New law requires clear “delete my account” pathways and full data removal—another front in state-level tech governance.
California Governor Gavin Newsom signed a package of data-privacy measures this week, including AB 656, which requires social-media firms to make account deletion both conspicuous and comprehensive—triggering full removal of associated personal data. The move builds on the CCPA/CPRA framework and adds operational specificity around user flows that platforms must implement. For product teams and privacy counsel, the mandate will require UI changes, compliance testing, and auditable back-end deletion. Governor of California
The broader context is a patchwork U.S. privacy landscape. With Congress stalled on omnibus privacy legislation, states continue to define their own standards, producing a compliance maze for national platforms. California’s action tends to set de facto national baselines given the state’s market size and enforcement posture. Expect adjacent debates over data portability, algorithmic transparency, and age-appropriate design to accelerate in the 2026 session. Governor of California
Pushback will likely focus on the cost of compliance and potential tensions with data-retention obligations under other regimes (e.g., litigation holds, financial records). But California’s approach mirrors transatlantic trends, and firms serving EU users have already built many of the primitives required. The signal from Sacramento is clear: make deletion easy, make it real, and prove it. Governor of California