Raising the Stakes: California Enacts Trio of New Consumer Privacy Obligations
Three new California privacy bills signed into law expand consumer privacy protections and could have broad compliance implications for any company doing business in the state.
On October 8, 2025, Governor Newsom signed three California privacy bills into law. Together, these measures expand consumer privacy protections by providing consumers with ways to manage their data rights. These laws carry broad compliance implications for any company doing business in the state.
AB 566: California Opt Me Out Act. The Opt Me Out Act provides consumers with additional ways to exercise their opt-out rights under the California Consumer Privacy Act ("CCPA") by requiring businesses that develop or maintain browsers to provide a setting that allows users to send a preference signal to opt out of the sale and sharing of their personal information. This signal functions as a global opt-out setting which will persist across any website visited on the browser, so consumers do not have to submit unique requests to each website they visit. However, browser developers who provide the required opt-out signal will not be held liable for businesses who fail to honor the request. The Act goes into effect on January 1, 2027, and will be enforced by the California Privacy Protection Agency ("CPPA").
SB 361: Defending Californians' Data Act. Under the CCPA, data brokers engaged in the collection or sale of consumers' personal information must register with the CPPA, pay a registration fee, and provide certain information regarding the types of information collected. SB 361 expands those disclosure obligations by requiring more detail about the types of sensitive data collected, the advertising identifiers used, and whether, in the prior year, the broker sold or shared consumers' personal data with foreign actors, federal or state governments, or developers of generative AI models. Businesses that qualified as data brokers in 2025 must comply with these requirements by January 31, 2026. Registration is enforced by the CPPA, who may levy administrative fines, recover fees accrued during the period of noncompliance, and recover expenses incurred.
AB 656: Click to Cancel 2.0. AB 656 requires social media platforms that generate more than $100 million annual gross revenue to provide a clear, accessible method for users to delete or suspend their accounts. When users initiate this process, social media platforms must allow users to terminate their account without obstruction but may seek confirmation of the request to delete or suspend the account. These requests will be treated as requests to delete under the CCPA, violations of which may be penalized by up to $7,988 per violation, for intentional violations involving minors' personal information. The law is expected to go into effect on January 1, 2026.
