
Miss the most recent webinar from the Osano team? Did your question not come up during discussion? Don't worry: We've collated, condensed, and thematically grouped the questions from 2026 Privacy Laws: New Laws, Amendments, and More, and the Osano team has provided their answers here. Plus, you can watch the webinar recording free and on-demand here, or select clips! Let's dive in.

Confusion Around the CCPA and CCPA Amendments

What profiling activities trigger risk assessments under the new CCPA rules?

Businesses must conduct risk assessments when they wish to use automated processing to profile a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, location, or movements, but only when the profiling is based upon systematic observation of that consumer while they are acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business.

Risk assessments for such profiling must also be conducted when the profiling is based on the consumer’s presence at a sensitive location, such as a hospital, food pantry, or political party office, unless the information is used solely to deliver goods to or provide transportation for the consumer at a sensitive location.

Do the amendments to the CCPA apply to nonprofits?

Like the rest of the CCPA, the most recent CCPA amendments generally do not apply to nonprofits. However, nonprofits tightly associated with a covered business are not exempt from the CCPA. To be covered by the CCPA, a nonprofit must control or be controlled by a CCPA‑covered business, share common branding with that business, and receive personal information from the business.

Does the expansion of sensitive personal information to include under-16-year-olds’ data apply to organizations in the education industry?

Any data not already subject to the Family Educational Rights and Privacy Act (FERPA) is subject to the CCPA for applicable organizations, including the requirements around sensitive personal information such as data belonging to an under-16-year-old.

Assessments Answers

Can one risk assessment be conducted for similar activities?

Generally speaking, one risk assessment can cover several similar processing activities. The CCPA, for example, allows businesses to conduct a single risk assessment for a “comparable set of processing activities,” which it defines as “a set of similar processing activities that present similar risks to consumers’ privacy.”

How comprehensive do CCPA risk assessments need to be, especially for sensitive data processing?

CCPA-compliant risk assessments, regardless of whether they involve sensitive data processing or not, must include several types of information, including:

  • The purpose behind the processing, the categories of information to be processed and the categories of sensitive personal information.

  • Information relating to collection; retention periods; method of interaction with the consumer (e.g. via website); number of consumers whose data will be processed; planned disclosures; and the names or categories of the service providers, contractors, or third parties to whom the business discloses or makes available the consumers’ personal information and why they’re receiving the information. Additionally, if automated decision-making technology (ADMT) is being used to make significant decisions about consumers, then businesses must document the logic of the ADMT, its output, and how it will be used to make a significant decision.

  • The benefits the business, consumers, other stakeholders, and the public will receive from the processing.

  • The negative impacts to consumers’ privacy associated with the processing.

  • Safeguards put in place to address said negative impacts.

  • Whether the organization plans to go ahead with the processing based on the risk assessment.

  • Any individuals who provided information to support the risk assessment, except for legal professionals providing legal advice.

  • The date the assessment was reviewed and approved and the individuals who did so, except for legal counsel providing legal advice. This must include an individual with the decision-making power to move ahead or not with the processing activity.

Do the new CCPA updates require risk assessment summaries to be submitted once every 3 years or annually?

The CCPA amendments require annual summaries of the risk assessments conducted that year. The question asker likely mixed this up with the requirement that businesses review, and if necessary update, their risk assessments at least once every three years. Thus, if there are no changes to any of your organization’s processing activities, it is conceivable that you may only need to submit a summary of risk assessments once every three years, since that will be when you are required to repeat or review already conducted risk assessments.

Can we have one risk assessment done for all applicable states? Or will there be significant differences to consider, requiring risk assessments to be conducted for separate states (i.e., Maryland vs California)?

California has the most specific requirements for a risk assessment in the US, and where other states include specifics, they broadly mirror California’s assessment structure. So, if you follow California’s specific requirements, you can generally assume you’ll be meeting the general requirements for risk assessments in other jurisdictions.

Enforcement Anxiety

Are there any new developments with the California Invasion of Privacy Act, VPPA, or other wiretap laws?

Yes! Although there has been some pushback against the use of these laws for modern data privacy in the courts and legislature, law firms are still actively and successfully suing businesses under wiretap theories. Our upcoming webinar on February 5th, 1 pm EST, will get into more detail about the current state of wiretap suits and how to reduce your risk with your privacy software.

With the increase in CIPA and Wiretap Act lawsuits, is the safest approach to the use of cookies and other tracking technologies the implementation of an opt-in consent banner for all US web traffic?

Yes. Opt-in consent is a much stronger legal basis for tracking than opt-out consent, and wiretap laws like CIPA and the Wiretap Act require it. You can find out more about what CIPA and similar laws are and how Osano handles them here.

Given that California is the only state with a dedicated enforcement agency (CPPA), do we expect that enforcement in states other than CA will lag significantly behind CA since all other states rely on State AGs for enforcement?

Yes and no. California has by far been the most active state for privacy enforcement thus far. But state AGs are coordinating with one another, and California has put together the Consortium of Privacy Regulators. This consortium shares information, investigations, and strategies with its members. As a result, California is sharing its enforcement expertise with smaller states.

Consent Consternation

Does closing a cookie consent banner count as accepting cookies as long as the use of cookies is explained in a privacy policy?

It depends on which consent model your organization adheres to. Under an opt-out consent model, you’re free to use cookies and other data trackers until the consumer explicitly opts out, so long as you inform them of your data collection and their rights. Under an opt-in consent model, closing a banner does not constitute consent to data collection in and of itself. Most US laws require an opt-out consent model, but wiretap laws require an opt-in consent model, and sensitive data collection also often requires opt-in consent.

Does an “Opt Out Signal Honored” notice need to be in response to a signal, or can it just be posted on your website?

These indicators can’t be static notices; they need to turn on dynamically in response to an opt-out signal. If a user who doesn’t have an opt-out signal set in their browser visits your site, a static indicator would cause them to be confused about the status of their privacy preferences. Furthermore, a static indicator would increase your risk in case your website’s consent mechanism became nonfunctional, as it would mislead consumers.

Has anyone figured out how to technically add an "Opt Out Signal Honored" indicator?

Yes! Consent Management Platforms (CMPs), like Osano, dynamically display these indicators in response to consumer opt-out preference signals. You can learn more about these signals in our blog, Global Privacy Control (GPC) and Universal Opt-Out, and about how Osano handles this requirement in our documentation.

How does Osano check whether companies are correctly respecting user consent preferences and thus whether or not to display an “Opt Out Signal Honored” indicator?

If you use Osano and have the Support Global Privacy Control (GPC) toggle turned on, it will display an “Opt Out Signal Honored” indicator to users who visit your site and who have opted out via a preference signal in their browser. Osano reads the user’s preference signal from their browser, blocks classified data trackers accordingly, and displays the indicator on your site. You can learn more in our documentation here.
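The behaviour described above, as an added example that is not Osano’s code: the signal is read from the browser, opt-out trackers are blocked, and the indicator is shown only when that blocking actually happened, so a broken consent mechanism never advertises a protection it is not providing. The tracker names, categories and helper names are assumptions for illustration; `navigator.globalPrivacyControl` is the real browser property GPC-aware browsers expose.

```javascript
// Added example, not Osano's code. Tracker names, categories and helper
// names are assumptions for illustration.

// Constructed tracker classifications, as a site operator might record them
// after reviewing a CMP's classification recommendations.
const TRACKERS = [
  { name: "analytics.example", category: "analytics" },
  { name: "ads.example", category: "marketing" },
  { name: "session.example", category: "essential" },
];

// Categories an opt-out signal should stop (assumption: everything that is
// not strictly essential to operating the site).
const OPT_OUT_CATEGORIES = new Set(["analytics", "marketing"]);

// Read the signal the way browsers expose it: navigator.globalPrivacyControl
// is true when the user has enabled GPC. The navigator object is passed in
// so the function can be exercised outside a browser.
function readGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply the signal. `blocker(tracker)` stands in for the page's own blocking
// routine and returns true when the tracker was actually prevented from
// loading. The indicator is shown only when a signal is present AND every
// opt-out tracker was blocked, which avoids the static-indicator risk:
// a nonfunctional consent mechanism must not mislead the visitor.
function applyOptOutSignal(gpcPresent, trackers, blocker) {
  if (!gpcPresent) {
    return { blocked: [], showIndicator: false };
  }
  const targets = trackers.filter((t) => OPT_OUT_CATEGORIES.has(t.category));
  const blocked = targets.filter((t) => blocker(t)).map((t) => t.name);
  return { blocked, showIndicator: blocked.length === targets.length };
}

// Toggle the indicator element dynamically; `doc` is the DOM document
// (passed in for testability). Returns whether the indicator is now visible.
function renderIndicator(doc, show) {
  const el = doc.getElementById("opt-out-signal-honored");
  if (el) el.hidden = !show;
  return Boolean(el) && show;
}

// In a real page the three pieces are wired together on load, e.g.:
//   const gpc = readGpcSignal(navigator);
//   const result = applyOptOutSignal(gpc, TRACKERS, blockTracker);
//   renderIndicator(document, result.showIndicator);
```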

If we use Osano to manage scripts and cookie consent, are all of the updates to state privacy law consent requirements baked in? As a result, we won’t need to worry about cookie consent on our website if we set it up with Osano?

Yes, but some light management work is necessary on an ongoing basis. Most websites continue to add and remove different data trackers as time goes on; you’ll need to classify these trackers to ensure Osano can block or allow them based on users’ preferences.

We make it as easy as possible with AI-assisted cookie classification recommendations, but the Osano user still needs to log in, review, and accept or change classifications. As for the different rules around how consent must function in different jurisdictions, Osano handles all of that for you. When there’s ambiguity or multiple approaches to handling consent (such as adhering to an opt-in vs. opt-out standard of consent in California), we provide as much guidance on best practices as is possible.

International Inquiries

To what extent do these state-level laws apply to companies operating out of states without a privacy law or other countries? What might the enforcement look like for international companies?

Like the GDPR and other global privacy laws, US state privacy laws have an extraterritorial reach. If you process protected US consumers’ data and meet the applicability thresholds of their governing privacy laws, you’ll be subject to enforcement in the same manner as local companies.

When will there be an overarching (GDPR-style) federal US privacy law?

While there remain a few efforts to advance a federal privacy law, there may never be an overarching framework for privacy in the US. As more states pass their own privacy laws, it reduces the pressure on federal legislators to pass a privacy law and increases the complexity of doing so as well. Previous federal privacy law proposals have failed because they would pre-empt stronger state privacy laws, such as the CCPA, effectively downgrading protections for residents of certain states.

For a global company, do “consumers" in the CCPA mean California residents or all global consumers?

The CCPA defines “consumers” as natural persons who are residents of California.

Data Broker Doubts

For California’s DROP system, do we have to delete the data within 45 days, or do we have to just access the DROP every 45 days (and then adhere to a different timeline for actually deleting the data)?

Under the Delete Act, data brokers must both access DROP at least once every 45 days and process consumers’ deletion requests within 45 days of receipt.

For data brokers, if a consumer submits an opt-out or deletion request, would it be compliant to retain the information in a standalone suppression table used to exclude that consumer’s information when it arrives from other incoming data feeds or sources?

The Delete Act and DROP require data brokers to maintain a suppression list of consumers who have requested to opt out or have their data deleted, in order to prevent reacquisition. As a best practice, this list should include the minimum amount of information necessary to prevent reacquisition. You’re allowed to remove consumers from your suppression list if they subsequently withdraw their opt-out or deletion request.

Which states specifically require data broker registration?

California, Vermont, Oregon, and Texas all require data broker registration.

Other State Privacy Law Observations

What's going on with the Colorado AI Act, and how is that going to affect privacy and data processing?

As of this writing, the Colorado AI Act’s (CAIA’s) implementation deadline has been delayed until June 30, 2026, to allow time for revisions. CAIA is primarily intended to prevent algorithmic discrimination in AI systems used to make consequential decisions, like lending, employment, healthcare, and so on. Currently, CAIA compliance involves common tasks seen in privacy compliance, such as assessing systems for their potential for harm, providing notice to consumers, and operationalizing requests to opt out of the system’s use.

Are banks exempt from these state-level privacy laws?

In some jurisdictions, they are exempt, and in others, they are not. Some state privacy laws exempt financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA) at the entity-level, meaning the whole organization is exempt from compliance (such as in Texas). Other states only exempt the data subject to the GLBA, meaning other data the organization processes is still subject to their privacy law (such as in California).

Does the new privacy law in Maryland impact non-profits?

Non-profits are not exempt from Maryland’s data privacy law.

What is a good resource to understand the definitions of data types as they relate to privacy?

We describe the categories of data trackers here. However, you may have been asking about what constitutes sensitive personal information under the various data privacy laws. That information can be found here.

What are Rhode Island’s privacy notice requirements for otherwise under-threshold organizations?

Any commercial website or ISP that does business in Rhode Island or has Rhode Island customers and collects, stores, and sells personally identifiable information must provide a privacy notice, even if it doesn’t meet the RIDTPPA’s normal thresholds. This notice needs to include a list of all third parties to whom the controller has sold or may sell personal data; the categories of personal data collected; contact information for the controller; a clear statement that the controller sells data or uses it for targeted advertising; and a description of the rights available to consumers and how they can exercise those rights. Thus, for an organization that would otherwise be under threshold, the privacy notice requirement applies only if it sells personal information.
