[Illustration: a cookie banner showing an "Opt-Out Honored" badge beside a California silhouette]

Disney paid $2.75 million in February 2026 for failing to honor opt-outs and Global Privacy Control signals, and they are not the only company to learn the new rules the hard way. Since January 1, 2026, California’s privacy law has teeth that were not there before, with mandatory signal honoring, visible opt-out confirmations, and explicit bans on the design tricks many sites still use.

If you run a website that touches California visitors, the CCPA 2026 compliance requirements changed how cookie banners must look, what signals you must honor, and what you must show users when they opt out. This guide covers every requirement that took effect on January 1, the rules still rolling out through 2030, and what your banner must do today to avoid the next round of enforcement actions.

While building a fully compliant banner from scratch is possible, tools like CookieTrust handle GPC detection, opt-out confirmation, symmetric UX, and audit logging automatically. We will walk through both paths so you can choose what fits your team.

What Changed in CCPA on January 1, 2026

Six new requirements activated together at the start of 2026, and they apply to any business that meets the existing CCPA thresholds. Together they shift the law from a passive set of rights into an active set of website behaviors.

Opt-out confirmation visibility is now mandatory. Silently honoring an opt-out request fails the new rules. When a user opts out, your site must display a visible confirmation, often called an “Opt-Out Honored” badge or message, so the user knows the request was processed. Quietly flipping a database flag is no longer enough.

Global Privacy Control honoring is required. California, along with 11 other states, now requires sites to detect the GPC browser signal and treat it as a valid opt-out request the moment it arrives. The signal is sent automatically by browsers and extensions, so users do not need to click anything for opt-out to take effect.

Dark patterns are explicitly banned. Pre-checked consent boxes, vague language, asymmetric button sizes, and hiding the reject option behind extra clicks are all out. Closing a popup does not equal consent under the 2026 rules, even if your old banner code assumed it did.

Symmetric UX is enforced. Rejecting cookies must require the same number of steps and have the same visual prominence as accepting them. A green “Accept All” button with a tiny gray “Reject” link below it is the textbook example of what regulators are now penalizing.

Historical data access expanded. Consumer right-to-know requests must now cover data going back to January 1, 2022, instead of the prior 12-month window. Companies need data retention systems that can pull at least four years of records.

Risk assessments started. Businesses processing significant volumes of personal information must begin formal risk assessments for high-risk activities. Submission deadlines come later, but the documentation work begins now.

For a contrast with European requirements, our GDPR cookie consent requirements guide covers how the EU rules differ from these California obligations.

The Full CCPA 2026 Compliance Timeline

Compliance is not a single event in 2026; it is a sequence of dates that runs through 2030. Mapping the calendar early prevents scrambling later.

What Is Already Mandatory (January 2026)

As of January 1, 2026, the following requirements are live and enforceable:

  • GPC honoring in 12 states: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas
  • Opt-out confirmation display on every covered request
  • Symmetric UX enforcement on all consent interfaces
  • Dark pattern elimination in cookie banners
  • Notice at Collection on first visit
  • Right-to-know access covering data back to January 2022
  • Risk assessment work for qualifying businesses

August 1, 2026: Data Broker Obligations

Data brokers registered in California must begin checking the DROP (Delete Request and Opt-out Platform) registry every 45 days. The registry consolidates consumer deletion requests, so brokers can no longer claim they were unaware of a request that was sitting in the public system.

What Is Coming in 2027 and Beyond

The next big shift arrives on January 1, 2027, when two changes hit at once:

  1. Automated Decision-Making Technology (ADMT) compliance kicks in. Businesses using AI to make significant decisions about consumers in financial services, housing, education, employment, or healthcare must provide pre-use notices and offer opt-out rights.
  2. The Opt Me Out Act (AB 566) requires browser makers to ship a built-in opt-out preference signal setting. Once Chrome, Safari, and Edge include GPC controls, the signal is available to nearly every California user by default.

Cybersecurity audits then phase in by company size:

  • April 1, 2028: Audits and risk assessment attestations due for businesses with $100 million or more in annual revenue
  • April 1, 2029: Audits due for businesses with $50 million to $100 million in revenue
  • April 1, 2030: Audits due for businesses under $50 million in revenue

The staggered audit deadlines give smaller companies more time, but the cookie banner and GPC rules apply to everyone covered by CCPA right now.

Cookie Banner Requirements Under CCPA 2026

Your banner is the most visible part of CCPA 2026 compliance, and it is where most enforcement actions originate. Every covered site needs the following elements working correctly.

Required Links and Disclosures

Two links are mandatory on any covered page:

  • “Do Not Sell or Share My Personal Information” link, accessible from the homepage and every page where data is collected
  • “Limit the Use of My Sensitive Personal Information” link, required when your site processes sensitive PI

A “Notice at Collection” must appear on first visit, explaining what categories of personal information you collect, the purposes, and whether you sell or share that information.

Opt-Out Confirmation Display

When a user opts out, whether through a button click or a GPC signal, your site must show a confirmation that the request was honored. Common formats include:

  • A persistent “Opt-Out Honored” badge in the banner
  • A toast notification confirming the opt-out
  • A status indicator in the user account settings

Silent backend processing without any visual confirmation is now a violation, and Disney’s 2026 settlement over opt-outs that never took effect is the textbook case of what happens when an opt-out is not honored end to end and confirmed to the user.

GPC Detection and Auto-Honoring

The GPC signal flow looks like this: the browser sends a Sec-GPC: 1 request header (and exposes the same setting to page scripts as navigator.globalPrivacyControl), your site detects it on page load, you treat it as a valid request to opt out of sale and sharing, and you display the confirmation message. All four steps must happen automatically, without requiring the user to click anything in your banner. Note that only the exact header value 1 is a signal; an absent header or any other value means no signal was sent.
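The four steps as runnable code, added here as an example (it is not code from the page, from CookieTrust, or from any regulator). Each step is a pure function so it can be unit-tested: detect the signal from the server-side header or the browser property, resolve it against the visitor's stored choice, produce the confirmation text, and append a timestamped audit entry. The preference record shape { sellShare, source, updatedAt }, the visitorId field, the in-memory Map store, and the audit array are assumptions made for the example; the sample request objects are constructed.

```javascript
// Added example (not CookieTrust or page code): GPC detect -> resolve -> confirm -> audit.
// Record shape { sellShare, source, updatedAt }, the Map store and the audit
// array are assumptions for this example.

// Step 1a: Sec-GPC is a boolean HTTP header whose only signalling value is "1".
// "0", "true", "yes" or an absent header is NOT a signal and must not opt the
// visitor out by accident. Header names are matched case-insensitively.
function parseSecGpcHeader(headers = {}) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Step 1b: in the browser the same signal is navigator.globalPrivacyControl
// (true when set; false or undefined otherwise). Only a strict true counts.
function readNavigatorGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Step 2: resolve sell/share status. A GPC signal is an opt-out request on
// arrival and overrides a previously stored opt-in (the 'conflict' flag lets
// the UI tell the visitor). Without a signal the stored explicit choice stands.
function resolveOptOut({ gpcSignal, stored, now }) {
  const prev = stored && stored.sellShare ? stored.sellShare : 'unset';
  if (gpcSignal) {
    return {
      record: {
        sellShare: 'opted_out',
        source: 'gpc',
        updatedAt: prev === 'opted_out' ? stored.updatedAt : now,
      },
      changed: prev !== 'opted_out',
      conflict: prev === 'opted_in',
    };
  }
  return {
    record: stored || { sellShare: 'unset', source: null, updatedAt: null },
    changed: false,
    conflict: false,
  };
}

// Step 3: the visible confirmation. It is returned whenever the visitor is
// opted out, not only on the load that flipped the flag, so the badge persists.
function confirmationMessage(record) {
  if (record.sellShare !== 'opted_out') return null;
  return record.source === 'gpc'
    ? 'Opt-Out Honored: your Global Privacy Control signal was detected and your personal information will not be sold or shared.'
    : 'Opt-Out Honored: your personal information will not be sold or shared.';
}

// Step 4: append-only audit trail, one entry per state change rather than per
// page load, so it answers "when did we honor it?" without noise.
function appendAudit(log, { visitorId, record, conflict }) {
  log.push({
    ts: record.updatedAt,
    visitorId,
    event: 'opt_out_honored',
    source: record.source,
    overrodePriorOptIn: conflict,
  });
  return log;
}

// Glue for one page load. `req` is a simulated request: { visitorId, headers, navigator }.
function handlePageLoad(req, store, auditLog, now = new Date().toISOString()) {
  const gpcSignal = parseSecGpcHeader(req.headers) || readNavigatorGpc(req.navigator);
  const stored = store.get(req.visitorId);
  const { record, changed, conflict } = resolveOptOut({ gpcSignal, stored, now });
  if (changed) {
    store.set(req.visitorId, record);
    appendAudit(auditLog, { visitorId: req.visitorId, record, conflict });
  }
  return { optedOut: record.sellShare === 'opted_out', banner: confirmationMessage(record) };
}

// Constructed sample: a visitor who earlier clicked "accept" now arrives with GPC on.
const store = new Map([
  ['v-123', { sellShare: 'opted_in', source: 'click', updatedAt: '2026-01-05T10:00:00Z' }],
]);
const auditLog = [];
const first = handlePageLoad(
  { visitorId: 'v-123', headers: { 'Sec-GPC': '1' }, navigator: {} }, store, auditLog, '2026-02-01T12:00:00Z');
const second = handlePageLoad(
  { visitorId: 'v-123', headers: { 'sec-gpc': '1' }, navigator: {} }, store, auditLog, '2026-02-01T12:05:00Z');
console.log(first.banner, auditLog.length); // badge text, 1 (the second load logs nothing new)
```

On a real site, parseSecGpcHeader runs in the request handler and readNavigatorGpc in the banner script; both feed the same resolveOptOut so the server-rendered page and the client agree on the badge, and the audit entry carries the source so you can show a regulator that the opt-out was honored on the first load that carried the signal.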

Symmetric UX Enforcement

Symmetric UX means equal steps and equal prominence for accept and reject. In practice this means:

  • Both buttons must be the same size, color contrast, and visual weight
  • Reject must be reachable in the same number of clicks as accept (one click to one click)
  • No hiding the reject option in a “Settings” submenu while accept sits prominently on the main view
  • No pre-checked boxes for non-essential cookies
  • Closing the banner does not count as consent
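A lint you can run against your own banner to catch the asymmetries listed above, added here as an example (not code from the page or from CookieTrust). The pure compareChoices function takes two button descriptors, accept and reject, and reports findings for size, text contrast, and click depth; describeButton fills a descriptor from a live DOM element. The descriptor shape, the 10% size tolerance and the 0.5 contrast-ratio tolerance are assumptions for the example, not numbers from the regulations; the contrast math is the WCAG relative-luminance formula.

```javascript
// Added example (not page or CookieTrust code): symmetric-UX lint for a banner.
// Descriptor shape and the tolerances below are assumptions for this example.

// WCAG relative luminance of an sRGB colour given as "#rrggbb".
function relativeLuminance(hex) {
  const n = parseInt(hex.replace('#', ''), 16);
  const chan = (v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  };
  return 0.2126 * chan((n >> 16) & 255) + 0.7152 * chan((n >> 8) & 255) + 0.0722 * chan(n & 255);
}

// Contrast ratio between text and its background, from 1 (invisible) to 21.
function contrastRatio(fgHex, bgHex) {
  const a = relativeLuminance(fgHex);
  const b = relativeLuminance(bgHex);
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// descriptor: { label, width, height, fg, bg, clicksToReach }
// Returns every way the reject control is less prominent or harder to reach.
function compareChoices(accept, reject, opts = {}) {
  const sizeTol = opts.sizeTol ?? 0.10;       // assumed: reject may be at most 10% smaller
  const contrastTol = opts.contrastTol ?? 0.5; // assumed: contrast may differ by at most 0.5
  const findings = [];
  const areaA = accept.width * accept.height;
  const areaR = reject.width * reject.height;
  if (areaR < areaA * (1 - sizeTol)) findings.push('reject control is smaller than accept');
  const cA = contrastRatio(accept.fg, accept.bg);
  const cR = contrastRatio(reject.fg, reject.bg);
  if (cR + contrastTol < cA) findings.push('reject control has lower text contrast than accept');
  if (reject.clicksToReach > accept.clicksToReach) findings.push('reject needs more clicks than accept');
  return { symmetric: findings.length === 0, findings, contrast: { accept: cA, reject: cR } };
}

// Browser helper: computed colours come back as "rgb(r, g, b)"; convert to hex.
// A transparent background ("rgba(0, 0, 0, 0)") inherits from the parent, so
// real tooling must walk up to the first opaque ancestor; this helper does not.
function rgbToHex(rgb) {
  const m = rgb.match(/\d+/g) || ['0', '0', '0'];
  return '#' + m.slice(0, 3).map((v) => Number(v).toString(16).padStart(2, '0')).join('');
}

function describeButton(el, clicksToReach) {
  const cs = getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return {
    label: el.textContent.trim(),
    width: r.width,
    height: r.height,
    fg: rgbToHex(cs.color),
    bg: rgbToHex(cs.backgroundColor),
    clicksToReach,
  };
}

// Constructed sample: the "big Accept All, tiny gray Reject link" banner.
const acceptAll = { label: 'Accept All', width: 160, height: 44, fg: '#ffffff', bg: '#000000', clicksToReach: 1 };
const rejectLink = { label: 'Reject', width: 60, height: 18, fg: '#777777', bg: '#ffffff', clicksToReach: 2 };
const verdict = compareChoices(acceptAll, rejectLink);
console.log(verdict.symmetric, verdict.findings); // false, three findings
```

In a browser, describeButton(document.querySelector('#accept'), 1) and describeButton(document.querySelector('#reject'), 1) give you the descriptors directly; the clicksToReach value is the only input you have to count by hand, and it is the one regulators look at first.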

For more on banner design specifics, see our cookie banner best practices guide.

Response Times

Opt-out requests must be honored within 15 business days. For GPC-based requests, the honoring should be immediate on page load, but the 15-day window covers any backend systems that need to propagate the change.

New Sensitive Personal Information Categories in 2026

Two additions to the sensitive PI list took effect this year, and both have direct cookie banner implications.

Neural data is now sensitive PI. This covers EEG signals, brain-computer interface data, and any other neural activity readings collected through consumer devices. Companies in the brain-tech space, makers of gaming peripherals that read brainwaves, and meditation apps that track neural patterns all now fall under the sensitive PI handling rules.

All data from minors under 16 is automatically sensitive. Previously, special handling applied to children under 13 under COPPA-aligned rules. The 2026 expansion covers ages 13 to 15 as well, classifying their data as sensitive by default. Sites that cannot reliably identify visitor age should treat user data conservatively or implement age-gating.

These additions sit alongside the existing sensitive PI categories: health data, biometric identifiers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, contents of mail and messages, and sexual orientation or behavior.

When sensitive PI is involved, the “Limit the Use of My Sensitive Personal Information” link becomes mandatory. The link gives users a way to restrict use of that data to the specific purposes for which it was collected, blocking secondary uses like targeted advertising.

CCPA Enforcement: Who Is Covered and What the Penalties Are

The thresholds determining who must comply with CCPA did not change in 2026, but the adjusted revenue figure did. As of 2025-2026, your business is covered if you meet any one of:

  • $26.625 million or more in annual gross revenue (the 2025-2026 inflation-adjusted threshold)
  • 100,000 or more California consumers or households whose personal information you process
  • 50% or more of annual revenue derived from selling or sharing California consumers’ personal information

Penalties run $2,500 per violation for negligent breaches and $7,500 per violation when intent is established. Each affected consumer can count as a separate violation, which is why fines compound quickly.

Recent Enforcement Cases

The 2025-2026 enforcement record shows where regulators are focused:

  • Disney, $2.75 million in February 2026, for failed effective opt-outs and missing GPC recognition
  • Healthline Media, $1.55 million in July 2025, for failing GPC and sharing sensitive health data
  • Tractor Supply, $1.35 million in August 2025, for not processing GPC until July 2024
  • Honda, $632,500 in March 2025, for an asymmetric banner combined with excessive identity verification on opt-outs
  • Sling TV, $530,000 in October 2025, for a confusing opt-out flow
  • Todd Snyder, $345,000 in May 2025, for a non-functioning consent banner
  • TicketNetwork, $85,000 in June 2025, for related consent issues

Going further back, Sephora’s $1.2 million settlement in 2022 established the precedent that ignoring GPC signals is itself a violation. Enforcement has only intensified since.

The pattern across these cases is consistent: non-functional or confusing opt-out paths, ignored GPC signals, and dark patterns in banner design. Every one of these issues is preventable with a properly configured consent management platform.

Simplifying CCPA 2026 Compliance with CookieTrust

Building all of the above from scratch requires GPC signal detection code, opt-out confirmation UI, symmetric UX styling, geolocation logic to differentiate California visitors, audit logging for every consent event, and a way to track sensitive PI handling. That is easily 100 or more lines of custom code, plus ongoing maintenance as the rules continue to expand through 2030.

Instead of writing all that yourself, CookieTrust handles every CCPA 2026 cookie banner requirement automatically with two lines:

<script src="https://cmp.cookietrust.io/gdpr/autoblocker.umd.js"></script>
<script id="cookietrust-cmp" src="https://cmp.cookietrust.io/gdpr/[YOUR-SITE-ID]/latest/v2consent.js" async></script>

What this gives you for CCPA 2026:

  • Auto-Blocker stops all third-party tracking scripts (Google, Meta, TikTok, and others) until the user gives consent, preventing unauthorized selling or sharing before opt-out
  • Geolocation Rules detect California visitors automatically and serve the CCPA-specific banner with the required “Do Not Sell or Share” link, while non-California visitors see the GDPR banner version
  • Built-in GPC detection reads the signal on every page load, honors the opt-out immediately, and displays the required “Opt-Out Honored” confirmation without any custom code
  • Symmetric UX by default means accept and reject buttons share equal prominence and step counts, satisfying the 2026 rule out of the box
  • Proof of Consent generates timestamped audit logs for every consent event and every opt-out, which is the evidence regulators ask for during enforcement actions
  • AI Cookie Scanner identifies every cookie and tracking script on your site and flags which ones involve data selling or sharing
  • Google Consent Mode v2 support keeps your Google Analytics and Ads integrations working correctly under CCPA without breaking attribution
  • 40+ language support with automatic detection serves the right language to US visitors without separate banner setups
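The gating pattern behind an auto-blocker, written out as an added example (this is not CookieTrust's code and does not describe its internals). Third-party tags are authored inert, as type="text/plain" with a data-category attribute, so nothing fires on parse; once the visitor's state is known, only permitted categories are swapped into live script elements. The state shape { regime: 'ccpa' | 'gdpr', choice: 'accept' | 'reject' | 'unset', gpc } and the three category names are assumptions for the example, as is the classification of first-party analytics as not selling or sharing. The regime difference is the caveat a practitioner wants: GDPR is opt-in, so non-essential tags stay blocked until an explicit accept, while CCPA is opt-out, so only tags that sell or share data are gated, and they are blocked by either a reject click or a GPC signal regardless of any earlier accept.

```javascript
// Added example (not CookieTrust code): consent-gated release of inert scripts.
// State shape, category names and the analytics classification are assumptions.

const ESSENTIAL = 'essential';    // consent UI, security, load balancing
const ANALYTICS = 'analytics';    // first-party measurement assumed not to sell/share
const SELL_SHARE = 'sell_share';  // ad pixels and any tag that sells or shares PI

// Which categories may run under this state.
function permittedCategories(state) {
  const allowed = new Set([ESSENTIAL]);
  if (state.regime === 'gdpr') {
    // Opt-in model: nothing non-essential until an explicit accept. A GPC
    // signal is not consent, so it neither adds nor needs to remove anything.
    if (state.choice === 'accept') {
      allowed.add(ANALYTICS);
      allowed.add(SELL_SHARE);
    }
    return allowed;
  }
  // CCPA opt-out model: analytics that does not sell/share is not gated by the
  // opt-out; sell/share runs unless the visitor rejected or the browser sent GPC.
  allowed.add(ANALYTICS);
  const optedOut = state.gpc === true || state.choice === 'reject';
  if (!optedOut) allowed.add(SELL_SHARE);
  return allowed;
}

// Pure and testable: ids of the scripts that may run under this state.
function selectScriptsToRelease(scripts, state) {
  const allowed = permittedCategories(state);
  return scripts.filter((s) => allowed.has(s.category)).map((s) => s.id);
}

// Browser glue: swap permitted inert tags for live ones. A freshly created
// <script> executes when it is inserted, so replaceWith() is the release.
// A tag with an unknown category is treated as sell_share (fail closed).
function releaseBlockedScripts(doc, state) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const known = [ESSENTIAL, ANALYTICS, SELL_SHARE];
  const descriptors = inert.map((el, i) => ({
    id: i,
    category: known.includes(el.dataset.category) ? el.dataset.category : SELL_SHARE,
  }));
  const release = new Set(selectScriptsToRelease(descriptors, state));
  let count = 0;
  inert.forEach((el, i) => {
    if (!release.has(i)) return;
    const live = doc.createElement('script');
    if (el.dataset.src) live.src = el.dataset.src;
    else live.textContent = el.textContent;
    el.replaceWith(live);
    count += 1;
  });
  return count;
}

// Constructed sample tags; hosts are placeholders, not real vendors.
const TAGS = [
  { id: 'cmp', category: ESSENTIAL, src: '/cmp.js' },
  { id: 'site-analytics', category: ANALYTICS, src: 'https://analytics.example/collect.js' },
  { id: 'ad-pixel', category: SELL_SHARE, src: 'https://ads.example/pixel.js' },
];

const californiaWithGpc = { regime: 'ccpa', choice: 'unset', gpc: true };
console.log(selectScriptsToRelease(TAGS, californiaWithGpc)); // [ 'cmp', 'site-analytics' ]

if (typeof document !== 'undefined') {
  releaseBlockedScripts(document, californiaWithGpc);
}
```

To use the DOM half, author each third-party tag as an inert element such as <script type="text/plain" data-category="sell_share" data-src="https://ads.example/pixel.js"></script> and call releaseBlockedScripts once the regime and the visitor's state (including the GPC check) have been resolved; calling it before the GPC check is the mistake that turns a compliant opt-out model into a "sold before we asked" finding.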

For a full feature breakdown, see CookieTrust features.

The comparison is straightforward: 2 lines of code with CookieTrust versus 100+ lines of custom GPC detection, opt-out confirmation, symmetric UX, and audit logging. And every time the rules expand (which they will, repeatedly, through 2030), the platform updates without you touching the code.

ADMT and What to Prepare for 2027

Automated Decision-Making Technology, or ADMT, refers to AI systems that make significant decisions about consumers. The CCPA 2027 rules cover decisions in five domains:

  • Financial services: credit approvals, loan underwriting, insurance pricing
  • Housing: rental approvals, mortgage decisions
  • Education: admissions, scholarship decisions, academic placement
  • Employment: hiring screens, promotion decisions, performance evaluations
  • Healthcare: access decisions, treatment authorizations, coverage determinations

Two main obligations apply when ADMT is used for a covered decision. First, businesses must provide a pre-use notice explaining that AI is involved in the decision, what data feeds the system, and how it influences the outcome. Second, consumers gain the right to opt out of automated decision-making for decisions that significantly affect them.

The January 1, 2027 effective date sounds far off, but auditing your AI tooling takes time. If your hiring software uses an ML resume screen, your loan-application flow runs a risk model, or your healthcare booking uses algorithmic prioritization, those systems need notice language and opt-out paths designed and tested before the deadline.

Conclusion

January 1, 2026 marked the most significant CCPA enforcement shift since the law passed. Six new requirements are live now, more deadlines roll out through 2030, and the recent enforcement cases show regulators are taking the new rules seriously.

Three takeaways to act on this week:

  1. Audit your cookie banner against the 2026 rules: GPC detection, opt-out confirmation, symmetric UX, and required links
  2. Map your CCPA timeline through 2030, including data broker obligations, ADMT compliance, and the cybersecurity audit phase that affects your revenue tier
  3. Document risk assessments and consent logging now so you have evidence ready when enforcement comes knocking

The companies that paid millions in 2025 and 2026 all had the same problem: their banners did not match the new rules, and they lacked the audit trail to defend their practices. Both gaps are solvable with the right consent management platform.


Take the next step: Start your free CookieTrust trial and meet CCPA 2026 requirements in minutes.
