7 Critical CCPA Updates You Must Prepare for Before January 1st

California continues to lead the nation in consumer privacy protection. With the California Privacy Protection Agency (CPPA) finalizing a major package of updated and new regulations under the California Consumer Privacy Act (CCPA), significant changes take effect on January 1, 2026. If you need assistance implementing these required changes so your website and apps are CCPA compliant, reach out to our team right away: we will stand up our software and get you in compliance before the deadline.

Privacy Requirements for CCPA by January

These updates strengthen consumer rights, impose new documentation and assessment obligations on businesses, and introduce stricter rules around data handling, opt-outs, corrections, and sensitive information — especially for minors.

If your business collects personal information from California residents, now is the time to audit your practices. Ignoring these changes could lead to enforcement actions, fines, and damage.

Here are the seven key things every business needs to know and act on before 2026.

1. Mandatory Risk Assessments for High-Risk Data Processing

Starting January 1, 2026, businesses must conduct and document thorough risk assessments before engaging in activities that pose a “significant risk” to consumers’ privacy.

  • Selling or sharing personal information
  • Processing sensitive personal information (e.g., precise geolocation, health data, biometric information)
  • Using automated decision-making technology (ADMT) in ways that significantly affect consumers

Assessments must detail the business purpose, types of data involved, potential negative impacts (like discrimination or privacy intrusions), benefits, and safeguards to mitigate risks.

Action item: Map your data flows now and build a risk assessment template. These documents must be retained and may be requested by the CPPA or Attorney General at any time.

2. Confirm Opt-Out Status for Sale/Sharing Requests (Including GPC Signals)

Consumers already have the right to opt out of the sale or sharing of their personal information — including via automated signals like Global Privacy Control (GPC).

New in 2026: Businesses must provide an easy way for consumers to confirm that their opt-out is being honored.

  • A clear message like “Opt-Out Request Honored” on your website
  • Toggle switches or radio buttons in privacy settings showing the opt-out is active

Action item: Update your privacy dashboard and cookie consent tools. Test that GPC signals are detected and respected, and display confirmation prominently.
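The following is an added example, not code from the original article or from Captain Compliance's product, showing one way to detect a GPC opt-out server-side, combine it with an opt-out made through your own settings, and produce the "Opt-Out Request Honored" confirmation described above. The request header name Sec-GPC (value "1") and the browser property navigator.globalPrivacyControl come from the GPC specification; the cookie name optout_sale_share and the request shapes below are hypothetical and constructed for the example.

```javascript
// Added example (not the article's or Captain Compliance's code).
// Per the GPC spec, the signal arrives as the HTTP header "Sec-GPC: 1" and,
// in the browser, as navigator.globalPrivacyControl === true.
// The cookie name below is a hypothetical stand-in for your own opt-out store.
const OPT_OUT_COOKIE = "optout_sale_share";

// Parse a Cookie header into a name -> value map; tolerant of odd input.
function parseCookies(cookieHeader) {
  const jar = {};
  if (!cookieHeader) return jar;
  for (const part of String(cookieHeader).split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { jar[name] = decodeURIComponent(raw); } catch { jar[name] = raw; }
  }
  return jar;
}

// Case-insensitive header lookup (header objects differ between frameworks).
function getHeader(headers, name) {
  const want = name.toLowerCase();
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === want);
  return key === undefined ? undefined : headers[key];
}

// Decide whether this request is opted out of sale/sharing and why.
// A GPC signal is honored even if a site-specific setting says otherwise,
// so it is checked first. Only the exact value "1" counts as a signal;
// "0", "true" or garbage must be ignored rather than guessed at.
function optOutStatus(headers) {
  const gpc = getHeader(headers, "sec-gpc");
  if (gpc !== undefined && String(gpc).trim() === "1") {
    return { optedOut: true, source: "gpc" };
  }
  const cookies = parseCookies(getHeader(headers, "cookie"));
  if (cookies[OPT_OUT_COOKIE] === "1") {
    return { optedOut: true, source: "cookie" };
  }
  return { optedOut: false, source: "none" };
}

// What the privacy dashboard shows and whether sale/share tags may fire.
function renderOptOutConfirmation(headers) {
  const status = optOutStatus(headers);
  return status.optedOut
    ? { message: "Opt-Out Request Honored", toggleChecked: true,
        allowSaleShareTags: false, detectedVia: status.source }
    : { message: "You have not opted out of sale or sharing", toggleChecked: false,
        allowSaleShareTags: true, detectedVia: "none" };
}

// Browser-side equivalent: pass `navigator` in; returns true only for the
// spec-defined boolean so a tampered or undefined value is not treated as opt-out.
function browserOptedOut(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Constructed sample requests (not captured traffic) exercising each path.
const sampleRequests = {
  gpcBrowser:   { "Sec-GPC": "1", "Cookie": "session=abc" },
  dashboardOpt: { "cookie": "session=abc; optout_sale_share=1" },
  bogusSignal:  { "sec-gpc": "true" },
  noSignal:     { "Cookie": "session=abc" },
};

for (const [label, headers] of Object.entries(sampleRequests)) {
  console.log(label, renderOptOutConfirmation(headers));
}
```

When testing, load your site with a GPC-enabled browser or a request tool that adds the Sec-GPC header, and confirm both that the page displays the honored message and that no sale/share tags fire on that page load; the confirmation is only meaningful if the suppression behind it is real.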

3. Expanded “Right to Know” — Access Data Back to January 1, 2022

Previously, requests to know (access requests) were generally limited to the 12 months preceding the request.

Now, if your business retains personal information longer than 12 months, consumers can request all their data going back as far as January 1, 2022.

Your request submission method must allow consumers to specify older date ranges or request everything.

Action item: Review data retention policies and ensure your request portal supports historical lookups.

4. Stronger “Right to Correct” — Keep Data Accurate and Notify Sources

Consumers can already request corrections to inaccurate personal information.

2026 brings tougher obligations:

  • Corrected data must stay corrected — even if you later receive outdated info from data brokers or third parties
  • If a correction request is denied for health-related information, consumers can submit a 250-word statement contesting it, which you must share with anyone who received the disputed data
  • You must disclose the source of inaccurate information or notify that source to correct it

Action item: Implement processes to flag corrected records, suppress overrides from brokers, and track sources of incoming data.
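As an added example, not code from the original article or from Captain Compliance's product, here is one way to model the three obligations above in a record store: a consumer correction locks the field, later third-party feeds cannot overwrite a locked field (and each suppressed write is returned so it can be logged and the source notified), and every value carries its source so "where did this inaccurate value come from?" can be answered. The record shape, field names, broker names and dates are hypothetical and constructed for the example.

```javascript
// Added example (not the article's or Captain Compliance's code).
// Record shape (hypothetical):
//   { fields: {name: value}, provenance: {name: {source, at}}, locked: [name] }

// Deep copy via JSON so callers' records are never mutated in place;
// fine here because records hold only plain strings and objects.
function cloneRecord(record) {
  return JSON.parse(JSON.stringify(record));
}

// Apply a consumer correction: set the value, record the source, and lock
// the field so later broker or third-party data cannot override it.
function applyCorrection(record, field, value, when) {
  const out = cloneRecord(record);
  out.fields[field] = value;
  out.provenance[field] = { source: "consumer-correction", at: when };
  out.locked = Array.from(new Set([...(out.locked || []), field]));
  return out;
}

// Apply an incoming broker/third-party update. Locked fields keep the
// corrected value; each suppressed write is returned with the source that
// sent it, which is exactly what a "notify the source" workflow needs.
function applyThirdPartyUpdate(record, update, source, when) {
  const out = cloneRecord(record);
  const locked = new Set(out.locked || []);
  const suppressed = [];
  for (const [field, value] of Object.entries(update)) {
    if (locked.has(field)) {
      suppressed.push({ field, source, rejectedValue: value, keptValue: out.fields[field] });
      continue;
    }
    out.fields[field] = value;
    out.provenance[field] = { source, at: when };
  }
  return { record: out, suppressed };
}

// Source of the current value of a field, or null if unknown.
function sourceOf(record, field) {
  const p = record.provenance && record.provenance[field];
  return p ? p.source : null;
}

// Constructed walk-through: a broker-sourced record, a consumer correction,
// then a second broker feed that tries to reintroduce the stale value.
function demo() {
  const seeded = {
    fields: { email: "old@example.com", phone: "555-0100" },
    provenance: {
      email: { source: "broker-A", at: "2025-01-01" },
      phone: { source: "broker-A", at: "2025-01-01" },
    },
    locked: [],
  };
  const corrected = applyCorrection(seeded, "email", "new@example.com", "2026-02-01");
  const result = applyThirdPartyUpdate(
    corrected, { email: "old@example.com", phone: "555-0199" }, "broker-B", "2026-03-01");
  return { seeded, corrected, ...result };
}

const d = demo();
console.log("kept email:", d.record.fields.email);      // new@example.com
console.log("suppressed writes:", d.suppressed);          // one entry for email from broker-B
console.log("phone now from:", sourceOf(d.record, "phone")); // broker-B
```

The suppressed list is the audit trail: persist it alongside the record, and use its source field to drive the notice back to the broker that is still circulating the inaccurate value.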

5. Youth Data Is Now Sensitive Personal Information

The personal information of consumers under 16 years old is now explicitly treated as sensitive personal information.

This triggers the “right to limit” use unless it’s for narrowly permitted purposes (e.g., providing requested services).

If your site or app collects data from minors — even unintentionally — you may need to honor limit-use requests for their data.

Action item: Age-gate where appropriate, review minor data flows, and ensure your “Limit Use of My Sensitive Personal Information” link works for this category.

6. Broader Privacy Policy Disclosures and Dark Pattern Bans

Privacy policies must now explicitly list categories of personal information disclosed to service providers and contractors (not just third parties).

Cookie banners and consent mechanisms will face stricter scrutiny — “dark patterns” that nudge users toward less protective choices (or infer consent from inaction) are prohibited.

Action item: Audit and rewrite your privacy policy. Simplify consent flows and make opt-out as easy as opt-in.

7. Don’t Forget the Bigger Picture: Cybersecurity Audits and ADMT Rules Are Coming

While full enforcement for these is phased (2027–2030 depending on your size), the clock starts in 2026:

  • Large businesses may need annual cybersecurity audits documenting “reasonable security”
  • Use of AI/ADMT for significant decisions (e.g., profiling, employment, credit) triggers pre-use notices, opt-outs, access rights, and risk assessments

Action item: Start inventorying ADMT tools and cybersecurity controls now — these will be foundational for 2026 risk assessments.

CCPA Requirements: Pre-2026 vs. 2026 Onward – Comparison Chart

Risk Assessments
  • Pre-2026: Not required under CCPA (though a recommended best practice)
  • 2026 onward: Mandatory documented risk assessments before high-risk processing (selling/sharing PI, sensitive PI, certain ADMT use). Must begin for new activities on January 1, 2026.

Opt-Out of Sale/Sharing Confirmation
  • Pre-2026: Honor opt-outs and GPC signals, but confirmation optional
  • 2026 onward: Must provide an easy way for consumers to confirm the opt-out is active (e.g., "Opt-Out Honored" message, toggle in settings)

Requests to Know (Access)
  • Pre-2026: Generally limited to the 12 months prior to the request
  • 2026 onward: If data is retained longer, consumers can request all data back to January 1, 2022; the portal must support historical requests

Requests to Correct
  • Pre-2026: Correct inaccurate PI upon request; no ongoing duty to prevent overrides
  • 2026 onward: Corrected data must stay corrected (no overrides from brokers); disclose the source of inaccurate data or notify that source; special 250-word contest statement for denied health corrections

Sensitive Personal Information (SPI)
  • Pre-2026: Defined categories (e.g., SSN, financial, health, precise geolocation); right to limit use
  • 2026 onward: PI of consumers under 16 is now explicitly SPI (with actual knowledge); triggers the right to limit unless used for permitted purposes

Privacy Policy Disclosures
  • Pre-2026: List categories disclosed to third parties
  • 2026 onward: Must also list categories disclosed to service providers and contractors

Cybersecurity Audits & ADMT Rules
  • Pre-2026: Reasonable security required; no formal audits or ADMT-specific rules
  • 2026 onward: Phased-in annual cybersecurity audits for large businesses; new ADMT notices, opt-outs, access rights, and risk assessments (full rollout 2027+)

Your 2026 CCPA Compliance Checklist

  • Conduct a full data mapping exercise
  • Update privacy notices, request portals, and dashboards
  • Build risk assessment and correction workflows
  • Train teams on new consumer rights
  • Review contracts with data brokers and vendors

The CPPA is actively enforcing the CCPA. Recent settlements have reached into the millions: Healthline paid $1.55 million, Tractor Supply topped $1 million, and Honda paid $632,500 for CCPA violations that occurred while it was using OneTrust privacy software that had not been configured correctly.

Don’t wait until January 1. Get ahead of these changes, turn compliance into a competitive advantage, and let us help with software we set up for you so it is integrated correctly.

Need help automating requests, conducting risk assessments, or building a scalable CCPA program? Captain Compliance has the tools and expertise to make 2026 seamless and to make sure you meet the CCPA requirements for 2026.

Stay compliant, stay safe.


Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.