New consumer protection laws from 2025

What the law currently requires

Existing law prohibits a person or entity from manufacturing, selling, delivering, holding, or offering for sale in commerce any cosmetic product that contains any of dozens specified intentionally added ingredients except under specified circumstances.

How the bill changes the law

This bill, the Musk Reduction Act, expands the prohibition by adding musk ambrette, musk tibetene, musk moskene, and musk xylene to the list of banned ingredients. The bill also, beginning January 1, 2027, prohibits the use of musk ketone in cosmetic products in excess of specified amounts, including 1.4% in fine fragrance products and 0.042 percent in all other products except oral products.

Action items

Businesses that manufacture cosmetic products will need to start testing their products to ensure that they do not contain the newly added “musk-related” chemicals. Businesses that sell cosmetic products should require, as part of their contracts with manufacturers, that the manufacture certify in writing that cosmetic products they sell do not contain the newly added “musk-related” chemicals, and include specific indemnity language in the contracts to protect sellers from claims relating to these chemicals.

What the law currently requires

Existing law establishes the Attorney General as the head of the Department of Justice, with charge of all legal matters in which the state is interested, except as specified. Existing law imposes various requirements on the Attorney General related to consumer protection, including, among others, the supervision of charitable trusts and the enforcement of antitrust laws. Existing law, commonly known as the Cartwright Act, identifies certain acts that are unlawful restraints of trade and unlawful trusts and prescribes provisions for its enforcement.

How the bill changes the law

This bill makes it unlawful for a person to use or distribute a common pricing algorithm as part of a contract, combination in the form of a trust, or conspiracy to restrain trade or commerce. The bill makes it unlawful for a person to use or distribute a common pricing algorithm if the person coerces another person to set or adopt a recommended price or commercial term recommended by the common pricing algorithm for the same or similar products or services in the jurisdiction of the state.

In essence, the bill makes pricing algorithms subject to state antitrust law, thereby protecting consumers from price increases and false scarcity generated through unlawful collusion.

Action items

In light of this new law, businesses are encouraged to:

• List algorithmic pricing tools. Identify all tools that affect price, fees, availability or output, ranking/visibility, or pay in California. Note any tool used by more than one firm and any tool that uses competitor data, using public information or not.
• Update compliance policies. Last year, the Antitrust Division updated its compliance standards to include “new technologies such as … algorithmic revenue management software.” Company policies should be reviewed and updated. Review whistleblower program based on the new Antitrust Division Whistleblower Rewards Program.
• Update contracts and settings. Review current contracts concerning the pooling or reuse of your nonpublic data. Avoid mandatory terms concerning price or “commercial terms” under the new law. State clearly that deviation is permitted.
• Avoid conduct that may be deemed retaliatory/coercive. Avoid conduct that may be construed as coercing others to set or adopt a price or commercial term based on a common pricing algorithm for the same or similar products or services. Consider neutral ranking criteria.
• Demonstrate independent decision-making. Maintain records that establish that pricing and other decisions are the product of independent decision-making.

What the law currently requires

Existing law, pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to direct a business not to sell or shares personal information about the consumer to third parties. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 in 2020, amended the CCPA and established the California Privacy Protection Agency (“Agency”) which is vested with full administrative authority and jurisdiction to enforce the CCPA.

How the bill changes the law

Effective January 1, 2027, the bill -- called the Opt Me Out Act -- prohibits a business from developing or maintaining a browser that does not:

• Include functionality that allows the browser to send the opt-out preference signal.
• Make the functionality easy to use and configure.
• Describe to the consumer how the browser signal works and what the intended effect of the signal is.

While the current CCPA requires website operators subject to the CCPA to comply with an opt-out preference signal, many browsers do not include the capability to send this signal. Without the ability to send the opt-out signal, consumers instead must manually opt-out of the sale and sharing of their personal information on each website. The new law makes it significantly easier for consumers to exercise their rights by requiring that they be provided the ability to exercise their rights in a one-stop shop through a browser setting.

A business that develops or maintains a browser that includes a functionality that enables the browser to send an opt-out preference signal pursuant to this section shall not be liable for a violation of this title by a business that receives the opt-out preference signal.

Action items

None, unless you are a browser developer as defined in the new law. However, the bill may impact a business’ ability to maintain relationships with existing customers.

What the law currently requires

Existing law generally regulates social media platforms, including by requiring a social media company to post terms of service for each social media platform owned or operated by the company in a manner reasonably designed to inform all users of the social media platform of the existence and contents of the terms of service.

Existing law, pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer.

How the bill changes the law

AB 656 requires social media platforms that generate more than $100 million per year in gross revenues to provide a clear and conspicuous button that allows users to delete their accounts, as well as the corresponding personal information the platform holds about them pursuant to the CCPA.

The deletion button must be “immediately visible” in the platform’s settings menu regardless of whether the user is accessing the platform via an application, browser, or other means, and must be prominently labeled “delete account.” When a user clicks the button, the platform is required to provide instructions about how to delete their account, including associated personal information. However, the law permits platforms to verify the identity of the user in a “cost-effective, easy-to-use manner” before deleting the account.

Action items

None, unless your business operates a social media platform as defined in the law.

What the law currently requires

Existing law regulates the formation and enforcement of contracts, including imposing certain restrictions on the terms of a contract for the sale or lease of consumer goods or services. In this regard, existing law prohibits a provision waiving the consumer’s right to make any statement regarding the seller, lessor, or its employees or agents, or concerning the goods or services.

Existing law also prohibits a consumer service contract from limiting a consumer’s ability to file a complaint with a licensing board that regulates the consumer service provider or to participate in the board’s investigation into the consumer service provider.

How the bill changes the law

For “a consumer use agreement,” defined as “a contract between a person and a consumer that the consumer enters into in order to use, receive, or otherwise enjoy a good, service, money, or credit,” this bill limits the dispute resolution terms and conditions to the use, payment, or provision of the good, service, money, or credit provided by the consumer use agreement. The bill makes a waiver of these provisions void and unenforceable and would require that the provisions be liberally construed for the purpose of protecting consumers.

The new law aims to restrict overly broad terms and conditions that require unsuspecting consumers to sign so-called “infinite” arbitration clauses. Instead, arbitration is required only for claims arising out of the specific transaction(s) contemplated by the agreement.

Action items

Businesses that include arbitration agreements in their contracts with consumers should engage counsel to craft arbitration provisions that are not considered “infinite” or otherwise violate the new law.

What the law currently requires

Existing law, pursuant to the California Consumer Privacy Act of 2018 (“CCPA”) grants a consumer various rights with respect to personal information that is collected or sold by a business, including:

• the right to request that a business disclose specified information that has been collected about the consumer;
• to request that a business delete personal information about the consumer that the business has collected from the consumer; and
• to direct a business not to sell or share the consumer’s personal information, as specified.

The California Privacy Rights Act of 2020 (“CPRA”), approved by the voters as Proposition 24 in 2020, amended the CCPA and also established the California Privacy Protection Agency (“Agency”) vested with full administrative authority and jurisdiction to enforce the CCPA.

Existing law requires a data broker to register with the Agency and defines “data broker” to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Existing law requires a data broker, in registering with the Agency, to provide specified information, including, among other things, the name of the data broker and its primary physical, email, and internet website addresses, and to state whether the data broker collects the personal information of minors, consumers’ precise geolocation, or consumers’ reproductive health care data.

Existing law requires that, beginning January 1, 2026, the Agency establish an accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor. Existing law also requires the Agency to create a page on its internet website where registration information provided by data brokers -- and the accessible deletion mechanism -- is accessible to the public.

Existing law requires, beginning August 1, 2026, a data broker to access the accessible deletion mechanism at least once every 45 days and, among other things, process a denied request to delete personal information as an opt-out of the sale or sharing of the consumer’s personal information under the CCPA.

How the bill changes the law

Reflecting legislators’ concerns about personal data being “used to target vulnerable communities,” SB 361 requires data brokers to inform the CPPA whether they collect consumers’ account credentials, government-issued identifiers, device or vehicle identifiers, citizenship and immigration status, union membership, gender identity and sexual orientation data, biometric data, and precise geolocation information. Additionally, data brokers must also disclose whether they have sold or shared personal information to foreign actors, federal or state governments, law enforcement, or to generative artificial intelligence technology developers within the previous year. The CPPA, however, will not publish data brokers’ responses about their collection of account credentials or device or vehicle identifiers.

Data broker registration deadlines are unchanged under SB 361. Businesses that acted as data brokers in 2025 must register with the CPPA between January 1 and January 31, 2026.

Action items

None, unless your business is considered a “data broker” as defined in the new law.

What the law currently requires

Existing law, pursuant to the California Safe Drinking Water Act, provides for the operation of public water systems and imposes on the State Water Resources Control Board (“Board”) various duties and responsibilities for the regulation and control of drinking water in the State of California.

The Safe Drinking Water Act requires the Board to adopt primary drinking water standards for contaminants in drinking water based upon specified criteria and requires a primary drinking water standard to be established for hexavalent chromium. Existing law authorizes the state board to grant a variance from primary drinking water standards to a public water system.

How the bill changes the law

This bill prohibits a public water system from being deemed to be in violation of the primary drinking water standard for hexavalent chromium while implementing a state board approved compliance plan or while Board action on the proposed and submitted compliance plan is pending – provided that the public water system otherwise meets the total chromium maximum contaminant level (MCL) enforceable standard for drinking water in California.

SB 466 aims to provide legal protections for these providers, ensuring they are not held liable for civil lawsuits as long as they are actively implementing a state-approved compliance plan. However, the bill does not offer blanket immunity; providers can still be sued for reckless delivery of contaminated water.

Action items

None.

What the law currently requires

Existing law (including the “Take All Menstrual Product-PFAS Out Now” Act or “T.A.M.P.O.N. Act”) prohibits any person from intentionally manufacturing, distributing, selling, or offering for sale in the state any menstrual products that contain regulated perfluoroalkyl and polyfluoroalkyl substances (“PFAS”).

Existing law requires the California Department of Toxic Substances Control (“DTSC”) to adopt regulations on or before January 1, 2029 for the purposes of implementing, interpreting, enforcing, or making specific these provisions.

Existing law makes a violation of these provisions punishable by a civil and administrative penalty and such penalties are to be deposited into the T.A.M.P.O.N. Act Fund in the State Treasury, which funds are subject to appropriation by the Legislature.

How the bill changes the law

The existing law does not address unintentional contaminants that may arise during manufacturing of disposable tampons and pad products. This gap poses a serious health risk, as recent studies have detected toxic metals in tampons, with lead levels exceeding federal drinking water limits by eight times. The bill seeks to close this gap by:

• Requiring manufacturers to maintain chemical concentration data for tampons and pads by December 31, 2026.
• Authorizing the DTSC to add concerning chemicals, publish testing methods, and health data.
• Imposing upfront testing costs on manufacturers and deposits funds into the T.A.M.P.O.N. Act Fund.

Action items

None, unless your business manufactures disposable tampons and pad products.

What the law currently requires

Existing law, pursuant to the California Consumer Financial Protection Law (“CCFPL”), requires the Department of Financial Protection and Innovation (“DFPI”), headed by the Commissioner of Financial Protection and Innovation (“Commissioner”), to regulate consumer financial products or services under California consumer financial laws. Pursuant to Section 90003, CCFPL makes it unlawful for a covered person or service provider to engage in certain deceptive or abusive acts or practices with respect to consumer financial products or services.

Existing law, pursuant to Section 90002(b) of the CCFPL, exempts from its provisions for certain DFPI licensees like finance lenders, escrow agents, residential mortgage lenders and brokers, or investment advisers, when acting under the authority of their respective licenses.

How the bill changes the law

The bill is aimed at expanding the state’s authority to enforce its consumer finance laws by eliminating an existing exemption for persons licensed by the DFPI if they engage in certain prohibited practices in connection with consumer financial products or services. Specifically, the bill amends Section 90002(b) to explicitly provide that this exemption does not prevent the DFPI from using the authority granted by the CCFPL to enforce Section 90003 and, in particular, the section’s prohibition against unlawful, unfair, deceptive, or abusive acts or practices.

In short, SB 825 closes potential gaps in enforcement by ensuring that the DFPI’s authority to combat unlawful, unfair, deceptive, or abusive acts or practices in consumer financial services is not limited by the exemptions currently granted under Section 90002(b) of the CCFPL.

Action items

This amendment has a significant implication for a wide range of financial services providers licensed to operate in California. Such financial services providers should take note of this enhanced enforcement authority and ensure their practices align with the requirements of Section 90003 of the CCFPL.