Client Insight: California Raises the Bar: Groundbreaking Privacy Laws Bring Universal Opt-Out, Data Broker Transparency, and Health Data Protections
Last week, California Governor Gavin Newsom signed three powerful privacy laws—AB 566, SB 361, and AB 45—further expanding privacy protections for consumers and compliance obligations for businesses handling personal information in the state. Each law addresses a distinct aspect of data privacy and will significantly impact digital platforms, data brokers, and healthcare-related entities as they take effect in 2026 and 2027.
Key Takeaways
- Universal Opt-Out Signals Coming: By January 1, 2027, web browsers must offer built-in controls for Californians to send automated opt-out preference signals, making it much easier for users to prevent the sale or sharing of their personal information online.
- Expanded Data Broker Transparency: Effective January 1, 2026, data brokers must publicly disclose whether they collect sensitive identifiers (for example, Mobile Advertising Identifiers, Connected TV Identifiers, and Vehicle Identification Numbers), and report any sharing or selling of data to foreign actors, governments, or AI developers in the prior year.
- Geofencing & Health Location Privacy: Also starting January 1, 2026, it will be unlawful to collect, use, or share personal information about individuals physically near family planning or in-person healthcare centers. The law bans targeted geofencing and advertising related to health services.
Important Features of the New Laws
These new laws arrive as part of a rising tide of state-level privacy requirements. AB 566 (the “Opt Me Out Act”) is the first in the nation to obligate browsers, rather than individual sites, to offer a one-click universal opt-out for all Californians. The opt-out feature communicates the user’s intent to restrict the sale or sharing of their personal information, and has to be easy to find and configure for a reasonable person. This law addresses a previous challenge for Californians exercising their opt-out rights under the California Consumer Privacy Act (CCPA), which required individuals to opt out on a site-by-site basis or use specialized privacy-protective browsers or browser extensions. Additionally, browsers and mobile operating systems must allow users, or, in the case of children under 13, their parents or guardians, to specify age-related privacy protections.
SB 361 amends and strengthens the Delete Act, requiring greater transparency and annual reporting from data brokers, especially regarding sales to law enforcement, federal agencies, and algorithmic/AI system developers. The law also increases the penalties for noncompliance, making broker exposure substantial for failures in deletion or registration processes. California broadly defines “data broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,”[1] and businesses that fall within this definition need to make sure that their registration is current and covers all the new requirements as of January 1, 2026.
AB 45 takes aim at digital tracking around sensitive health locations. It broadly outlaws geofencing near family planning and healthcare centers for tracking, data collection, or sending targeted ads, and it provides a private right of action for affected individuals. The law also prohibits the sale or sharing of personal information to or with third parties for these unlawful purposes, and any information received in violation of these prohibitions may not be used. In addition to the private right of action, California’s Attorney General can enforce the law, with available penalties of $25,000 per violation, as well as injunctive relief. There are limited exemptions for internal use by healthcare facilities and security.
Practical Steps for Businesses
- Start Mapping Opt-Out Signal Handling: Evaluate and update web infrastructure to ensure opt-out preference signals (for example, the Global Privacy Control, or GPC) are always honored, including by downstream vendors and ad partners. See our previous insight regarding CCPA enforcement actions and the importance of opt-out signal compliance, including the record $1.35 million fine against Tractor Supply.
- Review Data Broker Registration Requirements: If you qualify as a data broker under California’s broad definition, begin preparing for expanded reporting obligations and track past data sharing, especially any sales to governmental or foreign entities or AI companies.
- Audit Geofencing and Health Data Practices: Ensure that, near healthcare locations, no geofencing technology is used and no health-related location data is collected, used, or processed for prohibited targeting activities. Update policies and train staff to avoid liability.
How can GD help?
If you have any questions regarding this client alert, or your company needs assistance with this topic, including practical guidance and hands-on support for navigating evolving privacy and data protection laws, please reach out to your Gunderson Dettmer attorney or contact any of the members of our data privacy group.
[1] Cal. Civ. Code § 1798.99.80