California Gov. Gavin Newsom has signed a trio of privacy bills into law, adding to the mounting compliance burden facing businesses that handle personal information across an increasingly fragmented regulatory landscape.

The new measures underscore that the rush of state-level privacy legislation shows no signs of abating, even as businesses continue grappling with California’s landmark Consumer Privacy Act and similar laws spreading across the country.

The bills will impose new requirements on businesses operating in the Golden State.

Starting in 2027, all web browsers must include functionality allowing Californians to transmit opt-out preference signals to websites they visit. The requirement, established under AB 566, comes as California’s Privacy Protection Agency has joined with Colorado and Connecticut regulators to investigate companies potentially ignoring the Global Privacy Control.

Data brokers face expanded disclosure mandates beginning next year under SB 361. The law requires these companies to report whether they collect mobile advertising IDs, connected TV identifiers, and vehicle identification numbers when they register annually with the state. They must also reveal if they’ve shared or sold data to foreign entities, federal or state governments, or developers of generative AI systems.

Perhaps most striking is AB 45, which takes effect in 2026 and prohibits collecting personal information about individuals within 1,850 feet of family planning centers unless necessary to provide requested services. The law also bans geofencing around healthcare facilities to track patients, target health-related ads, or send notifications about their personal information.

California isn’t acting alone. Maryland’s Online Data Privacy Act took effect Oct. 1, giving residents new privacy rights and imposing data-minimization requirements on businesses. Rhode Island, Indiana, and Kentucky will activate their own comprehensive privacy laws on January 1, 2026, while Connecticut, Montana, and Oregon have strengthened existing statutes this year.

Virginia recently amended its Consumer Protection Act to prohibit using or disclosing personally identifiable reproductive or sexual health information without consent, and the state created a private right of action for violations, allowing individuals to sue directly.

The regulatory pressure is intensifying beyond just new laws. Minnesota and New Hampshire recently joined the Consortium of Privacy Regulators, a multistate enforcement coalition launched in April. The group now includes privacy authorities from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon. The consortium aims to coordinate investigations into potential privacy law violations across state lines. While California has led enforcement efforts so far, experts say other states are poised to follow suit.

For companies handling consumer data, the message is clear: prepare for complexity.

Businesses must ensure their systems can recognize and respond to browser-based opt-out signals. Data brokers need to assess whether California’s broad definition of their industry applies to their operations and prepare enhanced disclosures for 2026 registration.

With Maryland’s law already active and multiple states launching requirements in 2026, legal observers say companies need unified compliance frameworks that can scale across jurisdictions.

The stakes are rising, too. Between the new multistate enforcement coalition, Virginia’s private right of action for reproductive data violations, and California’s active enforcement posture, companies face mounting legal exposure for privacy missteps.