California's legislature has once again taken center stage in the national privacy conversation, passing a flurry of privacy bills during a marathon session that stretched into the night of September 12.
These newly approved measures, ranging from social media warnings to health data protections to global opt-outs for both browsers and data brokers, now await Governor Gavin Newsom's signature; he has until October 12 to sign or veto each bill. California also passed a raft of new bills related to artificial intelligence (AI) that similarly await the governor's signature.
Social Media Platforms
AB 56 requires the display of a "black box warning" on social media platforms to alert users, especially children, about the risks extensive social media use may pose to their mental health. Social media platforms must display the label to users of all ages when they first use the platform, and at least once a week after that initial use, for at least 90 continuous seconds. If Governor Newsom signs the bill, California will become the second state, after Minnesota, to require social media platforms to display mental health warning labels. Lawmakers in both states referenced the recommendation of then-U.S. Surgeon General Vivek Murthy to mandate warning labels in response to growing concerns over the potential impact of these platforms on the mental health of young users.
AB 656 requires social media platforms with annual gross revenue exceeding $100 million to provide their users with a clear and conspicuous "Delete Account" button. The button must be accessible in every medium where the platform is offered, including applications and browsers. When a user uses this button, the platform must treat the request as applying to both the user's account and the user's personal information, as required under the California Consumer Privacy Act (CCPA). Social media platforms are prohibited from using "dark patterns" in the user interface to interfere with a user's ability to delete their account, and they may not treat a user's subsequent login to an account for which a deletion request has been submitted as a withdrawal of that request.
SB 771 creates a private right of action against a social media platform for violations of four civil rights statutes, including the Ralph Civil Rights Act and the Tom Bane Civil Rights Act. These laws prohibit individuals, including corporations, from engaging in, aiding, abetting, or conspiring to commit acts of violence, intimidation, or coercion based on protected characteristics such as race, religion, gender, sexual orientation, and immigration status.
Under SB 771, social media platforms may be held liable if: (1) their algorithms relay content to users; (2) they aid, abet, act in concert with, or conspire in a violation of these laws; or (3) they are considered joint tortfeasors in such violations. The bill treats deploying an algorithm to relay content as a separate act from the content itself, and deems platforms to have actual knowledge of their algorithms, including how and under what circumstances content is shown to certain users but not others. Penalties for violations include up to $1 million for intentional, knowing, or willful violations and up to $500,000 for reckless violations. If the platform knew, or should have known, that the plaintiff was a minor, the court may award up to double these amounts. If the governor signs the bill, it will take effect January 1, 2027.
Age Assurance
The Digital Age Assurance Act, AB 1043, requires operating system providers to collect a user's age during account setup and then share the user's age range (or bracket) with all apps in a covered app store. Under the bill, an "operating system provider" is any person or entity that develops, licenses, or controls operating system software for computers, mobile devices, or any other general purpose computing devices. Websites were originally covered by the legislation but were removed prior to passage. Specifically, providers must offer an accessible interface at account setup that requires either the account holder (if 18 years of age or older) or a parent or legal guardian (if the user is under 18) to enter the user's date of birth, age, or both. This information is used to generate a digital signal reflecting the user's age bracket, which is then provided to applications available through app stores.
Providers are also required to supply developers (persons that own, maintain, or control an application) with a digital signal identifying the user's age range. Developers must request this signal from providers or app stores when an application is downloaded and launched. Receipt of the signal gives developers actual knowledge of the user's age range, but developers may not willfully disregard clear and convincing information that the user's actual age differs from the signal. Developers are prohibited from requesting more information than necessary to comply with the bill and from sharing the signal with third parties, except as permitted.
Providers and covered app stores must comply with nondiscrimination provisions, ensuring that their own applications and distribution channels are subject to the same restrictions and obligations imposed on third-party apps and distributors. They are also barred from using data collected under the law in an anti-competitive manner.
The California Attorney General has enforcement powers to levy civil penalties of up to $2,500 per affected child for negligent violations and up to $7,500 per affected child for intentional violations. If signed by Governor Newsom, AB 1043 will take effect January 1, 2027. The bill sets a later deadline of July 1, 2027, for providers to implement this system for accounts created prior to January 1, 2027. Developers also have until July 1, 2027, to request the age range signal for applications updated on or after January 1, 2026, and downloaded before January 1, 2027.
Global Opt-Out for Browsers
The legislature amended the CCPA through the California Opt Me Out Act, AB 566. The bill requires browser developers to provide functionality for a consumer-configurable opt-out preference signal. Businesses that maintain or develop browsers must include information in their public disclosures about how the opt-out preference signal operates and its intended effect. Browser developers that include the required opt-out functionality will not be held liable if a business that receives the opt-out preference signal violates the CCPA's opt-out provisions. Governor Newsom vetoed a similar bill last year, but that bill was broader and would have imposed the same requirements on mobile operating systems as well as browsers. In his veto message, the governor noted that while most browsers had either built in an opt-out or allowed users to "download a plug-in with the same functionality," "[n]o major mobile OS incorporates an option for an opt-out signal." If signed, the bill will take effect January 1, 2027, and the California Privacy Protection Agency (CPPA) has authority to issue regulations for these provisions.
Health Privacy and Location Data
AB 45 prohibits the collection, use, disclosure, sale, sharing, or retention of personal information from individuals at or within a precise geolocation (defined as a radius of 1,850 feet or less) of family planning centers, except as necessary to provide requested services to the individual or as otherwise permitted by law. Notably, the law permits individuals or entities, including family planning centers, to bring civil actions for injunctive relief, monetary damages (including treble damages), and attorney's fees within three years of discovering a violation.
The law also prohibits the use of geofencing, technology that uses spatial or location detection to set up a virtual boundary around a physical location and determine when an individual enters or exits that area. Specifically, the law prohibits geofencing of in-person health care services for purposes of (1) identifying or tracking individuals seeking, receiving, or providing health care services; (2) collecting personal information from such individuals; or (3) sending notifications or advertisements to an individual related to their personal information or health care services. Selling or sharing personal information with third parties for these prohibited purposes is likewise prohibited. However, the law permits geofencing for an in-person health care entity's own legitimate health care operations (e.g., monitoring newborns or memory-impaired individuals), for providing security at reproductive health care facilities, and for certain labor organization activities, provided that no personal information is collected without express consent. The state's Attorney General may seek civil penalties of $25,000 per violation for unlawful geofencing.
In addition, AB 45 imposes strict limits on the release of personally identifying research records related to individuals seeking or obtaining health care services. Specifically, such records cannot be disclosed in response to subpoenas or requests based on another state's laws that conflict with California's Reproductive Privacy Act, or in connection with foreign penal civil actions. These records are also protected from release to law enforcement for the enforcement of such laws or actions, unless a valid subpoena that is not otherwise prohibited requires their release.
Health Privacy and Immigration Status
SB 81 expands privacy protections for patients in health care facilities, with a particular focus on immigration status and enforcement. The law broadens the definition of "medical information" under California's Confidentiality of Medical Information Act (CMIA) to include a patient's immigration status and place of birth, prohibiting health care service plans, contractors, and related entities from disclosing such information for immigration enforcement purposes, except as expressly permitted by the patient or required by law.
The law requires health care provider entities that receive public funding, including public and private hospitals, clinics, physician organizations, and integrated health systems, to implement procedures for monitoring and receiving visitors, including law enforcement, to enhance privacy and protect patients. The law also mandates the designation of nonpublic, restricted-access areas to help preserve patient privacy where patients receive care or discuss protected health information, restricting access for immigration enforcement purposes unless a valid warrant or court order specifically grants access.
Health care provider entity personnel must immediately notify management or legal counsel of any immigration enforcement requests for access to the facility, patients, or documents, including those made through subpoenas, warrants, or court orders. Additionally, covered entities must provide training to all staff and volunteers on how to respond to immigration enforcement requests or inquiries that would grant access to the premises or patients.
Violations of the law remain subject to the existing CMIA penalties, including misdemeanor liability for breaches causing economic loss or personal injury to a patient. If signed, SB 81 would take effect immediately, and covered entities must comply with its requirements within 45 days of enactment.
Data Broker Reporting and Data Deletion
SB 361 strengthens California's regulation of data brokers by expanding the state's existing data broker registration and disclosure requirements. If signed by Governor Newsom, the bill would require data brokers to report detailed information to the CPPA about the types of personal information they collect, including names, dates of birth, government IDs, and biometric data, and whether they have sold or shared data with foreign actors, government entities, law enforcement, or developers of generative AI systems. The bill also requires data brokers to provide a clear link on their website through which consumers can learn about and exercise their privacy rights, and prohibits the use of dark patterns to interfere with those rights. Finally, the bill directs the CPPA to create a public website listing data broker registration information, with certain sensitive data categories excluded from public view.
By January 1, 2026, the CPPA must establish an accessible deletion mechanism that allows consumers to request deletion of all personal information held by any data broker. Beginning August 1, 2026, data brokers must access the deletion mechanism at least once every 45 days, process deletion requests within 45 days, and treat unverified requests as opt-outs from the sale or sharing of consumer information. After a deletion request, brokers must continue to delete new personal information at least every 45 days and are prohibited from selling or sharing new data unless permitted by law or requested by the consumer.
Starting January 1, 2028, data brokers must undergo independent compliance audits every three years, retain the audit reports for six years, and submit them to the CPPA upon written request. Failure to register or to comply with the deletion requirements subjects a data broker to administrative fines of $200 per day of noncompliance, plus payment of any unpaid registration fees and reasonable investigation costs.