zip codes, email addresses, or phone numbers — other information may be shared or made publicly accessible.

Although SB 361 does not restrict data brokers from selling personal information to foreign actors, federal regulations do. In particular, the federal Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”) and U.S. Department of Justice’s Final Rule on Protecting Americans’ Sensitive Data from Foreign Adversaries (the “Final Rule”) generally prohibit sharing Americans’ sensitive data, a term which both PADFA and the Final Rule define broadly, with foreign adversary countries and entities under their control. Thus, bearing in mind that CalPrivacy is not prohibited from publishing whether a data broker shares California residents’ data with foreign actors, data brokers that state in their annual submissions to CalPrivacy that they sell California residents’ personal information to foreign actors may invite federal regulatory scrutiny.

Relatedly, CalPrivacy adopted regulations establishing the Delete Request and Opt-Out Platform (“DROP”). The new tool, which will go live on January 1, 2026, will provide consumers a centralized mechanism to request data brokers to delete their personal information pursuant to the Delete Act. Beginning August 1, 2026, data brokers will be required to access DROP at least every 45 days to process deletion requests. Violations of the Delete Act carry a fine of $200 per deletion request for each day the data broker fails to delete information.

Although SB 361 and the Delete Act regulations apply directly to data brokers, businesses should be aware of the law’s potential wider impacts. For one, all businesses that share personal data with third parties should work with outside counsel to assess whether these activities bring them within the ambit of SB 361 and other data broker laws. Businesses should also refresh their vendor diligence and procurement processes to account for SB 361 and other new data broker laws.

Next Steps

As these new requirements become effective, it will be essential for businesses to add data privacy compliance to their list of New Year’s resolutions. Businesses should assess their data collection and sharing practices, update public disclosures, and ensure technical solutions are in place to meet consumer privacy requests efficiently and transparently. By embracing these regulatory changes, companies can ring in 2026 by building trust with consumers, and avoiding scrutiny from enforcement agencies and plaintiffs’ counsel.

Authors

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.

Cynthia J. Cole is a partner in Baker McKenzie’s Commercial, Technology and Transactions and Data and Cyber practices, and co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Jonathan Tam is a partner in the San Francisco office focused on global privacy, advertising, intellectual property, content moderation and consumer protection laws. He is a qualified attorney in Canada and the U.S. passionate about helping clients achieve their commercial objectives while managing legal risks. He is well versed in the legal considerations that apply to many of the world’s cutting-edge technologies, including AI-driven solutions, wearables, connected cars, Web3, DAOs, NFTs, VR/AR, crypto, metaverses and the internet of everything.

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.