California Privacy Rights Act Amendments: What Changed in June 2026

California Privacy Rights Act Amendments: What Changed in June 2026 The California Privacy Protection Agency (CPPA) Board adopted significant amendments to the California Privacy Rights Act (CPRA) on June 5, 2026, following months of stakeholder consultation. The changes expand consumer rights, impose new obligations on data brokers, and — most significantly — create a private right of action for certain violations. Expanded Consumer Rights The June 2026 amendments add or strengthen several consumer rights: Right to Correct Consumers can now correct inaccurate personal information held by businesses, not just request deletion. The right applies to: Data held by the business directly Data the business has shared with third parties (requiring notification to those parties) Inherited data (acquired companies must correct pre-acquisition data) Businesses must respond to correction requests within 45 days, with a 15-day extension for complex requests. Right to Limit Use of Sensitive Personal Information The existing opt-out of sensitive personal information (SPI) use is strengthened: Businesses must offer a "limit use" button at collection, not just at opt-out pages The definition of SPI now includes biometric data and geolocation data (previously it covered fewer categories) Businesses cannot use SPI for purposes not compatible with the disclosed purpose without explicit consent Automated Decision-Making Rights Consumers can now request human review of automated decisions that significantly affect them, including: Eligibility for employment, housing, credit, and insurance Content moderation decisions on platforms Risk assessment decisions in healthcare This is the first US-state-level right to human review of algorithmic decisions. Data Broker Registration Tightening Data brokers — companies that knowingly collect and sell personal information without direct consumer relationship — face stricter requirements: Mandatory Registration Verification California already required data broker registration. The June amendments add: Annual audit requirement: Data brokers must submit to annual compliance audits (third-party, CPPA-approved auditors) Buyer restriction: Registered data brokers can only sell to other registered data brokers or businesses with certified compliance programs Delisting from non-compliant brokers: The CPPA can issue emergency delisting orders if a broker poses imminent risk to consumer data Record-Keeping Requirements Data brokers must now maintain: Complete records of data sources (not just categories but specific sources) Data sale records: Who bought what data, when, and for what stated purpose Retention schedules: Maximum retention periods for each data category Failure to maintain records is treated as a violation regardless of whether data was misused. Private Right of Action The most significant change is the new private right of action for data breaches involving: Social Security numbers Financial account information in combination with access credentials Medical information Biometric data The private right of action allows consumers to sue for statutory damages of $100-$750 per consumer per incident, or actual damages if greater. This brings data breach litigation closer to the model established by the Illinois Biometric Information Privacy Act (BIPA). Enforcement Timeline September 1, 2026: Consumer rights amendments take effect January 1, 2027: Data broker amendments take effect April 1, 2027: Private right of action provisions take effect June 2027: First required data broker audits submitted For businesses, the amendments require updating privacy notices, implementing correction request workflows, and reviewing third-party data sharing agreements for compliance with the new buyer restrictions.