On February 11, 2026, California Attorney General Rob Bonta announced a $2.75 million settlement with Disney and ABC — the largest CCPA penalty on record. Within weeks, California's privacy enforcement division followed up with two more actions against Ford and PlayOn Sports, bringing total 2026 CCPA penalties to over $4.2 million in under three months.
None of these cases involved sophisticated data breaches or complex legal theories. They were mostly about opt-out failures: businesses that weren't properly processing Global Privacy Control signals, weren't displaying opt-out confirmations, or made it harder to opt out than to opt in. These are exactly the kinds of things a CCPA compliance checker finds in minutes.
The California Privacy Protection Agency finalized a major package of updated CCPA regulations effective January 1, 2026. If you haven't reviewed your privacy practices since then, there's a real chance you're already out of compliance.
Who has to comply with CCPA
CCPA applies to for-profit businesses that do business in California and meet at least one of these three thresholds:
- Annual gross revenue over $25 million (global, not just California revenue)
- Buy, sell, or share personal information of 100,000+ California consumers or households per year
- Derive 50%+ of annual revenue from selling or sharing California consumers' personal information
If you're B2B-only and don't handle California consumer data, you might be out of scope — but be careful here. The employee data exemption expired January 1, 2023. California employees, job applicants, and contractors now have full CCPA rights. If you have any California-based employees, CCPA applies to your HR practices too.
The 100,000 consumer threshold is easier to hit than people realize. A mid-sized SaaS product with California users, an e-commerce site, or any app with meaningful traffic — you can cross 100,000 California data touchpoints without noticing it.
What changed on January 1, 2026
The CPPA's September 2025 regulation package made several requirements mandatory that were previously either voluntary or ambiguously worded. Here's what actually changed:
Mandatory opt-out confirmation display
This is the one that got Disney. When a consumer sends a Global Privacy Control (GPC) signal or submits an opt-out request, your website now must visibly confirm that the request has been processed. One acceptable approach: display an "Opt-Out Request Honored" message in your privacy settings. Silently processing the signal without acknowledgment is no longer enough.
GPC signal detection is not optional
GPC is a browser-level privacy signal — think of it as a system-wide "Do Not Sell" setting. If a user enables GPC in their browser, your site must detect it, treat it as a valid opt-out, and not set tracking cookies. Twelve US states now require businesses to honor GPC signals, making it effectively a national standard for any company with meaningful US web traffic.
Symmetrical consent requirements
If you offer a way to opt in to data selling or sharing, opting out must require the same number of steps or fewer. You can't bury the opt-out behind three menu layers while making opt-in a single click. This sounds obvious, but a lot of cookie consent implementations failed this test.
Expanded right to know
Consumers can now request personal information going back to January 1, 2022. If you haven't been logging what data you collect from California consumers with enough granularity to respond to historical requests, that's a gap you need to close.
Automated decision-making technology (ADMT) rules
If you use automated systems that make significant decisions about consumers — credit decisions, hiring screening, targeted advertising based on inferences — you now have pre-use notice and opt-out obligations. This is new territory for a lot of companies using AI-driven personalization or recommendation systems.
DELETE Act and the DROP deadline
California's DELETE Act requires data brokers to connect to the California Privacy Protection Agency's Data Rights Optout Platform (DROP) by August 2026. If your business qualifies as a data broker under California law, defined broadly as a business that collects and sells personal information about consumers it has no direct relationship with, this is a hard deadline with enforcement teeth.
What a CCPA compliance checker actually examines
A good CCPA compliance checker isn't just scanning for the words "Do Not Sell." It reviews your privacy policy and practices across five areas where violations actually happen:
1. Privacy policy required disclosures
Your privacy policy must disclose: what categories of personal information you collect, the purposes for collecting it, the categories of third parties you share it with, consumer rights under CCPA, and how consumers can exercise those rights. Missing or vague language in any of these sections creates exposure. "We may share your data with partners for marketing purposes" doesn't satisfy CCPA's specificity requirements.
2. Consumer rights processes
CCPA gives California consumers five rights: right to know (what you collected and why), right to delete, right to correct, right to opt out of sale/sharing, and right to non-discrimination. You need documented processes for each, including timelines: you have 45 days to respond to most requests, with one 45-day extension if needed. A compliance checker looks for whether these processes are described in your policy and whether your stated timelines are legally compliant.
3. Opt-out mechanism implementation
The "Do Not Sell or Share My Personal Information" link must be prominently displayed. Post-January 2026, you also need opt-out confirmation and GPC signal processing. Many businesses have the link but fail on the mechanics — the opt-out doesn't actually work, doesn't process GPC signals, or doesn't display confirmation.
4. Data categories and third-party disclosures
CCPA requires you to disclose 11 specific categories of personal information (identifiers, commercial information, biometric data, geolocation, etc.) if you collect them. Your privacy policy needs to check those boxes explicitly, not describe data in generic terms that map to those categories if you squint.
5. Financial incentive programs
If you offer discounts, rewards, or different prices in exchange for personal information — loyalty programs, referral bonuses, data-for-discount arrangements — CCPA requires a separate financial incentive notice explaining the material terms. A lot of small businesses with loyalty programs are missing this entirely.
Check your privacy policy against CCPA requirements
PolicyAudit scans your privacy policy documents against current CCPA requirements — including the January 2026 changes — and shows you exactly which disclosures are missing or incomplete. Free for up to 3 documents, no credit card required.
Check your CCPA compliance for free →
The CCPA compliance checklist
Here's what you should be verifying right now. These map directly to the areas regulators have focused enforcement on.
- Privacy policy discloses all 11 CCPA data categories you actually collect
- Privacy policy states purposes for collection and third-party sharing categories
- "Do Not Sell or Share My Personal Information" link is visible in site footer
- Opt-out confirmation message displays when a request is processed
- GPC browser signals are detected and treated as valid opt-out requests
- Opt-out requires the same or fewer steps than opt-in
- Documented process for responding to right-to-know requests within 45 days
- Documented process for right-to-delete and right-to-correct requests
- Non-discrimination policy stated (can't penalize consumers for exercising rights)
- ADMT pre-use notice if using AI for significant consumer decisions
- Financial incentive notice if operating loyalty or rewards programs
- Employee privacy notice if you have California-based employees
The items added or tightened by the January 2026 changes (opt-out confirmation, GPC processing, opt-out symmetry, and ADMT notice) are the ones most frequently missed. GPC processing in particular is technically non-trivial: your consent management platform or tag manager has to actually read the GPC header and suppress tracking cookies, not just display a banner.
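Because the GPC paragraph earlier on the page and this checklist item both come down to the same mechanic (read the signal, treat it as an opt-out, stop sale/share trackers, and show a confirmation), here is one added example of that logic in JavaScript. It is not code from this page or from PolicyAudit. It assumes a framework-agnostic request shape with `headers` and `cookies` maps, a hypothetical first-party cookie named `ccpa_optout` used to remember the opt-out, and tag definitions flagged with a `sellsOrShares` boolean; the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property are the two signal forms defined by the GPC specification.

```javascript
// Added example: honoring a Global Privacy Control (GPC) signal server-side.
// Request shape (hypothetical): { headers: {name: value}, cookies: {name: value} }.

// True only when the request carries the exact GPC opt-out value "1"
// (header names are matched case-insensitively; any other value is ignored).
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Browser-side equivalent: the GPC spec exposes the same signal on the
// navigator object. Takes the navigator as a parameter so it can be unit-tested.
function clientHasGpc(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Decide whether sale/share trackers may fire for this request and what the
// consumer must be shown. `ccpa_optout` is a hypothetical first-party cookie
// ("1" means the consumer opted out on an earlier visit).
function evaluateOptOut({ headers = {}, cookies = {} } = {}) {
  const gpc = hasGpcSignal(headers);
  const storedOptOut = cookies.ccpa_optout === '1';
  const optedOut = gpc || storedOptOut;
  return {
    optedOut,
    source: gpc ? 'gpc' : storedOptOut ? 'cookie' : 'none',
    allowSaleShareTrackers: !optedOut,
    // Visible acknowledgment required since January 2026; null means nothing to show.
    confirmation: optedOut ? 'Opt-Out Request Honored' : null,
    // Persist a fresh GPC opt-out so a later visit without the signal is still honored.
    setCookies: gpc && !storedOptOut
      ? ['ccpa_optout=1; Path=/; Secure; SameSite=Lax; Max-Age=31536000']
      : [],
  };
}

// Given a tag inventory, keep only the tags allowed to fire under the decision.
// Tags that do not sell or share (e.g. first-party analytics) are unaffected.
function allowedTags(tags, decision) {
  return tags.filter((tag) => !tag.sellsOrShares || decision.allowSaleShareTrackers);
}

// Constructed sample: a request from a browser with GPC enabled.
const sampleRequest = { headers: { 'Sec-GPC': '1', Host: 'example.com' }, cookies: {} };
const sampleTags = [
  { name: 'first-party-analytics', sellsOrShares: false },
  { name: 'ad-network-pixel', sellsOrShares: true },
];
const sampleDecision = evaluateOptOut(sampleRequest);
console.log(sampleDecision.confirmation, allowedTags(sampleTags, sampleDecision).map((t) => t.name));
```

The `confirmation` string is meant to be rendered in the privacy settings page or banner, not just logged, since the point of the January 2026 change is that the consumer can see the request was honored. Gating the tag inventory on `allowSaleShareTrackers` rather than on whether a banner was displayed is what closes the gap the enforcement actions describe.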
Common CCPA violations in 2026 enforcement
Looking at the enforcement actions so far this year, a pattern is clear. The CPPA and AG aren't going after obscure edge cases. They're looking for:
- Opt-out mechanisms that don't work. The link exists, but submitting the opt-out form doesn't actually stop data selling. This was central to the Ford action.
- GPC signals that are ignored. A user has GPC enabled, hits your site, and you're still setting ad targeting cookies. Your consent banner might show, but the technical implementation doesn't respect the browser signal.
- Overly complex opt-out flows. Opt-out requires creating an account, verifying email, waiting for a confirmation link, and clicking through a survey. Meanwhile, opting into your rewards program is one click. This violates the symmetry requirement.
- Vague or incomplete privacy policies. "We may share with third parties" without specifying categories doesn't meet the disclosure requirements. Regulators are now checking for specificity, not just presence.
The practical lesson from these actions: most CCPA violations aren't about exotic data practices. They're about documentation and implementation failures that a compliance review would catch.
CCPA vs. GDPR: what's different
If you're already GDPR-compliant, CCPA isn't as daunting — but it's not the same thing. A few key differences:
| Area | GDPR | CCPA/CPRA |
|---|---|---|
| Lawful basis | Required for processing (consent, legitimate interest, etc.) | No explicit lawful basis requirement — opt-out model instead of opt-in |
| Opt-out mechanism | Varies by basis (withdraw consent, object to processing) | Specific "Do Not Sell or Share" right, GPC signals |
| Request response time | 30 days (extendable to 90) | 45 days (extendable to 90) |
| Private right of action | Broad — any violation can trigger claims | Limited to data breach affecting specific data types |
| Employee data | Covered under GDPR since inception | Added January 1, 2023 (previously exempt) |
| Automated decisions | Article 22 — right not to be subject to solely automated decisions | ADMT rules effective January 1, 2026 |
GDPR compliance doesn't automatically mean CCPA compliance. The opt-out mechanism structures are different, the disclosure categories don't map perfectly, and the January 2026 CCPA additions — particularly the opt-out confirmation requirement — don't have direct GDPR equivalents.
California is no longer alone. Connecticut, Colorado, Virginia, Texas, Florida, and seven other states now have comprehensive privacy laws. If you're trying to be compliant across jurisdictions, the good news is they share a common structure. The bad news is each has specific quirks. PolicyAudit checks your privacy policy against multiple US state privacy frameworks simultaneously — CCPA, CPRA, CTDPA, CPA, and others — so you're not checking each one manually.
How to run a CCPA compliance check
There are a few ways to approach this depending on your budget and how much risk you're carrying.
Option 1: Manual review against the checklist
Work through the checklist above against your privacy policy and website implementation. This is free but time-consuming, and you need someone who understands the specific language requirements — "we collect identifiers including name, email address, IP address" is more compliant than "we collect some personal information."
Option 2: Automated policy scanning
PolicyAudit scans your privacy policy documents against CCPA requirements and highlights missing or incomplete disclosures. It covers the required category disclosures, consumer rights language, and flags vague or generic language that regulators target. You can upload your policy and get results in under a minute. Free for up to 3 documents.
Option 3: Privacy law counsel review
For businesses with complex data practices — significant ad tech, cross-context behavioral advertising, AI-driven personalization, sensitive data categories like health or financial data — a qualified privacy attorney review is worth the investment. The ADMT rules in particular are new enough that attorney guidance on your specific use cases makes sense.
Most businesses should start with options 1 and 2, then bring in counsel for the specific areas that need deeper analysis.
Don't wait for an enforcement letter
PolicyAudit checks your privacy policy against CCPA requirements — including the January 2026 updates — and shows you exactly where your disclosures are incomplete. It takes less than a minute and it's free for up to 3 documents.
Check your privacy policy for free →