
California has once again expanded its already-complex privacy and technology regulatory landscape. During the most recent legislative session, lawmakers and the California Privacy Protection Agency (CalPrivacy) advanced a wide range of new requirements touching social media, online platforms, data brokers, artificial intelligence, and youth protections. Many of these new obligations carry extended compliance timelines, but taken together, they signal a clear trend: California expects businesses to build robust, forward-looking privacy and safety programs now. A high-level overview of some of the major developments in California law is below.

Social Media & Youth Protection Laws

Social Media Warning Law (AB 56)

Beginning January 1, 2027, platforms used by minors must display a Surgeon General–style warning about potential mental health harms from social media use. The warning must appear daily, re-appear after three hours of cumulative active use, and then reappear hourly thereafter.

Digital Age Assurance Act (AB 1043)

The Digital Age Assurance Act takes effect January 1, 2027, and requires operating systems to collect age-range information at account creation and transmit an age signal to apps (under 13, 13–16, 16–18, or 18+). Users with existing accounts must be able to update their accounts to indicate an age bracket by July 1, 2027. App developers that receive the age signal will be deemed to have actual knowledge of a user’s age bracket.

Location Tracking Restrictions Near Reproductive Health Facilities (AB 45)

California updated and expanded existing restrictions on collecting, using, and disclosing data about individuals located in and around reproductive health clinics. The updated law now prohibits geofencing a health care business for the purpose of tracking a person seeking, receiving, or providing health care services or collecting personal information from such a person. It also protects research records related to individuals seeking or obtaining health care services from being disclosed in response to certain subpoenas. The law maintains the private right of action of individuals or entities aggrieved by a violation of the law to obtain three times their actual damages and adds a civil penalty of $25,000 for each violation of the prohibition on geofencing, which may be recovered by the Attorney General.

Consumer Choice, Platform Controls & Data Rights

California Opt Me Out Act (AB 566)

Effective January 1, 2027, browsers must support universal opt-out preference signals, reinforcing the role of automated privacy controls. The browser developer must also publicly disclose to consumers how the opt-out preference signal works and its intended effect.

Account Deletion Requirements for Large Platforms (AB 656)

Social media platforms generating more than $100 million in annual revenue must now provide a clear and conspicuous button that allows users to delete their accounts and that explains the necessary steps to delete their accounts and personal information.

Data Broker Transparency Amendments (SB 361)

California data brokers now face expanded requirements to disclose to CalPrivacy the categories of data they collect and share. SB 361 also modifies the existing “one-click” deletion mechanism to require processing of deletion requests that cannot be verified as requests to opt out of the sale or sharing of the requestor’s personal information within 45 days.

Delete Act Implementation (DROP System)

Under the Delete Act, data brokers have an obligation to register annually with CalPrivacy. California has now finalized regulations implementing the Delete Act. Beginning in 2026, data brokers must not only register with CalPrivacy, but also comply with the Delete Act’s accessible deletion mechanism requirements using CalPrivacy’s Delete Request and Opt-out Platform (DROP). DROP launches January 1, 2026, and data brokers must check DROP at least every 45 days starting August 1, 2026.

Artificial Intelligence Transparency & Safety

California amended the AI Transparency Act, passed the Transparency in Frontier Artificial Intelligence Act (TFAIA), and expanded safety requirements for “companion chatbot” platforms. For more information regarding these bills, please see our recent post From Colorado to Texas: How States Are Rewriting AI Laws.

CalPrivacy Regulations: Audits, Risk Assessments & ADMT

CalPrivacy finalized rules governing cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT). The new regulations take effect January 1, 2026.

  • The ADMT rules are incorporated both through modifications to the CCPA regulations and in new regulations. The new regulations, in part, require a “Pre-use Notice” to inform consumers about the business’s use of ADMT and consumers’ rights to opt out.
  • Large businesses must complete the first cybersecurity audit by April 1, 2028, while small and medium-sized businesses have extended deadlines through April 1, 2029 or April 1, 2030, depending on size. Additionally, a representative of the business must submit an attestation under penalty of perjury to CalPrivacy regarding the cybersecurity audit. The rules set out specific assessment metrics, including for authentication, encryption, account management and access controls, inventory and management of personal information, hardware and software configuration, vulnerability scans and penetration testing, audit-log management, network monitoring, antivirus protection, segmentation of information systems, cybersecurity awareness and training, incident response, retention and destruction schedules, and vendor oversight. Of significance is a requirement that the auditor certifies it conducted an independent review and did not rely primarily on information provided by a business’s management.
  • A business must conduct a risk assessment before selling or sharing personal information, processing sensitive personal information, or using ADMT or automated processing for certain purposes. A risk assessment must be reviewed and updated whenever there is a material change and no less than once every three years. A representative of the business must submit an attestation under penalty of perjury to CalPrivacy summarizing the risk assessments conducted in the prior year. Reporting on the first two years of risk assessments can be submitted jointly to CalPrivacy by April 1, 2028 and thereafter must be submitted yearly by the following April 1.

What Businesses Should Do Now

At first glance, the effective dates for these new California laws in 2026 and 2027 may appear distant, but compliance with many of these requirements, particularly those involving technical builds, data architecture, AI protocols, and youth-protection signaling, will take substantial time. Companies should consider beginning to take steps now to:

  • map systems affected by new disclosures, signals, and warnings;
  • prepare for CalPrivacy-mandated risk assessments and audits;
  • assess whether products or services fall within new AI-related obligations;
  • update vendor, platform, and broker relationships for DROP and data rights changes; and
  • build internal governance frameworks that can scale with California’s evolving regulations.

Miller Nash’s Privacy & Data Security team will continue monitoring developments and advising clients on how to prepare for the next phase of California’s privacy and AI regulatory environment. If you would like assistance evaluating how these new laws may apply to your organization, we are here to help.

This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
