California’s New Privacy Laws: AB 656, AB 566, and SB 361 Explained

Redacto

Categories: Data Privacy, Data Safety, Government, Law, PII, Policy

California just passed new privacy laws that make account deletion real, expand browser opt out controls, and shine a light on data brokers. Here is what changed, when it starts, and how it affects both users and businesses.

On October 8, 2025, California enacted a set of privacy laws that make it easier to delete social media accounts, require web browsers to include a built-in opt out control for data sale and sharing, and force data brokers to disclose more about the sensitive information they trade. This guide explains what changed, when it takes effect, and what it means for both regular people and the companies that track users online.

Quick Story Summary
  • California signed a privacy package that strengthens account deletion, adds a browser level opt out of sale and sharing, and expands data broker disclosures.
  • AB 656 requires a clear Delete Account control and real deletion of personal information collected by the platform, with narrow legal exceptions.
  • AB 566, the Opt Me Out Act, requires browsers to ship a built in setting that sends a universal opt out preference signal to websites.
  • Covered businesses must treat the browser signal as a valid California opt out and suppress sale or sharing for that user.
  • SB 361 forces data brokers to reveal if they trade in sensitive categories like precise location or biometrics and whether they share with governments or AI developers.
  • Timeline: Delete Account improvements start in 2026 for most platforms. The browser toggle must be available by January 1, 2027.

The Three Laws At A Glance

1) AB 656: A Real Delete Account Button

What it is

Social media platforms must offer a clearly labeled Delete Account control in user settings. Using it must delete the account and the personal information the platform collected from the user. Companies cannot rely on dark patterns or tricky flows that stall or discourage deletion. Verification is allowed but must be simple, such as confirming by email or text. A platform account deletion also counts as a California Consumer Privacy Act deletion request.

Why it matters

Deleting should not just hide a profile. It should remove the data the platform collected from the user, subject to narrow legal exceptions.

Who is covered

Large social platforms that meet statutory thresholds, including revenue and scope, whether accessed via app or browser.

Effective timing

Approved October 8, 2025 and chaptered as Chapter 464. California laws without an urgency clause typically become enforceable the following year. Expect 2026 compliance, with regulator guidance likely.

2) AB 566: The Opt Me Out Act For Browsers

What it is

Browser makers must ship a native privacy control that, when enabled by the user, automatically sends a universal opt out preference signal to websites. The signal instructs covered businesses not to sell or share the user’s personal information under the CCPA. The control must be easy to find and clearly explained to consumers.

Why it matters

Users will not have to hunt for a Do Not Sell link on every site. One browser setting broadcasts the choice across the web. Covered businesses must honor it.

Key details

  • The state privacy regulator can issue rules that define technical and UX expectations.
  • Browsers receive liability protection for sending the signal even if a website chooses to ignore it.
  • Start date is January 1, 2027.

3) SB 361: Stronger Transparency From Data Brokers

What it is

Registered data brokers must expand their annual disclosures. They must say whether they collect or trade in sensitive categories such as precise location, biometrics, government ID numbers, login credentials, or sexual orientation. They must also disclose whether they sold or shared data with law enforcement, domestic government agencies, foreign actors, or developers of generative AI in the prior year. Penalties for noncompliance increase, and audit requirements are phased in over time.

Why it matters

People and regulators get more visibility into who collects what and with whom it is shared, which supports both individual data cleanup and public oversight.

Deep Dive: How The Browser Opt Out Will Work

What the signal is

A universal opt out preference signal is a machine readable instruction from the browser that says do not sell or share this user’s personal information. Today the best known implementation is the Global Privacy Control header. The law does not prescribe a single standard, but it requires that mainstream browsers include a native control that sends a compliant signal. The state regulator can clarify the technical details during rulemaking.

What websites must do

Covered businesses must treat a recognized signal as a valid CCPA opt out for the visiting user. In practice, that means preventing the sale or sharing of personal information for that user. Teams should ensure the opt out state is enforced on first page load, before any consent banner or tag manager has a chance to fire trackers that would sell or share personal information. Downstream adtech and analytics must be configured to respect that state.

Desktop and mobile considerations

The statute is framed around browsers. Implementation on mobile browsers and in-app webviews will be an important detail to watch during rulemaking so that the control is not desktop only.

Timeline and enforcement

The browser control must be available by January 1, 2027. The California Privacy Protection Agency can issue technical rules and bring enforcement actions.

What This Means If You Are A California Resident

  • Deleting a social media account should become straightforward, and it should remove the personal information the platform collected from you.
  • In 2027, you can flip a single browser setting that opts you out of sale and sharing across websites that are subject to the CCPA.
  • Data brokers will have to disclose more about the sensitive data they handle and who they share it with, including governments and AI developers.

Practical privacy tips

  • Turn on the browser opt out when it arrives.
  • Keep tracker blocking enabled where you prefer.
  • Periodically revisit account settings on major services and use delete or download tools to verify changes.
  • Use the statewide broker deletion mechanism when available to clean up data that has already propagated downstream.

What This Means For Companies

If your organization is subject to the CCPA, start preparing now.

1. Honor universal signals end-to-end

Map how an opt out signal suppresses personal information sale or sharing across your stack. That includes consent management platforms, tag managers, client side and server side analytics, advertising pixels, data clean rooms, and downstream partners. Treat the signal as authoritative and default to the most privacy protective state when multiple indicators conflict.

2. Prepare for the 2027 browser requirement

Track rulemaking and browser announcements. Decide how your consent interface will reflect the presence of a browser level opt out. Ensure first load behavior does not leak data before your UI renders. Build automated tests that simulate the signal and verify suppression of sale and sharing.

3. Harden the delete account flow

Place a prominent Delete Account control in settings on web and in app. Remove dark patterns such as misleading buttons or forced calls with support. Keep verification lightweight and accessible. Ensure that deletion requests trigger the corresponding CCPA deletion workflow and that re-authentication does not silently cancel the request.

4. Update data broker disclosures if applicable

Inventory whether you collect or trade in sensitive categories, including biometrics, precise location, and authentication data. Track any sales or sharing to law enforcement, government agencies, foreign entities, or AI developers. Update disclosures accordingly and prepare for audits and higher penalties.

Technical Notes For Engineers

Request layer

Detect universal opt out signals on every HTTP request, including first page load and API calls. Persist the choice in a server side session so suppression logic does not depend on client side scripts or cookies that may be blocked.

Tag management

Create an allowlist for tags that are permitted when a sale or sharing opt out is active. Block any tags that would transmit identifiers to third parties for cross context behavioral advertising. Ensure server side tag pipelines respect the same rules.

Advertising and measurement

Use contextual advertising or first party bounded measurement when opt out is active. Disable audience sharing, real time bidding, data clean room exports that would constitute sale or sharing, and lookalike seed uploads for opted out users.

Data governance

Log receipt of the signal and the resulting enforcement action, such as tag suppression and partner blocking. Retain evidence for regulator inquiries. Align deletion workflows so account deletion ripples to data lakes, backups subject to retention policies, and partner systems through queued erasure tasks.
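
The Request layer, Tag management and Data governance notes above, together with the automated test suggested under "Prepare for the 2027 browser requirement", as an added Node.js example that is not code from the original article. It reads the Global Privacy Control request header (`Sec-GPC: 1`), persists the opt out in a server side session, filters tags through an allowlist, and logs what was suppressed; the function names, tag ids and sample requests are constructed for illustration.

```javascript
// Added example; every function name and tag id here is hypothetical.
const TAG_ALLOWLIST = new Set(['first_party_analytics', 'contextual_ads']);

// Global Privacy Control is sent as the request header "Sec-GPC: 1".
function hasGpcSignal(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Persist the choice server side. Most protective state wins: a banner
// "accept" never clears an opt out that was already recorded.
function resolveOptOut(session, headers, bannerChoice) {
  if (hasGpcSignal(headers)) session.optOutSource = 'gpc';
  else if (bannerChoice === 'reject' && !session.optOutSource) session.optOutSource = 'banner';
  return { optOut: Boolean(session.optOutSource), source: session.optOutSource || 'none' };
}

// With an opt out active, only allowlisted tags may fire.
function tagsToFire(requested, optOut) {
  return requested.filter((tag) => !optOut || TAG_ALLOWLIST.has(tag));
}

// Runs on every request (page loads and API calls) and records evidence.
function handleRequest(req, session, auditLog) {
  const state = resolveOptOut(session, req.headers, req.bannerChoice);
  const fired = tagsToFire(req.tags, state.optOut);
  const suppressed = req.tags.filter((tag) => !fired.includes(tag));
  auditLog.push({ at: new Date().toISOString(), path: req.path, ...state, suppressed });
  return fired;
}

// Constructed sample traffic: a first page load carrying the signal, then an
// API call in the same session without the header and with a banner "accept".
const SAMPLE_REQUESTS = [
  { path: '/', headers: { 'Sec-GPC': '1' }, bannerChoice: null,
    tags: ['first_party_analytics', 'rtb_pixel', 'audience_sync'] },
  { path: '/api/cart', headers: {}, bannerChoice: 'accept',
    tags: ['contextual_ads', 'rtb_pixel'] },
];

function runSample() {
  const session = {};
  const auditLog = [];
  const fired = SAMPLE_REQUESTS.map((req) => handleRequest(req, session, auditLog));
  return { fired, auditLog };
}

console.log(JSON.stringify(runSample(), null, 2));
```

In a deployment the session object would come from the server's session store and the requested tag list from the tag manager or server side tag pipeline.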

Mobile and in app

Evaluate how the browser requirement will apply to mobile browsers and embedded webviews. Provide a comparable control and honor signals across native SDKs where they route traffic to web content.

How Redact.dev Fits In

Redact.dev helps people take control of their digital footprint. These new laws make that easier at the platform and browser levels. Our guidance is simple. Use built in deletion where available and verify results. When the browser control arrives, enable it so your choice follows you across the web. Use broker deletion portals to reduce the data that has already been sold downstream.

Frequently Asked Questions

California Privacy Updates FAQ

What changed with Delete Account in California?
Social platforms must offer a clear Delete Account button. When you use it, they must delete personal information collected from you, with only narrow legal exceptions, and they cannot use tricky flows that make deletion hard.

Which companies have to follow the new Delete Account rule?
The requirement applies to covered social media platforms that meet statutory thresholds. If a service qualifies as a covered platform, it must provide a working Delete Account control and perform real deletion.

When does the Delete Account requirement take effect?
The law was signed on October 8, 2025. California laws without an urgency clause generally become enforceable the following year, so expect 2026 compliance and watch for regulator guidance.

What happens to my data after I delete my account?
The platform must delete personal information it collected from you. Limited retention may occur for security, fraud prevention, or legal obligations, but the default is deletion.

Can a company make me call support or click through lots of screens to delete?
No. The law prohibits dark patterns and obstacles that interfere with your ability to delete the account. The process must be straightforward and accessible.

What is the California Opt Me Out Act for browsers?
It requires browsers to include a built in setting that sends a universal opt out signal to websites telling them not to sell or share your personal information under the CCPA. You turn it on once and it applies broadly.

When will I see the browser opt out switch?
The legal deadline for browsers to provide the control is January 1, 2027. Some browsers may ship it earlier.

Do websites have to honor the browser signal?
Yes, if they are covered by the CCPA. The signal counts as a valid opt out of sale or sharing for that user and visit.

Does the browser opt out block all ads?
No. It stops sale or sharing of personal information for advertising under California law. Contextual ads that do not rely on selling or sharing personal information can still appear.

Will the browser signal work on my phone and in apps?
The law focuses on browsers. Expect more details for mobile browsers and in app webviews through rulemaking and browser updates.

I do not live in California. Does any of this help me?
Covered businesses must honor a valid opt out for California users. Once browsers add the control, some companies may honor it more broadly for simplicity.

What is SB 361 and why should I care?
It expands data broker disclosures. Brokers must report whether they collect sensitive categories like precise location, biometrics, government ID numbers, and login credentials, and whether they shared or sold data to governments or AI developers.

Does SB 361 mean my data will stop circulating?
Not by itself. It increases transparency and strengthens the framework that supports a one stop deletion request to brokers, which can help you reduce downstream data over time.

How do I use these new laws to protect myself right now?
Delete accounts you no longer use, download and review data exports, and send deletion requests where available. When your browser adds the opt out control, enable it so your choice follows you across sites, and use the broker deletion mechanism as it rolls out.

Can a site refuse the browser signal if I click accept on a cookie banner?
Covered businesses should honor a recognized opt out signal. When choices conflict, many programs default to the most protective state and allow you to adjust preferences in the privacy center.

After I delete my account, can the platform keep anything at all?
Platforms may retain limited data for legal, security, or fraud prevention reasons. Outside those exceptions, they must delete personal information collected from you for normal use of the service.

How will I know if the browser toggle is working?
Browsers will document where to find and verify the setting. Many sites will also reflect the opt out in their consent interfaces or account privacy pages when they detect the signal.

Does SB 361 add penalties for data brokers that fail to comply?
Yes. It tightens obligations, increases consequences for noncompliance, and anticipates audits through the state privacy regulator.