California's privacy regulations got an update in early 2026. The California Privacy Protection Agency (CPPA) finalised new regulations that took effect in stages through Q1, adding three substantive requirements on top of CCPA / CPRA as previously enforced. Most "CCPA-compliant" privacy policies written before 2026 are now non-compliant on at least one of them.
Here's what changed, what your policy needs to say, and how to check.
What's new
Three additions worth caring about:
1. ADMT — Automated Decision-Making Technology disclosures. When an automated system makes a decision that produces "legal or similarly significant effects" on a consumer, you have to disclose that. This is California's version of GDPR Article 22 — narrower in scope but with real teeth.
2. Sensitive Personal Information subsection. Already a CPRA concept since 2023, but the 2026 regs tightened what counts and required a dedicated subsection in the privacy policy describing handling. Most policies that name SPI once in a list now need a full subsection.
3. Global Privacy Control honor commitment. The California AG has treated GPC as a valid opt-out signal since 2021 and brought enforcement actions for ignoring it. The 2026 regs codify this — your privacy policy has to explicitly commit to honoring GPC, not just imply it.
Let's walk each one.
ADMT disclosure — what it actually requires
The ADMT requirement is the biggest substantive change. If your business uses an automated decision-making technology (an algorithm, an ML model, an automated workflow) and the output produces legal or similarly significant effects on a consumer, you have to:
- Disclose the use in your privacy policy.
- Describe the logic at a high level — what the system does, what data goes in, what kinds of decisions come out.
- Offer a pre-use notice to consumers before subjecting them to ADMT.
- Provide a way to opt out in many cases (with exceptions for specific permitted uses like fraud prevention and security).
- Provide an access right so consumers can request the output that was applied to them.
What counts as "legal or similarly significant"? The regulations name several explicit categories:
- Financial / lending decisions (approval, denial, interest rate, credit limit)
- Employment decisions (hiring, termination, performance evaluation, scheduling)
- Housing decisions (rental approval, mortgage approval)
- Educational decisions (admissions, financial aid)
- Healthcare access decisions
- Insurance decisions (coverage, premium)
- Access to essential goods or services
- Criminal justice / legal decisions
If your business does any of these things using an automated system — even partially — you're in scope. A SaaS that scores leads via an ML model and uses the score to auto-deny trials might be in scope. A platform that uses an algorithm to throttle access for users it suspects of abuse might be in scope. A health-tech tool that triages patients via an ML model is definitely in scope.
What ADMT does NOT cover: routine internal analytics, A/B testing of marketing copy, product analytics, search ranking, content recommendation (unless the recommendation affects access to essential services). The bar is "legal or similarly significant effects on the consumer", not "any automated decision".
What to put in your policy:
- A subsection titled something like "Automated Decision-Making" or "ADMT".
- A clear statement of whether you use ADMT and for what purposes.
- A high-level description of the logic — you don't have to publish the model, but you have to describe what it does at a level a consumer can understand.
- The data inputs (categories of personal information used).
- The opt-out mechanism — typically an email or webform.
- A statement that the consumer can request the output applied to them under their access rights.
What NOT to do: don't add ADMT language if you don't actually use ADMT. The CPPA is clear that ADMT disclosures should reflect actual practice — adding ADMT boilerplate to look thorough creates obligations you can't meet.
Sensitive Personal Information — full subsection now expected
CPRA introduced "sensitive personal information" as a category back in 2023, requiring a separate handling regime and a right to limit use. The 2026 regulations clarified that the privacy policy must include a dedicated SPI subsection — not just a reference somewhere in the broader categories list.
What counts as SPI under California law:
- Social Security number, driver's license number, state identification card, passport number
- Account login credentials with access permissions
- Precise geolocation (within ~1850 feet)
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Mail, email, or text message contents (not intended for the business)
- Genetic data
- Biometric information for identification
- Health information
- Sex life or sexual orientation
- Certain personal information of consumers known to be under 16
What the subsection has to cover:
- Which categories of SPI you collect.
- The sources you collect SPI from.
- The purposes you use SPI for.
- Whether you sell or share SPI.
- Whether you use or disclose SPI for purposes other than inferring characteristics about the consumer (because the Right to Limit attaches to those uses).
- How to exercise the Right to Limit Use of SPI.
The big change in practice: most CCPA / CPRA policies pre-2026 mentioned SPI in passing — listed in the broader categories table, maybe a sentence about handling. That's no longer sufficient. The policy needs a section that a regulator (or a consumer) can navigate to specifically.
If you genuinely don't collect any SPI, your policy can include a short SPI section stating exactly that. The structural slot needs to be there even when the content is "we don't collect this".
GPC honor commitment — now explicit
Global Privacy Control is a browser-sent signal indicating the user is exercising their CCPA opt-out right for sale or sharing of personal information. Sephora was the first big enforcement target (settled with the California AG in 2022 for $1.2m) for ignoring GPC.
The 2026 regulations make explicit what was already enforced: GPC signals count as valid opt-out requests, and the privacy policy has to commit to honoring them.
What to put in your policy:
- An explicit statement that you honor GPC signals as opt-out requests for sale and sharing.
- A note that both the GPC signal and the explicit "Do Not Sell or Share My Personal Information" link work as opt-out paths, and that consumers can use either one.
- A practical description of what honoring means: if a user visits with GPC enabled, you treat them as having opted out of sale and sharing for that session and any persistent identifier you maintain for them.
What NOT to do: don't bury GPC in a generic "we respect privacy signals" sentence. The regulations want an explicit GPC commitment.
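Honoring GPC the way the section above describes, shown as an added server-side example that is not from the original article: the header name Sec-GPC and the value "1" are what the Global Privacy Control specification defines; the record shape, consumer identifier and sample requests are constructed for illustration.

```javascript
// Added example (not from the original article): minimal server-side GPC handling.
// Assumes a Node-style handler where request headers arrive as a plain object and
// the consumer's opt-out state is a record persisted against their identifier.

const GPC_HEADER = "sec-gpc"; // Browsers send "Sec-GPC: 1" when GPC is enabled

// Return true when the request carries a valid GPC signal. Header names are
// case-insensitive, so normalise before matching; only the value "1" is defined
// as the opt-out signal, anything else is treated as no signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === GPC_HEADER) {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Merge the two opt-out paths the policy must describe: the browser signal and
// the explicit "Do Not Sell or Share" link. Either one sets the opt-out. A later
// visit without the GPC header never clears an opt-out already on record, since
// the consumer has not asked to opt back in.
function applyOptOutSignals(headers, record, explicitOptOut = false) {
  const next = { ...record };
  if (hasGpcSignal(headers)) {
    next.optedOutOfSaleShare = true;
    next.optOutSource = "gpc";
  }
  if (explicitOptOut) {
    next.optedOutOfSaleShare = true;
    next.optOutSource = "link";
  }
  return next;
}

// Gate any sale or sharing (for example, loading an ad-tech tag) on the merged state.
function maySellOrShare(headers, record) {
  return !applyOptOutSignals(headers, record).optedOutOfSaleShare;
}

// Constructed sample visits for one persistent identifier.
const storedRecord = { consumerId: "example-id-123", optedOutOfSaleShare: false };
const gpcVisit = { "Sec-GPC": "1", "user-agent": "ExampleBrowser/1.0" };
const laterVisitWithoutGpc = { "user-agent": "ExampleBrowser/1.0" };

const afterGpc = applyOptOutSignals(gpcVisit, storedRecord);
console.log(maySellOrShare(gpcVisit, storedRecord));         // false
console.log(maySellOrShare(laterVisitWithoutGpc, afterGpc)); // false: opt-out persists
```

The persistence point is the one regulators look for: the opt-out attaches to the identifier you keep for the consumer, not only to the request that carried the header.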
What to update in your policy — concrete checklist
If you have an existing CCPA / CPRA-compliant privacy policy, run through this list:
- Add an ADMT subsection if you use automated decision-making with legal or similarly significant effects. Skip if you genuinely don't.
- Convert any passing SPI mention into a dedicated SPI subsection covering categories, sources, purposes, sale / sharing, and the Right to Limit Use.
- Add an explicit GPC honor commitment to the Do Not Sell or Share section.
- Refresh the "Last updated" date so the change is visible.
- Run an audit against the current regulations to catch anything you missed.
The whole update typically takes 30-45 minutes by hand. Most policies generated by older tools (TermsFeed, Iubenda before their 2026 update, FreePrivacyPolicy.com, anything from a 2024 ChatGPT prompt) need all three additions.
How to verify
Three approaches, in increasing order of work:
1. Free audit (15 seconds). Run your policy URL through our free privacy audit — the audit pipeline checks against the 2026 amendments specifically. If your policy is missing ADMT, SPI subsection, or GPC commitment, the audit flags each one as a major finding.
2. Manual checklist (45 minutes). Walk through the three items above against your policy text. Print the policy, find each section by searching for keywords, mark what's present / missing / needs revision.
3. Lawyer review (paid). For higher-risk businesses (health, finance, large consumer base in California), pay a privacy lawyer to review and update. Typical engagement: $400-$1,500 depending on complexity.
Why this matters now
California's CPPA has been the most active US privacy regulator since CCPA took effect. The agency has brought enforcement actions consistently — Sephora, Healthline, and a string of smaller actions in 2024-2025. The 2026 amendments raised the floor for compliance, and the enforcement window for the new requirements opens 12 months after promulgation (so mid-to-late 2026 is when enforcement letters start landing for ADMT and SPI subsection gaps specifically).
If you have meaningful California traffic and your privacy policy was last updated before 2026, this is the year to refresh it.
Related reading
- GDPR Article 13: The 12-Item Disclosure Checklist — the EU equivalent walkthrough.
- 10 Best Privacy Policy Generators in 2026 — honest comparison of generators that have (and have not) updated for the 2026 amendments.
- CCPA Privacy Policy Generator — generate a policy that includes all three 2026 additions.
