These California privacy law updates extend the reach of the state’s privacy framework and raise the cost of non-compliance. For global privacy professionals, they point to a growing expectation that privacy protections will be built into the systems consumers use every day, from browsers to mobile operating systems. And they show that regulators are moving closer to enforcing technical compliance through substantial penalties.
New phase for California privacy: Control and accountability
Assembly Bill 566, signed into law on October 8, 2025, focuses on the opt-out preference signal, also known in the industry as a universal opt-out mechanism (UOOM). Starting January 1, 2027, any business developing or maintaining a mobile operating system must include a setting that allows consumers to signal their choice to opt out of the sale and sharing of their personal information. The same requirement applies to browsers, which will also need to disclose how this signal works and explain its impact. For example, when a consumer enables this feature in their browser, it automatically communicates their opt-out preference to every site they visit, ensuring their data is not sold or shared without consent.
This change moves privacy into the core of the user experience. Consumers will no longer depend solely on websites or consent banners to express their data privacy choices. Instead, privacy preferences will be embedded in the technologies people already use.
The law also shields browser and operating system developers from liability if another business fails to honor these opt-out preference signals. This distinction reinforces accountability across the digital ecosystem: it’s not enough to build compliant technology; companies that receive these signals must be able to recognize, respect, and document them across all data flows.
Signed into law on the same day, Senate Bill 361 targets data broker compliance and transparency. Data brokers will now need to register with the California Privacy Protection Agency (CPPA) and disclose the categories of personal information they collect. This includes identifiers like names, contact details, and government IDs, but also digital and behavioral data such as mobile advertising IDs, connected television (CTV) identifiers, and biometric data.
Brokers must also report whether they share or sell consumer data with foreign entities, governments, law enforcement, or developers of generative AI systems, such as those that use consumer data to train or refine AI models. This clarification ensures that organizations must disclose data transfers to any AI developer, regardless of size or industry focus. If they fail to register, delete data after a verified request, or meet the updated requirements, fines can add up quickly: $200 per day for unregistered operations or for every deletion request ignored.
Through these measures, compliance moves toward technical enforcement and is no longer limited to policy declarations or manual reviews. Businesses must honor privacy choices in real time, across increasingly complex data ecosystems.
Confidence in your compliance with consent
Privacy programs now need systems capable of recognizing when a consumer opts out, recording how that signal was received, and ensuring it’s honored consistently across digital channels and third-party partners.
For many organizations, this means rethinking how they structure their consent practices. Consent can no longer be a single click on a banner. It needs to function as a verified signal that flows through every part of the data lifecycle, connecting legal obligations to the systems that process and activate data.
A centralized consent and preference management system helps bridge the gap between regulatory obligations and operational execution. It allows organizations to:
- Capture and honor opt-out preference signals across web, mobile, and connected devices
- Keep a single source of truth for consent data, complete with timestamps and audit trails
- Ensure that updates flow automatically to systems where personal data is processed
- Give privacy, marketing, and data teams shared visibility into which consent signals are valid and current
This not only supports compliance with the California privacy law updates but also builds a foundation for privacy-first marketing. When consumers see their choices reflected across every channel, trust increases, and so does the value of the first-party data that is being collected.
Turning privacy obligations into operational confidence
The scale and pace of regulatory change highlight why organizations need adaptable tools. OneTrust’s Consent & Preferences solution is built to help teams quickly align compliance efforts and execution with changing laws like California’s new requirements.
With OneTrust, businesses can:
- Deploy consent experiences that meet regional privacy standards
- Automate the detection and response to opt-out preference signals across browsers, apps, and connected devices
- Centralize consent and preference data for transparent record-keeping and reporting
- Align downstream systems and partners with verified consent states to avoid unauthorized data use
These capabilities help privacy, marketing, and IT teams work from the same source of truth. Compliance becomes part of the process, not an added task. And as more jurisdictions adopt similar expectations, teams that already have a unified consent foundation will be ready for whatever comes next.
Staying ahead as privacy moves into design
California’s latest regulatory updates are another sign that privacy is moving closer to the core of digital design, and privacy controls are becoming default features rather than afterthoughts. Data brokers are being held to higher standards of transparency while fines are increasing, and expectations for accountability are rising with them.
Moving forward, organizations should see consent as a living part of their ecosystem, a continuous signal that defines how data can be used. Teams that connect legal, marketing, and technical workflows around that signal will find compliance easier to maintain and trust easier to earn.
Privacy teams that act now will be ready when the new requirements take effect. The ones that build coordination across departments will stay ahead of both enforcement and customer expectations.
California privacy law updates: FAQs