Introduction
The State of California continues to lead the way on privacy, data, social media, and artificial intelligence legislation (which we previously covered here). Just in time for this holiday season, the California State Legislature is delivering a new spate of privacy laws and regulations to companies. These new laws are in addition to the significant development of the California Consumer Privacy Act’s (CCPA’s) enhanced regulations going into effect on January 1, 2026, which we examined here. In addition, these important legislative developments follow the recent enforcement and rulemaking actions from the California Attorney General and the California Privacy Protection Agency (CalPrivacy), which we have previously covered here and here. Several new statutes that Governor Newsom recently signed into law are poised to reshape the compliance landscape in the years ahead. Below, we highlight several impactful legislative developments and offer compliance recommendations for data-driven businesses navigating the Golden State wave in the months and years ahead.
Summary of Key Laws
App Age-Verification Requirements
Assembly Bill (AB) 1043, the Digital Age Assurance Act, marks a watershed moment in the development of the Internet. Together with new laws in Texas and Utah, AB 1043 implements new age-verification requirements for operating system providers, app stores, and application developers. This California law requires operating system providers to require users to provide age information as they set up their accounts. The law requires application developers to request the user’s age bracket from the operating system provider or application store (bucketed by category into ages 12 and younger, 13 – 15, 16 – 17, or 18 and older). Unless the developer has clear and convincing evidence that the age bracket signal is incorrect, AB 1043 requires developers to treat users as within the indicated age range.
Importantly, obtaining this knowledge of a user’s age may have a cascading effect on developers’ other kids’ and teens’ privacy obligations under the Children’s Online Privacy Protection Act (COPPA), state privacy laws, and age-appropriate design codes that hinge on whether businesses possess actual knowledge that their services cater to minors. Pending any potential legal challenges, such as under the First Amendment or COPPA’s preemption provision, the California Attorney General will be empowered to bring civil actions under AB 1043. The law, which exempts broadband internet access services, telecommunications services, and the delivery or use of physical products, is slated to take effect on January 1, 2027.
Geolocation Restrictions Near Healthcare Facilities
AB 45 focuses on in-person health and reproductive care by broadly prohibiting the collection, use, sale, or sharing of personal information derived from geolocation data about individuals physically located at or within 1,850 feet of covered family-planning facilities as categorized under the North American Industry Classification System adopted by the United States Census Bureau. The law will ban geofencing (or selling or sharing personal information with a third party to geofence) used for advertising or targeting for individuals seeking healthcare and places strict limits on disclosure of certain health-related research records to out-of-state subpoenas or third parties. Individuals whose data has been processed in violation of the law may bring a civil action to recover damages or obtain injunctive relief, plus reasonable attorney’s fees and costs. The law will take effect on January 1, 2026.
Browser Opt-Out Signal Requirements
AB 566, the California Opt Me Out Act, amends the CCPA to require browser developers to provide a clear, easy-to-find consumer setting that sends a standardized “opt-out preference signal” communicating a user’s choice to opt out of the sale or sharing of personal information under California law. Businesses subject to the CCPA must recognize and treat that signal as a valid opt-out request, and browser developers must disclose how the signal operates and the effect of using such an opt-out signal. The law grants CalPrivacy rulemaking authority and does not specify exemptions but provides a downstream safe harbor, protecting browser developers from liability flowing from other businesses’ violations of the law. The law will take effect on January 1, 2027.
Enhanced Data Broker Transparency Rules
Senate Bill (SB) 361 expands California’s data broker registration and transparency regime by requiring data brokers to disclose significantly more granular categories of data they collect and provide stronger user-facing deletion mechanisms and reporting. This includes data categories such as device identifiers, biometric and precise location data, and disclosures of sales and sharing to foreign entities, government actors, or AI developers.
California’s 2023 “Delete Act” introduced a requirement that data brokers (and their service providers and contractors) honor verifiable consumer deletion requests, including those made through the Delete Request and Opt-out Platform — which is a free, online tool CalPrivacy manages — starting August 1, 2026. This bill strengthens existing and upcoming consumer protections by targeting abusive practices such as dark patterns that make it difficult, misleading, or confusing for consumers to delete their data and creates audit and reporting obligations designed to improve public visibility into how personal data is amassed and monetized. Portions of the registration and deletion requirements become effective on January 1, 2026, with audit requirements set to be phased in during 2028 and beyond.
Social Media Warning Requirements
AB 56, the Social Media Warning Law, implements a black-box warning requirement for social media platforms and “addictive internet-based service[s] or application[s]” as defined by Health and Safety Code section 27000.5 (covered platforms). The law requires covered platforms to display a black-box warning for each calendar day a user uses a covered platform, after three hours of cumulative active use, and then once per hour thereafter. The warning must be displayed clearly and continuously for a duration of at least ten seconds for the first warning and thirty seconds for subsequent warnings, unless the user affirmatively dismisses the warning by clicking on a conspicuous “X” icon. The first warning must occupy at least 25% of the screen or window, while subsequent warnings must occupy at least 75%. The warning must read as follows: “The Surgeon General has warned that while social media may have benefits for some young users, social media is associated with significant mental health harms and has not been proven safe for young users.” Covered platforms should plan to implement these black-box warnings in the next couple of months, as the law will take effect on January 1, 2027.
Delete Account Button Mandate
AB 656 requires social media platforms that generate more than $100 million in gross annual revenue to provide a clear and conspicuous “Delete Account” button immediately visible on each platform’s settings menu. The button must provide the necessary steps to complete account deletion and must not be deceptive or designed to subvert user autonomy. Any verification of the request must be cost-effective and easy to use. Social media platforms should update their account-deletion procedures in the next couple of months, as the law will take effect on January 1, 2026.
Healthcare Immigration Information Protection
SB 81 expands California’s Confidentiality of Medical Information Act and prohibits healthcare facilities from disclosing patients’ immigration status and place of birth, except as required by law. The new law explicitly prohibits disclosure of medical information for immigration enforcement, the definition of which has also been expanded to include all efforts to investigate or assist in the enforcement of any federal civil immigration law. Healthcare facilities should take immediate action to amend procedures for engaging with visitors, restrict access to areas where patients are discussing health information, and train staff and volunteers on immigration enforcement response, as the law takes effect on January 1, 2026. Noncompliant healthcare facilities may be fined between $2,500 and $250,000 per violation.
Key Takeaways for Businesses
Businesses located or doing business in California should take action now to update and align their data governance, technology operations practices, and vendor contracts with the new legal landscape, including the following:
- Assess how data processing systems identify and classify users. New age-verification and minor-protection laws require businesses to review how user attributes are tracked, including age brackets and geolocation information, and ensure technical protocols are in place to support new product design, advertising, and data practices accordingly.
- Update user experience flows and platform interfaces. Several new laws will soon change how online products and services interact with consumers, including mandatory social media warnings and account-deletion options. Businesses should comprehensively review their platform-level user displays to ensure age gates are properly implemented, privacy settings are consistently offered, and user choice is honored without the presence of dark patterns.
- Strengthen system-level technical and operational capabilities. Businesses should invest in developing technical infrastructure and new protocols, policies, and procedures to comply with new requirements, such as browser opt-out signals, universal deletion requests, and geofencing restrictions. Additionally, companies must ensure mechanisms such as opt-outs are effective and operate as represented to avoid increased regulatory scrutiny.
- Audit third-party and vendor relationships. Several new requirements underscore the importance of stringent vendor risk management and audit processes. Businesses should confirm vendors and other data partners are prepared for the evolving regulatory landscape and should update data processing agreements, API and software development kit integrations, and ad-tech partner relationships to ensure comprehensive compliance.
- Revisit data governance and employee training policies. In addition to creating technical pathways toward legal compliance, businesses should also prepare to demonstrate their compliance posture as California’s new laws come online in the years ahead. This may involve updating risk assessments, privacy impact assessments, data classification and data flow mapping, and employee training around sensitive data access to prepare for the possibility of regulatory scrutiny.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- Jacqueline Klosek, Partner
- Omer Tene, Partner
- Jonathan Ng, Associate
- Lilla Lavanakul, Associate
- Reema Moussa, Associate
- Corey Berman, Associate