CCPA Cookie Consent Requirements in 2026: What California Sites Actually Need
When teams search for ccpa cookie consent requirements, they usually want a simple answer: does California require a GDPR-style cookie banner before anything loads?
Usually, no. California’s model is centered on opt-out rights, not blanket cookie opt-in. The real question is whether your site sells or shares personal information, whether visitors can stop that without friction, and whether your systems actually honor the choice. If you want the wider baseline first, start with our guides to cookie consent requirements, CCPA cookie consent, and California web privacy law.

The short answer on ccpa cookie consent requirements
For most California websites, the practical job is to:
- disclose tracking and sharing practices clearly;
- offer a real opt-out if cookies, pixels, or ad tech support a sale or sharing of personal information;
- honor Global Privacy Control (GPC) and other valid opt-out signals;
- avoid dark patterns that push visitors toward one outcome; and
- get affirmative opt-in before selling or sharing personal information of consumers under 16.
So California usually does not require a general “click accept first” cookie wall. It does require a working privacy choice when your adtech or measurement setup triggers sale or sharing rules.
What California expects from websites now
1) A real opt-out for sale or sharing
California Civil Code Section 1798.120 gives consumers the right to direct a business not to sell or share their personal information. Section 1798.135 ties that right to the site experience by requiring methods for submitting these requests.
That standard is showing up in enforcement. In the California Attorney General’s October 30, 2025 settlement with Sling TV, Rob Bonta said the company failed to provide consumers “an easy way to opt-out”. That is a useful plain-English benchmark for web teams: if stopping sharing takes hunting, extra clicks, or confusing labels, the flow is probably weak.
2) GPC must change behavior, not just policy text
The California Attorney General says businesses that sell or share personal information must treat a user-enabled GPC signal as a valid request to stop sale or sharing. The CPPA’s consumer FAQ says Californians may exercise the right to opt out of sale or sharing through a user-enabled opt-out preference signal.
This is where many implementations still break. The preference center may look fine while advertising tags, downstream audiences, or account-linked sharing continue anyway. If that happens, the interface is decoration, not control.
3) The interface cannot rely on dark patterns
California regulators are looking at design choices, not just legal wording. In its September 2024 enforcement advisory, the CPPA said businesses should present privacy choices in a clear and balanced way. Michael Macko, the agency’s Deputy Director of Enforcement, put it well: “Dark patterns aren’t about intent, they’re about effect.”
That is a good test for product and growth teams. If ccpa cookie consent requirements are being met only on paper while the interface heavily favors “accept” over “opt out,” the risk is still there.

4) Minors and sensitive data need separate handling
Section 1798.120 says a business cannot sell or share the personal information of consumers under 16 without affirmative authorization. For ages 13 to under 16, that authorization comes from the minor. For children under 13, it must come from a parent or guardian.
Sensitive personal information is a separate layer. Section 1798.121 gives consumers the right to limit certain uses and disclosures of sensitive personal information. If your site handles precise geolocation, health-related information, or similarly sensitive signals, a standard banner may be too narrow a control.
Where enforcement is landing in 2026
If you only test whether a popup appears, you are testing the easy part.
The Attorney General’s privacy enforcement page says Disney agreed on February 11, 2026 to pay $2.75 million to resolve allegations that it failed to fully effectuate opt-out requests across Disney+, Hulu, and ESPN+ for account-linked users. Bonta said businesses cannot force people to go “device-by-device or service-by-service” to stop sale or sharing.
That matters because the law is asking whether the choice flows through tags, vendors, apps, accounts, and suppression logic. A polished banner does not help much if downstream systems keep sharing data.
A practical checklist for web teams
If you need a workable standard, start here:
- Map every cookie, pixel, SDK, and vendor that could support sale or sharing.
- Decide which of those flows create California opt-out rights.
- Confirm GPC changes tag firing and downstream sharing where required.
- Make the privacy path easy to find and easy to complete.
- Review the UI for symmetry, plain language, and minimal friction.
- Add separate handling for under-16 sale or sharing.
- Test logged-in, logged-out, and cross-device experiences so the request is not trapped in one context.
If you are refining the broader standard too, our posts on GDPR cookie consent requirements and cookie consent requirements are useful companion reads.
Bottom line
ccpa cookie consent requirements are best understood as an opt-out compliance problem, not a banner design exercise. California usually does not require a GDPR-style opt-in wall. It does require a real opt-out path, support for GPC, balanced interfaces, and controls that make the user’s choice stick.
Sources
- California Office of the Attorney General
- California Privacy Protection Agency
- California Legislature