The Essential CA Privacy Update Series: Part 1 -- Priority Compliance for January 1, 2026
by: Joyce Kim
On September 23, 2025, the California Privacy Protection Agency (“CPPA”) finalized new privacy rules. The amendments take effect on staggered timelines, so Part 1 focuses on the items to prioritize for compliance by January 1, 2026. Here’s what you need to know before the deadline.
Data Subject Rights
What you need to do:
Let customers choose their timeframes – Add options for consumers to request all of their data or to specify a date range in their request to know.
Let customers verify their sensitive data – Create a way for consumers to confirm whether the sensitive data you hold is accurate and matches your business’s records.
Share what you can share – Even if you deny a request to know in part, you must still disclose the personal information that is not subject to any exception.
Match your notice to the collection method – If you’re required to provide a “Notice of Right to Limit,” you must deliver the notice the same way you collected the sensitive data. For example, if you collect sensitive data by phone, you must tell callers of their right to limit by phone during the call.
Keep corrections permanent – Businesses must ensure that corrected information stays corrected (particularly relevant for any business that periodically refreshes or obtains refreshed data). This may mean including terms in service provider and third party contracts that obligate them to ensure corrected information remains corrected.
Reveal sources – If the business obtained inaccurate information about a consumer from a source, the business must either provide the consumer with the name of the source or inform the source that the information must be corrected.
Train your staff – If customers can call to make privacy requests, train your call handlers to process those requests. It is no longer acceptable to let untrained customer service representatives field calls relating to data subject requests.
Getting Consent
California is cracking down on “dark patterns” and tricks that manipulate people into giving consent.
What you need to do:
Closing or navigating away from a pop-up window without affirmatively selecting “I accept” is not valid consent.
Make “yes” and “no” look the same. The “yes” button should not be bigger, brighter, or more prominent than the “no” button.
Don’t manufacture urgency. Choices driven by a false sense of urgency are misleading; for example, placing a countdown clock next to a consent choice that is not actually limited by time.
Match the number of clicks. Completing a “Do Not Sell or Share My Personal Information” request should take the same number of clicks as opting in.
No confusing language. No double negatives, misleading statements, affirmative misstatements, or deceptive language.
Label your toggles clearly. If you use toggle buttons, add text explaining how the toggles work.
Don’t bury privacy choices. Acceptance of general or broad terms of use that contain descriptions of personal data processing alongside other unrelated information does not necessarily show consent. Businesses should examine whether their disclosures and consents are placed appropriately, rather than only including them in website terms of use.
Opt-Out Confirmations
For opt-outs of the sale or sharing of personal information, you need to confirm to the consumer that their request was processed.
What you need to do:
Display a confirmation message stating whether the consumer’s opt-out request was processed as a valid request. The confirmation message can read “Opt-Out Request Honored.”
Consent for Financial Incentive Programs
The CPPA is also applying the same symmetry principles to consumer participation in financial incentive programs.
What you need to do:
Don’t use pre-checked boxes.
Make “yes” and “no” look the same. Choices to participate cannot be bigger, brighter, or more prominent than choices declining to participate.
Privacy Policies
What you need to do:
Update third party sharing disclosures. You only need to list the categories of personal information shared with “service providers or contractors” (not all third parties).
Add links in mobile applications. Add a conspicuous link to the privacy policy inside the application itself, such as in the application’s settings menu – not just on the platform page or download page.
Augmented Reality & IoT Connected Devices Notice Requirements
If you collect personal information through augmented reality, virtual reality, or connected devices (such as smart TVs or watches), you need to provide notices differently.
What you need to do:
Provide notice of the right to opt out of sale/sharing before or at the time of collection through these devices.
Your Action Plan by January 1, 2026:
Audit your data subject rights processes
Review cookie banners and consent structures
Add confirmation messages for opt-outs
Update your privacy policy
Check AR/VR/IoT products
If your business is subject to California’s privacy laws, these updated regulations will affect multiple aspects of your privacy program. We recommend prioritizing the applicable items above in your compliance strategy, and we encourage you to follow along in this series for coverage of the additional requirements to come.
This is Part 1 in our series on California's new privacy regulations. Stay tuned for additional requirements and deadlines.
Originally published by InfoLawGroup LLP.