The California Privacy Protection Agency approved new regulations under the California Consumer Privacy Act (CCPA) in September 2025, which became effective January 1, 2026. These regulations reinforce consumer autonomy and meaningful consent, while adding compliance requirements relating to cybersecurity audits, risk assessments and the use of automated decision-making technology (ADMT). In our latest data privacy alert, we recap the updated regulations that may affect how any entity that conducts business in California assesses and manages its data privacy and ADMT practices.

Broader Definition of Sensitive Personal Information

The definition of “sensitive personal information” has been expanded to include a consumer’s neural data. Reflecting the California Privacy Protection Agency’s (“the Agency”) concern about emerging technologies that can reveal intimate insights about a consumer, neural data is defined as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system.”

Personal information that a business has collected from a consumer under the age of 16 now also constitutes sensitive personal information. Therefore, as of Jan. 1, 2026, if a business collects personal data such as date of birth or age when individuals create an account, purchase products, or use content personalization or other access points on the business’s website, that collection may indicate that the business is aware it is collecting the sensitive personal information of consumers under the age of 16.

Because of this expanded definition, businesses may need to analyze the purposes for which they process such information. If the processing goes beyond what is expressly permitted, the business will be required to amend its privacy notices to disclose the nature of the processing and to provide an opt-out mechanism that lets consumers limit the collection or use of sensitive personal information associated with users under age 16.

Expanding the Scope of Rights

Under the revised regulations, a consumer’s “right to know” is no longer limited to a 12-month look-back period. If a business retains a consumer’s personal information for longer than 12 months, it must provide a method for consumers to request information collected before that 12-month period, except for personal information collected prior to January 1, 2022. To comply with this requirement, a business may ask consumers to specify a date range for their request or offer the ability to request all personal information the business has collected about them.

Consumer Consent and Dark Patterns

The new regulations provide additional guidance on obtaining meaningful, informed consumer consent that offers symmetry in choice and avoids the use of dark patterns. For cookie, pixel or other tracking consent purposes, one of the major changes is that closing or navigating away from a pop-up window that requests consent, without clicking a button similar to “I Accept,” does not constitute consent.

Some other explanatory examples cited in the updated regulations echo fair information privacy principles and target dark patterns, including:

  • Wherever a business offers a link for consumers to learn more about opting in to the selling or sharing of personal information, the number of steps required to submit an opt-out request should be the same as or fewer than the number of steps required to opt in.
  • A choice to opt in that only provides two options – “Yes” and “Ask Me Later” – is not valid because it is not symmetrical and does not provide the consumer the opportunity to decline to opt in.
  • A choice where the “Yes” button is highlighted more clearly by being larger in size or in a brighter color than the “No” button is not acceptable.
  • A choice is neither symmetrical nor permitted where the option to participate in a financial incentive program is selected by default or is made more visible through a bigger font size or a different color.
  • Any choice driven by a false sense of urgency is not permissible.

The key here is not only to make the consent language easy to understand and avoid misleading statements or omissions, but also to optimize consumer autonomy and transparency in how consent is obtained.

Opt-Out Requirements

There have been several updates to the regulations on the timing of opt-out requests and business responses. A business must confirm that an opt-out request for the selling and sharing of personal information has been processed, regardless of whether the request arrived through a cookie banner, a link or a universal opt-out signal such as the Global Privacy Control. One way a business can meet this requirement is to display an “Opt-Out Request Honored” message on its website or in the privacy settings immediately after the request is processed.
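The two behaviors described above (a dismissed consent banner is not consent, and a universal opt-out signal must be honored and confirmed) are easy to get wrong in consent-management code. The following is an added illustration written for this alert, not code from the regulations or from any consent-management vendor. It models the client-side consent state for a site that sells or shares personal information, reads the Global Privacy Control signal from the real `navigator.globalPrivacyControl` property and the `Sec-GPC: 1` request header, and records the confirmation message. The function names, the state-object shape and the sample inputs are this example’s own assumptions.

```javascript
// Added example: consent and opt-out state handling for a site that sells or
// shares personal information. Names and state shape are assumptions made
// for this illustration; only navigator.globalPrivacyControl and the
// Sec-GPC header are real, published browser/HTTP signals.

const CONFIRMATION = "Opt-Out Request Honored";

// Fresh state: optIn is null ("no decision"), which must be treated the same
// as "no consent" for anything that needs an affirmative opt-in.
function newConsentState() {
  return { optIn: null, optedOut: false, confirmation: null, source: null };
}

// Handle an explicit user action on the consent banner. Only an affirmative
// "accept" click yields consent; "decline" is an opt-out and must be
// confirmed; closing the banner, navigating away or a timeout leaves the
// state unchanged, because dismissal is not consent.
function handleBannerEvent(state, event) {
  switch (event) {
    case "accept":
      return { ...state, optIn: true, source: "banner" };
    case "decline":
      return { ...state, optIn: false, optedOut: true, source: "banner",
               confirmation: CONFIRMATION };
    case "close":
    case "navigate_away":
    case "timeout":
      return { ...state }; // no change: not consent, not a decision
    default:
      throw new Error("unknown banner event: " + event);
  }
}

// Client side: GPC is exposed as a boolean on navigator. Anything other than
// the literal boolean true (undefined, "1", null) is treated as "no signal".
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Server side: the same signal arrives as the "Sec-GPC" header whose value
// must be exactly "1". Header names are case-insensitive.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// A universal opt-out signal overrides any earlier banner "accept" for
// selling/sharing and must produce the confirmation shown to the consumer.
function applyOptOutSignal(state, signalPresent) {
  if (!signalPresent) return state;
  return { ...state, optedOut: true, source: "gpc", confirmation: CONFIRMATION };
}

// The only question the tag manager should ask before firing a sale/share
// pixel: an opt-out wins over everything, and null (no decision) is "no".
function maySellOrShare(state) {
  if (state.optedOut) return false;
  return state.optIn === true;
}

// Walk one constructed session through the model and return the trace so
// the outcome of each step can be inspected or asserted.
function demoSession() {
  // Constructed inputs: a browser with GPC enabled and the matching request.
  const fakeNavigator = { globalPrivacyControl: true };
  const fakeHeaders = { "Sec-GPC": "1", "User-Agent": "example" };

  let s = newConsentState();
  const afterClose = maySellOrShare(handleBannerEvent(s, "close"));   // false
  s = handleBannerEvent(s, "accept");
  const afterAccept = maySellOrShare(s);                              // true
  const signal = gpcFromNavigator(fakeNavigator) || gpcFromHeaders(fakeHeaders);
  s = applyOptOutSignal(s, signal);
  return { afterClose, afterAccept, afterGpc: maySellOrShare(s),
           confirmation: s.confirmation, source: s.source };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demoSession());
}
```

The important design choice is that `optIn` has three values, not two: `null` means the banner was shown but no decision was made, and `maySellOrShare` treats that exactly like a decline. A banner implementation that initializes consent to `true` and only flips it on an explicit “No” would violate the rule that dismissal is not consent.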

Another key element in the updated regulations is the timing of notice. A consumer must receive notice before or at the time personal data is collected. For instance, under the new CCPA regulations, a business that sells or shares personal information it collects through connected devices (e.g., smart TVs or smart watches), through an augmented or virtual reality gaming device, or through a mobile application must provide notice before or at the time the device collects personal information, or before or at the time the consumer enters or encounters the business within the virtual reality environment. Businesses therefore need to plan not only the content of their privacy notices, but also how the notices are delivered, ensuring that device design and user experience present the notice at a meaningful point of interaction.

Automated Decision Making

The new regulations also establish obligations on a business’s use of ADMT, defined as technology that processes personal information and uses computation to replace or substantially replace human decision-making. By January 1, 2027, a business that uses ADMT to make decisions about financial or lending services, housing, education enrollment or opportunities, employment or compensation, or health care services will have to meet various requirements. For example, the business must provide a pre-use notice, at or before the time the ADMT is used, that states, among other things, the purposes for which the business plans to use the ADMT, a description of the consumer’s right to opt out of ADMT, the consumer’s right to request access, and additional information on how the ADMT works.

Cybersecurity Audits

The Agency will now require businesses whose processing of consumers’ personal data poses a significant risk to consumers’ security to conduct annual cybersecurity audits. Compliance deadlines fall between 2028 and 2030, with phased completion dates based on the business’s annual gross revenue for the relevant preceding year:

  • April 1, 2028: For businesses making over $100 million.
  • April 1, 2029: For businesses making between $50 million and $100 million.
  • April 1, 2030: For businesses making less than $50 million.

The cybersecurity audit must be conducted by a qualified internal or external auditor and will cover areas such as the components of the business’s cybersecurity program, authentication, encryption of personal information at rest and in transit, and account management and access controls.

Risk Assessment

Any business whose collection or processing of personal data poses a significant risk to consumers’ privacy must conduct a risk assessment. Data practices such as selling or sharing personal information (including for targeted behavioral advertising), processing sensitive personal information, or using ADMT for a significant decision concerning a consumer can trigger the risk assessment obligation. Depending on when the activity first began, risk assessment reports may need to be submitted to the Agency by December 31, 2027, or by April 1, 2028, and annually thereafter.

Conclusion

The latest CCPA regulations signal heightened regulatory expectations. These compliance requirements provide guidance on how privacy should function in real time as consumers interact with business products, services and websites. Therefore, businesses will need to carefully examine how these changes affect their privacy notices, consent management tools and internal data flows.

For help determining how the new CCPA regulations may impact your business, please contact Chiara Portner or Bushra Samimi, or your regular Lathrop GPM attorney.