Byte Back

California’s Latest Trio of Privacy Bills: What Businesses and Consumers Need to Know

By Heidi Salow, Shannon Kapadia & Shevani Mehta on October 13, 2025
Posted in California

California continues to set the pace for digital privacy reform, enacting three groundbreaking laws that will reshape how personal information is handled across the state. On October 8, 2025, Governor Newsom signed three new privacy bills, which will allow California consumers to gain greater control over their personal information, while businesses, data brokers, and social media platforms will face new transparency and compliance obligations.

AB 566: California Opt Me Out Act

Key Provisions:

  • Requires companies that develop or maintain web browsers to offer a simple, built-in setting that lets website users send a universal “opt-out preference signal” (OOPS) to every website they visit.
  • Businesses operating websites accessed by California consumers must honor the OOPS, which allows consumers to block the sale or sharing of their personal information with a single click rather than having to opt out site-by-site, as previously required.

This landmark law will empower Californians to gain practical control over their personal information, including their browsing history and location data. At the same time, it will streamline compliance for businesses and web browser developers, who should prepare for increased enforcement and consumer inquiries about their data sharing practices.

The California Privacy Protection Agency (CPPA) is empowered to investigate violations and issue administrative fines for non-compliance. Under the CPPA’s existing enforcement framework, fines can total up to $7,500 per violation.

The Opt Me Out Act will go into effect on January 1, 2027.

AB 656: Account Cancellation

Key Provisions. This bill requires social media platforms with over $100 million in annual gross revenue in California to:

  • provide users with a “clear and conspicuous” way to delete their accounts;
  • ensure that the deletion process does not use deceptive design tactics (e.g., “dark patterns”) that make cancellation difficult; and
  • fully delete all personal information associated with the account upon deletion (previously, social media companies were permitted to retain personal information after account deletion).

AB 656 will go into effect on January 1, 2026. Enforcement will be handled primarily by the CPPA and the California Attorney General.

SB 361: Defending Californians’ Data Act

Key Provisions:

  • Builds on the 2023 Delete Act by mandating that data brokers comply with expanded disclosure, deletion, and audit requirements.
  • Defines “data broker” to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions.
  • Requires a data broker to provide significantly more information when registering annually with the CPPA, including its name and primary contact information (physical, email, and website addresses), and whether it collects consumers’ government-issued identification numbers, precise geolocation, citizenship status, biometric data, reproductive health care data, or any personal information related to minors.
  • Imposes stricter deletion obligations for data brokers, as they must now integrate with the Data Removal and Opt-Out Platform (DROP).
    • DROP is a one-stop mechanism maintained by the CPPA for consumers to request data deletion from all registered data brokers.
  • Requires a data broker to process a consumer’s deletion request within 45 days and continue deleting any new personal information collected about the consumer at least once every 45 days, unless the consumer requests otherwise or an exception applies.

Data brokers will be subject to mandatory compliance audits every three years beginning in 2028.

SB 361 will go into effect on January 1, 2026, with enforcement powers granted to the CPPA, which can levy fines of up to $200 per day, per deletion request. This means that the penalty applies to each consumer’s request to delete their personal information. If a business fails to comply with a single deletion request, it can be fined for each day the request remains unfulfilled.

Practical Implications: California’s recent privacy legislation may well set the stage for similar reforms across the country. These latest laws represent further protections for consumers in today’s increasingly complex digital environment.

Next Steps:

  • Companies that develop or maintain internet browsers should begin implementing new opt-out and deletion mechanisms.
  • Social media platforms should ensure that account deletion processes are user-friendly and continuously erase personal information.
  • Data brokers should update their CPPA registration information and personal information deletion processes ahead of mandatory audits.

Tags: California Account Cancellation, California Opt Me Out Act, Defending Californians' Data Act, state privacy legislation
Heidi Salow

Heidi counsels clients on a wide range of privacy, cybersecurity, and artificial intelligence laws, regulations, and standards, including the CCPA, FERPA, EU AI Act, EU and U.K. GDPR, HIPAA, FCRA, GLBA, and NIST frameworks, as well as various U.S. state laws and regulations touching on healthcare and financial privacy, artificial intelligence, biometrics, and information security. She draws on a notable background as one of the first U.S. attorneys focused on data privacy and cybersecurity, as well as experience as a corporate executive. Heidi previously held executive roles at two large multinational corporations, Thomson Reuters and Leidos.

Shannon Kapadia

Formerly in-house at a major technology company, Shannon advises clients on data privacy, technology transactions, and cloud services contracting.

After growing up observing the realities of business ownership, Shannon brings a business mindset to legal challenges and serves as a strategic partner for clients navigating digital transformation, data privacy, and commercial contracting. She most often represents organizations as they negotiate contracts with large technology companies, including those involving AI governance. Shannon’s practice is rooted in data privacy matters, and she is also deeply familiar with the intellectual property issues that often arise in tech agreements.

Shevani Mehta

Shevani is a 2025 J.D. grad and a Husch Blackwell fall clerk currently awaiting admission to the Colorado bar.
