California’s New Data Privacy Laws: What CMOs Need to Know

California has tightened and expanded its privacy regime again for 2026, and CMOs now face stricter consent, opt-out, and transparency expectations around personalization, ad tech, and data partnerships. The practical effect is that third‑party and cross‑site targeting in California must increasingly operate on an explicit‑choice, first‑party‑data‑centric model rather than passive tracking.​

Core laws and what changed

• CCPA/CPRA as the baseline

  • The California Consumer Privacy Act, as amended by the California Privacy Rights Act, remains the core framework, giving consumers rights to know, delete, correct, and opt out of “sale” or “sharing” of personal information, including cross‑context behavioral advertising.​

  • CPRA also introduced sensitive personal information (precise location, race, health, etc.) and a “Limit the Use of My Sensitive Personal Information” right, which is highly relevant to location‑based and demographic targeting.​

• New 2025–2026 updates impacting marketing

  • California has layered on new obligations in late 2025 and early 2026 around automated decision‑making, data brokers, and consent/opt‑out mechanisms, closing many remaining gaps in ad‑tech practices.​

  • These updates are being enforced by the California Privacy Protection Agency (CPPA), which has authority to investigate and fine for misconfigured consent tools, pixels, and marketing stacks.​

Automated decision‑making and AI in marketing

• Governance of AI‑driven decisions

  • Organizations using automated decision‑making (including AI models) to make consumer‑related decisions, conduct extensive profiling, or train systems that infer information about real people must follow new governance and deployment standards under CCPA rules.​

  • CMOs must provide a pre‑use notice before collecting data for automated decision‑making, and consumers must be able to contest decisions and opt out of such processing, affecting things like algorithmic lead scoring, eligibility rules, and dynamic offer engines.​

• Impact on personalization and scoring

  • Practices such as propensity modeling, churn prediction, and high‑risk segmentation now require clear disclosure, assessments of risk and fairness, and mechanisms for human review on request.​

  • Failure to treat these tools as regulated automated decision‑making can expose campaigns to enforcement, especially where outputs materially affect consumer rights, pricing, or access to services.​

Targeted advertising, signals, and consent

• Cross‑context behavioral advertising limits

  • CPRA defines targeted ads as “cross‑context behavioral advertising,” covering most third‑party tracking (retargeting, look‑alike audiences, multi‑site profiling).​

  • Consumers must have an easy way to opt out of both sale and sharing, and organizations must ensure that major platforms (e.g., programmatic networks, social ads) propagate these choices, not just the brand’s own site.​

• Global Privacy Control (GPC) and automatic signals

  • Automatic recognition of browser‑level global opt‑out signals (such as Global Privacy Control) became mandatory in 2025, requiring technical infrastructure that detects and immediately applies restrictions when such signals appear.​

  • For CMOs, this means that even if a user never clicks a banner, their browser setting can silently turn off cross‑site tracking and targeted ads, so experiences and reporting need to account for a higher “no‑tracking” segment by default.​

Data brokers, kids’ privacy, and channel strategy

• Data broker disclosure expansion

  • A recent “trio” of new obligations includes an expansion of data‑broker disclosure requirements (e.g., SB 361), forcing brokers to provide more detail on sensitive data types, advertising identifiers, and whether data is sold or shared with foreign entities, governments, or AI model developers.​

  • Businesses qualifying as data brokers in 2025 must comply with these requirements by January 31, 2026, which affects third‑party audience purchases, enrichment, and co‑ops that many CMOs rely on.​

• Children’s design and age‑appropriate rules

  • The California Age‑Appropriate Design Code Act (CAADCA), which would have imposed strict profiling and design duties for under‑18s, is currently blocked by a broad preliminary injunction, and enforcement is halted while litigation continues.​

  • Even with CAADCA enjoined, regulators are signaling continued focus on children’s data, meaning youth‑oriented campaigns should still minimize profiling, default to privacy‑protective settings, and align with federal and other state child‑privacy rules.​

What CMOs should do now

• Re‑center on first‑party, consent‑rich data

  • Shift budget and strategy from opaque third‑party segments to clearly consented first‑party data collected via loyalty programs, preferences centers, and direct relationships.​

  • Build or refine a unified consent and preference framework that covers email, web, mobile apps, and ad‑tech integrations, ensuring that opt‑outs and GPC signals cascade across the stack.​

• Operational next steps for marketing teams

  • Map all data flows for advertising, personalization, and AI use cases, and label where “sale,” “sharing,” sensitive data, and automated decision‑making are involved, then adjust notices and controls accordingly.​

  • Work with legal/privacy to update vendor contracts (service‑provider vs third‑party classification), enforce platform‑level opt‑outs, and create playbooks that let campaigns launch only after privacy checks, not before.​