Companies Face New CPPA Rules in 2026, Oregon Privacy Law Changes
Privacy professionals begin the new year considering significant changes to some state privacy requirements. Lawyers suggested resolutions to review data and get an early start on risk assessments.
For example, a rulemaking package approved last September by the California Privacy Protection Agency (CalPrivacy) on automated decision-making technology (ADMT) and other issues took effect Jan. 1, though some of the new requirements provide extra time for companies to comply (see 2509230036). A recent agency flyer flagged a variety of fresh rules now in effect under the California Consumer Privacy Act (CCPA), including new obligations related to risk assessments, sensitive kids’ data and requests to know, correct and opt out.
Meanwhile, an amendment to Oregon’s comprehensive privacy law bans selling precise geolocation data and kids’ personal data as of Jan. 1. As a result of the change, the privacy law will now prohibit selling precise geolocation data that shows the location of a consumer within 1,750 feet. Also, it will ban processing, profiling or selling data of a consumer who a controller knows is younger than 16.
In addition, an amendment to the Virginia Consumer Data Protection Act effective Jan. 1 requires that social media platforms conduct age verification and set a one-hour daily limit for users younger than 16, unless a parent consents for additional time. NetChoice has challenged the amendment’s constitutionality in court (see 2512220041).
Some delayed requirements commenced, as well. On Jan. 1, obligations to honor universal opt-out signals come into effect under Delaware and Oregon privacy laws. In addition, comprehensive privacy law rights to cure expired Dec. 31 in Delaware and New Hampshire and Jan. 1 in Oregon. Not far behind, Minnesota’s right to cure will sunset Jan. 31.
Three new comprehensive laws took effect Jan. 1 (see 2512230032), but lately it’s been the amendments to existing laws creating the most compliance headaches, Troutman privacy attorney David Stauss said in an interview. Other states that have been tweaking their privacy laws include Connecticut and Montana (see 2506260005 and 2505120005).
Consumer advocates appreciate such changes, however. Hayley Tsukayama, Electronic Frontier Foundation state affairs director, told us she’s “been really encouraged by the way that, in some states, privacy laws have been evolving.” Lawmakers in those places have “been learning from the mistakes” of others, she said.
Meanwhile, Tsukayama hopes the end of more states’ rights to cure will mean additional enforcement. “We have heard from regulators that rights to cure can be huge obstacles to bringing cases.”
Stauss predicted it will mean more privacy actions. “Those states that no longer have rights to cure” have “a lot stronger enforcement than the states that do.”
He added that what makes the Jan. 1 amendment to Oregon’s privacy law especially interesting is that it’s happening at the same moment that the statute’s right to cure is expiring. Oregon has been signaling that it will be an active privacy enforcer, he said. The state attorney general’s office said in an October enforcement report that its privacy unit is “developing resources” for the amendment (see 2510300034).
Oregon’s amendment banning the sale of kids’ data and geolocation data is “pretty significant,” said Jordan Francis, Future of Privacy Forum senior policy counsel. While Maryland still has the strictest privacy law on selling sensitive data, since it does so broadly, the fact that Oregon is banning sales “for these specific types of sensitive data … is unique,” he said.
California Rules Take Effect
Stauss said one of the most significant CCPA rule changes is that websites must now show on the site when a visitor’s universal opt-out signal has been honored. The lawyer also highlighted that provision during an August webinar because he said it would be easy for enforcers to check something so visible for violations (see 2508210026).
In addition, Stauss said he and his colleagues have “been jumping up and down” about a deadline related to CalPrivacy’s risk assessment rules. Starting Jan. 1, according to CalPrivacy’s flyer, “a business must conduct a risk assessment before starting several activities, such as selling or sharing personal information, processing sensitive personal information, and using or training certain automated technologies.”
Companies don’t have to certify they have done the required risk assessments until April 1, 2027, but the Jan. 1, 2026, starting date is important, said Stauss. “Trying to create this muscle memory within clients of having to do risk assessments is something that we’re spending a lot of time doing.”
Many other privacy lawyers also sounded the alarm about new CCPA rule changes in December blog posts.
“Businesses must be cognizant of critical areas that will require additional steps for compliance, including” risk assessments, cybersecurity audits and ADMT used for significant decisions, blogged Davis+Gilbert attorneys Gary Kibel and Jeremy Merkel on Dec. 18.
The ringing in of the new year brought “the most detailed and sweeping changes since” CCPA arrived, Robinson+Cole privacy attorney Kathryn Rattigan wrote in a Dec. 11 post. “2026 is the year comprehensive, user-focused, and risk-aware privacy compliance becomes mandatory in California.” Companies should audit their privacy policies and notices, review data practices, implement “Your Privacy Choices” landing pages, assess ADMT usage and formalize their security and compliance program, she said.
Aaron Charfoos and other Paul Hastings privacy lawyers flagged a CCPA change that means consumers will be able to request access to personal information as far back as Jan. 1, 2022. “This highlights the need to ensure that consumer personal information is properly accounted for and deleted when no longer necessary. Businesses should have established data retention policies and practices related to the secure deletion of information when appropriate.”
Among other key changes, the CCPA rules now define personal information of consumers younger than 16 years old as sensitive, the Paul Hastings attorneys added. “Businesses that regularly collect and maintain youth personal information will need to ensure their processes are able to honor such requests when received.”
In a Dec. 22 blog post, Lowenstein Sandler attorneys stressed the importance of the new risk-assessment rules. “The regulations require a risk assessment when personal information is processed in ways that could materially impact consumer privacy,” such as when using ADMT for a significant decision, processing sensitive personal information, selling or sharing personal information, profiling and processing “that could create a reasonably foreseeable risk of harm, including risks related to discrimination, loss of confidentiality, or economic injury,” wrote Amy Mushahwar and two colleagues.
“Given the complexity of these assessments and the potential exposure to regulatory enforcement, companies should consider conducting preliminary risk assessments under attorney-client privilege to protect the analysis from disclosure, especially if California’s regulations create newly risk-assessed infrastructure,” the Lowenstein lawyers added. “The final risk assessment can then be completed after a period of remediation.”