On September 23, 2025, the California Privacy Protection Agency announced that the state’s Office of Administrative Law approved regulations that update existing California Consumer Privacy Act (“CCPA”) regulations and introduce new regulations covering cybersecurity audits, risk assessments, and automated decision-making technology.  The updates to the existing regulations—which take effect on January 1, 2026—expand business obligations under the CCPA and give consumers more control over their personal information.  This blog post highlights key updates to the existing regulations. 

  • Mandatory Opt-Out Confirmation.  When a consumer requests to opt out of the sale or sharing of their personal information, including when the request is made through an opt-out preference signal, businesses will be required to provide confirmation that such a request has been processed.  For example, the updated regulations state that a business may display an “Opt-Out Request Honored” message on its website and indicate the processed opt-out request through a toggle or radio button in the consumer’s privacy settings.  Notably, providing opt-out confirmation is currently optional.
  • Enhanced Right to Know.  Currently, businesses are required to provide a method for consumers to submit a request to know.  Under the updated regulations, if a business maintains the personal information of a consumer for longer than 12 months, the method for submitting a request to know must allow the consumer to request access to personal information collected prior to the 12-month period preceding the consumer’s request, going back as far as January 1, 2022.  According to the updated regulations, this can be effectuated by providing the consumer an option to indicate a date range for which the consumer is making the request to know or by permitting the consumer to request all of the personal information that the business has collected about them.
  • Clarification on Privacy Policy Disclosures.  Whereas the existing regulations require a business to identify in its privacy policy the categories of personal information disclosed to “third parties” in the previous 12 months, the updated regulations clarify that a business must also identify the categories of personal information disclosed to a “service provider or contractor.”
  • Updated Definition of “Sensitive Personal Information.”  The updated regulations amend the definition of “sensitive personal information” to include any personal information belonging to consumers who a business has actual knowledge are less than 16 years old.
  • Expanded Notice of Right to Limit.  The updated regulations will require a business to provide to consumers a notice of their right to limit the business’s use or disclosure of sensitive personal information in the same manner in which it collects the information, subject to exceptions.  The updated regulations also provide examples of how a business can properly provide such a notice in the context of consumer interactions that occur via connected devices (e.g., smart televisions) and through augmented or virtual reality.
  • Additional Examples of Prohibited Dark Patterns.  The updated regulations provide examples of several practices that may constitute prohibited dark patterns, including:
    • requiring more steps to opt out of the sale or sharing of personal information than to opt in;
    • making a “yes” button more prominent than a “no” button (e.g., through sizing or color selection);
    • treating the act of closing or navigating away from a pop-up as a valid form of consumer consent without the consumer first affirmatively selecting “I accept” or an equivalent;
    • selecting by default, or featuring more prominently, the option to participate in a financial incentive program than the option not to; and
    • creating a false sense of urgency that pressures consumers into quickly making a decision about the scope of their consent.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Bryan Ramirez

Bryan Ramirez is an associate in the firm’s San Francisco office and is a member of the Data Privacy and Cybersecurity Practice Group. He advises clients on a range of regulatory and compliance issues, including compliance with state privacy laws. Bryan also maintains an active pro bono practice.