Key Takeaways
- Recently signed California privacy laws carry new requirements for healthcare providers, data brokers, and companies that provide web browsers. All businesses should be aware of the California Opt Me Out Act, which could result in the introduction of new browser opt-out signals like the Global Privacy Control, which all websites will need to recognize.
- The governor also signed laws requiring social media companies to offer easy account and data-deletion mechanisms and to display warnings to users under 17 about the dangers of "addictive" app use.
- Another new state law requires operating system providers to collect user age and provide user age brackets to the applications operating on their platforms.
California Governor Gavin Newsom recently signed seven privacy, social media, and age assurance bills into law, vetoing only one social media law passed by the legislature. These laws introduce new requirements for a range of businesses operating in the state, including companies operating browsers, app stores, or operating systems; healthcare providers; data brokers; social media companies; and app developers. These laws go into effect at varying times over the next two years, with one going into effect as early as November 4, 2025. The following Update summarizes the key provisions and compliance recommendations for each law to help organizations prepare for these substantive regulatory changes.
Privacy
AB 566, the California Opt Me Out Act, amends the California Consumer Privacy Act (CCPA) to require all browser developers to provide a consumer-configurable opt-out preference signal that is easy to use and locate in the browser. The opt-out preference signal communicates the consumer's choice to opt out of the sale or sharing of the consumer's personal information. These businesses must make it clear to a consumer in their public disclosures how the opt-out preference signal works and the intended effect of the opt-out preference signal. The law also shields browser developers who implement the opt-out from liability for downstream violations by businesses. The law authorizes the California Privacy Protection Agency to adopt regulations to implement this requirement. Penalties for violations of the CCPA are up to $7,500 per violation. AB 566 takes effect on January 1, 2027.
SB 81 expands medical privacy protections under California's Confidentiality of Medical Information Act to prohibit healthcare facilities from disclosing patients' immigration status and place of birth for immigration enforcement purposes, except as required by law. The legislation requires covered entities to establish or amend procedures for monitoring, documenting, and receiving visitors to healthcare provider entities; designate areas where patients are receiving treatment or care or discussing protected health information as nonpublic and restrict access to those areas; and provide staff and volunteers with training on responding to immigration enforcement requests. Noncompliance can result in civil penalties from $2,500 to $250,000 per violation depending on the nature of the violation. Healthcare providers should update staff training for healthcare facilities, implement procedures for visitor monitoring and restricted areas, and review protocols for responding to law enforcement and immigration requests. SB 81 is effective immediately, with covered entities required to comply by November 4, 2025.
AB 45 prohibits the collection, use, sale, or sharing of personal information from any individual physically located at, or within a precise geolocation radius of 1,850 feet from, a family planning center. Exempted from this prohibition is any collection or use of such data when necessary to perform services or provide goods requested by the individual. The law also bans geofencing for tracking or advertising to individuals seeking healthcare services and imposes strict limits on the release of healthcare research records, particularly in response to out-of-state subpoenas. Entities should audit their geolocation data practices near sensitive health facilities, review and update the use of geofencing and targeted advertising, and revise policies for handling health-related research records to ensure compliance. Violations of the geofencing provisions may result in civil penalties of up to $25,000 per incident. AB 45 takes effect on January 1, 2026.
AB 361 expands data broker registration and disclosure requirements by mandating that data brokers publicly report detailed information about their personal data collection practices, including sales to foreign entities, governments, law enforcement, and AI developers. Data brokers also must provide a clear and accessible mechanism for consumers to request deletion of their personal information. The law prohibits the use of "dark patterns" to frustrate deletion requests and introduces a requirement for independent audits of compliance every three years. Data brokers should prepare for expanded reporting and audit obligations, implement and maintain user-friendly deletion mechanisms, and review and update website disclosures and opt-out processes to ensure compliance. Noncompliance can result in administrative penalties of $200 per day. The deletion mechanism requirement takes effect on January 1, 2026, and the audit requirement on January 1, 2028.
Social Media
AB 656 requires social media platforms with annual gross revenue exceeding $100 million to provide users with a clear and easily accessible "Delete Account" button on all platforms and ensure that account deletion requests also result in the deletion of associated personal information in compliance with the CCPA. The law prohibits the use of "dark patterns" that could interfere with or complicate the account deletion process. Social media platforms should update their user interfaces and data deletion workflows to ensure compliance. Noncompliance may result in civil penalties. AB 656 also takes effect on January 1, 2026.
AB 56, the Social Media Warning Law, requires covered platforms to display "black box warnings" to users under 17. Covered platforms include social media platforms and statutorily defined "addictive internet-based services or applications." These platforms must show the black box warning each day the user initially accesses the social media platform, again after three hours of cumulative active use, and at least once per hour of cumulative active use. The law requires the initial warning label to be shown for at least 10 seconds, and the subsequent labels must be shown for at least 30 seconds. The label must be shown "clearly, conspicuously, and legibly in black text on a white background," and the text must read: "The Surgeon General has warned that while social media may have benefits for some young users, social media is associated with significant mental health harms and has not been proven safe for young users." Covered platforms should implement the required warning labels. AB 56 takes effect on January 1, 2027.
Age Assurance
AB 1043, the Digital Age Assurance Act, requires operating system providers—any person or entity that develops, licenses, or controls operating system software for computers, mobile devices, or any other general purpose computing devices—to implement a system to collect user age during account setup and then provide the user's age range (or bracket) to all apps in a covered app store. Specifically, the provider must present an accessible interface at account creation that prompts either the account holder (if 18 or older) or a parent/legal guardian (if under 18) to enter the user's date of birth, age, or both. Application developers—those who own, maintain, or control an app—must request and receive this age bracket signal whenever an app is downloaded or launched. The law prohibits discrimination and anticompetitive use of age data. The California attorney general may impose civil penalties of up to $2,500 per affected child for negligent violations and up to $7,500 per affected child for intentional violations. AB 1043 takes effect on January 1, 2027. For accounts created before the law takes effect, operating system providers must implement the age verification system by July 1, 2027. For apps updated on or after January 1, 2026, and downloaded before January 1, 2027, app developers must update their app to request the age bracket signal by July 1, 2027.