- with readers working within the Advertising & Public Relations industries
- within Compliance, Tax and Intellectual Property topic(s)
2025 has further solidified California's position as a first-mover in U.S. privacy law. On October 8, 2025, California Governor Gavin Newsom signed three new pieces of privacy legislation into law, including the California "Opt Me Out Act," which will require web browsers to include built-in opt-out preference signal functionality and has been subject to both praise and criticism from stakeholders.
All three laws stand to shake up compliance obligations in the Golden State, impacting consumer privacy rights, deletion obligations and required data broker disclosures. They also track areas of emphasis in recent CCPA enforcement actions, including opt-outs and data brokers' transparency obligations. We break down these new requirements below:
AB 656 (social media account cancellation):
AB 656 will require social media platforms that generate more than $100 million per year in gross revenues to provide a clear and conspicuous button that allows users to delete their accounts, as well as the corresponding personal information the platform holds about them pursuant to the California Privacy Protection Act (CCPA).
The deletion button must be "immediately visible" in the platform's settings menu regardless of whether the user is accessing the platform via an application, browser, or other means, and must be prominently labeled "delete account." When a user clicks the button, the platform is required to provide instructions about how to delete their account, including associated personal information. However, the law permits platforms to verify the identity of the user in a "cost-effective, easy-to-use manor" before deleting the account.
AB 656 will go into effect on January 1, 2026.
SB 361 (data broker disclosure requirements):
SB 361 amends the state Delete Act to expand the range of information that data brokers must disclose when registering with the California Privacy Protection Agency (CPPA). Reflecting legislators' concerns about personal data being "used to target vulnerable communities," SB 361 requires data brokers to inform the CPPA whether they collect consumers' account credentials, government-issued identifiers, device or vehicle identifiers, citizenship and immigration status, union membership, gender identity and sexual orientation data, biometric data, and precise geolocation information. Additionally, data brokers must also disclose whether they have sold or shared personal information to foreign actors, federal or state governments, law enforcement, or to generative artificial intelligence technology developers within the previous year. The CPPA, however, will not publish data brokers' responses about their collection of account credentials or device or vehicle identifiers.
Data broker registration deadlines are unchanged under SB 361. Businesses that acted as data brokers in 2025 must register with the CPPA between January 1 and January 31, 2026.
SB 361 will go into effect on January 1, 2026.
AB 566 prohibits businesses from developing or maintaining "browsers" (i.e., interactive software applications used by consumers to locate, access, and navigate internet websites) that do not include built-in opt-out preference signal technology. Additionally, these businesses must provide consumer disclosures explaining how the opt-out preference signal works and the intended effect of the tool. AB 566 authorizes the CPPA to issue rules, as necessary, to implement and administer the requirements of the law. Notably, the law does not address opt-out signals in mobile operating systems, which had been at issue in previous iterations of the law. Governor Newsom vetoed a similar proposal sent to his desk in 2024, citing concerns regarding mandates on operating system developers and suggesting the issue should be "first addressed by developers, rather than regulators."
AB 566 will go into effect on January 1, 2027.
***
In the time before these new laws become effective, businesses should review their practices to identify any potential gaps with California's new requirements, as well as keep an eye out for enforcement actions that shed light on regulators' priorities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
