California Privacy Rules Expand in 2026; ICO Backs Meta’s Consent Model as Global Standards Shift

Want to receive these privacy recaps in your inbox each week? Subscribe here.

California businesses will face new compliance requirements starting in January 2026, as updated CCPA regulations mandate opt-out status displays. Meanwhile, the UK’s ICO signals growing acceptance of consent-or-pay models.

These developments reflect a global shift toward more transparent, yet commercially tolerant privacy choices. Keep reading to learn more.

United States

Updated CCPA Regulations to Take Effect January 1, 2026

The California Office of Administrative Law (OAL) has officially approved a package of regulations that businesses must comply with on a staggered timeline, beginning January 1, 2026, when updates to the CCPA regulations take effect and become enforceable.
Although many of the CCPA updates are minor clarifications, two notable updates will impact the consumer-facing notices that businesses must display:

1. Businesses will be required to display the status of a consumer’s opt-out preference (for example, through a toggle or radio button that the consumer has opted out of the sale/sharing of their personal information) and whether it has processed the consumer’s opt-out preference signal as a valid request to opt out (for example, by displaying “Opt-Out Request Honored” when a consumer using an opt-out preference signal visits the website);

2. Businesses that collect personal information through connected devices (e.g., smart televisions or smart watches) must provide notice of the right to opt out of the sale or sharing of such information before or at the time the connected device begins collecting the personal information, and businesses that collect personal information in augmented or virtual reality (e.g., through gaming devices or mobile applications) must provide such notice either before or at the time the consumer enters the augmented or virtual reality environment or before or at the time the consumer encounters the business in the augmented or virtual reality environment.

In addition to CCPA updates, the OAL approved regulations governing: Automated Decision Making Technology that must be complied with beginning January 1, 2027; Cybersecurity Audits that must be conducted beginning April 1, 2028, 2029 or 2030, depending on the revenue of the business; and Risk Assessments that must be completed beginning January 1, 2026 and submitted to the CCPA beginning April 1, 2028.

TAKEAWAY

Opposition to the new requirements to display the status of a consumer’s opt-out preference and whether the opt-out preference signal has been honored expressed that these requirements are inflexible and would disrupt the user experience. However, the agency’s response to such opposition (published as an Appendix to its Statement of Reasons) provides insight into the agency’s interpretation.

The response says that “there is nothing in the regulation that requires a new screen or pop-up that would undo the frictionless use case” and that the example to display “Opt-Out Request Honored” when a consumer visits the website “is an example and does not reflect all factual scenarios that would be in compliance with this requirement’, indicating that the agency is flexible and open to creative approaches to comply with these requirements, as long as the status of the consumer’s opt-out preference and whether the business has processed the consumer’s opt-out preference signal is displayed.

ICO Welcomes Meta’s Consent or Pay Model

A spokesperson for the UK Information Commissioner’s Office (ICO) issued a statement in response to Meta’s implementation of a “consent or pay” model in which Facebook and Instagram users are given the choice between consenting to personalized ads or paying a monthly subscription for an ad-free service.

The spokesperson said that the ICO “welcome[s] Meta’s decision to ask users for consent to use their personal information to target them with ads” (rather than targeting them with ads as part of the standard terms and conditions for using the service) and that they recognize “that online platforms, like every business, need to operate commercially”.

The statement also noted that Meta has responded to the ICO’s request that the price set provides UK consumers with a fair choice between consenting to targeted ads using their data or paying to subscribe to no ads and that they expect Meta to assess the impact of implementing the new model.

TAKEAWAY

This statement is consistent with previous guidance from the ICO, which concludes that consent or pay models can be compliant if the consent is freely given.

The determination of whether consent is freely given should be assessed, according to the guidance, based on a number of provided factors, including whether there is a power imbalance between the platform and its users, the appropriateness of any fee (in particular where there is a power imbalance), and whether the same core service is included under either option.

A LITTLE MORE PRIVACY, IF YOU PLEASE

• New Zealand Passes Privacy Amendment Act, Effective May 2026
• Joint Canadian Investigation Forces TikTok Privacy Commitments
• Does Google Tag Manager (GTM) require user consent in Germany?

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.