California Governor Gavin Newsom Signs Seven New Data Privacy Laws

Key Takeaways

• Recently signed California privacy laws carry new requirements for healthcare providers, data brokers, and companies that provide web browsers. All businesses should be aware of the California Opt Me Out Act, which could result in the introduction of new browser opt-out signals like the Global Privacy Control, which all websites will need to recognize.
• The governor also signed laws mandating social media companies to offer easy account and data-deletion mechanisms and to display warnings to users under 17 about the dangers of “addictive” app use.
• Another new state law requires operating system providers to collect user age and provide user age brackets to the applications operating on its platform.

California Governor Gavin Newsom recently signed seven privacy, social media, and age assurance bills into law, vetoing only one social media law passed by the legislature. These laws introduce new requirements for a range of businesses operating in the state, including companies operating browsers, app stores, or operating systems; healthcare providers; data brokers; social media companies; and app developers. These laws go into effect at varying times over the next two years, with one going into effect as early as November 4, 2025. The following Update summarizes the key provisions and compliance recommendations for each law to help organizations prepare for these substantive regulatory changes. 

Privacy

AB 566, the California Opt Me Out Act, amends the California Consumer Privacy Act (CCPA) to require all browser developers to provide a consumer-configurable opt-out preference signal that is easy to use and locate in the browser. The opt-out preference signal communicates the consumer’s choice to opt out of the sale or sharing of the consumer’s personal information. These businesses must make it clear to a consumer in their public disclosures how the opt-out preference signal works and the intended effect of the opt-out preference signal. The law also shields browser developers who implement the opt-out from liability for downstream violations by businesses. The law authorizes the California Privacy Protection Agency to adopt regulations to implement this requirement. Penalties for violations of the CCPA are up to $7,500 per violation. AB 566 takes effect on January 1, 2027.

SB 81 expands medical privacy protections under California’s Confidentiality of Medical Information Act to prohibit healthcare facilities from disclosing patients’ immigration status and place of birth for immigration enforcement purposes, except as required by law. The legislation requires covered entities to establish or amend procedures for monitoring, documenting, and receiving visitors to healthcare provider entities; designate areas where patients are receiving treatment or care or discussing protected health information as nonpublic and restrict access to those areas; and provide staff and volunteers with training on responding to immigration enforcement requests. Noncompliance can result in civil penalties from $2,500 to $250,000 per violation depending on the nature of the violation. Healthcare providers should update staff training for healthcare facilities, implement procedures for visitor monitoring and restricted areas, and review protocols for responding to law enforcement and immigration requests. SB 81 is effective immediately, with covered entities required to comply by November 4, 2025.

AB 45 prohibits the collection, use, sale, or sharing of personal information from any individual physically located at, or within a precise geolocation radius of 1,850 feet from, a family planning center. Exempted from this prohibition is any collection or use of such data when necessary to perform services or provide goods requested by the individual. The law also bans geofencing for tracking or advertising to individuals seeking healthcare services and imposes strict limits on the release of healthcare research records, particularly in response to out-of-state subpoenas. Entities should audit their geolocation data practices near sensitive health facilities, review and update the use of geofencing and targeted advertising, and revise policies for handling health-related research records to ensure compliance. Violations of the geofencing provisions may result in civil penalties of up to $25,000 per incident. AB 45 takes effect on January 1, 2026.

AB 361 expands data broker registration and disclosure requirements by mandating that data brokers publicly report detailed information about their personal data collection practices, including sales to foreign entities, governments, law enforcement, and AI developers. Data brokers also must provide a clear and accessible mechanism for consumers to request deletion of their personal information. The law prohibits the use of “dark patterns” to frustrate deletion requests and introduces a requirement for independent audits of compliance every three years. Data brokers should prepare for expanded reporting and audit obligations, implement and maintain user-friendly deletion mechanisms, and review and update website disclosures and opt-out processes to ensure compliance. Noncompliance can result in administrative penalties of $200 per day. The deletion mechanism requirement takes effect on January 1, 2026, and the audit requirement on January 1, 2028. 

Social Media

AB 656 requires social media platforms with annual gross revenue exceeding $100 million to provide users with a clear and easily accessible “Delete Account” button on all platforms and ensure that account deletion requests also result in the deletion of associated personal information in compliance with the CCPA. The law prohibits the use of “dark patterns” that could interfere with or complicate the account deletion process. Social media platforms should update their user interfaces and data deletion workflows to ensure compliance. Noncompliance may result in civil penalties. AB 656 also takes effect on January 1, 2026.

AB 56, the Social Media Warning Law, requires covered platforms to display “black box warnings” to users under 17. Covered platforms include social media platforms and statutorily defined "addictive internet-based services or applications.” These platforms must show the black box warning each day the user initially accesses the social media platform, again after three hours of cumulative active use, and at least once per hour of cumulative active use. The law requires the initial warning label to be shown for at least 10 seconds, and the subsequent labels must be shown for at least 30 seconds. The label must be shown “clearly, conspicuously, and legibly in black text on a white background,” and the text must read: “The Surgeon General has warned that while social media may have benefits for some young users, social media is associated with significant mental health harms and has not been proven safe for young users.” Covered platforms should implement the required warning labels. AB 56 takes effect on January 1, 2027. 

Age Assurance

AB 1043, the Digital Age Assurance Act, requires operating system providers—any person or entity that develops, licenses, or controls operating system software for computers, mobile devices, or any other general purpose computing devices—to implement a system to collect user age during account setup and then provide the user’s age range (or bracket) with all apps in a covered app store. Specifically, the provider must present an accessible interface at account creation that prompts either the account holder (if 18 or older) or a parent/legal guardian (if under 18) to enter the user’s date of birth, age, or both. Application developers—those who own, maintain, or control an app—must request and receive this age bracket signal whenever an app is downloaded or launched. The law prohibits discrimination and anticompetitive use of age data. The California attorney general may impose civil penalties of up to $2,500 per affected child for negligent violations and up to $7,500 per affected child for intentional violations. AB 1043 takes effect on January 1, 2027. For accounts created before the law takes effect, operating system providers must implement the age verification system by July 1, 2027. For apps updated on or after January 1, 2026, and downloaded before January 1, 2027, app developers must update their app to request the age bracket signal by July 1, 2027.