New California Cybersecurity and Data Privacy Laws: Increased Compliance Obligations; Heightened Enforcement Risks

This CLE webinar will provide an overview of the comprehensive new California Consumer Privacy Act (CCPA) regulations and other significant legislation impacting cybersecurity and data privacy compliance in the U.S., with a particular focus on California. The panel will review the various compliance timelines and provide strategies for ensuring compliance and mitigating enforcement risks under this new and evolving legal and regulatory framework.

In 2025, California passed several new laws and regulations that establish an even more comprehensive cybersecurity, data privacy, and automated decision making/artificial intelligence (AI) regulatory framework. In addition, as of Jan. 1, 2026, there will be 20 state consumer privacy laws in effect. Several of the newer ones add obligations and restrictions beyond that the others require. It is imperative that companies understand these new requirements and begin taking proactive steps to update and renew documentation, governance, and consumer-facing processes to remain compliant. 

On Sept. 23, 2025, the California Office of Administrative Law approved the California Privacy Protection Agency's regulations creating three new areas of compliance under the CCPA relating to automated decision-making technology (ADMT), privacy risk assessments, and cybersecurity audits. These new requirements significantly increase a company's compliance obligations under the CCPA and will be phased in over the course of several years with some regulations requiring compliance as early as Jan. 1, 2026. 

There were also significant changes to California's data privacy framework. The new regulation and legislation relates to opt-out preference signals to allow consumers to opt out of the sale or sharing of their personal data; expanding data broker registration, data collection, and deletion requirements; reproductive health and location data privacy; and data breach notification timing. 

In late 2025, several bills were also signed into law to increase the protection for children from the threats associated with social media and AI. Some of the key requirements of these new laws include requiring an age verification interface for platforms, with notice to developers, limiting liability defenses for AI developers and users, requiring chatbots to disclose they are AI, and reminding minors to take a break. California also passed landmark legislation regulating the development and deployment of AI models and requiring public, standardized safety disclosures for AI developers. 

Listen as our authoritative panel highlights the most significant new data privacy, cybersecurity, and AI laws enacted in 2025 and provides tips for navigating these legislative and policy developments in 2026 and beyond.