
The Geopolitical Chessboard of Data: CPPA’s Influence on U.S. Federal Privacy Legislation

State privacy laws continue to expand, adding new pressure to national compliance programs. California leads this shift with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

The California Privacy Protection Agency (CPPA) sits at the center of this landscape. The CPRA created the agency and granted it authority to regulate, investigate, and enforce. The CPPA now requires risk assessments for high-risk data uses, independent cybersecurity audits for covered businesses (first reports due starting April 2028), and controls for automated decision-making technology (enforceable January 2027).

These requirements are now phasing in operationally: the first submission deadlines begin in April 2028 and are staggered by revenue tier. The audit period for the largest businesses (more than $100M in revenue) begins January 1, 2027.

States including Colorado, Connecticut, Virginia, Texas, Oregon, Utah, and Montana have enacted their own comprehensive consumer data privacy laws, each with distinct coverage, thresholds, and enforcement regimes, which adds complexity for companies that operate across jurisdictions.

This environment shapes a national data chessboard. States push new rules in response to California’s lead, and their actions influence one another in rapid cycles. This escalation increases strain on national programs and fuels pressure on Congress to adopt a uniform federal framework.

For senior counsel and executives, these shifts define key strategic decisions through 2026 and beyond.

CPPA's “Gold Standard”: Raising the Bar for Privacy Nationwide

California continues to shape national expectations and influence how companies design compliance programs across all jurisdictions.

California pushes the market forward

Key provisions raise operational demands and expand consumer control:

  • Broad access, deletion, correction, and opt-out rights under the CCPA and CPRA
  • The Delete Act, which creates a centralized deletion pathway for data broker records (The Delete Request and Opt-out Platform, or DROP, launches Jan 1, 2026, with data brokers required to process requests starting Aug 1, 2026).
  • Rules for AI and automated decision-making in high-impact areas such as hiring, credit, housing, and health
These measures set California apart and influence how other states draft their statutes.

Certification and assessments drive deeper governance

The CPPA increases oversight with requirements that apply when a business’s processing presents significant risk:

  • Independent cybersecurity audits with phase-in deadlines based on revenue tier
  • Certifications that confirm audit results and remediation steps
  • Detailed risk assessments for high-risk processing operations

California’s model positions the regime ahead of most federal proposals, which use broader duties without equivalent certification structures.

Enforcement strength and coordination continue to grow

The CPPA expands its enforcement division and works with federal and state regulators. This expansion allows:

  • Coordinated investigations across jurisdictions
  • Shared insights that shape enforcement strategies
  • Stronger alignment among agencies evaluating high-risk data uses
California’s approach now operates as the most demanding statewide model, and national organizations often treat it as the effective baseline for multi-state compliance.

Need a privacy program that uses CPPA as the baseline for national operations?

TrustNet supports compliance leaders with program design, readiness planning, and controls that scale across states and prepare for a federal framework shaped by California’s model. Talk with a TrustNet expert today.

Legislative Ripple Effects: Driving Federal and State Lawmaking

CPPA rules do more than shape California programs. They also influence how lawmakers frame federal privacy proposals and how other states draft their own statutes.

CPPA pushes a “floor, not ceiling” model

California leaders treat state privacy law as the baseline and press Congress to respect that position.

  • The Governor, Attorney General, and CPPA jointly urged Congress to adopt a federal law that sets a floor, not a ceiling, allowing states to maintain stronger rules and respond to new technologies.

  • The CPPA board voted to oppose the American Data Privacy and Protection Act (ADPPA) and any federal bill that broadly preempts California law or blocks the state from strengthening protections in the future. The board agreed to support only a federal framework that creates a “true floor” for privacy rights.

  • The CPRA itself establishes a state-level floor in California law by allowing amendments only when they “further the purpose and intent of the Act,” which prevents rollbacks and ensures a minimum level of protection.

This posture signals to Congress that any federal proposal that strips back California’s standards will face sustained political and regulatory resistance.

Federal draft bills echo key California themes

Recent federal bills such as the ADPPA, H.R. 8152, and the newer APRA share several core features with California’s regime, even though they draw from many sources.

Both ADPPA and APRA:

  • Grant individual rights to access, correct, delete, and export personal or “covered” data.

  • Provide opt-out rights for targeted advertising and data transfers to third parties and require clear mechanisms to exercise those rights.

  • Treat sensitive data differently, including stronger consent rules or restrictions on transfers to third parties.

  • Introduce a duty of loyalty and data minimization, which limits collection, processing, and transfer to what is necessary, proportionate, and limited to defined purposes.

  • Require algorithmic impact assessments (AIAs) or similar reviews for large data holders when automated systems create significant or consequential risk of harm.

  • Call on the FTC to establish and enforce a global or universal opt-out mechanism, allowing individuals to express their opt-out choices across services through a single signal.
California already embeds similar concepts in the CCPA/CPRA framework and in CPPA regulations for risk assessments, cybersecurity audits, and automated decision-making technology.

Federal drafts do not copy California line by line, and in some areas, ADPPA or APRA would exceed California on specific issues, such as certain civil rights or children’s protections.

For national organizations, the key point is alignment: federal proposals and California rules now revolve around the same set of pillars — rights, data minimization, sensitive data controls, algorithmic governance, and centralized opt-out signals.

Preemption stands at the center of the federal debate

The largest policy fight sits in one word: preemption.

  • ADPPA and APRA both rely on broad preemption of state privacy laws, with defined carve-outs. Industry groups support this structure because it simplifies compliance and creates a single federal standard.

  • California leaders argue that this approach would weaken existing protections under CCPA/CPRA and block future innovations in areas such as automated decision-making, children’s privacy, and reproductive data.

  • The CPPA, the Governor, and the Attorney General have taken public positions against broad preemption, explicitly calling for federal law that allows states to keep and expand stricter standards.

This clash shapes the path for any national privacy law:

  • If Congress enacts a strongly preemptive law, California may lose the ability to maintain or extend CPPA rules, and national programs would likely shift toward the federal standard.
  • If Congress adopts a floor model, organizations will likely continue to treat California and a handful of strict states as the effective ceiling for design, even under a federal framework.


This preemption fight drives a strategic question: whether to design programs only to anticipate federal text, or to keep building to CPPA standards and treat California as the enduring high-water mark.

Legal, Political & Compliance Risks for National and Global Organizations

As California drives new requirements and states follow, companies with nationwide footprints face escalating legal, political, and compliance challenges.

Multi-state complexity and timing risk

Many national and global organizations now manage overlapping requirements across a growing list of state privacy laws. Analysts describe this landscape as a patchwork that forces companies to track different thresholds, definitions, and rights across jurisdictions.

Several sources note that relying on a future federal law is a high-risk strategy. Federal proposals continue to stall, while more states pass and enforce their own statutes, which increases operational cost and legal exposure for organizations that serve consumers nationwide.

This leaves two primary paths for leaders:

  1. Maintain separate state-by-state programs with rising overhead.
  2. Design a unified architecture that uses a strict standard as the baseline.

The “California Effect” in program design

Commentary from industry and legal analysts describes a growing privacy “California Effect.” Many organizations adopt California’s requirements across their U.S. operations because the state’s market is large, its standards are strong, and segmented compliance models are costly.

This approach continues as:

  • CCPA and CPRA set operational expectations that many national firms already treat as their default standard.

  • New state laws often incorporate concepts first established in California, which reinforces the value of aligning with the most developed regime.

Coordinated enforcement and litigation exposure

Regulators now coordinate across states in ways that raise risk for national and global organizations.

  • The Consortium of Privacy Regulators (including regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon) shares information and coordinates enforcement of state privacy laws.

  • The CPPA and the attorneys general of California, Colorado, and Connecticut launched a joint investigative sweep focused on honoring Global Privacy Control opt-out signals.

At the federal level, the Federal Trade Commission continues to expand its privacy enforcement work, and lawmakers have proposed funding a dedicated privacy bureau to increase resources.

Litigation exposure also increases as more states establish rights and remedies that plaintiffs can use in disputes involving data mishandling or misuse. (Notably, APRA proposes a broader private right of action than the limited scope currently available under CPRA.)

Strategic planning scenarios

From a planning perspective, leaders face two likely scenarios:

Scenario 1: Congress advances a federal bill that incorporates some California-aligned concepts.

Drafts such as the ADPPA and APRA include rights to access, correction, deletion, protections for sensitive data, data minimization, and elements of algorithmic oversight.

If Congress passes a broadly preemptive version, national programs would shift toward the federal baseline, while still incorporating design choices tailored to California.

Scenario 2: Federal efforts stall, and California remains the high-water mark.

More states continue to legislate, often looking to California as a reference, and coordinated enforcement through the Consortium expands.

Organizations aligned to California maintain a stronger position, while lagging peers face higher remediation costs.

Across both scenarios, programs built to meet CPPA expectations sit on firmer ground, since many state and federal initiatives mirror similar themes: strong rights, minimization, sensitive data controls, and documented oversight for high-risk processing.

Quick Look: Key Risks for National and Global Organizations

| Risk Area                    | What Organizations Face                                                              | Why It Matters                                                        |
|------------------------------|--------------------------------------------------------------------------------------|-----------------------------------------------------------------------|
| Multi-State Complexity       | Different rights, thresholds, and definitions across many states                     | Increases operational cost and adds ongoing rule-tracking demands     |
| Slow Federal Progress        | No predictable timeline for a federal privacy law                                    | Creates uncertainty and forces interim strategies that carry risk     |
| California Effect            | Many organizations adopt California’s standards across all states                    | Reduces fragmentation and raises baseline operational expectations    |
| Coordinated Enforcement      | Joint actions by CPPA and multiple state attorneys general                           | Raises the chance of multi-state findings from a single issue         |
| Federal Enforcement Momentum | FTC expands privacy oversight and seeks added resources                              | Signals stronger federal attention on high-risk data practices        |
| Litigation Exposure          | More states create rights and remedies usable in civil claims                        | Increases risk in breach cases and disputes involving data use        |
| Scenario: Federal Bill Passes | Programs adjust to a federal baseline that includes California-style concepts       | Requires rapid realignment and close review of preempted areas        |
| Scenario: Federal Bill Stalls | California remains the high-water mark for compliance programs                      | Reinforces the need to design for CPPA standards to stay ahead        |

The Future Chess Moves: From State Patches to a Federal Net

California may hold the high-water mark for the next few years. More states continue to pass their own laws, and this growth increases pressure on Congress to consider a federal baseline that brings consistency.

Until that happens, California’s standards shape how regulators and lawmakers define rights, limits on high-risk processing, and expectations for automated decision-making.

Where regulators continue to align:

  • Audits for high-risk processing
  • Detailed risk assessments
  • Strong privacy-by-design expectations
  • Oversight for automated decision-making and AI
  • Broad consumer rights across data use

What leaders should do now:

  • Use CPPA requirements as the baseline for multi-state programs
  • Strengthen documentation for audits and assessments
  • Track preemption activity to prepare for a federal framework
  • Keep governance structures flexible as new state laws activate
Programs built around California’s model sit in a stronger position as the national landscape moves toward those same themes.

Personal Guidance and Expert Support

Need help aligning your program with CPPA standards while preparing for federal shifts? TrustNet supports teams with high-risk processing reviews, risk assessments, audit preparation, and workflow automation.

Connect with a TrustNet expert who can review your program and help you build a reliable path to compliance under California’s rules and emerging federal expectations.
