The California Consumer Privacy Act has undergone its most significant expansion since the CPRA amendments took effect in 2023. On January 1, 2026, a new wave of regulations from the California Privacy Protection Agency (CPPA) became enforceable, introducing requirements that reach into automated decision-making, data broker operations, consent mechanisms, and cybersecurity practices. These are not incremental tweaks. They represent a structural shift in what California expects from businesses that collect personal information online. If your website serves California consumers, these seven changes demand immediate attention.
1. Automated Decision-Making Technology Opt-Out Rights
The most consequential change in the 2026 regulations is the introduction of consumer opt-out rights for automated decision-making technology (ADMT). Under the new rules, any business that uses technology to process personal information and produce a decision that has a legal or similarly significant effect on a consumer must provide the ability to opt out of that processing.
This goes well beyond obvious examples like credit scoring or insurance underwriting. The CPPA’s final regulations define ADMT broadly enough to capture algorithmic pricing, content personalization that affects access to services, eligibility determinations, and behavioral profiling used to tailor offers or experiences. If your website uses machine learning models to determine what products a user sees, what price they are quoted, or whether they qualify for a service, you are likely operating automated decision-making technology under the new definition.
The practical requirements are substantial. Businesses must provide consumers with a clear description of the ADMT they use, including the logic involved and the intended output. They must offer a pre-decision opt-out mechanism accessible from the privacy policy or through a dedicated link. When a consumer opts out, the business must provide a human review alternative for any decision that produces legal or similarly significant effects. The notification must occur before the automated decision is made, not after.
For website owners, this means auditing every algorithmic process that touches consumer data. Recommendation engines, dynamic pricing systems, fraud detection tools, and eligibility algorithms all fall within scope. The opt-out mechanism must be functional, not merely a form that disappears into an unmonitored inbox.
2. Expanded Definition of Sensitive Personal Information
The CPRA already established a category of “sensitive personal information” with elevated protections. The 2026 regulations expand what falls within this category and tighten the obligations attached to it.
The expanded definition now explicitly includes neural data, encompassing information generated by brain-computer interfaces, neurotechnology devices, and similar technologies that measure or record electrical, chemical, or other signals from the brain or nervous system. While this may seem forward-looking, California’s proactive approach reflects the rapid growth of consumer neurotechnology products and the state’s intent to regulate before widespread harm occurs.
More immediately relevant for most website operators, the regulations clarify that precise geolocation data collected through mobile applications or browser-based location services constitutes sensitive personal information even when it is collected for ostensibly routine purposes like local search results. Any website that requests or passively collects location data beyond what is strictly necessary for the requested service must now provide a “Limit the Use of My Sensitive Personal Information” link and honor consumer requests to restrict processing to service-necessary purposes only.
The practical impact is that businesses need to review every point at which they collect data that could qualify as sensitive under the expanded definition. Privacy policies must be updated to disclose the specific categories of sensitive information collected, the purposes for collection, and the consumer’s right to limit use.
3. New Data Broker Registration Requirements
The 2026 amendments introduce stricter obligations for data brokers, defined as businesses that knowingly collect and sell or license the personal information of consumers with whom they do not have a direct relationship. While many website operators do not consider themselves data brokers, the line is thinner than it appears.
Under the new rules, any business that meets the data broker definition must register with the CPPA and pay an annual registration fee. But the more impactful change is the deletion mechanism. Data brokers must now participate in an accessible, centralized mechanism through which consumers can submit a single opt-out request that applies across all registered brokers. The CPPA has been developing this centralized system, and data brokers are required to integrate with it.
For website owners who share or sell consumer data to third parties, the key question is whether those third parties qualify as data brokers. If they do, your privacy policy must disclose that personal information may be transferred to registered data brokers and must explain the consumer’s right to opt out of such transfers. If your business itself collects data from third-party sources or through tracking technologies deployed across sites you do not own, you may need to evaluate whether you meet the data broker threshold.
4. Enhanced Opt-Out Mechanisms
The 2026 regulations significantly strengthen the requirements for how businesses implement opt-out mechanisms for the sale and sharing of personal information.
The most notable addition is the requirement to honor Global Privacy Control (GPC) signals. GPC is a browser-level signal that communicates a consumer’s opt-out preference automatically to every website they visit. While the CPPA had previously indicated that businesses should honor GPC signals, the 2026 regulations make this an explicit legal obligation. Any website that detects a GPC signal from a California consumer must treat it as a valid opt-out request for the sale and sharing of personal information, with no additional action required from the consumer.
Beyond GPC, the regulations require that opt-out links be accessible from every page where personal information is collected, not just from the homepage or privacy policy page. The “Do Not Sell or Share My Personal Information” link must be clearly visible, use the exact statutory language or an approved alternative, and function without requiring the consumer to create an account or provide additional personal information to exercise the opt-out.
Businesses that use consent management platforms or cookie banners must ensure that these tools are configured to detect and honor GPC signals. A cookie banner that asks the consumer to manually opt out despite a GPC signal being present is non-compliant under the 2026 regulations.
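Honoring GPC in practice comes down to two checks: the `Sec-GPC: 1` request header on the server and the `navigator.globalPrivacyControl` flag in the browser, both defined by the GPC specification. The following is an added example, not code from the original article or from any consent management platform; the `resolveSaleShareConsent` and `shouldShowOptOutPrompt` helpers and their `defaultPermitted` option are hypothetical names chosen for illustration, and the request headers used at the bottom are constructed sample input.

```javascript
// Added example: evaluating the Global Privacy Control signal so that it is
// treated as a completed opt-out, with no extra action demanded of the user.

// Server side. `headers` is a plain object with lower-cased names, as Node's
// http module exposes them. The GPC spec defines "Sec-GPC: 1" as the only
// opt-out value; any other value (or absence) is not a signal.
function gpcOptOutRequested(headers) {
  const value = headers && headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// Combine the GPC signal with any choice already stored for this consumer.
// GPC wins over a stored opt-in, because the regulations treat the signal as a
// valid opt-out request on its own. `defaultPermitted` (hypothetical option)
// models the opt-out regime for adults; set it to false for an opt-in regime
// such as users known to be under 16.
function resolveSaleShareConsent(headers, storedChoice, { defaultPermitted = true } = {}) {
  if (gpcOptOutRequested(headers)) return { permitted: false, source: 'gpc' };
  if (storedChoice === 'opt-out') return { permitted: false, source: 'stored' };
  if (storedChoice === 'opt-in') return { permitted: true, source: 'stored' };
  return { permitted: defaultPermitted, source: 'default' };
}

// Client side. A banner must not ask a GPC user to opt out manually, so the
// sale/share prompt is suppressed when the flag is set. `nav` is passed in
// (normally `navigator`) so the logic can also run outside a browser.
function shouldShowOptOutPrompt(nav) {
  return !(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests (not captured traffic) for a stand-alone run.
const gpcRequest = { 'sec-gpc': '1', 'user-agent': 'ExampleBrowser/1.0' };
const plainRequest = { 'user-agent': 'ExampleBrowser/1.0' };
console.log(resolveSaleShareConsent(gpcRequest, 'opt-in'));   // GPC overrides stored opt-in
console.log(resolveSaleShareConsent(plainRequest, undefined)); // falls back to default regime
console.log(shouldShowOptOutPrompt({ globalPrivacyControl: true })); // no manual prompt
```

Logging the `source` field alongside the decision gives the audit trail a regulator would ask for when checking that GPC signals were actually honored.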
5. Stricter Consent for Minors Under 16
The CCPA has always imposed heightened protections for minors. Under the original law, businesses could not sell or share the personal information of consumers under 16 without affirmative consent: from the consumer themselves if they are between 13 and 16, or from a parent or guardian if they are under 13. The 2026 regulations expand these protections in several meaningful ways.
First, the penalty for violations involving minors’ data has increased. Intentional violations involving children’s personal information now carry fines of up to $7,500 per incident, and the CPPA has signaled aggressive enforcement in this area.
Second, the affirmative consent requirement now extends beyond sale and sharing to cover the use of minors’ personal information for behavioral advertising, profiling, and automated decision-making. A website that knows or should reasonably know that a user is under 16 cannot deploy behavioral advertising or profiling technologies against that user without obtaining verifiable consent through an age-appropriate mechanism.
Third, the regulations establish specific standards for what constitutes valid consent from minors. Pre-checked boxes, buried disclosures within lengthy terms of service, or consent bundled with other permissions are explicitly invalid. The consent mechanism must be prominent, clearly worded in language appropriate for the minor’s age, and must specifically describe the data practices to which the minor is consenting.
Website owners who operate platforms used by minors, including e-commerce sites, educational technology, social media, gaming, and content platforms, should review their age verification and consent collection practices immediately. The CPPA has indicated that enforcement actions targeting businesses that fail to properly protect minors’ data are a priority for 2026.
6. Cybersecurity Audit Requirements for High-Risk Processors
The 2026 regulations introduce mandatory cybersecurity audits for businesses whose data processing activities present significant risk to consumer privacy or security. This requirement applies to businesses that process personal information of a substantial number of consumers, that process sensitive personal information at scale, or whose processing activities present a heightened risk of harm.
The audit must be conducted annually by a qualified, independent assessor. It must evaluate the business’s administrative, technical, and physical safeguards, including access controls, encryption practices, incident response procedures, employee training, and vendor security management. The audit report must be submitted to the CPPA upon request and must include findings, identified deficiencies, and remediation timelines.
For website owners, the threshold question is whether your processing activities trigger the cybersecurity audit requirement. If your website collects sensitive personal information from a large number of California consumers, uses automated decision-making technology, or has experienced a data breach in the preceding 24 months, you likely fall within scope. Even if you are not immediately subject to the audit requirement, implementing the audit framework proactively demonstrates good faith compliance and reduces enforcement risk.
The audit requirement aligns California more closely with the security assessment obligations found in the EU’s GDPR (Article 32) and the growing number of US state privacy laws that mandate risk-based security reviews.
7. Risk Assessments for AI-Driven Profiling
The final major change in the 2026 regulations is the introduction of mandatory risk assessments for businesses that engage in profiling activities, particularly those powered by artificial intelligence.
A risk assessment must be conducted before a business begins any processing activity that involves profiling consumers for behavioral advertising, evaluating consumers for eligibility determinations, or using AI systems that produce outputs with legal or similarly significant effects. The assessment must weigh the benefits of the processing against the potential risks to consumer privacy, including risks of discrimination, inaccurate profiling, and unauthorized secondary use of the profile data.
The risk assessment must be documented, must be updated when processing activities change materially, and must be submitted to the CPPA upon request. The documentation requirements are specific: the assessment must identify the categories of personal information processed, the profiling methodology, the purposes, the potential negative outcomes for consumers, and the safeguards implemented to mitigate those risks.
For website owners using AI-driven tools, this requirement has broad implications. If your website employs any form of algorithmic profiling that uses personal information, from product recommendation engines to credit pre-qualification tools to targeted advertising algorithms, you must now conduct and document a risk assessment before deploying that technology against California consumers.
The risk assessment requirement is not a one-time exercise. As your AI systems evolve, as training data changes, and as the outputs of your profiling activities shift, the risk assessment must be revisited and updated. Businesses that deploy AI tools from third-party vendors are not exempt; you must assess the risk of the processing activity regardless of whether you built the technology or purchased it.
What Website Owners Should Do Now
The January 2026 effective date means these requirements are already enforceable. The CPPA has a 12-month ramp-up period for some audit and assessment obligations, but the core consumer-facing requirements, including ADMT opt-outs, GPC signal compliance, enhanced minor consent, and updated privacy policy disclosures, are in effect immediately.
Here is a practical action plan:
Audit your automated systems. Identify every algorithmic or AI-driven process on your website that uses personal information to produce decisions, recommendations, or eligibility determinations. Map these against the ADMT opt-out requirements.
Update your privacy policy. Your policy must now disclose ADMT use, expanded sensitive personal information categories, data broker relationships, and the consumer’s right to opt out of automated decisions. Ensure the policy reflects the 2026 regulatory language, not just the pre-2026 CCPA text.
Implement GPC signal detection. If your website does not already detect and honor Global Privacy Control signals, this is an immediate compliance gap. Most consent management platforms offer GPC detection as a configuration option.
Review minor consent workflows. If your website serves users under 16 or collects data from minors, verify that your consent mechanisms meet the new specificity and prominence requirements.
Schedule a cybersecurity audit. If your processing activities fall within the high-risk threshold, begin the process of engaging an independent assessor now. Audit slots fill quickly, and the CPPA has indicated that failure to conduct a required audit is itself an enforceable violation.
Conduct AI risk assessments. For every profiling or AI-driven processing activity, complete a documented risk assessment that meets the CPPA’s specifications. Keep these assessments current and accessible for regulatory review.
Conclusion
The 2026 CCPA regulations mark California’s transition from a disclosure-focused privacy law to a comprehensive regulatory framework that governs the full lifecycle of personal information processing. Automated decision-making, AI profiling, cybersecurity, data brokerage, and minor consent are no longer peripheral concerns. They are core compliance obligations with teeth.
The businesses that will navigate this landscape successfully are those that treat the 2026 changes not as a checkbox exercise but as an operational transformation. Privacy is now embedded in how your website collects data, how your algorithms process it, and how your security infrastructure protects it.
If your website needs an updated privacy policy that addresses the 2026 CCPA requirements, WebLegal generates jurisdiction-aware legal documents starting from 14,90 €. The process takes under 10 minutes and produces a policy tailored to your specific data practices, including the new automated decision-making and sensitive personal information disclosures that California now requires.