The new year is off to a quick start. February looms. Businesses are beginning to settle into 2026, and some trends (or at least outlines of such) are beginning to emerge. Businesses are digesting the AI and privacy bills that were signed into law last Fall. California Invasion of Privacy Act (CIPA) litigation shows no sign of abating. Perhaps the failure of SB 690 (see below), and another year of runway, is driving litigation in this space. As of January 21, 2026, 40 data breaches (impacting more than 500 California residents) have been reported to the California Attorney General, compared to 23 for the same period in 2025. Privacy class action litigation usually follows soon after reporting, suggesting that 2026 will be another, if not more, active year in that space.

Investigations from regulators follow as well. The beginning of the year is as good a time as any to review the Written Information Security Program (WISP) and to confirm appropriate implementation of the systems and measures that flow from the WISP. Likewise, it is as good a time as any to review and (if appropriate) update website privacy notices, ensure that website consent managers and opt-out mechanisms function as intended, and conduct privacy and cybersecurity training. What’s old is new, at least each January. 

The California Privacy Protection Agency continues to focus on data brokers and with the availability of the Delete Request and Opt-Out Platform (DROP) will likely step up enforcement in 2026. Implementation of DROP may not be entirely straightforward, so a detailed project plan and punchlist are recommended.

The updated California Consumer Privacy Act of 2018 (CCPA) regulations became operative on January 1, 2026. These regulations now mandate, among other items, annual cybersecurity audits, data privacy risk assessments, and pre-use notice and other requirements for automated decision-making technologies, generally with staggered start dates depending on the size of the business.

The California legislature reconvened on January 5, 2026. As we are in the second year of the 2025-2026 Biennium, legislators may introduce new bills and/or try to progress bills, introduced during the first year, that had not made it to the Governor’s desk. For example, a few bills stalled in the Assembly Privacy and Consumer Protection Committee, after having been approved by the Senate: SB 690 (an act to amend Sections 631, 632, 632.7, 637.2, and 638.50 of the Penal Code, relating to crime) aimed to de-conflict CIPA and the CCPA and in so doing legislatively closed the floodgates on CIPA litigation; SB 420 would have required developers of high-risk automated decision systems to conduct impact assessments before making the system publicly available. The current legislative session ends on August 31, 2026.

The following AI and data privacy laws went into effect on January 1, 2026.

  1. AB 316 (Artificial intelligence: defenses)
  2. AB 566 (CCPA: opt-out preference signal)
  3. AB 853 (California AI Transparency Act)
  4. SB 53 (Artificial intelligence models: large developers)
  5. SB 243 (Companion chatbots)
  6. SB 361 (Data broker registration: data collection)
  7. SB 446 (An act to amend Section 1798.82 of the Civil Code, relating to personal information and data breach notification)

AB 566 (the California Opt Me Out Act) requires web browsers to include a clear, one-step setting allowing users to send an opt-out preference signal. AB 853 imposes new transparency and disclosure obligations on GenAI systems, amending the existing California AI Transparency Act. On an even larger scale, SB 53 requires large AI developers to publish risk-management frameworks and report catastrophic safety incidents to the State.

SB 446 mandates data breach notification to impacted California residents within 30 calendar days of discovery or notification of the data breach, with customary exceptions. A breach notification report must be submitted to the California Attorney General within 15 calendar days of notifying the affected individuals.

A number of new AI and privacy bills have been introduced.

SB 300, SB 867, and AB 1609 are new chatbot bills. AB 1064 (Leading Ethical AI Development (LEAD) for Kids Act) was vetoed by Governor Newsom last Fall. A new ballot measure, Parents & Kids Safe AI Act, has been introduced, and signatures are now being sought to put the measure on the ballot in November 2026. It’s possible that the California legislature may introduce, and Governor Newsom may sign, new legislation on this topic, following the course of the CCPA, which was originally a proposed ballot measure.

AB 1542 (an act to amend Sections 1798.100 and 1798.121 of the Civil Code relating to privacy) would, under the CCPA, prohibit a business, service provider, or contractor from selling or sharing sensitive personal information to a third party. Current law allows the consumer to opt out of the selling or sharing of personal information and to limit the use and disclosure of sensitive personal information to certain uses as set out in the statute. AB 1542 may be heard in committee on February 5, 2026.

Stay tuned. 2026 promises to be another interesting year in California.

About the Global Privacy & Security Blog

Learn More

Contracts, laws and regulations require privacy compliance, and good business practices demand it. This blog is designed to inform our clients and readers about developing privacy issues and regulatory updates, and provide alerts on cyber security stories and data breaches that impact various data privacy and security requirements.