Major CCPA Updates and New State Consumer Privacy Laws
As 2026 begins, organizations face a rapidly evolving privacy landscape shaped by sweeping regulatory updates across multiple states. California has implemented some of the most consequential changes to date, expanding CCPA obligations with new rules governing automated decision‑making, high‑risk data processing, cybersecurity audits, and data‑broker responsibilities. At the same time, newly effective comprehensive privacy laws in Indiana, Kentucky, and Rhode Island further expand the patchwork of state requirements, while introducing subtle but important distinctions in scope, thresholds, and consumer rights. Adding to this momentum, Virginia’s new social media restrictions for minors signal an accelerating national trend toward youth‑focused online governance. Together, these developments mark 2026 as a pivotal year, one in which companies will need to reassess and strengthen their privacy programs to keep pace with increasingly complex, risk‑aligned, and youth‑protective data regulations.
California
California released new regulations that refine and expand CCPA expectations, so many organizations will need to reassess existing compliance programs. A major focus is automated decision-making technology (ADMT): when ADMT is used for decisions that replace or substantially replace human judgment, businesses must provide opt-outs. Any human review must be meaningful: reviewers need to understand the ADMT output and have authority to change or correct the decision.
California also introduces broader risk assessment requirements for processing that may pose privacy risk, including activities like selling/sharing personal data, processing sensitive data, using ADMT for significant decisions, certain ADMT training uses, and automated inferences in education, job-seeking, employment, or contracting contexts. In addition, the cybersecurity audit rule clarifies what counts as “significant risk” and what “reasonable” security measures should include.
For data brokers, the Delete Act and the DROP portal raise the stakes: covered brokers must honor deletion/opt-out requests submitted through DROP, run 45-day deletion sweeps, and face potentially steep per-violation penalties. Regulators have also warned brokers to fully disclose trade names and websites and to register independently, not only under a parent or affiliate.
Indiana, Kentucky & Rhode Island
Comprehensive state privacy laws coming into effect in Indiana, Kentucky, and Rhode Island were enacted earlier, and many provisions align with other state frameworks—reducing compliance surprises for many businesses.
Indiana and Kentucky closely track Virginia-style thresholds (generally: processing data of 100,000 consumers, or earning 50% of revenue from selling data of 25,000+ consumers) and include common requirements like data protection impact assessments, rules for deidentified/pseudonymous data, opt-outs for targeted ads and data sales, plus a 30-day cure provision. Indiana’s AG also issued guidance on summarizing rights and obligations ahead of the effective date.
Rhode Island applies to entities handling data of 35,000+ residents, or 10,000+ residents if 20% of revenue comes from data sales. While it includes standard consumer rights and assessments, it omits several provisions seen elsewhere, including recognition of universal opt-out mechanisms and a right to cure.
Virginia
Virginia’s new social media restrictions for minors, established under § 59.1‑577.1 and effective January 1, 2026, introduce substantial obligations for platforms operating in the state. The law requires social media providers to use commercially reasonable methods—such as neutral age‑screening mechanisms—to determine whether a user is under 16, and to limit those minors to one hour of use per platform per day, unless a parent provides verifiable consent to adjust that limit. Any data collected to determine age may be used only for age verification and the delivery of age‑appropriate experiences, and platforms must treat a user as a minor whenever the user's device or settings indicate that status. The statute also prohibits platforms from degrading service quality, increasing prices, or withholding features simply because they are not permitted to offer additional access beyond the one‑hour limit, while clarifying that providers are not required to offer features that necessitate processing a known minor’s personal information. These measures place Virginia among the states advancing youth‑focused digital governance in 2026, further cementing minors’ online safety as a central theme of emerging privacy regulation.
- New year, new rules: US state privacy requirements coming online as 2026 begins
- § 59.1-577.1. (Effective January 1, 2026) Social media platforms; responsibilities and prohibitions related to minors.
- CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations
- Rights of Kentuckians under the Kentucky Consumer Data Protection Act
- Article 15. Consumer Data Protection
- Chapter 48.1, Rhode Island Data Transparency and Privacy Protection Act [Effective January 1, 2026.]
BDO helps you develop and implement a comprehensive privacy and data protection strategy to maintain global compliance and responsibly handle personal information. Our advisory services include comprehensive assessments, risk management strategies, and compliance support to protect your sensitive data.