
January 21, 2026

California's Updated Privacy Regulations: Automated Decisionmaking Technology, Cybersecurity Audits, and Risk Assessments, Part 2

In part 1 of this series, we provided an overview of California’s 2026 privacy regulations (2026 Regulations), which further implement the California Consumer Privacy Act (CCPA). In part 2 of this series, we dive deeper into the implications for businesses subject to the CCPA. Part 2 explores new concepts and changes to principles previously set forth in the CCPA, highlighting the importance of businesses reviewing their data practices, policies, and procedures for regulatory compliance. 

Deeper Look

The 2026 Regulations set forth several new defined terms as applied in the scenarios outlined in part 1 of this series:

  • Sensitive Location. This is a new term generally defined to mean health care facilities, including hospitals, doctors’ offices, urgent care facilities, and community health clinics; pharmacies; domestic-violence shelters; food pantries; housing/emergency shelters; educational institutions; political party offices; legal services offices; union offices; and places of worship.
  • Systematic Observation. This is a new term generally defined to mean methodical and regular or continuous observation. This includes, for example, methodical and regular or continuous observation using Wi-Fi or Bluetooth tracking; radio frequency identification; drones; video or audio recording or live-streaming; technologies that enable physical or biological identification or profiling; and geofencing, location trackers, or license-plate recognition.
  • Train. This is a new term generally defined to mean the process through which a technology discovers underlying patterns, learns a series of actions, or is taught to generate a desired output. Examples of training include adjusting the parameters of an algorithm used for ADMT, improving the algorithm that determines how a machine-learning model learns, and iterating the datasets fed into ADMT.

We also see changes to legacy definitions and a variety of new obligations, including the following: 

  • Profiling. The 2026 Regulations expand the definition of “profiling” to cover aspects concerning a person’s intelligence, ability, aptitude, mental health, and predispositions, defining profiling as “any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s intelligence, ability, aptitude, performance at work, economic situation, health, (including mental health), personal preferences, interests, reliability, predispositions, behavior, location, or movements.” Furthermore, the 2026 Regulations expressly state that ADMT includes profiling. Therefore, using ADMT to make a significant decision would bring a business within the scope of the ADMT obligations described in part 1 of this series. 
  • Consumer Requests. Businesses must ensure that methods for submitting CCPA requests are functional and contain clear, nonconfusing language. 
  • Scope of Collection and Processing Purpose. The collection and processing of personal information must be consistent with the reasonable expectations of the consumer.  
  • Mobile Apps. The link to a business’s privacy policy must be accessible within the mobile app, such as on the app’s menu screen. 
  • Opt-Out Confirmation. Businesses must provide a means by which consumers can confirm that their request to opt out of selling or sharing their data has been processed by the business. For instance, the business may display on its website “Opt-Out Request Honored” or provide a webpage that displays the consumer’s privacy settings. 
  • Opt-Out Preference Signal. As opt-out widgets advance, consumers may increasingly configure their browsers to automatically send opt-out preference signals to the websites they visit. The 2026 Regulations require businesses’ websites to display whether the websites have processed a consumer’s opt-out preference signal as a valid request to opt out of selling or sharing their data. For example, a business may configure its website to display the message “Opt-Out Request Honored” in response to an opt-out preference signal.
  • Symmetry in Choice. The 2026 Regulations retain the prohibition against making it harder or longer for a consumer to choose a privacy-protective option (like opting out of data sharing) over a less-protective option. Going a step further, the 2026 Regulations add examples to clarify this prohibition. Notably, the 2026 Regulations characterize the examples as requirements.
  • Prohibition Against Dark Patterns. The 2026 Regulations provide expanded descriptions and examples of the use of dark patterns, barring businesses from using language or interactive elements that are confusing to the consumer, including double negatives, misleading statements or omissions, affirmative misstatements, or deceptive language. Toggles or buttons must clearly indicate the consumer’s choice. 
  • Testing of Methods. Businesses must test the methods they provide for consumer choice to make sure the opt-out methods work properly. 
  • Sensitive Personal Information Limit Confirmation. Businesses must provide consumers with methods to confirm whether their request to limit the use of sensitive personal information has been processed by the businesses. For example, a business may provide a webpage that indicates the consumer has elected to restrict the business’s use and disclosure of the consumer’s sensitive personal information.  
  • Vendor Contracts. The 2026 Regulations retain the requirement for businesses to enter into contracts with their vendors (i.e., service providers and contractors) for vendor relationships that involve personal information. In addition, the 2026 Regulations provide examples of contractual provisions obligating these vendors to assist the business with completing their cybersecurity audit and risk assessment obligations under the 2026 Regulations. 

The 2026 Regulations represent a comprehensive overhaul of California’s regulatory framework for the CCPA. As businesses expand their use of AI and automated processes for decision-making and other workflows, businesses subject to the CCPA should review their current data practices, evaluate their obligations under these new rules, and implement appropriate measures for compliance.  

For more information about the California Consumer Privacy Act, its regulations, and compliance guidance, please contact Renato Smith-Bornfreedom, Data Security & Technology Practice Area co-chair, at rsmithbornfreedom@barclaydamon.com; Kat Delos Reyes, associate, at kdelos@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area.
 
