The California Consumer Privacy Act (CCPA), as amended and effective January 1, 2026, brings the most detailed and sweeping changes since the law’s introduction. If you do business in California or handle Californians’ personal information, here’s what your company must know, and do, to avoid compliance risks.
Expanded Privacy Policy and Disclosure Requirements
The updated regulations demand detailed transparency:
- Expanded Privacy Policy: Companies must now include highly specific disclosures in their privacy policies, such as: categories of both personal and sensitive personal information collected, sources, purposes, retention periods and criteria, categories of third parties, business purposes, Automated Decision-Making Technology (ADMT) uses, and all consumer rights (including new ADMT rights and right to limit sensitive personal information use).
- Notice at Collection: Must be given at or before the point of personal information collection, describing the categories of personal information or sensitive personal information collected, the purposes, whether the information is sold and/or shared, the retention schedule or criteria, and a link to your privacy policy. This applies online and offline.
- Special Notices: Additional notices are required if you sell and/or share personal information (“Do Not Sell or Share” hyperlink), use and/or disclose sensitive personal information for non-exempt reasons (“Limit the Use” hyperlink), or offer financial incentives.
The New “Alternative Opt-Out Link”
- Instead of posting both a “Do Not Sell or Share My Personal Information” link and a “Limit the Use of My Sensitive Personal Information” link, you may use one consolidated link, “Your Privacy Choices” or “Your California Privacy Choices” with an approved opt-out icon in your website or mobile app’s header or footer.
- Clicking this consolidated link must bring consumers to a page explaining both the right to opt-out of sale and/or sharing and the right to limit sensitive personal information use, with simple, interactive tools to exercise both rights.
- This option improves usability but does not exempt you from processing Global Privacy Control (GPC) or opt-out preference signals.
- All online mechanisms must be easy, accessible, and avoid “dark patterns” (i.e., cannot use manipulative or confusing user interfaces).
ADMT: New Rights, Notices, and Risk Assessments
If your company uses ADMT, including profiling for significant decisions (e.g., employment, lending, housing, education, or healthcare), be aware of the following:
- Pre-use Notice: You must give affected consumers a special “Pre-Use Notice” at or before the point of collection for any personal information used in ADMT, explaining the logic, output, opt-out/right to access, non-retaliation, and alternatives if the consumer opts out.
- Opt-out and Access Rights: Consumers can request to opt out of ADMT (unless you use an approved human review process) or request detailed information about how ADMT impacted their case; this includes details about the logic, parameters, outputs, and any human involvement in the decision.
- Risk Assessment: You must conduct and submit to the California Privacy Protection Agency (CPPA) thorough risk assessments before using ADMT for significant decisions or processing sensitive personal information for profiling, with stakeholder involvement, documentation, and periodic review.
- Deadlines: Existing uses of ADMT must be compliant by January 1, 2027.
Cybersecurity Audits and Written Security Programs
- Mandatory Security Programs: All businesses collecting personal information must maintain “reasonable security procedures and practices.” The 2026 regulations require written technical and organizational security controls, including multi-factor authentication, access controls, inventorying, vendor management, and regular testing.
- Annual Independent Cybersecurity Audits: Businesses meeting specific thresholds (by size or risk) must undergo independent cybersecurity audits (internal or external) covering all technical, administrative, and organizational security measures, with a formal report and executive certifications submitted to the CPPA.
- Retention and Executive Certification: Audit reports must be kept for five years. Annual, signed executive certification of audit completion is due to the CPPA by April 1.
Data Minimization, Purpose Limitation, and Record-Keeping
- Data Minimization: You may only collect, use, retain or share the minimum personal information or sensitive personal information that is reasonably necessary and proportionate to the specific, disclosed purposes. You must justify and document all purposes and retention periods.
- Comprehensive Record-Keeping: Retain records of consumer rights requests and your responses for at least 24 months. Very large businesses (i.e., those that collect the personal information of 10 million or more consumers per year) must publish annual request metrics.
New Consumer Request Channels and Requirements
- Multiple Request Methods Required: Most businesses must provide at least two methods for submitting requests to know, delete, correct, opt-out, and (if applicable) opt-out of ADMT or to limit sensitive personal information use, including a toll-free number and online mechanism.
- Strict Deadlines: Confirm all rights requests within 10 business days, and fulfill fully within 45 calendar days (up to 90 additional days, if necessary, with notice).
- Verification and Transparency: All verification processes must be documented, proportionate, and not impose undue burden; special rules apply for ADMT access requests.
Service Provider and Third-Party Contracts
- Required Contract Provisions: Contracts with service providers, contractors, and third parties must meet detailed new standards: specific purposes (not generic), privacy obligations, no use for other purposes, full cooperation with your cybersecurity audits and risk assessments, and must ensure pass-down of these obligations to any subcontractors.
Training and Large-Scale Metrics
- Annual Training: Everyone who handles consumer requests or privacy compliance must receive up-to-date training on the regulations and their requirements.
- Annual Metrics (for companies that collect 10 million or more consumers’ personal information): Large companies must publish the prior year’s statistics on requests to know, delete, correct, access ADMT, opt-out, limit sensitive personal information, and how fast they responded.
What Should Organizations Do Now?
The updates are coming and it’s time to act. Here’s what you can do:
- Audit All Notices and Privacy Policy: Review and update all consumer-facing notices and your website Privacy Policy to confirm compliance with all new content, accessibility, language, and user-experience requirements.
- Review Data Practices: Re-assess why you collect, use, share, or retain any category of personal information or sensitive personal information and update documentation.
- Implement a “Your Privacy Choices” Landing Page (if using the consolidated link).
- Assess Use of Automated Decision-Making: Update processes and prepare to provide new notices, risk assessments, opt-out, and access rights if ADMT is used for significant decisions.
- Formalize Your Security and Compliance Program: Write and maintain new audit, training, and record policies; ensure vendor contracts will meet all regulatory requirements.
2026 is the year comprehensive, user-focused, and risk-aware privacy compliance becomes mandatory in California. Review your policies, tech, staff, and contracts; change is here, and the enforcement authority now has greater resources and reach than ever before.