Stronger Privacy for Californians: Four Bills Signed into Law

light blue background of a book shelf with a picket sign on the right that says amplify your voice and a hand holding a bullhorn at the bottom right and another hand holding a magnifying glass on the bottom left with the work law in the glass
Data Brokers
Data Breaches
Preference Signals

Posted: October 09 2025

Governor Newsom has signed SB 361, AB 566, AB 656, and SB 446 into law, advancing browser controls, data broker transparency, social media account deletion, and breach notification—continuing California's role as a national leader in consumer data privacy. 

AB 566: Requiring Browsers to Make it Easier for Californians to Exercise Privacy Rights

AB 566, the California Opt Me Out Act, requires browsers to offer users an easy way to exercise their rights under the California Consumer Privacy Act and tell websites not to sell or share their personal information. This groundbreaking law, the result of a multi-year advocacy effort, makes it far more practical for consumers to exercise existing rights. 

Earlier browser-based preference signals, such as "Do Not Track", lacked enforcement mechanisms, making them largely ineffective. So, not a failure of implementation, but of regulation. California now mandates (thanks to the California Consumer Privacy Act) that businesses honor opt-out preference signals, and AB 566 requires browser developers to make sending those signals straightforward and accessible. 

Beginning January 1, 2027, any business that develops or maintains a browser must include an easy-to-locate setting enabling users to send opt-out signals. AB 566 defines "browser" broadly as "an interactive software application that is used by consumers to locate, access, and navigate internet websites." This includes traditional web browsers on your phone or PC, but also will cover web browsers made for smart TVs, vehicles and many other devices. Notably, though, the law applies to the browser software on these devices, not to the devices themselves or other apps that might be installed on those devices

Privacy Rights Clearinghouse has long advocated for meaningful and accessible privacy rights, and AB 566 represents a significant step forward in ensuring more people can exercise their rights easily and efficiently. Instead of visiting individual websites to opt out of data sales and sharing, consumers will be able to set their preference once in their browser settings. Looking ahead, we hope to see this model extended to other internet-connected devices, vehicles, and beyond.

Read AB 566 here

SB 361: Expanding Data Broker Disclosures

SB 361 builds on the California Delete Act, co-sponsored by Privacy Rights Clearinghouse in 2023 and already in force. Beginning next year, the Delete Requests and Opt Out Platform (DROP) mechanism will provide Californians with a free service to delete or opt out from hundreds of registered data brokers, freely, easily, automatically, and in perpetuity. SB 361 makes that system more useful by requiring data brokers to make more detailed disclosures.

Under SB 361, data brokers must now report whether they collect:

  • Basic identifiers (names, dates of birth, addresses, phone numbers)
  • Account credentials and security codes
  • Government-issued ID numbers
  • Mobile advertising IDs and connected TV identifiers
  • Citizenship and immigration status
  • Union membership
  • Sexual orientation and gender identity data
  • Biometric data and precise geolocation
  • Reproductive health information

They must also disclose whether they've sold or shared consumer data with:

  • Foreign actors
  • Federal, state, or local government entities
  • Law enforcement (except pursuant to legal process)
  • Developers of generative AI systems

This last category is particularly timely. As AI companies increasingly rely on vast datasets to train their models, consumers deserve to know which data brokers are feeding personal information into these systems.

A Transparency Gap

The final version of SB 361 includes a provision that limits public access to some key disclosures. Information about whether brokers collect basic identifiers, mobile advertising IDs, and the most common types of data they handle will not be publicly visible on the California Privacy Protection Agency's website. This information will still be available through public records requests, but not through the easy public interface.

This limitation undermines the core purpose of data broker registration: helping consumers make informed decisions about which companies to exercise their deletion rights against. We will continue to advocate for legislation that restores full public transparency.

Despite this limitation, SB 361 represents an improvement to California's regulation of data brokers, particularly with the new disclosure requirements around sales to government entities and AI developers. Moving forward, we will continue working to ensure that transparency requirements remain truly transparent to the public.

Read SB 361 here

SB 446: Concrete Deadlines for Data Breach Notification

SB 446 addresses a critical gap in California's data breach notification law by establishing clear timelines for notifying consumers when their personal information has been exposed. 

Until now, California law required companies to notify consumers of breaches "in the most expedient time possible and without unreasonable delay." This vague standard left too much room for interpretation. 

The results of California's vague standard are evident in our Data Breach Chronology. Looking at recent California-reported breach notifications from 2020-2025, the average time to notify consumers was 160 days, or nearly six months. The median was 120 days, or four months. It's difficult to see how those timelines square with the statutory requirement for notification "in the most expedient time possible."

This lag creates a real problem where consumers' information has been exposed but they're unaware and unable to take protective steps like monitoring their credit or watching for fraud. Months can pass while bad actors exploit stolen data, and victims remain in the dark.

As our 2023 report on breach notification laws highlighted, California had fallen behind other states in providing clear timelines. SB 446 corrects this by establishing a 15-day deadline for breach notification (one of the strongest requirements in the nation).

Read SB 446 here

AB 656: Straightforward Social Media Account Deletion

AB 656 requires social media companies to make account deletion straightforward and to fully delete user data when an account is canceled.

As Governor Newsom stated: "It shouldn't be hard to delete social media accounts, and it shouldn't be even harder to take back control of personal data. With these bills, social media users can be assured that when they delete their accounts, they do not leave their data behind."

Read AB 656 here

What's Next

These bills take effect at different times:

  • AB 566: Operative January 1, 2027
  • SB 361: Registration requirements already in effect, with new disclosure categories in upcoming cycles
  • SB 446: Takes effect upon signing
  • AB 656: Takes effect upon signing

Together, these laws create a more functional privacy framework: universal browser controls for exercising privacy rights, enhanced transparency surrounding data broker practices, concrete deadlines for breach notification, and straightforward deletion requirements for social media accounts.