Regulations

California Consumer Privacy: 6 Business Changes to Make in 2026

DataShyre Staff
DataShyre Staff Jun 24, 2026
5 min read

California Consumer Privacy: 6 Business Changes to Make in 2026

For a lot of teams, california consumer privacy still means a footer link, a request form, and a cookie banner. That was never enough, and in 2026 it looks especially thin. California regulators are pushing past surface compliance and looking at whether opt-outs actually work, whether data uses match what people were told, and whether rights requests reach the systems and vendors that matter.

California privacy dashboard illustration with consumer rights controls and subtle DataShyre.com branding

If you also support EU users, our GDPR vs. CCPA guide is the fastest way to sort out the overlap. If your next question is vendor selection, this checklist for choosing a consent management provider is a useful follow-on.

California consumer privacy in 2026 is about operational proof

The California Privacy Protection Agency FAQ still gives a clean summary of the rights: Californians can know, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and receive equal treatment for exercising those rights. The hard part is not naming those rights. The hard part is making them work across websites, apps, ad tech, customer systems, and service providers.

That bar rose again when the CPPA’s latest CCPA updates, cybersecurity, risk assessment, ADMT, and insurance regulations took effect on January 1, 2026. In the agency’s announcement of the finalized rules, CPPA General Counsel Phil Laird said the package would “provide clarity for businesses.” It does, but it also leaves less room for vague privacy programs.

Who is actually in scope

Many companies still ask whether they have “enough” California users to worry about. That is not the test. Under the law, a covered business is generally a for-profit entity doing business in California that meets at least one threshold, including annual gross revenue above $25 million, annual buying, selling, or sharing of personal information for 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information. The threshold details sit in California Civil Code section 1798.140, and the CPPA’s latest CPI adjustment notice raised the revenue threshold to $26.625 million effective January 1, 2025.

That matters because some mid-market teams still assume they are too small to worry about california consumer privacy while their data volume or ad-tech footprint quietly pulls them into scope.

What enforcement is telling businesses this year

The clearest message from 2026 is that regulators are testing whether privacy choices change actual behavior.

In February, California announced its Disney settlement, alleging that opt-out requests were not fully applied across devices and streaming services tied to a consumer account. Attorney General Rob Bonta put it plainly: businesses cannot force consumers to “go device-by-device or service-by-service” to opt out.

In May, California announced the General Motors settlement, described by the Department of Justice as the largest CCPA penalty in state history to date and its first data minimization case. Bonta’s line there was just as direct: “More data is not always better.” That is a useful test for any team retaining location data, behavioral data, or product telemetry long after the original service purpose has passed.

In January, the Department of Justice also opened a surveillance pricing sweep, warning that using personal data in ways consumers would not reasonably expect may violate California law. This is where a lot of privacy programs get shaky. A notice may mention personalization in broad terms, but the real question is whether a pricing, targeting, or profiling use would surprise a reasonable consumer.

Six business changes worth making now

1. Recheck your scope analysis

If your company grew, added new ad partners, expanded audience segments, or increased household-level tracking, your old CCPA scoping memo may be stale. Review it against current revenue and data volume.

2. Test opt-outs across every surface

A working footer link on one website is not enough. Check logged-in and logged-out states, connected apps, streaming products, subdomains, and vendor sync behavior. The Disney settlement is a reminder that partial opt-out is still a failure.

3. Treat preference signals as a product requirement

The CPPA FAQ and the California DOJ’s Global Privacy Control page make the point clearly: covered businesses must honor valid opt-out preference signals. If your stack still treats browser-level signals as edge cases, fix that before the next audit or complaint.

4. Tighten request intake and response handling

Under the CPPA FAQ, businesses generally must confirm delete, correct, or know requests within 10 business days and respond within 45 calendar days, with a possible 45-day extension if they notify the consumer. Teams that bury requests in generic support channels usually create their own compliance problem.

5. Review downstream uses, not just collection notices

If your business uses personal data for pricing, ad targeting, profiling, or analytics enrichment, review whether that use fits the purpose limitation and data minimization rules. Privacy programs often document collection well and govern later reuse badly.

6. Map any data broker exposure now

California’s Delete Request and Opt-out Platform, or DROP, is live. The CPPA’s data broker information page says consumers can use the tool now, and starting August 1, 2026, data brokers must access DROP at least every 45 days to retrieve and process deletion requests. For businesses in that ecosystem, this is a dated operational workflow, not a future talking point.

If you are also revisiting disclosure language during this work, our checklist for a GDPR compliant privacy notice can help you tighten the notice side without bloating it.

California privacy workflow illustration showing opt-out signals, deletion requests, vendor data flows, and subtle DataShyre.com branding

The bottom line

California consumer privacy is no longer a policy-page project. It is a systems question: do your opt-outs propagate, do your vendors follow them, do your data uses match what you disclosed, and can consumers actually exercise their rights without friction?

The companies that stay calm in California this year will be the ones that can show proof. Not just wording. Not just banners. Proof.

Sources

  • California Privacy Protection Agency
  • California Department of Justice
  • California Office of the Attorney General
  • California Legislative Information
DataShyre Platform

Ready to fix your privacy program?

Join 3,500+ businesses using DataShyre to automate consent management, DSR fulfillment, and compliance — without the complexity.