California’s 2025 legislative session closed with 14 new privacy and AI-related bills. We’d like to highlight a few of the most relevant signed bills and encourage other states and countries to follow California’s example.
Let’s go over some of the bills that were signed by the governor and how they might affect consumers.
Social media account cancellation (AB 656)
Governor Gavin Newsom signed AB 656, which not only requires social media companies to make canceling an account straightforward and clear, it should also ensure that cancellation triggers full deletion of the user’s personal data. The governor stated:
“It shouldn’t be hard to delete social media accounts, and it shouldn’t be even harder to take back control of personal data. With these bills, social media users can be assured that when they delete their accounts, they do not leave their data behind.”
Canceling social media accounts is a well-known struggle for those who have tried. Many users face a frustrating obstacle course—deletion options buried deep in menus, confusing jargon, or multiple steps to confirm deletion. Even then, fully erasing personal information can require extra, non-obvious steps. This often leaves users uncertain whether their digital footprint is truly gone for good.
Lawmakers and press releases have not yet specified the effective date for AB 656. However, California usually enacts consumer privacy bills on January 1 of the year after they pass. Based on this pattern, AB 656 will likely take effect on January 1, 2026, unless future legislative updates or guidance announce a different date.
Opt Me Out (AB 566)
This act requires browsers to include a setting that allows users to send an opt-out preference signal, letting Californians stop the sale or sharing of their data with a single action, instead of opting out site by site.
Effective January 1, 2027, the California Opt Me Out Act mandates that a business:
“shall not develop or maintain a browser that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses which the consumer interacts with the browser.”
For example, a user with an opt-out preference signal enabled on their internet browser will automatically send an opt-out request to each website and third party they encounter during a browsing session.
Strengthening data broker laws (SB 361)
Data brokers collect and sell personal information by aggregating data from various public and private sources. SB 361 expands the obligations for data brokers to be transparent about personal information they collected and access, tightening oversight by the California Privacy Protection Agency (CPPA).
Effective January 1, 2026, this law will require data brokers to make much more detailed disclosures when registering with the CPPA. For example, they must reveal whether they collect sensitive personal information and whether they have sold or shared consumers’ data with a foreign actor, the federal government, other state governments, law enforcement, or developers of generative AI systems or models.
We don’t just report on data privacy—we help you remove your personal information
Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.
