The California Consumer Privacy Act (CCPA) Regulations got a New Year update, with amendments effective on January 1, 2026. Think of these changes as a front-door refresh—reinforcing key points of the privacy program—rather than a complete overhaul. The focus is on bolstering existing practices to meet precise, verifiable standards, complete with a structured timeline and preparations for upcoming requirements.
While elements like mandatory cybersecurity audits, comprehensive risk assessments, and rights related to Automated Decision-Making Technology (ADMT) roll out gradually (e.g., ADMT notices and opt-outs begin January 1, 2027; audits and initial attestations span 2027–2030 based on business scale), several updates demand immediate action to avoid compliance gaps.
Near-Term Priorities (30–90 Days)
These near-term adjustments are straightforward but essential, targeting visible aspects of the program that regulators can easily scrutinize.
1. Privacy Policy Update
Policies must now spell out categories of personal information shared with service providers and contractors for business purposes in the last 12 months. This shines a light on vendor data flows, adding detail that many notices may currently lack. Action items include:
- Add a dedicated section listing disclosed categories of personal information—or state that none occurred.
- Tie each disclosed category to specific recipient categories (e.g., “service provider” or “vendor”).
- Double-check vendor lists and contracts for correct labels—ensuring disclosures match reality.
This amendment is among the most visible changes. A mismatched or missing disclosure could attract attention during sweeps or investigations. Prioritize it for quick, high-impact compliance.
2. Mobile App Accessibility
For businesses with mobile apps, the privacy policy must now be directly accessible within the app, such as via a settings menu link.
3. Enhanced Global Privacy Control (GPC) Compliance
Businesses must detect and honor GPC signals (opt-out preference signals from browsers/extensions) as valid requests to opt out of sales and sharing.
- Display visible confirmation (e.g., “Opt-Out Request Honored” notice or toggle in privacy settings) instead of background processing.
- Update detection systems and interfaces promptly, given recent multi-state AG enforcement actions highlighting this area.
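As an added illustration (not code from the article), the following JavaScript shows how a GPC signal can be detected on both sides of a web request and applied to a consumer's stored consent state. The two detection mechanisms are real: browsers that support GPC expose `navigator.globalPrivacyControl` and send a `Sec-GPC: 1` request header. The consent-state shape, the banner text, and the sample headers are assumptions constructed for this example.

```javascript
// Added example (not from the article): detect and honor a Global Privacy
// Control (GPC) opt-out signal. Real mechanisms: `navigator.globalPrivacyControl`
// (client side, boolean) and the `Sec-GPC: 1` request header (server side).
// The consent-state object and the confirmation text are assumed for this demo.

// Server side: read the Sec-GPC header from a request's headers object.
// Per the GPC specification only the exact value "1" is a valid opt-out signal;
// any other value, or a missing header, means no signal.
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return raw !== undefined && String(raw).trim() === '1';
}

// Client side: read the browser-exposed property, tolerating browsers that
// do not implement it (the property is simply undefined there).
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Apply the signal to the consumer's consent state. A GPC signal is a valid
// request to opt out of sale/sharing, so it overrides an earlier banner
// "accept" rather than the other way round, and the returned state carries
// the visible confirmation the amendments call for instead of a silent flag flip.
function applyGpc(consentState, gpcDetected) {
  const next = { ...consentState };
  if (gpcDetected) {
    next.saleOrSharing = 'opted-out';
    next.source = 'gpc';
    next.confirmation = 'Opt-Out Request Honored';
  }
  return next;
}

// Server-side entry point: combine detection and application for one request.
function processRequest(headers, consentState) {
  return applyGpc(consentState, gpcFromHeaders(headers));
}

// Constructed sample inputs so the block runs stand-alone.
const SAMPLE_WITH_GPC = { host: 'example.test', 'sec-gpc': '1' };
const SAMPLE_WITHOUT_GPC = { host: 'example.test' };
const SAMPLE_BAD_VALUE = { host: 'example.test', 'sec-gpc': 'true' };
const STORED_ACCEPT = { saleOrSharing: 'allowed', source: 'banner', confirmation: null };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(processRequest(SAMPLE_WITH_GPC, STORED_ACCEPT));
  console.log(processRequest(SAMPLE_WITHOUT_GPC, STORED_ACCEPT));
  console.log(processRequest(SAMPLE_BAD_VALUE, STORED_ACCEPT));
}
```

The important design choice is that a previously stored "accept" from a banner does not suppress the signal: the amendments treat GPC as a valid opt-out request, so the stored state is updated and a confirmation message is surfaced. Treating only the literal value `1` as a signal avoids honoring malformed or spoofed header values as if they were a user preference.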
4. Website Pop-ups: “X-ing” Out Does Not Constitute Consent
The amendments clarify that valid consent cannot be obtained through inaction: closing a pop-up, clicking outside it, or navigating away does not count. Consumers must actively select an unequivocal affirmative option (e.g., “Accept” or “Allow”). Additionally, the “yes” and “no” choices must be presented symmetrically—no affirmative button may appear more prominent in size, color, etc.
This applies primarily to businesses relying on an opt-in (consent-based) approach for activities that would otherwise constitute sale or sharing of personal information for cross-context behavioral advertising, such as tracking via cookies or pixels. The following are recommended for compliance:
- Audit existing consent banners and flows to ensure active, unequivocal affirmation and visual symmetry across all platforms.
- Eliminate any mechanism that treats inaction as consent or visually favors the affirmative choice.
5. Opt-Out Symmetry
The process for opting out should mirror or simplify the opt-in experience, ensuring no extra hurdles. Practically, the step count from “Do Not Sell or Share” to completion should be the same or fewer than the step count to opt back in.
Looking Ahead (2027–2028)
As the 2026 items are completed and the longer-term obligations come into view, shift attention to embedding sustainable processes for ADMT, risk assessments, and cybersecurity audits. These demand ongoing governance, annual reviews, and executive accountability.
- ADMT Implementation (Starting January 1, 2027): Identify uses of ADMT in significant decisions (e.g., credit, employment, healthcare). Develop pre-use notices, opt-out mechanisms, and explanations of the technology and opt-out outcomes.
- Risk Assessments (By December 31, 2027): Conduct evaluations for high-risk activities like selling personal information, handling “sensitive personal information”, or ADMT profiling. From April 1, 2028, submit annual summaries to the CPPA with executive attestations.
- Cybersecurity Audits (Phased from 2027): Based on company size, perform yearly audits, document controls, and secure executive certifications.
By addressing these amendments methodically, the business’s privacy program gains resilience against evolving scrutiny, turning compliance into a strategic asset.
