PrivacyLawMap
Back to Blog
Law UpdatesMarch 15, 20268 min read

California CCPA/CPRA 2026 Changes: What Businesses Need to Know

Share:

What's Changing in 2026?

California's privacy law landscape continues to evolve. The California Privacy Rights Act (CPRA), which amended the original CCPA, has several provisions and regulations taking effect or being updated in 2026. Here's what businesses need to know.

1. Expanded Opt-Out Rights

The CPPA (California Privacy Protection Agency) has finalized regulations that expand how consumers can exercise their opt-out rights. Businesses must now honor universal opt-out mechanisms, including Global Privacy Control (GPC), as a valid consumer request to opt out of the sale and sharing of personal information.

2. Stricter Data Broker Requirements

Following the Delete Act (SB 362), data brokers face enhanced obligations in 2026. The California AG's office has established a centralized deletion mechanism that allows consumers to request all registered data brokers delete their information through a single request.

3. Automated Decision-Making

New regulations around automated decision-making technology (ADMT) are being implemented. Businesses that use ADMT for decisions that produce legal or similarly significant effects must provide consumers with meaningful information about how these decisions are made and the right to opt out.

4. Risk Assessments

Businesses engaged in processing activities that present significant risks to consumer privacy must now conduct regular cybersecurity audits and submit risk assessments to the CPPA. This applies to large-scale processing of sensitive personal information.

What Should You Do Now?

  1. Audit your data practices — Know what personal information you collect, how you use it, and who you share it with.
  2. Implement GPC — If you haven't already, ensure your website detects and honors Global Privacy Control signals.
  3. Review data broker status — Check if your business qualifies as a data broker and register if required.
  4. Update privacy policies — Ensure your privacy policy reflects all current CCPA/CPRA requirements.
  5. Document compliance — Maintain records of your compliance efforts, including risk assessments and DSAR responses.

Timeline

Most of these changes have already taken effect or will be enforced throughout 2026. The CPPA has indicated it will prioritize enforcement of GPC compliance and data broker requirements.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.