California has never been the kind of state that says, “Let’s keep privacy simple.” No, California prefers a full production: statutes, regulations, enforcement sweeps, agency announcements, and enough acronyms to make even seasoned compliance teams reach for a second coffee. In 2026, that habit becomes even more important because the state is no longer just talking about privacy in theory. It is operationalizing it.
That is the big story for this year. California privacy law is moving from “you should think about this” to “show your work.” The California Privacy Protection Agency, the Attorney General, and lawmakers have all spent the last two years building a system that is broader, more technical, more consumer-facing, and a lot less tolerant of clunky opt-out flows dressed up as compliance. If 2025 was the year businesses read the memo, 2026 is the year regulators ask for receipts.
For companies doing business in California, that means this is not a year for polishing a privacy policy and calling it a day. The biggest developments to watch in 2026 involve rule implementation, data broker obligations, automated decisionmaking, browser-based opt-outs, health and location data, and a very noticeable enforcement trend: California is focusing on whether privacy rights actually work in the real world. Fancy notice language is nice. A consumer-rights maze is not.
Why 2026 matters more than the usual “new year, new checklist” moment
The reason 2026 feels different is simple: California now has both the rules and the machinery. The CPPA’s updated regulations are effective. The Delete Request and Opt-out Platform, better known as DROP, is live. New laws passed in 2025 are taking effect or setting up near-future compliance deadlines. And enforcement agencies have made it clear they are not only reading privacy disclosures but also clicking through the user experience, testing whether opt-outs work across devices, and examining how businesses use sensitive categories of information.
California also reworked how privacy enforcement is funded, which matters more than it sounds. It means privacy oversight is increasingly built to sustain itself rather than depend on a little luck and a line item somewhere in a budget binder. Translation: the referee now has better shoes, a whistle, and probably a replay booth.
1. The CPPA’s final regulations are now the center of gravity
The single biggest California privacy development in 2026 is the arrival of the CPPA’s finalized regulations covering risk assessments, cybersecurity audits, automated decisionmaking technology, insurance clarifications, and updates to the existing CCPA rules. These regulations took effect on January 1, 2026, which means businesses can no longer treat them as speculative draft material floating around conference slides.
Risk assessments stop being a nice idea and become an actual assignment
One of the most important changes is the requirement to conduct privacy risk assessments for processing activities that present a significant risk to consumers’ privacy. In practice, that sweeps in several kinds of modern data activity that many companies rely on every day: selling or sharing personal information, processing sensitive personal information, and using automated tools in ways that affect major life outcomes.
For processing that begins on or after January 1, 2026, businesses need to assess privacy risk before the processing starts. For older activities that were already underway before the rules took effect but continue into the future, companies are not off the hook. Those legacy systems and ongoing programs still need to be evaluated. This is why 2026 is likely to become the year of the privacy inventory spreadsheet, the internal questionnaire, and the meeting where marketing, legal, product, security, and procurement all suddenly realize they have been describing the same data flow in five different ways.
The practical takeaway is that California wants businesses to document why a risky data practice should continue, not just assume it can. If the benefits do not outweigh the privacy risks, the state expects changes. That is a much more disciplined standard than the old “we have always done it this way” tradition, which, to be fair, has powered many questionable dashboards.
Cybersecurity audits push privacy and security into the same room
Cybersecurity is also getting a more formal compliance structure. The new rules require certain businesses whose processing presents a significant risk to consumers’ security to complete annual cybersecurity audits. The deadlines are phased by revenue, with the first certifications due in 2028, 2029, and 2030 depending on the size of the business. That may sound far away, but 2026 is still the year to prepare because audits do not magically become painless just because the calendar is kind.
Smart businesses will use 2026 to decide whether they fall into the covered thresholds, identify the systems that matter most, select an audit methodology, and fix obvious gaps before an auditor writes them down in a document that may eventually attract regulatory attention. California is sending a message here too: if you handle large amounts of personal data or engage in high-risk processing, security cannot live as a vague promise under a website footer link.
ADMT compliance is the next big sprint
The automated decisionmaking technology rules are especially important because they connect privacy law to AI and algorithmic governance in a concrete way. Businesses that use ADMT to make significant decisions concerning a consumer will need to comply beginning January 1, 2027. Significant decisions include determinations involving financial or lending services, housing, education enrollment or opportunities, employment or compensation, and healthcare services.
So why watch this in 2026 if the main deadline hits in 2027? Because 2026 is the build year. Companies need time to identify which models or systems are covered, determine whether human review is meaningful or just decorative, draft pre-use notices, establish opt-out and access workflows, and negotiate with vendors that may suddenly become very interested in calling their tools “decision support” rather than “decision making.” California is not banning all automated tools, but it is demanding more visibility, more explanation, and more consumer control when those tools shape serious outcomes.
2. DROP turns data-broker privacy from theory into infrastructure
If one California development in 2026 feels especially headline-worthy, it is DROP. The Delete Request and Opt-out Platform went live on January 1, 2026, giving Californians a centralized way to direct registered data brokers to delete their personal information. That is a major shift because data broker regulation has historically suffered from a frustrating problem: most people do not know who the brokers are, what they have, or how many forms they would need to fill out to claw back control.
DROP is California’s answer to that mess. Instead of expecting consumers to chase down broker after broker like they are collecting trading cards from the surveillance economy, the state built a central system. Beginning August 1, 2026, registered data brokers must access DROP at least every 45 days, process the deletion requests they receive, and maintain suppression practices so the data does not simply boomerang back into circulation later.
This matters for at least three reasons. First, it makes privacy rights more usable for actual humans. Second, it imposes operational burdens on brokers that go beyond posting their name on a registry. Third, it increases the chance of visible enforcement because compliance will be easier for regulators to measure. When privacy rights are centralized, failures become easier to spot.
SB 361 raises the bar for data brokers even higher
California did not stop at launching DROP. SB 361, which took effect in 2026, adds new pressure on the data-broker ecosystem. Among other things, it requires a cleaner, more rights-oriented compliance posture, including a website page that explains how consumers can exercise privacy rights without using dark patterns. It also adds an audit cycle beginning in 2028 and reinforces the idea that data brokers are not just registry entries. They are businesses with continuing obligations, recurring reviews, and a shrinking ability to hide behind technicalities.
That is why 2026 should be seen as a transition year for the broker market. The old model rewarded opacity. The new one increasingly punishes it.
3. Enforcement is focusing on friction, sensitive data, and reality-based testing
If you want to understand where California privacy is headed in 2026, do not just read the statutes. Read the enforcement actions. They reveal the state’s current mood, and the mood is: make the rights work.
The Attorney General’s cases against streaming services made that point loudly. The 2025 Sling TV settlement focused on confusing opt-out mechanics, burdensome forms, and inadequate protections for children. Then in February 2026, Disney agreed to a $2.75 million settlement over allegations that it failed to fully effectuate consumers’ requests to opt out of the sale or sharing of personal information across devices and services tied to their accounts. That tells businesses something important: California does not want an opt-out that works only on Tuesdays, only in one app, or only if a consumer navigates three menus and a minor existential crisis.
The Healthline settlement was another signal flare. California alleged that online tracking on health-content pages exposed sensitive information and failed to honor required opt-outs. This is a warning to publishers, health-adjacent platforms, and marketers who still act as though article URLs and page titles are harmless when combined with third-party ad tech. In California’s view, context matters. A tracking event on a recipe page is one thing. A tracking event tied to content suggesting a serious medical condition is a very different animal.
Then there is the Attorney General’s 2026 surveillance pricing sweep. That initiative indicates the state is watching whether businesses use personal information in ways consumers do not reasonably expect, including individualized pricing. Even where a company thinks it is being clever, California may see a purpose-limitation problem or a disclosure problem. “Because the algorithm could do it” is not shaping up to be a winning defense strategy.
Data brokers are also firmly in the crosshairs. The CPPA launched a dedicated Data Broker Enforcement Strike Force and continued bringing cases against unregistered brokers. The January 2026 Datamasters action is especially memorable because it involved the resale of lists tied to sensitive health conditions and demographic traits. That case makes the policy concern plain: data brokerage is not just abstract data commerce. It can create concrete risks of manipulation, discrimination, fraud, and exploitation.
4. Browser-based opt-outs are coming next, so 2026 is the rehearsal year
Another development worth watching is the California Opt Me Out Act, AB 566. Signed in 2025 and effective January 1, 2027, it makes California the first state to require browsers to offer built-in opt-out preference signals. In plain English, that means the “please do not sell or share my data” signal is moving closer to becoming a standard feature rather than a privacy nerd Easter egg hidden in specialized tools.
For businesses, 2026 is the year to get ready. Companies should review whether their sites and apps reliably detect and honor opt-out preference signals, whether their consent-management tools interpret those signals correctly, and whether internal data-sharing logic actually matches the promise. The law’s significance goes beyond browser design. It continues California’s broader theme: privacy rights should be easy to exercise at scale, not buried inside a maze of toggles that feels like a game show nobody asked to play.
5. Health, location, and neural data remain high-priority categories
California’s privacy framework keeps moving toward special scrutiny for data that is especially intimate, revealing, or easy to weaponize. In 2026, two areas stand out: health-location data and neural data.
AB 45 tightens rules around health-related location information
AB 45, effective in 2026, adds restrictions involving personal information tied to the precise geolocation of family planning centers and related health contexts. The law makes it unlawful to collect, use, disclose, sell, share, or retain personal information about a person physically located at or within a precise geolocation of a family planning center, except in limited circumstances such as providing requested services. It also addresses geofencing and research records in ways designed to reduce misuse and out-of-state fishing expeditions for sensitive reproductive-health information.
This is a reminder that location data is never “just location data” when it reveals something deeply personal. A ping on a map can become a proxy for health status, beliefs, relationships, or vulnerability. California regulators clearly understand that, and businesses should assume consumers do too.
Neural data is no longer science fiction in the law
California already added neural data to the CCPA’s definition of sensitive personal information, and that move continues to matter in 2026 as neurotechnology, wearables, and biometric-adjacent tools mature. Even if most companies are not building brain-computer interfaces, the policy signal is clear: California intends to treat especially revealing human data as deserving heightened care early, not after a scandal. In 2026, privacy teams should review whether any products, research partnerships, or future-facing sensors could drift into this category. Waiting until a regulator says “surprise” is rarely the premium compliance strategy.
6. What smart companies will actually do in 2026
The businesses that handle California best this year will not be the ones with the longest privacy policies. They will be the ones that translate law into operations. That means mapping high-risk processing, reviewing vendor tools, stress-testing consumer rights workflows, tightening data-broker relationships, and making sure product, engineering, marketing, and legal teams are using the same definitions.
They will also stop treating California privacy as a siloed legal project. In 2026, privacy overlaps with AI governance, cybersecurity, consumer UX, procurement, ad tech, data architecture, and executive oversight. The biggest risk is not simply having a bad policy. It is having a policy that says one thing, a product that does another, and a vendor contract that says, essentially, “good luck.”
7. Experience from the field: what 2026 feels like in practice
Across privacy teams, a few common experiences are already defining 2026, and they help explain why this year feels so intense. First, many organizations are discovering that their hardest privacy problem is not a regulation. It is internal alignment. A legal team may believe the company only “uses analytics.” Product may call the same tool “personalization.” Marketing may call it “audience optimization.” Security may not know the tool exists until someone asks whether it touches sensitive personal information. California’s 2026 framework exposes those translation gaps fast.
Second, companies are learning that opt-out design is now a business process, not a footer exercise. Teams are testing whether a signal sent through one browser is honored across web, mobile, connected TV, customer accounts, and downstream ad systems. That sounds straightforward until someone realizes the consumer opted out on the website, but the app SDK kept firing, the customer-data platform still created a segment, and the ad partner never got the memo. Suddenly, privacy is not abstract. It is a debugging project with legal consequences.
Third, compliance leaders are spending more time with engineers than they did a few years ago. The ADMT rules, risk assessments, and DROP-related obligations all require technical facts, not polished adjectives. Regulators are increasingly interested in what a system does, what data feeds it, what outputs it creates, what appeal or alternative process exists, and whether the company can prove that control worked. “Trust us” is not much of a systems architecture.
Fourth, health and location data reviews are becoming sharper and less forgiving. Teams that once treated geolocation or page-level tracking as routine are now asking more skeptical questions. Does this signal reveal a medical condition, a clinic visit, a reproductive-health decision, or presence in a sensitive location? Could a third party infer something intimate from a title, URL, segment, or audience label? In 2026, experienced privacy teams are getting better at spotting these context clues before they become enforcement exhibits.
Finally, there is a broader cultural shift inside organizations. California privacy work in 2026 is pushing businesses away from checkbox compliance and toward evidence-based accountability. The most capable teams are documenting decisions, recording tradeoffs, updating inventories, and treating consumer rights as features that must work consistently. The least prepared teams are still hoping a layered notice and a cheerful button label will distract everyone from a messy backend. That hope is unlikely to age well.
Conclusion
California privacy developments in 2026 are not random updates floating in separate silos. They are part of a larger pattern. The state is building a privacy regime that is more operational, more technical, more consumer-usable, and more willing to test how data systems function in the wild. The final regulations are in force. DROP is changing data-broker expectations. Enforcement is targeting broken opt-outs, health-related tracking, and consumer surprises. Browser-level signals are on deck. Sensitive categories like health, location, and neural data are staying at the center of the conversation.
For businesses, the message is clear: 2026 is the year to prove privacy rights work beyond the policy page. California is no longer impressed by decorative compliance. It wants functioning controls, understandable notices, honest data maps, and systems that respect what consumers asked for. In other words, the Golden State is still gold-medal-level demanding. But at least now everyone can see the racecourse.
Note: This article is for informational purposes only and does not constitute legal advice.