Regulations

California Web Privacy Law: What Your Site Must Show in 2026

DataShyre Staff
DataShyre Staff Jul 6, 2026
6 min read

California Web Privacy Law: What Your Site Must Show in 2026

For most teams, california web privacy law is not one rule. It is a stack. At the base, California’s online privacy law expects a real privacy policy on your site. If your business also falls under the CCPA, the bar goes higher: consumer rights, notices, opt-out mechanics, and proof that your website tools actually do what your policy says.

Website privacy controls dashboard with California rights options and subtle DataShyre.com branding

That distinction matters because a lot of websites still look compliant from the footer and still fail in the plumbing. If you need the broader business backdrop first, our guides to California consumer privacy and the California Data Privacy Protection Act are the fastest primers. This article is narrower: what your website needs to publish, honor, and route now.

California web privacy law starts with two layers

The first layer is CalOPPA. California Business and Professions Code section 22575 says an operator of a commercial website or online service that collects personally identifiable information from Californians must conspicuously post a privacy policy. That policy has to say what categories of information the operator collects, what categories of third parties may receive it, how users can review or request changes if that process exists, how material policy changes are handled, and how the operator responds to browser “do not track” signals.

The second layer is the CCPA, as amended by the CPRA. If your business is in scope, your website privacy policy has to do more than sit there. It needs to describe privacy rights and how consumers can exercise them, and the law requires that information to be updated at least once every 12 months. As of January 1, 2025, the revenue threshold is $26.625 million, and the law also covers businesses that buy, sell, or share the personal information of 100,000 or more California residents or households, or derive 50% or more of annual revenue from selling or sharing personal information.

In November 2025, the California Privacy Protection Agency approved updated CCPA regulations that took effect on January 1, 2026. CPPA board member Phil Laird said the package would “provide clarity for businesses.” That is fair. It also makes it harder to hide behind vague disclosures or half-working workflows.

What websites now need to show and honor

If your site is covered, the practical checklist is pretty specific.

First, the policy has to be easy to find. California’s own consumer guidance tells people to review the privacy policy to see what a website collects, why it collects it, how it uses the data, and who it shares it with.

Second, your notice and your tag behavior need to match. If the page says a user can opt out of sale or sharing, the trackers on that page cannot keep firing as if nothing changed. That is where a lot of consent banners quietly fail.

Third, if your business sells or shares personal information, you need a clear way to submit that opt-out. California says covered businesses must offer methods to submit opt-out requests, and for businesses collecting information online, one acceptable method is Global Privacy Control. GPC is the browser-level “stop selling or sharing my data” signal, and California says covered businesses must honor it as a valid request.

Fourth, these California website privacy rules also turn into an operations issue once a consumer asks to know, correct, or delete their information. The CPPA FAQ says businesses must confirm those requests within 10 business days and respond within 45 calendar days, with one extra 45-day extension if the consumer is notified. If your team is still sending those requests through generic support queues with no routing logic, the risk is obvious.

If deletion workflows are what you are tightening next, our article on California privacy law delete data goes deeper on the request side.

Website privacy workflow showing notices, GPC handling, and request routing with subtle DataShyre.com branding

What enforcement is telling website teams

The easiest way to understand california web privacy law in 2026 is to look at what regulators have been willing to allege.

In the 2025 Healthline settlement, California said the publisher used online tracking technology on its health information website in ways that violated the CCPA. The state alleged Healthline failed to let users opt out of targeted advertising, shared data with third parties without required privacy protections, and used a consent banner that did not actually disable tracking cookies when a user turned the box off. That case should make any website team a little uncomfortable, especially if marketing tags are controlled by multiple vendors and nobody has tested the opt-out path end to end.

A month earlier, in a January 2026 enforcement announcement involving Sling TV, Attorney General Rob Bonta said that “every Californian has the right to their online privacy.” Then in February 2026, California announced its Disney settlement. Bonta said businesses cannot force people to “go device-by-device or service-by-service” to stop the sale or sharing of their data. The message for website operators is simple: privacy choices have to propagate across the account, not die on the one browser tab where the user clicked.

That pair of statements is a useful read on California’s posture. The state is not treating privacy pages as decorative compliance assets. It is asking whether the website experience, account logic, ad-tech wiring, and contracts all line up with what the user was told.

A sharper 2026 website checklist

If I were auditing a site this week, I would start here:

  1. Re-read the footer experience. Can a visitor find the privacy policy, the relevant California rights language, and the privacy choices path in seconds?
  2. Map every tracker before rewriting copy. If pixels, SDKs, or ad partners are still collecting after an opt-out, the wording will not save you.
  3. Test GPC and manual opt-outs together. Both should suppress the right flows, and the result should carry across the account where the business links devices or services.
  4. Check request routing, not just request intake. Deadlines matter, but so do the systems and vendors that have to act after the ticket opens.
  5. Review ad-tech and analytics contracts. Healthline is a reminder that website privacy is partly a contract-management problem.

That is the real reading of the law right now. Good websites do not just post disclosures. They keep the disclosures, controls, and downstream data behavior in sync.

The bottom line

In 2026, california web privacy law means your website has to do three things well: explain what data you collect, give Californians workable choices, and make those choices stick in the systems behind the page. If the policy says one thing and the trackers do another, California has already shown it is willing to care.

Sources

  • California Legislative Information
  • California Privacy Protection Agency FAQ
  • California Privacy Protection Agency regulations and announcements
  • California Department of Justice CCPA resources
  • California Department of Justice enforcement actions
DataShyre Platform

Ready to fix your privacy program?

Join 3,500+ businesses using DataShyre to automate consent management, DSR fulfillment, and compliance — without the complexity.