Nixon Digital

CCPA 2026 Website Compliance: What Changed and What Your Website Must Do Now

January 1, 2026 marked a significant shift in US privacy regulation. The California Privacy Protection Agency rolled out new requirements under the CCPA, affecting every website collecting data from California residents. If your organization serves US customers, these changes demand immediate attention.

This post explains what actually changed, why it matters for your website and the specific steps you need to take now. We’ll skip the regulatory theater and focus on what affects your operations.

What Changed in the CCPA on January 1, 2026

The CCPA already required businesses to respect consumer privacy rights. The 2026 updates make those requirements concrete and enforceable through new technical and procedural standards that directly impact how your website collects and shares data.

Risk Assessments Now Mandatory for “Significant Risk” Activities

The California Privacy Protection Agency now requires businesses to conduct data protection impact assessments (DPIAs) for any processing activity that presents significant risk to consumer privacy or security. This means your website team needs to document which data flows carry risk.

The regulation doesn’t define “significant risk” with mathematical precision. Instead, it points to factors like whether you’re processing sensitive personal information, selling data, or using automated decision-making. If your website does any of these things, expect that you need a DPIA.

What does a DPIA look like? It’s essentially a documented risk assessment. You identify what personal data you collect, where it goes, how long you keep it and what could go wrong. Then you describe how you’re mitigating those risks. This becomes your evidence of compliance if the CPPA audits you.

Sensitive Personal Information Now Includes Data from Anyone Under 16

The CCPA already had a definition of “sensitive personal information” (things like social security numbers, financial account data and health information). The 2026 update expands this: any personal data from someone under 16 now counts as sensitive PI, regardless of what that data is.

This is significant if your website doesn’t have explicit age verification. If you collect any personal data and can’t prove the user is 16 or older, you must treat all their data as sensitive. That means you need affirmative consent before collection, not just an opt-out right.

For most websites, this usually means either adding age verification to your user flow (asking for a birthdate) or making a business decision to treat all user data as if it came from someone under 16. Both approaches are valid; the first is more precise.

Opt-Out Confirmation Must Display “Opt-Out Request Honored”

When a consumer requests to opt out of the sale of their personal information, your website must display a confirmation message. Specifically, it must show “Opt-Out Request Honored” or substantially similar language.

This isn’t optional theater. If a consumer opts out and your website doesn’t show this confirmation, the CPPA considers the opt-out ineffective. You’re also required to remember their opt-out preference and honor it on return visits using a persistent identifier like a cookie.

Consent Cannot Be Re-Requested for the Same Purpose Within 6 Months

The CCPA now prohibits you from re-requesting consent for the same purpose if the consumer has already declined within the last 6 months. This stops the common pattern of “consent fatigue” where companies ask the same question repeatedly hoping for a different answer.

For websites, this means if someone declines to share their location for marketing purposes, you cannot ask again in the same month or three months later. You must wait a minimum of 6 months before requesting again.

Data Broker Disclosure Requirements Expanded

If your website sells or shares data with data brokers, you must now disclose this specifically in your privacy policy and explain how consumers can opt out of that sharing. Many websites partner with analytics vendors, ad networks and data enrichment services. These partnerships may constitute “sales” under the CCPA statute. Documenting them and making them transparent is now non-negotiable.

What Your Website Must Do for CCPA 2026 Compliance

The 2026 updates move CCPA from legal requirements to operational requirements. Here’s what actually changes on your website and in your processes.

Implement Persistent Opt-Out Compliance

Your website needs two technical components for opt-out compliance. First, you need a clear, functional way for consumers to opt out of the sale or sharing of their personal information. This usually appears as a link in your footer or privacy policy. Second, you need to store and honor that preference across sessions, typically using a secure cookie or account preference.

When someone opts out, verify that your consent management platform or backend system stops sending their data to third parties who would “sell” or “share” it. This is where many websites fail compliance audits. They have an opt-out button, but data still flows to advertisers behind the scenes.

Test this: opt out, clear cookies, revisit the website. If you see a tracking pixel fire or an ad network request succeed, you have a compliance gap.

Recognize Global Privacy Control Signals and Browser-Based Opt-Outs

Eleven states now require businesses to recognize the Global Privacy Control (GPC), a browser signal that indicates a consumer’s privacy preference. The CCPA now includes this requirement. If a user’s browser sends the GPC signal, you must treat it as a valid opt-out request.

California and other states also require you to respect browser-based opt-out mechanisms, such as “Do Not Track” headers where applicable, as well as emerging standards.

For your website team, this means configuring your consent management platform or tag manager to check for the GPC signal on page load. If present, disable sale and sharing tags without requiring an additional click from the user.
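The following is an added example, not Nixon Digital’s code, showing one way to wire up the mechanics described above and in the opt-out and six-month sections: a page-load check that treats either a GPC signal or a stored opt-out cookie as a valid opt-out, a tag gate that suppresses only sale/share tags, the “Opt-Out Request Honored” confirmation, and the six-month re-request check. The cookie name `usp_optout`, its 12-month lifetime, the `sellsOrShares` tag flag and the calendar-month arithmetic are assumptions for illustration.

```javascript
const OPT_OUT_COOKIE = "usp_optout";             // assumed cookie name
const OPT_OUT_MAX_AGE = 60 * 60 * 24 * 365;      // assumed: honor the preference for 12 months
const CONFIRMATION_TEXT = "Opt-Out Request Honored";

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Page-load check: a GPC signal (navigator.globalPrivacyControl === true, which
// browsers expose when they send Sec-GPC: 1) or a previously stored opt-out
// cookie both count as a valid opt-out. `nav` is navigator, `cookieString` is document.cookie.
function evaluateOptOut(nav, cookieString) {
  const gpc = Boolean(nav && nav.globalPrivacyControl === true);
  const stored = parseCookies(cookieString)[OPT_OUT_COOKIE] === "1";
  return { optedOut: gpc || stored, source: gpc ? "gpc" : (stored ? "cookie" : null) };
}

// Explicit opt-out click: persist the preference in a Secure cookie and return
// the confirmation text the page must display.
function recordOptOut() {
  const cookie = `${OPT_OUT_COOKIE}=1; Max-Age=${OPT_OUT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
  return { cookie, confirmation: CONFIRMATION_TEXT };
}

// Tag gate: when opted out, only tags marked as selling/sharing are dropped;
// strictly necessary tags still load. Returns the ids of tags to load.
function selectTagsToLoad(tags, decision) {
  return tags.filter(t => !(decision.optedOut && t.sellsOrShares)).map(t => t.id);
}

// Six-month rule: after a decline, the same purpose may not be asked again
// before the same calendar day six months later (ISO 8601 date strings, UTC).
function canReRequestConsent(lastDeclinedIso, nowIso) {
  const earliest = new Date(lastDeclinedIso);
  earliest.setUTCMonth(earliest.getUTCMonth() + 6);
  return new Date(nowIso) >= earliest;
}
```

In the page, run `evaluateOptOut(navigator, document.cookie)` before any tag manager container loads and pass the result to `selectTagsToLoad`; on an opt-out click, write `recordOptOut().cookie` to `document.cookie` and render the returned confirmation text.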

Update Your Privacy Policy for 2026 Requirements

Your existing privacy policy likely covers basic CCPA rights. The 2026 updates require more detail.

Document which processing activities undergo data protection impact assessments and why. You don’t need to publish the full DPIA, but your privacy policy should acknowledge that you conduct them and describe your general approach to risk management.

Explain your sensitive personal information policy, specifically how you handle data from users under 16. If you require age verification, describe the mechanism. If you treat all data as potentially from minors, state that.

List any data brokers you work with and link to their privacy policies. This transparency requirement is new and specific.

Describe your opt-out confirmation mechanism and retention policy (how long you honor the preference). Include language about GPC recognition.

Your privacy policy becomes your compliance evidence. Law enforcement and the CPPA read these closely.

Implement Age Verification or Adopt Conservative Data Handling

The sensitive PI expansion for users under 16 forces a decision: build age verification or assume all data is sensitive.

Age verification can range from simple (asking for birthdate) to robust (document upload, third-party verification services). For most websites, asking users to confirm they’re 16 or older at signup or first visit is sufficient. Document this and keep records.

If you skip age verification, then treat all collected data as sensitive personal information. This means you need affirmative opt-in consent before collecting it, not just an opt-out right. It also means the data has stronger security obligations under the law.

Neither approach is wrong. The choice depends on your business model. An e-commerce website might use verification. A news website might use conservative assumptions.

The Bigger Picture: 20 US States and Counting

The CCPA was the first state privacy law to establish broad consumer rights. As of April 2026, 20 states now have similar laws: California, Colorado, Connecticut, Delaware, Indiana, Kentucky, Montana, Nevada, New Hampshire, Oregon, Rhode Island, Tennessee, Texas, Utah, Vermont, Virginia and others.

Each state’s law differs slightly. Virginia’s VCDPA focuses on algorithmic processing. Colorado’s CPA emphasizes targeted advertising. Indiana’s new law (effective 2027) covers personal data processing broadly.

For your website, the practical reality is that you need a privacy program that covers all these states simultaneously. Fortunately, compliance with the strictest law (California) usually gets you most of the way to compliance with others.

Universal Opt-Out Is Becoming Standard

Eleven states now require recognition of universal opt-out mechanisms like Global Privacy Control. This trend will accelerate. Websites that build GPC support today won’t need to rebuild when more states require it.

The real compliance challenge is not CCPA 2026. It’s managing privacy across 20 state regimes. The CCPA updates are one piece of a larger puzzle.

CCPA vs GDPR: Key Differences for Website Compliance

Many organizations think of CCPA as “GDPR for the US.” This misses the actual design differences, which affect how you operate your website.

Opt-Out vs Opt-In

GDPR uses opt-in: you need explicit consent before collecting personal data for marketing or analytics. CCPA uses opt-out: you can collect and use personal data, but consumers have the right to opt out of sales and sharing.

This changes your website. Under GDPR, you show a consent banner before tracking pixels load. Under CCPA, you can load tracking pixels but must honor opt-out requests.

Neither is inherently easier. Opt-out is simpler to implement but creates more consumer complaints. Opt-in is more friction for users but clearer legally.

“Sale” and “Sharing” Are Broader Than You Think

Under CCPA, “sale” includes when you receive any monetary or valuable consideration for personal information. This includes free services from ad networks in exchange for user data. “Sharing” includes passing data to third parties for behavioral advertising.

Many websites unknowingly trigger these definitions through ordinary use of Google Analytics, Facebook pixels or programmatic advertising. The CCPA requires you to notify consumers and provide an opt-out for these relationships.

GDPR treats this differently: data transfers to US vendors often require data processing agreements and specific legal bases. CCPA requires simpler notification and opt-out rights.

For a detailed comparison guide, explore our upcoming blog on these differences. For now, understand that CCPA compliance is different from GDPR compliance, not easier or harder, just different.

Wrapping Up: What to Do This Week

Here’s a practical checklist:

  1. Audit your website’s data flows. Identify who receives personal data from your website (analytics vendors, ad networks, CRM systems, data brokers).
  2. Check whether you have an opt-out mechanism for sales and sharing. Test it: opt out and verify that third-party data sharing stops.
  3. Update your privacy policy to disclose data broker relationships, explain your sensitive PI handling for users under 16 and describe your opt-out confirmation process.
  4. Configure your consent management platform or tag manager to recognize Global Privacy Control signals.
  5. Document your data handling practices. If you process large amounts of sensitive data or use automated decision-making, document your risk assessment.

The CCPA 2026 updates are enforceable. The CPPA has authority to issue fines: $7,500 per intentional violation, $2,500 per unintentional. More importantly, consumers can sue for data breaches and certain violations. Non-compliance creates legal and financial exposure.

If you’re building a compliance program from scratch, start with California. Then expand to the other 19 states that have passed laws. The regulatory picture will continue to shift, but the foundations you build now won’t become obsolete.


Questions about CCPA 2026 compliance? Use Nixon Pro to scan your website for pre-consent tracking, consent implementation gaps and third-party data flows that may affect your CCPA 2026 compliance obligations.
