California's 2026 Privacy Rules Just Made Algorithmic Decisions Your Business

An algorithm just decided whether you get that apartment. Another one determined your insurance premium. A third flagged your resume for rejection before a human ever saw it. Until now, you had no way of knowing—and no way to push back.

That changes on January 1, 2026. California's new CCPA regulations create the most comprehensive automated decision making rules in the United States. For the first time, consumers gain real power over the algorithms that shape their lives.

What the New Rules Actually Require

The regulations define automated decision making technology broadly: any system that "processes personal information and uses computation to replace or substantially replace human decision making." That covers everything from AI hiring tools to algorithmic credit scoring.

Before using these systems, businesses must now provide "pre use notice" disclosures. They have to tell you that automated technology will be involved, what it does, and how it might affect you. No more black box decisions.

The definition of profiling also expands significantly. It now covers automated processing that evaluates your "intelligence, aptitude, health, preferences, behavior, location, and movements." If a company is building a digital profile of you, they have to disclose it.

The Right to Say No

Here is the part that matters most: you can now opt out of automated decision making in most circumstances. Companies cannot force you into algorithmic processing without your consent.

For "significant decisions"—those affecting financial services, housing, education, employment, or healthcare—you get an additional right: the ability to appeal. If an algorithm denies your loan application or flags your job application, you can demand a human review the decision.

Those human reviewers cannot just rubber stamp the algorithm. The regulations require them to "understand the technology's output and possess authority to modify decisions." A human who cannot override the machine does not count.

Mandatory Security Audits

Companies whose data processing "presents significant consumer security risk" must now conduct annual cybersecurity audits. These are not voluntary self assessments. The regulations specify requirements for privileged account management, multi factor authentication, and penetration testing.

Businesses must also conduct risk assessments analyzing their processing activities. The rules specifically address "sensitive locations"—healthcare facilities, domestic violence shelters, educational institutions, and places of worship—where tracking requires heightened scrutiny.

Technologies like Wi-Fi tracking, drones, video surveillance, and geofencing now fall under "systematic observation" requirements. If a company is watching you, they need to document why.

The Data Broker Deletion Button

Perhaps the most practical change is the new Delete Request and Opt out Platform, or DROP. California consumers can now submit a single deletion request that reaches all registered data brokers simultaneously.

Data brokers must check the platform at least every 45 days, compare consumer identifiers using standardized procedures, and delete matched personal information. They must also report their deletion status through the platform—creating accountability that previously did not exist.

New data brokers cannot even begin operations until they establish DROP accounts. The days of shadowy data trading with no consumer recourse are ending—at least in California.

Three More States Join the Fight

California is not alone. On January 1, 2026, three additional states activated comprehensive privacy laws: Indiana, Kentucky, and Rhode Island. Several others—including Connecticut, Oregon, Texas, Utah, Virginia, and Arkansas—are implementing major amendments to existing protections.

Connecticut goes further than most. Starting July 1, 2026, it becomes the first state to classify neural data as "sensitive data," requiring heightened protections for brain computer interface information. As wearable technology advances, this precedent matters.

The result is what privacy experts call a transition from "law creation to law enforcement." Regulatory agencies now have settlement precedents and technical expectations. Companies that ignored privacy requirements can no longer claim ignorance.

What This Means for You

If you live in California, you now have concrete rights over algorithmic systems. Use them. When a company makes a significant decision about you, ask whether automated technology was involved. Request the pre use notice they are required to provide. If the decision goes against you, exercise your appeal rights.

The DROP platform gives you a practical tool for controlling your data. A single request can trigger deletions across dozens of data brokers who previously operated in the shadows. That is real power.

Even if you do not live in California, these regulations matter. Companies rarely maintain separate systems for different states. Protections created for Californians often become the de facto standard nationwide. The algorithmic accountability you deserve might start in Sacramento—but it does not have to end there.