Photo of TK Lively

TK Lively

Subscribe to TK Lively's Posts

TK advises clients on privacy and information security matters, including U.S. state consumer privacy laws, biometric privacy regulations, data broker registration, health information privacy, and international frameworks.

Follow:Read more about TK LivelyTK's Linkedin Profile

Key point: Businesses subject to the CCPA now must conduct risk assessments for certain types of processing activities and, starting in 2028, must certify to California regulators that they completed the assessments.

The California Consumer Privacy Act’s (CCPA) new regulations went into effect on January 1, 2026. Although the new regulations bring many changes for businesses subject to the CCPA, one of the biggest changes is a new requirement to conduct risk assessments for processing activities that present “significant risk to consumers’ privacy.” This can encompass many types of common data processing activities such as the use of third-party cookies and tracking technologies, processing of sensitive personal information (e.g., biometric data), and the use of AI for certain employment-related activities. Like the CCPA, the risk assessment requirement applies to consumer, employee, and commercial personal information.

Importantly, on April 1, 2028, businesses subject to the CCPA must file a certification with the California Privacy Protection Agency (CalPrivacy) attesting — under penalty of perjury — that they conducted the required risk assessments. The certification must be signed by a member of the business’s executive management team.

In the below article, we provide an overview of this new risk assessment requirement.

Key point: Starting August 1, 2026, registered data brokers will need to access California’s new one-stop-shop deletion platform to process deletion requests or risk significant fines.

Last month, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s (CalPrivacy) regulations further implementing the Delete Act (SB 362). Effective January 1, 2026, the Delete Act makes several changes to California’s data broker law, including charging CalPrivacy with creating a new one-stop-shop for California residents to request that all registered data brokers delete their personal information. California residents can begin registering on January 1, 2026, and data brokers must process requests starting August 1, 2026. Failure to comply is subject to a $200 fine “for each deletion request for each day the data broker fails to delete information.”

In the below article, we provide a brief background on the Delete Act and summarize the new regulations.

Privacy_1200x600_GettyImages-1400779382

Key point: The California AG’s fifth CCPA-related enforcement action focuses on the CCPA’s right to opt out of sales/shares and on children’s privacy provisions and, with respect to the right to opt out, it should trigger businesses to reevaluate their procedures, especially as it relates to the treatment of account holders and mobile apps.

On October 30, 2025, the California attorney general (AG) announced a settlement with a streaming services provider[1] over violations of the California Consumer Privacy Act (CCPA). Pursuant to the proposed final judgment and permanent injunction, the company will pay a $530,000 fine and implement several injunctive relief requirements. According to the press release, the settlement arose from a 2024 investigative sweep of streaming services.

The complaint alleges two CCPA violations: (1) failure to provide easy-to-execute methods for consumers to opt out of the selling and sharing of their personal information; and (2) failure to provide sufficient privacy protections for children. Given that these are distinct issues, we will address them in two separate articles. This first article provides a brief background of the enforcement action, an analysis of the right to opt-out violations, and a summary of the injunctive relief requirements. The next article will analyze the children’s privacy violations.

Key point: A federal district court judge rejected the claim that the disclosure law violates the First Amendment.

On October 8, 2025, a judge for the U.S. District Court for the Southern District of New York granted the New York attorney general’s (AG) motion to dismiss a lawsuit filed by a retail trade association claiming that New York’s Algorithmic Pricing Disclosure Act violates the First Amendment. Below, we provide a brief history and summary of the law and analysis of the court’s decision.

Key point: California lawmakers once again increase the disclosure and transparency requirements for registered data brokers.

On October 8, 2025, California Governor Newsom signed SB 361 into law. The bill amends California’s existing data broker registration law to require data brokers to provide significantly more disclosures regarding their processing activities when annually registering with the California Privacy Protection Agency (CPPA).

This amendment comes shortly after the CPPA board’s recent approval of amendments to the state’s data broker regulations to incorporate the 2023 Delete Act (SB 362), including the creation of an accessible deletion mechanism that data brokers will need to comply with starting in August 2026. Those regulations were filed with the Office of Administrative Law on September 26.

Given these developments, California data brokers will need to engage in additional compliance measures in the coming months. In the below article, we provide an overview of the changes made by SB 361.

Key point: Businesses subject to the CCPA must comply with extensive new regulations.

On September 22, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s latest California Consumer Privacy Act (CCPA) rulemaking package. The rulemaking package covers updates to the existing regulations, automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance requirements.