California's privacy landscape transformed substantially in 2026 with the California Privacy Rights Act (CPRA) and updated regulations. The law now distinguishes sharply between legitimate operational necessity and commercial data exploitation.
The definition of "business purpose" has narrowed significantly. While businesses can still share data for direct marketing to their own customer lists, cross-context behavioral advertising (following users across websites) is now strictly prohibited and classified as a "share" requiring consumer opt-out rights. Contextual advertising based on the page a consumer is currently viewing remains acceptable, but building consumer profiles is not.
The CPRA introduced a new category called "Contractors" alongside traditional Service Providers. Contractors must now provide specific written certification confirming they understand CPRA restrictions, adding an extra compliance layer beyond standard Data Processing Addendums.
Perhaps the most significant change is the "anti-combining" rule. Service providers are prohibited from combining personal information from different clients or sources, except for security, fraud detection, or explicitly authorized purposes. Violating this rule transforms a Service Provider into a Third Party, retroactively reclassifying the data transfer as a "Sale" with serious regulatory consequences.
For businesses using Automated Decision-Making Technology (ADMT)—such as AI for credit decisioning or risk assessment—2026 brought additional transparency and audit requirements. Companies must now be able to explain how automated systems make decisions and maintain contractual audit rights with service providers.
