
2026 CCPA Amendments: New Privacy Rules in California

Written by Matt Davis, CIPM (IAPP) | November 4, 2025

They say the only two certainties in life are death and taxes. Humbly, we’d like to propose a third: New California privacy rules. 

Going into effect January 1, 2026, the new rules package for the CCPA adjusts key elements of privacy compliance in the Golden State. Some of these changes are minor; others are major shifts.  

Understanding them and how they apply to your privacy program is essential if you want to stay compliant in California, which is fast earning a reputation as the most aggressive enforcer of privacy law in the US. Let’s jump in. 

TL;DR: What’s New and What’s Been Updated? 

The recent rule changes introduced some new requirements to the CCPA and tweaked existing requirements. The lists below summarize the changes. 

New Requirements 

  • Cybersecurity Audits: Companies meeting certain thresholds will need to conduct mandatory cybersecurity audits and submit a certification of completion to the California Privacy Protection Agency (CPPA) annually. 
  • Risk Assessments: Businesses must conduct assessments prior to any “high-risk” processing activity and submit an annual summary report to the CPPA. 
  • Automated Decision-Making Technology (ADMT): Businesses using ADMT to make “significant decisions” about consumers must meet additional requirements. 

Updates 

  • Data from minors under 16 years old is now sensitive personal information (PI). 
  • Businesses offering mobile apps, connected devices, and/or augmented reality (AR) or virtual reality (VR) devices must meet transparency requirements. 
  • Businesses must provide a means for consumers to confirm their opt-out and/or limitation requests have been processed. 
  • Consumers can now request that a business confirm the details of sensitive PI it has processed. Note that this requirement may pose security risks. 
  • Businesses must now honor authorized agent requests even if they require the data subject to verify their identity directly first. 
  • Prohibitions against the use of dark patterns have been clarified. 
  • The CCPA now applies to entities covered by the California Insurance Code—though data they handle that is already covered by the California Insurance Code is still exempt. 

It's important to note that this article doesn’t cover each and every change made in this latest round of amendments. Many changes are minor, apply only in specific circumstances, or merely clarify. When building a privacy program to enable compliance, it is essential to consult a privacy and/or legal professional. 

Lastly, while most of these requirements go into effect January 1, 2026, certain complex requirements have staggered dates. We cover the timelines associated with all of these new amendments later on in this article. 

New Requirements 

Cybersecurity Audits 

You’ll need to comply with the CCPA’s new cybersecurity requirements if your organization: 

  • Earns 50% of its annual revenue from selling/sharing PI 
  • Earned over $26,625,000 in gross revenue the past year and either 1) processed the PI of more than 250,000 consumers or 2) processed the sensitive PI of more than 50,000 consumers 

Under this requirement, your organization will need to undergo a cybersecurity audit by an independent auditor. That auditor can be an internal one, so long as they report to an executive without cybersecurity responsibilities, among other requirements to ensure their independence. 

The rules set out 18 categories of information the auditor must assess, including the inventory and management of PI; oversight of service providers, contractors, and third parties; access controls; and similar cybersecurity factors. 

You must also submit an annual certification to the CPPA summarizing certain information from the audit and signed (under penalty of perjury should the certification be found inaccurate) by a member of your organization’s executive management team.  

Risk Assessments 

While privacy impact assessments were already a requirement in the CCPA, now businesses must conduct risk assessments for activities that present a significant risk to consumers. Covered activities include: 

  • Selling or sharing PI 
  • Processing sensitive PI (now inclusive of the data of under-16-year-olds) 
  • Using ADMT to make a significant decision about a consumer 
  • Certain profiling activities 
  • Processing data for the purpose of training an ADMT 
  • Using facial recognition, emotional recognition, or other technologies that verify a consumer’s identity or profile them 

The amendments also include a catch-all requirement to conduct assessments for any activity that could pose significant risk to consumers’ privacy rights. So, when in doubt, err on the side of conducting an assessment beforehand. 

Similarly to cybersecurity audits, businesses must submit a summary annually to the CPPA. This needs to include: 

  • The business’s name and a point of contact’s name, phone number, and email address 
  • The time period covered by the submission 
  • The number of risk assessments covered by the summary 
  • Whether the assessment covered the processing of PI under the CCPA 
  • A signed attestation  
  • The name and title of the person submitting the information and the date 

Additionally, the person submitting the certification must be a member of your business’s executive management team, and their signature places them under penalty of perjury should the summary be inaccurate. 

Even though you only have to submit a summary to the CPPA, you’ll want to hold onto your risk assessments; regulators have the power to request to see any individual risk assessment you certified completing. The law states you must hold onto your assessments either for five years or until the processing activity ends—whichever is longer. 

Automated Decision-Making Technology (ADMT) 

If your business uses ADMT to make decisions about providing financial services, housing, education enrollment, employment or independent contracting, or healthcare services, then you’ve met the standard for making a “significant decision” about consumers under the CCPA. 

That means you need to provide a notice about your organization’s use of ADMT before making the decision. This should include the consumer’s right to opt out of the use of ADMT and access information about its use. Accordingly, you also have to honor consumers' opt-out requests and tell them about the purpose, method of processing, and decision-making outcome associated with your use of ADMT upon consumers’ request. You also must grant consumers the option to appeal the results of ADMT. 

As described previously, you’ll need to run a risk assessment if you use ADMT for significant decisions or if you train ADMT to make such decisions using PI. 

Lastly, if you process the PI of at least 10 million consumers, you’ll need to disclose on your website how many ADMT opt-out or access requests you received, complied with, and denied. 

Updated Requirements 

Sensitive Personal Information Update 

The new amendments adjust the definition of sensitive PI to include data from consumers under 16 years of age—that is, so long as your organization has actual knowledge of the consumers’ age. So, if you have an age gate on your website or app, you’ll be considered to have actual knowledge of a consumer’s age.  

This update has an interesting intersection with California’s Digital Age Assurance Act as well. Under the Digital Age Assurance Act, operating system and app store developers must ask consumers for age information during account creation. Then, app developers must request that information from the operating system and app store developer when their app is downloaded or launched. If you’re an app developer, this means you’ll have actual knowledge of a consumer’s age, even if you didn’t want to know their age in the first place. 

This update means that you’ll need to provide and honor requests to limit the use of sensitive PI from users under the age of 16, among the CCPA’s other requirements around sensitive PI, like risk assessments.  

Transparency Requirements 

If you provide a mobile app, you’ll need to ensure that your organization’s privacy policy is accessible from both the app’s download page and within the app's settings menu. 

If you collect data from a connected device, an augmented reality (AR) device, and/or a virtual reality (VR) device, then you’ll also have additional transparency requirements. Specifically, you’ll need to provide consumers with notices about their rights to opt out of sale/sharing and to limit the use of sensitive PI before the collection begins. 

Opt-Out Signaling 

When consumers opt out of the sale or sharing of their PI, you’ll now need to display a signal indicating that the request has been processed. You could, for example, display a banner reading “Opt-Out Request Honored” on your website.  

Importantly, this also applies to opt-out requests received through universal opt-out mechanisms like the Global Privacy Control (GPC), since it can be unclear to users whether you’ve processed such signals or not. 

[Figure: An example of what a compliant opt-out indicator could look like under the new amendments.]
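The following is an added example, not code from the article or from Osano, of how a site might treat a GPC signal as an opt-out of sale/sharing and surface an "Opt-Out Request Honored" indicator only after the request has actually been applied. It assumes the two standard carriers of the GPC signal (the Sec-GPC request header on the server side and navigator.globalPrivacyControl in the browser); the banner text, the vendor configuration shape and the stored-choice values are illustrative choices of this example.

```javascript
// Added example (not from the article or Osano): honoring a Global Privacy
// Control signal as an opt-out of sale/sharing and showing a confirmation
// indicator once the opt-out has been processed.
// Assumptions: Sec-GPC header and navigator.globalPrivacyControl carry the
// signal; indicator text and vendor config fields are illustrative.

const OPT_OUT_HONORED_TEXT = 'Opt-Out Request Honored';

// A GPC signal can be observed in two places: the Sec-GPC request header
// (server side, value "1") or navigator.globalPrivacyControl (client side).
function gpcSignalPresent({ secGpcHeader, navigatorGpc } = {}) {
  if (secGpcHeader !== undefined && String(secGpcHeader).trim() === '1') return true;
  return navigatorGpc === true;
}

// Decide the consumer's sale/sharing status for this request. A GPC signal is
// treated as an opt-out request even when a prior on-site choice was "allow";
// an explicit opt-out stored from the site's own controls also counts.
function resolveSaleSharingStatus({ storedChoice, secGpcHeader, navigatorGpc } = {}) {
  if (gpcSignalPresent({ secGpcHeader, navigatorGpc })) {
    return { optedOut: true, source: 'gpc' };
  }
  if (storedChoice === 'opt-out') {
    return { optedOut: true, source: 'explicit' };
  }
  return { optedOut: false, source: storedChoice === 'allow' ? 'explicit' : 'none' };
}

// Translate the decision into the flags passed to tags/ad-tech. Done before
// the indicator is rendered, so "honored" is never displayed prematurely.
function vendorConfigFor(status) {
  return {
    allowSaleSharing: !status.optedOut,
    allowCrossContextAds: !status.optedOut,
  };
}

// Build the visible indicator. Returns null when there is nothing to confirm.
// The GPC variant tells the consumer that their browser signal was applied,
// which is the ambiguity the amendments are addressing.
function buildOptOutIndicator(status) {
  if (!status.optedOut) return null;
  const detail = status.source === 'gpc'
    ? "Your browser's Global Privacy Control signal was detected and applied."
    : 'Your request has been applied to this browser.';
  return `<div role="status" aria-live="polite" class="opt-out-indicator">` +
    `${OPT_OUT_HONORED_TEXT}: ${detail}</div>`;
}

// Browser entry point. No-op outside a browser so the module also loads in
// Node; storedChoice would normally come from the consent cookie.
function applyInBrowser(storedChoice) {
  if (typeof document === 'undefined' || typeof navigator === 'undefined') return null;
  const status = resolveSaleSharingStatus({
    storedChoice,
    navigatorGpc: navigator.globalPrivacyControl,
  });
  const config = vendorConfigFor(status);
  const html = buildOptOutIndicator(status);
  if (html) document.body.insertAdjacentHTML('afterbegin', html);
  return { status, config };
}

// Stand-alone demonstration with a constructed request: prior choice "allow"
// but the browser sends Sec-GPC: 1, so the opt-out wins and is confirmed.
const demoStatus = resolveSaleSharingStatus({ storedChoice: 'allow', secGpcHeader: '1' });
console.log(vendorConfigFor(demoStatus));
console.log(buildOptOutIndicator(demoStatus));
applyInBrowser('allow');
```

The important ordering is in `applyInBrowser`: the vendor configuration is derived from the status first and the indicator is rendered afterwards, so the confirmation reflects a processed request rather than a pending one.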

Confirmation of Certain Sensitive Personal Information 

Businesses must confirm certain types of sensitive PI in requests to access or correct. For example, if a consumer wants to know if you have an accurate Social Security number, driver’s license, financial account number, or other sensitive PI on file, you cannot disclose this information directly to the consumer.  

Instead, the consumer must verify their identity, present the accurate sensitive PI, and ask for confirmation. As an example, a consumer might call your organization’s toll-free phone number, provide some identification, and read out their Social Security number to confirm that you have the accurate number on file. 

Note that meeting this requirement poses a security risk—an identity thief could attempt to impersonate a consumer and use this method to determine whether they have stolen accurate information. 

Authorized Agent Clarifications 

Businesses can require consumers to verify their own identities or directly confirm that they’ve authorized the agent to submit a subject rights request on their behalf. But now, they are explicitly not permitted to have consumers resubmit requests themselves. 

Dark Pattern Clarifications 

Several portions of the amendments clarify the CCPA’s prohibition against dark patterns. 

For example, say you present a banner on your website asking consumers to opt into data collection. If they close the banner without selecting an affirmative button, then the amendments explicitly state that this does not count as an opt-in.  

You also cannot color a “yes” button differently from a “no” button, make one a different size than the other, or otherwise nudge consumers to opt in rather than opt out.  

And if a consumer chooses to opt in, then it must be equally easy or easier for them to opt out. For example, if a consumer must click two buttons to opt into the sale or sharing of PI, then it must take two clicks or fewer to opt out of that processing later. 

This may all seem fairly nitpicky, but if you make a good-faith effort to generally avoid influencing consumers to take one action over another in regard to their data privacy rights, you’ll be well on your way to compliance. 

Insurance Company Applicability

Lastly, any entity subject to the California Insurance Code is defined as an "insurance company" under the CCPA. Accordingly, they must comply with the CCPA for any data they handle that is not already subject to the California Insurance Code.

Timeline 

With a few exceptions, these amendments go into effect on January 1, 2026. Some of the more onerous requirements come into effect later on.  

Businesses must complete cybersecurity audits and submit their annual certifications to the CPPA by certain dates, depending on their gross revenue: 

  • April 1, 2028, if the business makes over $100 million 
  • April 1, 2029, if the business makes between $50 million and $100 million 
  • April 1, 2030, if the business makes less than $50 million 

Risk assessments and associated submissions to the CPPA are staggered based on when the covered activities began.  

  • Activities that took place before January 1, 2026, must be assessed before December 31, 2027, and submissions must be made before April 1, 2028.  
  • After January 1, 2026, all covered activities must be assessed before they begin (not retroactively).  
  • For covered activities that take place between 2026 and 2027, submissions must be made by April 1, 2028.  
  • After that point, all risk assessment submissions must be made by April 1 the following year. 

Requirements associated with ADMT begin January 1, 2027. 

Make use of these delayed effective dates to get prepared! Standing up an assessment process, conducting cybersecurity assessments, and rejiggering your ADMT program are going to be complicated endeavors that take time. 

Action Plan: What to Do to Support Compliance with the New Amendments 

In addition to your existing privacy program, here’s what you need to focus on in order to set the groundwork for CCPA compliance given these new amendments. 

Start Preparing for Cybersecurity Audits 

There’s a reason why this requirement kicks in starting 2027. Running comprehensive audits of all the criteria enumerated in the CCPA is difficult in and of itself—and the vulnerabilities uncovered by those audits need to be acted on. Don’t wait: Put this requirement on your cybersecurity team’s radar or start hiring cybersecurity professionals now. And if you’re just slightly under the thresholds where this requirement kicks in, it’s still prudent to prepare. You may grow and become eligible in the coming years. 

Prioritize Consent and Subject Rights Management 

So many of the CCPA’s new requirements center on honoring consent and subject rights requests. Consent Management Platforms (CMPs) can help you manage these new requirements, including rights requests to stop the sale/sharing of PI and limit the use of sensitive PI. The right platform will also facilitate the display of an Opt-Out Honored signal, as required by the amendments. 

Run a Risk Assessment 

This doesn’t need to be perfect on your first try; rather, think of it as a learning exercise to help you understand the gaps in your current process. Pick a processing activity that you believe will require a risk assessment, such as selling or sharing PI, processing sensitive PI, or using ADMT. The current CCPA regulations (with the most recent rounds of amendments) list out the information you should include. Broadly, they should cover: 

  • The purpose of processing 
  • The categories of PI to be processed 
  • Operational elements of the processing, such as sourcing, retention periods, and disclosures 
  • The specific benefits and negative impacts of the processing 
  • Safeguards and risk mitigation put in place 

Be sure to consult the updated CCPA for specific guidance. 

Automate and Streamline This Process 

Manual compliance isn’t feasible anymore—especially if you need to comply with laws beyond the CCPA. Privacy management software can help you automate and streamline compliance processes.  

Osano, for example, can support: 

  • Consent management, ensuring you automatically honor consumers’ opt-in or opt-out requests on your website and creating a record of those requests. It also provides an “Opt-Out Honored” signal when processing opt-outs, including those from the GPC. 
  • Subject rights management, enabling you to process requests to stop the sale/sharing of PI and limit the use of sensitive PI in an auditable, automated fashion. 
  • Assessments, which you’ll need to complete in order to document and reduce your processing risks. 

If you want to dive deeper into the specific ways that Osano can help your organization comply with the new CCPA amendments, schedule a demo with us today.