California has always been the United States' regulatory bellwether. What Sacramento mandates today, the rest of America debates tomorrow. And as of January 2026, the California Consumer Privacy Act — as substantially amended by the California Privacy Rights Act and the September 2025 regulatory package finalised by the California Privacy Protection Agency — has entered its most demanding phase yet.

For organisations operating in California, or processing the personal information of California residents anywhere in the world, the compliance landscape has shifted materially. This article sets out what has changed, what enforcement is already telling us about priorities, and what boards and general counsel need to do now.

What changed on 1 January 2026

The September 2025 regulatory package, adopted by the CPPA and effective 1 January 2026, introduces three primary new obligations that materially expand compliance requirements beyond the baseline CCPA/CPRA framework.

Mandatory risk assessments for automated decision-making

Businesses that use automated decision-making technology — defined to include AI and machine learning systems that make or materially influence significant decisions about consumers — must now conduct formal risk assessments before deploying those systems. The obligation applies to decisions in consequential domains: credit and insurance underwriting, employment screening, healthcare eligibility, education enrolment, and housing access.

The risk assessment must document how the system works, what data categories it uses, what the potential impacts on consumers are, and what mitigation measures are in place. Critically, the assessment must be completed before deployment — not retrofitted after a system is already in use. For organisations that have been deploying AI in hiring, credit decisioning, or customer triage without this infrastructure, the retroactive compliance burden is significant.

Businesses engaging in automated decision-making must also provide consumers with a clear pre-use notice and, in most cases, the right to opt out of purely automated decisions that significantly affect them. The opt-out must be genuinely functional — not a buried settings page that consumers cannot realistically find.

Mandatory cybersecurity audits

Certain categories of businesses must now conduct annual cybersecurity audits and submit summary reports to the CPPA. The audit obligation applies to businesses that process personal information of one million or more consumers or households annually, and to data brokers. The audit must be conducted by a qualified independent auditor and cover the organisation's data security practices, incident response procedures, and technical safeguards.

This is a significant new obligation for larger organisations. It creates a documented compliance record that the CPPA can request in the context of an investigation — and, as enforcement actions in early 2026 have demonstrated, regulators are actively requesting documentation rather than simply relying on self-certification.

Extended data access rights

As of 2026, consumers exercising their right to know can request access to personal information going back to 1 January 2022, to the extent the organisation retains it. The lookback period will continue extending annually until it reaches the organisation's maximum retention period. Organisations that have been responding to access requests with 12-month lookbacks need to update their data subject request workflows immediately.

What enforcement is already telling us

The early 2026 enforcement actions are instructive about where the CPPA and California Attorney General are focusing their attention.

In February 2026, the California Attorney General announced a $2.75 million settlement with Disney and ABC — the largest CCPA settlement to date — arising from failures in opt-out mechanisms across streaming services. The core issue was that Disney's opt-out controls were siloed by service and device: a consumer who opted out on one Disney platform was not opted out across the others. The CPPA's position is clear that opt-out mechanisms must function comprehensively and symmetrically across all channels through which data is collected and used for advertising purposes.

In March 2026, the CPPA announced enforcement actions against Ford and PlayOn Sports, totalling nearly $1.5 million in penalties. The PlayOn Sports action is particularly notable as the first CPPA decision involving privacy violations affecting students and California schools — signalling that the youth data protections introduced by the 2026 amendments will be actively enforced.

The pattern across these enforcement actions is consistent: regulators are testing opt-out mechanisms technically, not just reviewing privacy policies. Businesses should assume that future investigations will include technical audits of whether consent and opt-out controls actually work as described — not just whether the privacy policy says they do.

California regulators are testing opt-out mechanisms technically. The question is no longer whether your privacy policy is accurate. It is whether your systems do what your policy says.

The youth data expansion

One of the most significant substantive changes in the 2026 amendments is the reclassification of all personal information of consumers under 16 as sensitive personal information. This dramatically expands the protections that apply to this data category and restricts the purposes for which it can be used without triggering the right to limit.

For businesses that process data of consumers who may be minors — which includes virtually any consumer-facing digital service — the practical implication is a need to assess whether current data practices are permissible for under-16 data even where age has not been formally verified. The CPPA has made clear that age verification gaps are not a defence to processing minor data for prohibited purposes.

The opt-out confirmation requirement

From 2026, businesses must provide visible confirmation to consumers when an opt-out request has been honoured. Silent processing — receiving an opt-out signal and acting on it without notifying the consumer — no longer suffices. Businesses must display visible confirmation: a toggle state, a badge, a status message. This requirement applies equally to opt-out preference signals transmitted via browser (Global Privacy Control) as to explicit consumer requests.

GPC compliance has become a specific enforcement focus. Businesses that detect a GPC signal but do not treat it as a valid opt-out request, or that set tracking cookies before confirming the signal has been processed, are in violation of the regulations as currently interpreted by the CPPA.
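The two GPC failure modes named above (ignoring the signal, and setting tracking cookies before the signal has been processed) come down to request-handling order. The following is an added example, not code from the article or from any regulator's guidance: it honours a Global Privacy Control signal as an opt-out, decides the opt-out state before any cookie is emitted, and produces the visible confirmation state the regulations call for. The `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property are defined by the GPC specification; the function names, the request object shape, and the cookie names are assumptions made for illustration.

```javascript
// Added example (not from the article): honouring a GPC signal as an opt-out,
// gating tracking cookies on that decision, and returning a visible
// confirmation state. Function names, request shape and cookie names are
// assumptions for illustration only.

// Returns true when the request carries a valid Global Privacy Control signal.
// Server side the signal is the "Sec-GPC: 1" header; client side it is
// navigator.globalPrivacyControl === true. Any other value is not a signal.
function hasGpcSignal({ headers = {}, navigatorLike = {} } = {}) {
  const header = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  if (header && String(header[1]).trim() === "1") return true;
  return navigatorLike.globalPrivacyControl === true;
}

// Resolves the consumer's effective opt-out state. A GPC signal is treated
// exactly like an explicit "Do Not Sell or Share" request. The source is kept
// so the confirmation message can say how the opt-out was received.
function resolveOptOut({ headers, navigatorLike, explicitRequest = false, storedOptOut = false } = {}) {
  if (explicitRequest) return { optedOut: true, source: "explicit-request" };
  if (hasGpcSignal({ headers, navigatorLike })) return { optedOut: true, source: "gpc" };
  if (storedOptOut) return { optedOut: true, source: "stored-preference" };
  return { optedOut: false, source: "none" };
}

// Builds Set-Cookie values for the response. The advertising cookie is only
// emitted after the opt-out decision has been made and is negative; a strictly
// necessary session cookie is allowed either way. Decide first, then set cookies.
function cookiesForResponse(optOut, { sessionId, adId } = {}) {
  const out = [];
  if (sessionId) out.push(`session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`);
  if (!optOut.optedOut && adId) out.push(`ad_id=${adId}; Path=/; Secure; SameSite=Lax`);
  // Persist the opt-out itself so the choice is applied on later requests too.
  if (optOut.optedOut) out.push("opt_out=1; Path=/; Secure; SameSite=Lax; Max-Age=31536000");
  return out;
}

// The visible confirmation: a toggle state plus a status message, rendered
// whether the opt-out arrived via GPC, an explicit click, or a saved preference.
function confirmationState(optOut) {
  const labels = {
    "gpc": "Opted out of sale/sharing (browser Global Privacy Control signal honoured)",
    "explicit-request": "Opted out of sale/sharing (your request has been processed)",
    "stored-preference": "Opted out of sale/sharing (saved preference)",
    "none": "Sale/sharing of your personal information is allowed",
  };
  return { toggleChecked: optOut.optedOut, message: labels[optOut.source] };
}

// Ties the steps together in the required order: decide, then cookies, then UI.
function handleRequest(req = {}) {
  const optOut = resolveOptOut(req);
  return {
    optOut,
    setCookie: cookiesForResponse(optOut, req.cookiesWanted),
    ui: confirmationState(optOut),
  };
}

// Constructed sample request: a browser sending Sec-GPC: 1 on a page that
// would otherwise set both a session cookie and an advertising cookie.
const sampleResult = handleRequest({
  headers: { "Sec-GPC": "1" },
  cookiesWanted: { sessionId: "s-demo-123", adId: "ad-demo-456" },
});
console.log(JSON.stringify(sampleResult, null, 2));
```

The useful property to audit for, and the one the example enforces, is that `cookiesForResponse` is never called with an undecided opt-out state: the advertising cookie cannot be emitted on the same response that is still working out whether the signal applies.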

What organisations need to do now

The compliance implications of the 2026 CCPA changes are operational, not just legal. The following actions should be treated as current priorities, not future projects.

Map all automated decision-making systems against the CPPA's definition of ADMT and identify which deployments require pre-use notices, opt-out mechanisms, and formal risk assessments. This exercise should include AI systems procured from third-party vendors — the obligation runs to deployers, not just developers.

Audit opt-out mechanisms technically. Commission a technical review of consent and opt-out controls across all channels and platforms to confirm that they function as described in the privacy policy, that they respond correctly to GPC signals, and that opt-out status is applied consistently across services.

Update data subject request workflows to extend the lookback period to January 2022 and confirm that request response processes can retrieve and compile personal information across historical data stores within the 45-day response timeline.

Review vendor contracts for ADMT-specific provisions — notification of changes to automated systems, audit rights, compliance certifications, and data processing restrictions. Existing contracts predating the 2026 amendments are unlikely to contain these provisions.

Initiate cybersecurity audit planning if the business processes personal information of one million or more consumers annually. Identify a qualified auditor, define the audit scope, and establish a cadence that allows the first audit to be completed and documented before the CPPA requests it in the context of an investigation.

The CCPA has matured from a disclosure and consent framework into a substantive accountability regime. The 2026 amendments mark the point at which California's privacy law begins to look, in its expectations and its enforcement mechanisms, more like the EU's GDPR than the lighter-touch American regulatory model. For organisations operating across both jurisdictions, the convergence is both a compliance challenge and an opportunity to build governance infrastructure that works in both directions.