California’s New Wave of Privacy Regulation: What Businesses Need to Know Now

11 Jan 2022

California continues to define the privacy agenda

California is no longer just shaping the privacy landscape; it is building the operating system for data governance in America.

Over the past two years, the state has expanded the scope of its data protection laws, strengthened enforcement authority, and modernized the definition of personal information. This latest wave of legislation and rulemaking, centered around SB 361, SB 362, AB 1008, SB 1223, and the new California Privacy Protection Agency (CPPA) regulations, marks a fundamental evolution in how privacy is governed and operationalized.

Together, these measures transform compliance from a static legal requirement into a continuous operational discipline. Privacy is no longer a checkbox function that sits within the legal department. It is a measurable and ongoing business process that must touch every data-driven operation.

For organizations that collect or process data on California residents, this shift signals a new era of continuous accountability. The emerging expectation is not only to comply but to demonstrate compliance dynamically.

1. SB 361: The next chapter in data broker transparency

SB 361, known as the Defending Californians’ Data Act and signed October 8, 2025, builds directly on California’s privacy architecture under the CCPA and CPRA. The law heightens requirements for data brokers by expanding public transparency and ongoing disclosure obligations.

Brokers must now provide detailed statements about what personal information they collect, where it originates, why it is used, and which categories of third parties receive it. Registration frequency has increased, and documentation expectations have tightened, closing long-standing loopholes that allowed intermediaries to operate without full consumer visibility.

Implications for business:

Any organization that relies on data brokerage, enrichment, or behavioral analytics must now trace the full chain of custody for its data. Privacy disclosures must evolve from high-level summaries to granular and verifiable documentation.

Strategic takeaway:

Transparency has become a compliance performance indicator. Companies should treat transparency metrics as part of operational audits, not just communications strategy.

2. SB 362: The Delete Act and centralized data control

If SB 361 redefines transparency, SB 362, the California Delete Act, redefines control. Signed in 2023, it creates a single mechanism for consumers to request deletion of their personal information from every registered data broker in the state.

Instead of consumers contacting each broker individually, the Act establishes a centralized platform managed by the CPPA that distributes and enforces deletion requests automatically. This centralization reshapes consent management architecture in the United States by allowing Californians to make one deletion request that ripples across the entire data ecosystem.

Beginning August 1, 2026, registered data brokers must access the CPPA system at least every 45 days and process pending requests.

Implications for business:

For companies that source or use brokered data, this law introduces both technical and procedural obligations. Businesses must ensure that partners honor deletion requests and that internal records are updated in real time. Failure to do so could create downstream enforcement risk.

Strategic takeaway:

Automation is the only sustainable path forward. Manual deletion processes cannot meet the scale or speed of centralized consumer rights requests. Companies that invest early in automated deletion workflows and data lineage tools will reach compliance maturity faster and more efficiently.

3. AB 1008 and SB 1223: AI outputs and neural data move into scope

Artificial intelligence has blurred the boundaries of what counts as personal data. AB 1008, signed in September 2024 and effective January 2025, clarifies that personal information under the CPRA includes AI system outputs and related data formats, bringing model artifacts and generated profiles into privacy scope.

In parallel, SB 1223 adds neural data to the CPRA’s definition of sensitive personal information, alongside biometric and genetic data. Neural data includes information generated by measuring or analyzing the central or peripheral nervous system, such as through brain-computer interfaces, emotion recognition tools, or behavioral inference models.

Together, these updates reflect the convergence of human cognition and digital processing.

Implications for business:

Organizations that build or deploy AI systems must treat any data involving emotional, behavioral, physiological, or neural indicators as sensitive. This triggers heightened obligations related to security, purpose limitation, and opt-out rights.

Strategic takeaway:

The regulatory perimeter now includes data generated through human and machine interaction. Embedding AI governance within privacy frameworks today will reduce future compliance costs and reputational risk.

4. CPPA regulations: From compliance checklists to risk governance

In September 2025, the California Privacy Protection Agency finalized regulations requiring privacy risk assessments for significant-risk processing and establishing rules for automated decision-making technologies. The regulations take effect January 1, 2026, with phased compliance timelines for audits and assessments.

The rules broaden what qualifies as automated decision-making, now encompassing algorithms that influence eligibility, pricing, or access to goods and services. The CPPA holds explicit authority to request and review these assessments, signaling a move from reactive enforcement to proactive oversight.

Implications for business:

Compliance can no longer be reactive. Organizations must integrate privacy risk analysis into the design phase of new products and data initiatives while aligning it with security and AI governance workflows.

Strategic takeaway:

Risk assessment is now a mandatory compliance function. Enterprises should operationalize privacy impact assessments, align them with security risk frameworks, and maintain evidence-ready documentation for regulators.

5. A convergence of transparency, automation, and accountability

Together, these developments form a new compliance model anchored in three interdependent pillars: transparency, automation, and accountability.

  • Transparency ensures regulators and consumers understand what data is collected and why.
  • Automation provides the technical backbone for rights management and compliance at scale.
  • Accountability bridges both by proving that organizations not only comply but also understand and manage their data risks.

This convergence illustrates California’s broader ambition to transform privacy from a legal function into an operational discipline measured through continuous performance metrics. In this new model, compliance becomes an ongoing process supported by data intelligence rather than a periodic certification exercise.

6. Readiness roadmap: Preparing for California’s new standard

To adapt effectively, organizations should begin with four foundational steps:

  1. Map and document data flows. Refresh data inventories and track third-party dependencies to prepare for expanded broker and deletion requirements.
  2. Automate rights response. Deploy or upgrade automation for deletion, consent, and access workflows to meet CPPA timelines.
  3. Reclassify sensitive data. Identify emerging sensitive data types, including biometric, genetic, and neural data, and apply elevated safeguards.
  4. Embed privacy risk analysis. Incorporate risk assessment checkpoints into product design, marketing systems, and AI deployments.

These steps establish a foundation for measurable, continuous compliance that aligns with California’s expectations for transparency, automation, and accountability.

7. The Privaini perspective: Privacy intelligence as resilience

At Privaini, we view this new wave not as a compliance burden but as the maturation of privacy into an enterprise resilience strategy. Data governance, risk analytics, and automation now intersect to define both regulatory trust and business agility.

Organizations that succeed under this model will demonstrate three operational capabilities:

  • Automated visibility. Continuous identification and classification of personal and sensitive data across the digital ecosystem.
  • Real-time compliance validation. Automated workflows that detect and flag potential privacy gaps as part of normal operations.
  • Integrated regulatory intelligence. Adaptive systems that evolve dynamically as laws and enforcement priorities change.

Privaini’s privacy intelligence platform enables enterprises to operationalize these capabilities by combining data discovery, third-party monitoring, and regulatory change tracking. Our goal is simple: make compliance continuous, measurable, and innovation-friendly.

At Privaini, we believe privacy intelligence is not merely about readiness. It is about building the operational confidence to innovate responsibly and earn sustainable trust.

8. The road ahead: Anticipation over reaction

California’s regulatory momentum will continue. The CPPA has already signaled upcoming guidance on AI fairness, employee data, and privacy by design standards. Other states, including Washington, Colorado, and New York, are aligning with California’s approach, which increases the need for harmonized compliance infrastructure.

The lesson is clear: anticipation will outperform reaction. Compliance can no longer rely on manual oversight or after-the-fact audits. To operate at the speed of modern data ecosystems, organizations must embed compliance into technology itself.

Continuous compliance, powered by automation, data mapping, and privacy intelligence, will define the next generation of resilient enterprises. Those that embrace it early will not only meet regulatory expectations but also lead in trust, agility, and innovation.

Compliance is no longer about surviving regulation. It is about creating the foundation for sustainable trust.