We have previously covered the recent changes to the California Consumer Privacy Act (CCPA) regulations, and summarized the changes companies need to make to be 2026-ready under them and other state consumer privacy laws that have recently become or will soon become effective. In a recent guidance document, CalPrivacy highlights “seven things businesses should know and prepare for,” which are:

1. Risk Assessments: As of January 1, new potentially high-risk data practices (e.g., targeted advertising, sale of personal information and processing of sensitive personal information) will need to be assessed, applying very specific criteria, and documented prior to initiation of the activity. Businesses will have until the end of 2027 to assess ongoing activities, at which point annual reports and attestations of compliance will need to be filed with the agency (the first report, due April 1, 2028, will cover calendar years 2026 and 2027). The report and attestation must be made by a member of the executive management team with oversight responsibility for the assessments (e.g., a Chief Privacy Officer). Expect the agency to start asking to inspect assessments when investigating a business as early as next year. SPB has developed templates and guidance that track the California and Colorado regulatory requirements, which overlap in some ways but differ in others.
2. Opt-out Confirmation: Businesses must implement the means for consumers to confirm the status of their opt-out of selling/sharing – essentially a new consumer request right. This includes, but is not limited to, displaying on web sites that Global Privacy Control signals have been read and are being honored. Where technically possible (e.g., logged-in users), a single opt-out and confirmation thereof is required. Where it is not possible to do so, such as for cookie and non-cookie practices regarding consumers without online accounts, there will need to be methods to address the differing means, which should be as simplified and consolidated as possible (and well explained and easy to navigate).
3. Requests to Know: The one-year look-back limit on requests to know was previously changed to provide access to any personal information collected (which includes accessing) as of (or after) January 1, 2022. However, there was no obligation to explain that, and consumers had to specifically request it. Now, the right-to-know request process must make that clear and easy to request. This will be another consumer rights request process change that will be needed by year-end.
4. Requests to Correct: Existing regulations allowed, but did not mandate, a business to inform a consumer of the source of incorrect personal information. Under the revised regulations, it must do so, “or in the alternative, inform the source that the information provided is incorrect and must be corrected.” Yet another consumer rights request process that will need to be modified by January.
5. Maintaining Correct Data: Once a consumer has corrected her personal information, a business must ensure that it is not overridden by subsequently acquired information from third parties (e.g., data brokers or partners). This presents operational challenges and demonstrates the need for robust information governance systems and procedures.
6. Health Data Corrections: The regulatory requirement to allow a consumer to submit a statement contesting the accuracy of health-related information, to be made part of their record, has been expanded to permit the consumer to request that the fact that accuracy is contested follow the contested health-related data to downstream recipients. This is one of the more obscure changes, so its inclusion in the top seven is notable and reflects a particular interest in consumer rights generally, and in correction rights and sensitive personal information more particularly.
7. Sensitivity of Youth Data: In a little-noticed move in the last round of edits, the agency expanded the definition of “sensitive personal information” to include personal information of consumers under 16 years of age. This triggers new assessment and limitation-of-processing rights obligations. It is not clear whether a limitation request should override a prior opt-in to sale/share.

There is a lot more that will be required by the new CCPA regulations, and by other states’ consumer privacy laws, but this CalPrivacy alert tells us what the agency thinks is most important and will presumably be looking to enforce. Other obligations, such as those regarding automated decision-making and cybersecurity audits (including completion and maintenance of data inventories), phase in starting in 2027. For more information and assistance on evolving consumer privacy laws and regulations, contact the author or your SPB relationship lawyer.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.
