Introduction
California continues to lead the United States in developing rigorous data privacy protections, and the latest updates introduced by the California Privacy Protection Agency (CPPA) reflect a growing commitment to strengthening oversight, accountability, and consumer control. These updates, focused on consent, automated systems, notices, and data protection measures, represent the most significant adjustments to the California Consumer Privacy Act (CCPA) since the implementation of the CPRA amendments. As businesses operating in California navigate these new regulatory obligations, understanding the scope of the changes is essential to ensure compliance and avoid enforcement actions.
The CCPA remains one of the most comprehensive data protection laws in the country. It grants residents key consumer rights, including the ability to access, delete, and opt-out of the sale or sharing of their personal information. It also requires businesses to adopt reasonable security safeguards designed to protect consumer data from unauthorized access, breaches, or misuse. With the CPPA now issuing updated regulations that expand notice requirements, clarify opt-out preference signals, and impose more stringent expectations on consent practices, businesses subject to the CCPA must reassess their compliance programs. The updates place particular attention on sensitive personal information, automated decision-making technology, and risk assessments, reinforcing California’s position at the forefront of digital privacy protections.
California Privacy Laws Overview
The CCPA remains the cornerstone of California privacy laws, establishing a detailed framework for how organizations may collect, use, share, and disclose personal data. Regulations establish strict requirements for transparency and consumer choice, obligating businesses to explain their data processing activities in a manner that is understandable, accessible, and free of deceptive language. This includes clear disclosure of the categories of personal information collected, ranging from biometric data and precise geolocation to records of how consumers interact with connected devices such as mobile apps, smart home sensors, or wearables.
Under the CCPA, businesses must also provide consumer notices at or before the point of data collection, outlining the purposes for data use and the types of third parties receiving the data. If a business engages in the sale or sharing of personal information, it must offer consumers an easy method to opt-out. These requirements extend to data brokers, financial or lending services, healthcare services, social media companies, and foreign entities that process data from California residents. Importantly, the law also includes a private right of action for consumers affected by certain data breaches, adding an enforcement layer beyond administrative law. The combined regulatory approach ensures that businesses maintain robust privacy practices aligned with existing regulations and the evolving expectations of California regulators.
Automated Decision-Making Technology
Among the most anticipated updates are new rules governing Automated Decision-Making Technology (ADMT). As the use of artificial intelligence and automated systems expands in sectors such as lending, employment, advertising, and consumer services, the CPPA has imposed clearer boundaries on how ADMT may be deployed. The regulations require businesses to deliver a pre-use notice whenever ADMT is used in contexts where it replaces or substantially replaces human decision-making in making significant decisions about consumers. These decisions may involve eligibility for credit, employment screenings, access to essential services, or any other outcome with a significant risk of affecting a consumer’s rights or opportunities.
The updated regulations also grant consumers several important rights related to ADMT. Individuals can request access to information about the logic behind automated decisions, including an explanation of how inputs such as sensitive data or behavioral attributes were used. They can also appeal ADMT decisions if they believe the outcome was unfair or inaccurate. Notably, the CPPA’s final rules exclude advertising from ADMT regulations, clarifying that marketing-related automated systems do not fall under the same obligations. This distinction matters for businesses that use recommendation engines or interest-based advertising while continuing to process personal information in ways separate from high-risk decision making.

Expanded Notice Requirements
The CPPA’s expanded notice requirements significantly reshape how businesses must communicate their data practices. Organizations must now provide more detailed descriptions of their processing activities, including explicit explanations of the categories of personal information collected, the types of sensitive information involved, and the specific purposes of each category of data processing. These notices must be presented in a clear and conspicuous manner, avoiding technical jargon and ensuring that consumers can understand how their information will be used.
Additionally, businesses must describe whether personal information will be sold, shared, or transferred to third parties, including data brokers or entities engaged in high-risk processing. If a business engages in such activities, it must provide an easily accessible opt-out mechanism, allowing consumers to withdraw consent in the same manner it was provided. This prevents businesses from creating burdensome or confusing opt-out pathways. The updated regulations also require businesses to include disclosures relevant to updated regulations, evolving technologies, and connected devices so that consumers receive a comprehensive and timely understanding of the company’s privacy practices.
Consumer Opt-Out Requests
The updated regulations reinforce consumers’ ability to submit opt-out requests concerning the sale or sharing of their data. Businesses must ensure that opt-out links are not only accessible but labeled with precise language such as “Do Not Sell or Share My Personal Information.” These links must function properly across websites, mobile apps, and connected devices, enabling consumers to withdraw consent through a range of channels, including online forms, toll-free numbers, or browser settings.
Businesses must verify that an opt-out request is honored within the regulatory timeframe and that the withdrawal of consent is applied broadly across all systems where the consumer’s personal information is processed. This includes internal databases, analytics tools, marketing platforms, and any third-party partners with whom the business shares consumer information. To ensure compliance, companies must maintain internal documentation outlining how consumer requests are logged, processed, and resolved. Businesses that fail to process opt-out requests or knowingly ignore them face higher scrutiny from regulators, especially in industries where data-driven profiling and tracking are common.
Global Privacy Control
A major development in California privacy enforcement is the requirement for businesses to recognize the Global Privacy Control (GPC), a browser or device-level opt-out preference signal that allows consumers to exercise their rights across multiple platforms simultaneously. When a consumer enables GPC, any business subject to the CCPA must treat the signal as a valid request to opt-out of the sale or sharing of personal information. The CPPA has clarified that businesses may not require additional authentication before honoring a GPC signal unless the request poses a demonstrable risk of fraud or impersonation.
The GPC serves as a universal opt-out mechanism and reduces the burden on consumers who previously had to submit opt-out requests to each business individually. Organizations must provide clear disclosure about whether they support GPC and how consumers can manage their privacy preferences across different devices and web environments. Failure to honor GPC signals is treated as a violation of the CCPA, and regulators expect businesses to test and validate their technical implementations to avoid giving consumers a false sense of control over their personal data.
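The testing the section above calls for starts with recognizing the signal itself. The following is an added example, not code from the original article: a small JavaScript module that checks the `Sec-GPC` request header defined by the GPC specification, records the resulting opt-out of sale and sharing, and builds the optional `/.well-known/gpc.json` disclosure resource. The consent-record shape and the Express-style middleware wiring are assumptions made for the example.

```javascript
// Added example (not from the original article). Assumes the GPC spec's
// `Sec-GPC: 1` request header and a hypothetical consent-record shape.

// Constructed sample requests; header names are lowercased as Node's http
// module does. Only the first one carries a valid GPC opt-out signal.
const SAMPLE_REQUESTS = [
  { path: "/products", headers: { "sec-gpc": "1" } },
  { path: "/products", headers: { "sec-gpc": "0" } }, // not a valid signal
  { path: "/products", headers: {} },                  // no signal at all
];

// Per the GPC spec the signal is present only when the header value is
// exactly "1"; any other value (or its absence) is treated as no signal.
function hasGpcSignal(headers) {
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return value === "1";
}

function defaultConsent() {
  return { saleOptOut: false, sharingOptOut: false, optOutSource: null };
}

// GPC maps to the CCPA right to opt out of sale or sharing. It is applied
// without an extra authentication step, so the record is updated directly.
function applyGpc(record, headers) {
  if (!hasGpcSignal(headers)) return record;
  return { ...record, saleOptOut: true, sharingOptOut: true, optOutSource: "gpc" };
}

// Hypothetical Express-style middleware: attach the evaluated consent
// state to the request so downstream code can suppress sale/share flows.
function gpcMiddleware(req, res, next) {
  req.consent = applyGpc(req.consent ?? defaultConsent(), req.headers);
  next();
}

// Count how many of a batch of requests would be honored as opt-outs;
// useful when validating an implementation against captured traffic.
function countHonoredOptOuts(requests) {
  return requests.filter((r) => applyGpc(defaultConsent(), r.headers).saleOptOut).length;
}

// Body of the optional /.well-known/gpc.json resource described by the
// GPC spec, which lets a site disclose that it honors the signal.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}
```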

Connected Devices
The proliferation of connected devices, from smart home technologies and wearables to mobile apps and industrial IoT products, has increased the amount of consumer data collected through automated channels. Under the updated regulations, businesses that operate connected devices must implement reasonable security measures tailored to the type of data being collected, including safeguards for sensitive personal information such as biometrics, precise geolocation, or health-related data. These measures must address unauthorized access, data leakage, misuse by third-party partners, and improper cross-device tracking.
Businesses must also provide easily accessible disclosures specifying the categories of data collected through connected devices, the purposes for which the data is used, and any third parties with whom the data is shared. Consumers must be informed if the device collects sensitive personal data or continuously monitors behavior. If a business has actual knowledge that a connected device is used by minors or collects information at heightened risk levels, it may face additional obligations under state privacy laws and the federal Children’s Privacy Rulemaking.
Cybersecurity Audits
Another significant update is the emphasis on mandatory cybersecurity audits for businesses engaged in high-risk data processing. Under the new rules, organizations must undergo regular audits, typically led by independent third-party auditors, to evaluate the adequacy of security controls and identify vulnerabilities that could expose consumer information. These audits must be comprehensive, covering internal systems, third-party integrations, data flows, authentication measures, and the organization’s incident-response readiness.
Businesses must retain records of their cybersecurity audits for at least the preceding calendar year and up to five years, depending on the scope of the audit requirement. This documentation may be requested during regulatory investigations, particularly in cases where a business fails to ensure compliance with data protection standards. The CPPA views cybersecurity audits as an essential safeguard against breaches, especially for companies handling large volumes of sensitive data or operating within industries such as healthcare, lending services, or social media.
Compliance and Enforcement
The CPPA’s updated regulations include phased compliance deadlines, which vary based on the type of processing activity and the scale of consumer data involved. Businesses must carefully evaluate which requirements apply to them, including obligations related to consents, notices, ADMT, cybersecurity audits, and risk assessments. Missing a compliance deadline increases exposure to enforcement actions and may indicate that the business does not maintain adequate internal controls, documentation, or governance structures.
To ensure compliance, many organizations are adopting internal privacy management programs that integrate policy updates, employee training, vendor contract reviews, and continuous monitoring of data practices. Businesses must also consider how updated regulations affect privacy policies, consumer-facing disclosures, and internal workflows that support consumer rights such as access, deletion, and opt-out requests. By establishing structured compliance efforts, organizations can reduce risk and demonstrate good-faith adherence if investigated by regulators.
Enforcement Actions
Enforcement authority is shared between the California Attorney General and the California Privacy Protection Agency, both of which have the ability to investigate violations and impose penalties. Enforcement actions may arise from complaints, audits, consumer reports, or the agency’s independent investigations. Penalties can escalate quickly, particularly for violations involving sensitive personal information, failure to honor opt-out preference signals, or a lack of proper consent mechanisms.
The Attorney General can issue civil penalties, seek injunctive relief, or require corrective measures to prevent future violations. The CPPA may also issue guidance documents or interpretive opinions that clarify how businesses should apply new privacy regulations. Companies are expected to cooperate fully with investigations, providing timely documentation, internal records, and explanations of their data protection practices. Non-compliance or obstruction can lead to severe penalties and heightened scrutiny for subsequent years.
Conclusion
California’s updated privacy regulations mark a pivotal shift toward stricter rules on consent, increased transparency, and heightened accountability for businesses processing personal information. By imposing clearer requirements for opt-out mechanisms, expanding notice obligations, and establishing rules for automated decision-making technology, the CPPA is strengthening privacy protections across the state. These updates reinforce consumer control over personal data, giving individuals more meaningful authority to manage their privacy preferences and ensuring that businesses respond appropriately when consumers exercise their rights.
For organizations, the new regulations require enhanced governance, ongoing monitoring, and improved risk management strategies. Businesses must adopt robust compliance programs, conduct cybersecurity audits, ensure that the workflows that honor opt-out requests function seamlessly, and update privacy policies to meet the standards outlined in the CCPA and its latest amendments. As California continues to influence broader state privacy laws, these regulations represent an essential step in building trust and promoting responsible data practices within the digital economy.