Keeping Up With California Privacy Updates: What SB 361, AB 566, and AB 656 Mean for Your 2026–2027 Roadmap
October 28, 2025
California just rewrote parts of your 2026–2027 roadmap. SB 361 expands data broker disclosures on January 1, 2026. AB 566 brings a built-in browser opt-out signal by 2027. AB 656 tightens account deletion for large social platforms. The CPPA’s finalized rules also land on January 1, 2026 and add concrete duties for automated decision making, risk assessments, and cybersecurity audits.
If you run a site or app used by Californians, collect personal information on any page, license or sell data, or use automation that influences outcomes, these changes are yours to handle. That includes higher education, nonprofits, financial services, healthcare, marketplaces, and any employer recruiting in California. The work touches marketing, product, engineering, privacy, and HR.
In 2026 the CPPA updates take effect for collection pages, access requests, withdrawals of consent, and opt-out symmetry. Automated decision-making duties arrive in 2027 for significant decisions in finance, housing, education, employment, and health. SB 361 tightens data broker disclosures on January 1, 2026. The Delete Act adds a 45-day deletion cadence starting August 1, 2026. AB 566 pushes browser-level opt-out signals into mainstream use by 2027. AB 656 raises expectations for simple account deletion on large social platforms.
What you need to do now
January 1, 2026 arrives in just over two months, and with it comes a new layer of compliance requirements under the CPPA's updated rules. Every page where you collect personal information will need to meet a higher standard. Picture a visitor landing on your site: they should immediately see a clear privacy policy link, encounter opt-out mechanisms that mirror the simplicity of opting in, and find a straightforward path to withdraw consent whenever they choose. Your systems need to honor access requests that reach back beyond the traditional twelve-month window, and your consent banner must be tested rigorously—closing it cannot silently register as agreement.
The real work lies in making sure that when someone makes a choice in your preference center, that decision travels seamlessly across your email platform, CRM, and analytics stack without delay. Labels and cadences must align so that a person's intent is never lost in translation between systems.
Now is the time to begin building your automated decision framework, even if the public-facing version won't launch until later. Walk through your organization's processes and identify every point where a model or business rule influences outcomes in sensitive areas: admissions, lending, hiring, housing, or health. For each one, draft a two-paragraph notice in plain language that explains what's happening before the decision is made. Then work through the harder questions—where can you offer an opt-out? How will someone request access to the logic behind a decision? What does your appeal process look like? Assign an owner and a deadline to each piece so nothing drifts.
If your organization crosses the cybersecurity audit thresholds, schedule that first independent review now. Build a one-page risk assessment template that your team can apply consistently to new campaigns and tools as they launch. And if you're in the business of licensing or selling data, your obligations are expanding: update your data-broker oversight to meet SB 361 requirements and prepare your systems for the Delete Act's new cadence, which takes effect in 2026.
What Q1 2026 looks like
January. Publish the visible fixes on collection pages. Run a browser-signal test on your top tasks. Complete a consent propagation check so a change on the page updates email, CRM, and analytics consent at the same time. Begin drafting pre-use notices for the automated decisions you already run.
February. Run an inventory on your data-broker relationships, update disclosures for SB 361, and put a 45-day rhythm on your calendar for Delete Act requests. Add identity-match and suppression rules that minimize personal data and still resolve the right records. Start vendor conversations to keep AI features opt-in by default and to require structured, accessible outputs.
March. Finalize access and appeal handling for automated decisions. Assign owners for each step and set next check dates. Lock your audit plan if thresholds apply and keep five-year retention in mind. Record an internal change log for what you updated on pages and in contracts.
Some projects will take longer than a quarter. Automated decisions that touch admissions or employment often require copy, UX, and legal review. Preference center parity across legacy systems may need engineering time. Broker reconciliation and deletion at scale are habits you grow, not a toggle you flip. Sequence the work and keep momentum visible so the 2027 duties do not arrive as a surprise.
First moves
- Treat browser opt-out signals as normal. Keep primary tasks working when optional scripts do not. Measure with server-side events that record what happened.
- Bring page copy and your preference center into full agreement. Purpose labels and cadence should match. Changes on the page should update email, CRM, and analytics consent at the same time.
- Write the pre-use notice for any automated decision that influences admissions, lending, hiring, housing, or health. Decide where an opt-out is feasible and how you will handle access and appeals. Assign owners and dates.
- Tighten contracts and renewals. Keep AI features opt-in by default. Require structured outputs with claim, dated evidence, review status, and accessibility metadata for anything generated. For applications, donations, and payments, require a brownout and rollback plan.
- Map data broker relationships and prepare for the Delete Act cadence. Plan to process deletion requests on a 45-day rhythm. Match identities with minimal data, carry consent scope and policy version with each record, and keep evidence of what you deleted and why.
Why browser signals change your design target
AB 566 makes the opt-out preference signal a baseline feature in browsers serving Californians starting in 2027. You should assume that more people will arrive with a signal enabled. That means a page must resolve the task even when optional analytics and ad tags do not run. It also means your consent platform and tag manager need a clean rule set that honors signals without blocking core flows. The safest pattern is to put the value on the page and let email follow with proof. If you want a practical model for honoring Global Privacy Control across your stack, I covered it here: Stop Tracking Customers and Start Earning Their Trust by Using Clear Consent and Global Privacy Control.
A good test is to load your top three pages with the signal on, then try to complete the main task. Download the guide. Book the consultation. Start the application. If any step relies on a tag to construct a critical URL or to reveal a form, remove that dependency. If a widget fails without consent, provide a stable link that does not. You will protect conversion and reduce support tickets during peak weeks.
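The page-load logic described here, and the banner rule stated earlier (closing the banner is not consent), as an added example that is not code from the original post. It reads the signal from the real `Sec-GPC` request header or the real `navigator.globalPrivacyControl` property, treats only an explicit grant as consent, and renders the core download link from server data so it never depends on a tag. The function names, the banner state vocabulary, and the sample asset id and base URL are assumptions for illustration.

```javascript
// Added example (not from the original post): decide which optional scripts
// may run on a page given the browser opt-out signal and the banner choice,
// while keeping the page's core task independent of any tag.
// Function and field names are assumptions for illustration.

// Read the opt-out preference signal. In a browser, Global Privacy Control is
// exposed as navigator.globalPrivacyControl; on the server it arrives as the
// request header "Sec-GPC: 1". Either source is enough to treat the signal as on.
function readOptOutSignal({ headers = {}, navigatorLike = {} } = {}) {
  const header = headers["sec-gpc"] ?? headers["Sec-GPC"];
  if (header !== undefined) return String(header).trim() === "1";
  return navigatorLike.globalPrivacyControl === true;
}

// Banner outcomes. Only an explicit "granted" counts as consent; closing the
// banner ("dismissed") or never interacting ("unset") must not.
const BANNER_STATES = new Set(["granted", "denied", "dismissed", "unset"]);

function decideOptionalScripts({ bannerState, signalOn }) {
  if (!BANNER_STATES.has(bannerState)) {
    throw new Error(`unknown banner state: ${bannerState}`);
  }
  if (signalOn) {
    // The signal is honored regardless of what the banner says.
    return { analytics: false, adTags: false, reason: "opt-out signal honored" };
  }
  if (bannerState !== "granted") {
    return { analytics: false, adTags: false, reason: `banner ${bannerState}, no consent` };
  }
  return { analytics: true, adTags: true, reason: "explicit consent, no signal" };
}

// The core task must not depend on a tag. The download URL is rendered from
// server data, never assembled by an analytics script, so it works when no
// optional script runs.
function renderDownloadLink({ assetId, baseUrl }) {
  if (!assetId) throw new Error("asset id required");
  const url = new URL(`/downloads/${encodeURIComponent(assetId)}`, baseUrl);
  return { href: url.toString(), dependsOnTags: false };
}

// Page-load walkthrough using constructed inputs (no real visitor data).
function simulatePageLoad(request) {
  const signalOn = readOptOutSignal(request);
  const scripts = decideOptionalScripts({ bannerState: request.bannerState, signalOn });
  const link = renderDownloadLink({ assetId: request.assetId, baseUrl: request.baseUrl });
  return { signalOn, scripts, link };
}
```

Run the walkthrough with a constructed request such as `simulatePageLoad({ headers: { "sec-gpc": "1" }, bannerState: "unset", assetId: "guide-2026", baseUrl: "https://example.edu" })`: no optional script loads, and the download link is still a complete, stable URL.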
What changes on your collection pages and request handling
The CPPA’s update requires you to place a privacy policy link on every page where you collect personal information, not just the homepage. You also need to let people withdraw consent at any time, make opt-out as easy as opt-in, and support access responses beyond the previous twelve-month window. These are visible fixes that change your enforcement posture. Do the audit now. Add the missing links. Check the banner behavior so closing a modal is not treated as agreement. Confirm that your opt-out path is no harder than the opt-in path. Expand your access workflow so you can respond beyond twelve months where required.
Your preference center must mirror the page. If the page introduces a purpose that the preference center cannot express, fix the preference center. If cadence labels differ, fix the page. When a person changes a setting, propagate that change to email, CRM, and analytics consent at the same time. People notice when these systems disagree.
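The parity and propagation rules above, as an added example that is not code from the original post. A single purpose table is the shared vocabulary for page and preference center; a parity check reports any purpose or cadence label the page uses that the center cannot express; and one preference change is written to email, CRM, and analytics in the same step with the same record, including the policy version the person saw. The purpose names, sink implementations (plain in-memory recorders, not any vendor's API), and sample subject id are assumptions.

```javascript
// Added example (not from the original post): keep the collection page and the
// preference center on one purpose vocabulary, and fan a single preference
// change out to email, CRM, and analytics in one step. Names are assumptions;
// each sink is an in-memory recorder standing in for a real system.

// One shared vocabulary. A page may only collect for purposes the preference
// center can express, and cadence labels come from this table, not page copy.
const PURPOSES = {
  newsletter: { label: "Program updates", cadence: "monthly" },
  events:     { label: "Event invitations", cadence: "as scheduled" },
  research:   { label: "Research participation", cadence: "occasional" },
};

// Parity check: every purpose a page declares must exist in the preference
// center and carry the same cadence label. Returns a list of mismatches.
function checkParity(pagePurposes, center = PURPOSES) {
  const problems = [];
  for (const [key, declared] of Object.entries(pagePurposes)) {
    if (!center[key]) {
      problems.push(`page purpose "${key}" has no preference center entry`);
    } else if (declared.cadence !== center[key].cadence) {
      problems.push(`cadence for "${key}" differs: page "${declared.cadence}" vs center "${center[key].cadence}"`);
    }
  }
  return problems;
}

// Sinks that must agree. Each records the latest consent record per person.
function makeSink(name) {
  const state = new Map();
  return {
    name,
    apply(record) { state.set(record.subjectId, record); },
    get(subjectId) { return state.get(subjectId); },
  };
}

// One change, applied to all sinks in the same step with the same record.
function propagatePreferenceChange(change, sinks, now = new Date("2026-01-15T10:00:00Z")) {
  for (const purpose of Object.keys(change.purposes)) {
    if (!PURPOSES[purpose]) throw new Error(`unknown purpose: ${purpose}`);
  }
  const record = {
    subjectId: change.subjectId,
    purposes: { ...change.purposes },      // e.g. { newsletter: true, events: false }
    policyVersion: change.policyVersion,   // version of the notice the person saw
    source: change.source,                 // "page" or "preference-center"
    changedAt: now.toISOString(),
  };
  for (const sink of sinks) sink.apply(record);
  return record;
}

// Verify that every sink holds the same record for a person.
function sinksAgree(subjectId, sinks) {
  const serialized = sinks.map((s) => JSON.stringify(s.get(subjectId) ?? null));
  return serialized.every((s) => s === serialized[0]);
}

// Constructed walkthrough: a page that drifted from the center, then one
// propagated change.
function demoPropagation() {
  const sinks = [makeSink("email"), makeSink("crm"), makeSink("analytics")];
  const mismatches = checkParity({ newsletter: { cadence: "weekly" }, alumni: { cadence: "monthly" } });
  const record = propagatePreferenceChange(
    { subjectId: "subj-001", purposes: { newsletter: true, events: false }, policyVersion: "2026-01", source: "page" },
    sinks,
  );
  return { mismatches, record, agree: sinksAgree("subj-001", sinks) };
}
```

The parity check is the piece to run in CI against every collection page's declared purposes, so a new purpose added in page copy fails the build until the preference center can express it.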
Automated decision making now needs more transparency
For significant decisions in finance, housing, education, employment, and health, you owe people a short pre-use notice in plain language, an opt-out where feasible, access to meaningful information about logic and use, and a way to appeal. Do not wait on a vendor compliance statement. Write the notice for your flows and attach names and dates to each step. If a model influences admissions pre-screens, say so. If a rule set routes employment candidates, say so. Decide how you will handle access requests without exposing proprietary logic. Decide who reviews appeals and within what time.
Put those dates on your calendar now. The rule package is effective January 1, 2026. The ADMT duties begin January 1, 2027. Risk assessment attestations are due April 1, 2028 for activities that started before 2026 or during 2026 and 2027. Cybersecurity audit certifications follow a revenue-tier schedule beginning in 2028. Capture these in one page leaders can read in a minute.
Risk assessments and audits without building binders
A risk assessment that leadership can read is more useful than a binder nobody opens. Use one page. State the purpose, the people affected, the kinds of data involved, the safeguards in place, how you will measure impact, and what triggers a correction. If the activity began before 2026, complete the risk assessment by December 31, 2027 and submit your attestation and summary by April 1, 2028. If the activity starts in 2026 or 2027, assess before you start and still submit by April 1, 2028. After 2027, submit by April 1 of the following year.
If you meet the thresholds for cybersecurity audits, schedule an independent annual review and put your first certification date on the calendar based on revenue. Keep audit records for at least five years. Use gaps identified by your auditor to guide your 2026 backlog.
Data brokers, DELETE at scale, and the reality of reconciliation
SB 361 expands what brokers disclose to the CPPA starting January 1, 2026. The categories now reach deeper, including biometric data, gender identity and expression, various government identifiers, and whether data was shared or sold to a foreign actor, a government entity, law enforcement in limited contexts, or an AI developer. Even if you are not a broker, this changes how you vet providers and how you write contracts.
The Delete Act’s DROP portal changes cadence. Consumers will have a single place to trigger deletion across registered brokers. Brokers must check the portal and process verified requests on a regular schedule beginning August 1, 2026. That will increase the volume of reconciliations you need to handle and the number of identities you need to match accurately. Plan suppression and matching rules that minimize personal data and still resolve the right record. Keep evidence of what you deleted and why.
Contracts and renewals that keep you safe
Renewals are where your posture becomes real. Keep AI features opt-in by default. Require structured outputs from any tool that generates public material. Capture claim, dated evidence, reviewer name, review date, and a next review date. Require accessibility metadata for public assets. For critical flows such as applications, donations, and payments, require a brownout plan and a clear rollback path. If a vendor cannot meet these terms, hold the feature and keep it on the roadmap.
Extend the same standard to recruiting and HR vendors. The CPPA’s enforcement posture shows that applicant and employee data are not a side note. If your public site honors browser signals and your ATS ignores them, the mismatch will surface during review. Bring careers pages and applicant tracking into scope now.
Measurement that stays helpful under limited consent
Analytics will be partial when people decline optional tracking. Accept that and anchor your reporting to a few server-side events that record what actually happened. Application started. Donation completed. Consultation booked. Account created. Keep those events independent of optional scripts. When consent is present, allow analytics to record. When it is not, rely on system events and downstream outcomes. Leaders get numbers they can trust. Support gets fewer tickets because the page delivers the value immediately and the inbox follows with proof.
Carry consent scope, policy version, and keep-until with each record so you can answer legitimate questions from finance and legal without pulling entire event streams. If you want a short playbook for turning compliance into speed, I wrote it here: CPRA/CCPA Compliance That Speeds You Up
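The measurement pattern from the two paragraphs above, as an added example that is not code from the original post. A system event is recorded for every completed task regardless of optional tracking; an analytics event is emitted only when the person's consent scope covers analytics; and each system record carries consent scope, policy version, and a keep-until date derived from a retention table so expired records can be purged. Event names, retention periods, and sample timestamps are assumptions.

```javascript
// Added example (not from the original post): record what actually happened as a
// server-side system event independent of optional tracking, emit an analytics
// event only when consent covers it, and carry consent scope, policy version,
// and keep-until on every record. Names and retention periods are assumptions.

// Retention per event type, in days (constructed values, not legal advice).
const RETENTION_DAYS = {
  application_started: 365 * 2,
  donation_completed: 365 * 7,
  consultation_booked: 365,
};

// keep-until as an ISO date (YYYY-MM-DD) so records can be compared and purged.
function keepUntil(eventType, occurredAt) {
  const days = RETENTION_DAYS[eventType];
  if (days === undefined) throw new Error(`no retention rule for ${eventType}`);
  return new Date(occurredAt.getTime() + days * 86400000).toISOString().slice(0, 10);
}

function makeEventStore() {
  const systemEvents = [];     // the source of truth, written for every outcome
  const analyticsEvents = [];  // only written when consent scope includes analytics
  return {
    record(eventType, { subjectId, consent, occurredAt = new Date("2026-02-01T09:30:00Z") }) {
      const systemEvent = {
        type: eventType,
        subjectId,
        occurredAt: occurredAt.toISOString(),
        consentScope: consent.purposes.slice(),   // what the person agreed to
        policyVersion: consent.policyVersion,     // which notice they saw
        keepUntil: keepUntil(eventType, occurredAt),
      };
      systemEvents.push(systemEvent);
      if (consent.purposes.includes("analytics")) {
        // Analytics gets the outcome and time, not the subject id.
        analyticsEvents.push({ type: eventType, occurredAt: systemEvent.occurredAt });
      }
      return systemEvent;
    },
    // Leadership numbers come from system events; the analytics count shows the gap.
    report(eventType) {
      return {
        completed: systemEvents.filter((e) => e.type === eventType).length,
        observedByAnalytics: analyticsEvents.filter((e) => e.type === eventType).length,
      };
    },
    // Remove system records whose keep-until date has passed. Returns the count removed.
    purgeExpired(today) {
      const before = systemEvents.length;
      for (let i = systemEvents.length - 1; i >= 0; i--) {
        if (systemEvents[i].keepUntil < today) systemEvents.splice(i, 1);
      }
      return before - systemEvents.length;
    },
  };
}

// Constructed walkthrough: two applications, only one with analytics consent.
function demoMeasurement() {
  const store = makeEventStore();
  store.record("application_started", { subjectId: "a1", consent: { purposes: ["essential", "analytics"], policyVersion: "2026-01" } });
  store.record("application_started", { subjectId: "a2", consent: { purposes: ["essential"], policyVersion: "2026-01" } });
  return { report: store.report("application_started"), store };
}
```

The report shows two applications started but only one visible to analytics; that gap is the expected, honest picture under limited consent, and the system count is the number to put in front of leadership.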
Week-over-week habits that keep you on track
Make progress visible. Set a thirty-minute weekly review with one person each from Marketing, Engineering, Legal, and Support. Look at five pages that matter to the quarter. Confirm that privacy policy links exist on collection pages. Check that closing a banner is not treated as consent. Verify that on-page fallbacks exist for downloads, confirmations, and bookings. Test with a browser signal on and complete the main task. Choose one improvement to publish within seven days and record the change in a simple log.
Use the same meeting to track ADMT preparation. Keep a list of flows influenced by models or rules and attach a status to each artifact you need. Notice written. Opt-out feasibility decided. Access path documented. Appeal path documented. Owner named. Next check date. When dates arrive in 2026 and 2027, you will not be starting from a blank page.
Sector snapshots you can adapt this quarter
A public university opens applications for a competitive program. The application page leads with a concrete promise and a dated proof point from the prior term. The link to apply is stable and does not rely on a tag. A person who starts receives a confirmation on the page and an email copy within a minute. If the email is delayed, the applicant still gets the details and a calendar file. Server-side events record application start and submission. Admissions dashboards show reality even when analytics is partial. The pre-use notice for an admissions screen is posted and the access and appeal paths are documented with an owner and a date.
A national nonprofit runs a seasonal campaign with strict privacy expectations. The donation page explains required versus optional data in plain language. The page provides a receipt on completion and an email copy. If the email is slow, the donor still gets the receipt on the page. Donation events are recorded server-side and tied to a stable identifier. Consent scope and policy version travel with the record. Preference center options for impact stories and appeals match the page copy. Broker contracts are updated to reflect SB 361 disclosures and the team is ready for the DROP cadence.
A regional bank publishes a content series for small businesses. Pages use a simple structure of claim, dated evidence, and next step. Downloads appear on the page after a brief form, with an email copy as a convenience. A person who arrives with a browser signal on still completes the task. The team measures consult requests and product inquiries with server-side events. Risk assessment summaries exist for the series and for any automated triage flow that influences eligibility. Renewals include opt-in AI, structured outputs for generated content, and a rollback plan for key paths.
Dates that shape your calendar
Mark January 1, 2026 for the CPPA rule package and SB 361’s broker disclosures. Mark August 1, 2026 for the DROP cadence. Mark January 1, 2027 for automated decision making duties and for browser-level opt-out signals. Mark April 1, 2028 for risk assessment attestations and for the first wave of cybersecurity audit certifications, with later dates tied to revenue tiers. Keep those dates on one page you can read in a minute and review it monthly.