Complete Guide to CCPA/CPRA Compliance in 2026 | Solvation

Why CCPA/CPRA Is Still Tripping Companies Up in 2026

If you’re feeling overwhelmed by CCPA and CPRA, you’re not alone. The California Consumer Privacy Act (CCPA) has been around since 2020. The California Privacy Rights Act (CPRA) amended and significantly expanded it starting in January 2023. Yet companies operating California-facing programs consistently miss basic obligations — not because of negligence, but because the landscape keeps shifting.

Think of CCPA/CPRA compliance like keeping your business license current. The baseline requirements were set years ago, but the renewal conditions keep getting updated — and assuming last year’s paperwork is still valid is exactly how companies end up with violations.

The CPRA didn’t just add new consumer rights. It created new enforcement structures, introduced entirely new categories of personal information, extended compliance obligations to new activities, and changed how companies must interpret “selling” and “sharing” data. In 2026, the rule changes accelerated. The California Privacy Protection Agency (CPPA) — the independent enforcement body established by the CPRA — finalized critical new regulations around risk assessments, cookie and pixel handling, data broker requirements, and automated decision-making technology.

If your CCPA/CPRA program was last updated in 2023 or early 2024, you’re missing compliance obligations that are now enforceable.

CCPA vs. CPRA: What Changed and When

The CCPA and CPRA aren’t separate laws. CPRA is an amendment that modifies and extends CCPA. Understanding the timeline matters because the compliance deadlines were staggered over several years.

CCPA (effective January 1, 2020; enforcement began July 1, 2020) gave California consumers the right to know what personal information is collected, the right to delete, the right to opt-out of “sales,” and the right to non-discrimination. It applied to for-profit entities collecting California residents’ data that met one of three thresholds: $25 million in annual revenue, buying/selling personal information of 100,000+ consumers, or deriving revenue from selling/sharing personal data of 100,000+ households.

CPRA (signed November 3, 2020) amended CCPA significantly. Key changes: created a new independent enforcement agency (the CPPA), expanded covered activities to include “sharing” for cross-context behavioral advertising alongside “selling,” added new consumer rights (right to correct, right to limit use of sensitive personal information), introduced “sensitive personal information” as a distinct category, and added new compliance obligations around risk assessments and data broker activities. The for-profit requirement for the revenue threshold was retained. CPRA became operative January 1, 2023, with full enforcement beginning July 1, 2023.

2026 updates (now enforceable) include formal written risk assessment requirements for high-risk processing, new rules around cookies and pixels (reclassifying certain tracking as a “sale” or “share”), refined data broker registration requirements, and new automated decision-making technology (ADMT) opt-out rights for consumers.

Does Your Business Need to Comply? (The Thresholds)

CCPA/CPRA applies to any organization doing business in California and meeting at least one of three thresholds:

  • Annual gross revenues exceeding $25 million (applies to for-profit entities doing business in California)
  • Buys, sells, or shares personal information of 100,000 or more California consumers or households (CPRA updated the language from “receives for commercial purposes” to include “sharing” for cross-context behavioral advertising)
  • Derives 25% or more of annual revenues from selling or sharing California consumers’ personal information (CPRA reduced this from the CCPA’s original 50% threshold and expanded the activities covered to include sharing, not just selling)

If you have any California customers or users and you process their data, assume the CPRA applies. The thresholds are low, and the definition of “personal information” is broad.

What Rights California Consumers Now Have

CPRA gives consumers eight distinct rights, five of which are enforceable as of 2026:

  • Right to know: consumers can request what personal information is collected, used, shared, or sold
  • Right to delete: consumers can request deletion of personal information collected from them (with some exceptions: where needed to complete a transaction, for security, legal compliance, or similar legitimate purposes)
  • Right to correct: consumers can request correction of inaccurate personal information (new right under CPRA)
  • Right to opt-out: consumers can opt out of the “sale” or “sharing” of personal information, and as of 2026, out of targeted advertising, profiling in furtherance of decisions that produce legal/significant effects, and automated decision-making technology
  • Right to limit use: consumers can limit the use of sensitive personal information to purposes necessary to perform requested services (new right under CPRA)
  • Right to data portability: consumers can request their personal information in a portable and readily usable format
  • Right to non-discrimination: companies cannot discriminate against consumers for exercising their rights (cannot deny goods/services, charge different prices, or provide lower quality service)
  • Right to opt-out of automated decision-making technology (ADMT): consumers can opt out of decisions made solely by automated means that produce legal/significant effects concerning them (2026 finalization)

The most misunderstood of these is the right to opt-out of “sharing.” Under CPRA, “sharing” is distinct from “sale” — it means sharing for cross-context behavioral advertising. Both require an opt-out mechanism visible and prominent on the homepage (“Do Not Sell or Share My Personal Information”).

What CPRA Requires of Businesses: The Full Obligation List

CPRA compliance isn’t just about responding to requests. Companies must implement proactive, documented programs. Here’s what you must do:

1. Maintain a Data Inventory and Privacy Policy

Document what personal information you collect, where it comes from, how you use it, who you share it with, and retention periods. Your privacy policy must clearly disclose all of this and be updated within 60 days of any material change.

2. Implement Opt-Out Mechanisms

If you sell or share personal information, you must provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on your homepage. If you process personal information for targeted advertising, profiling, or Automated Decision-Making Technology (ADMT) as of 2026, you must provide opt-out mechanisms for each. These must be single-action, easy to use, and free.

3. Conduct and Document Risk Assessments (2026 Requirement)

CPRA requires you to conduct and maintain written risk assessments for processing activities that present heightened risk. “Heightened risk” includes processing sensitive personal information, large-scale processing, automated profiling or decision-making, and activities that could result in unlawful discrimination. These assessments must document the risk and the safeguards you’ve implemented to mitigate it. This is not a once-a-year checkbox — it’s an ongoing obligation tied to data lifecycle changes.

4. Manage Cookies, Pixels, and Similar Technologies (2026 Requirement)

CPRA rules finalized in 2026 clarified that cookies and pixels used for targeted advertising, cross-context behavioral profiling, or activities that constitute a “sale” or “share” require affirmative opt-in consent before deployment. You cannot rely on “implied consent” or pre-checked boxes. This has forced most companies to rethink their Consent Management Platforms (CMPs). If you’re still using a banner with pre-ticked boxes for analytics or advertising cookies, you’re non-compliant.

5. Honor Data Subject Access Requests (DSARs) and Exercise Requests

You must respond to consumer Data Subject Access Requests (DSARs) to know, delete, correct, or port their data within 45 days (extendable by 45 more days, with notice, for complex requests). You must verify the consumer’s identity but cannot require excessive documentation. You must not charge a fee unless the request is duplicative or frivolous.

6. Register Data Brokers and Limit Their Use

If you use third-party vendors to collect or buy California consumer data (data brokers), you must verify that they are registered with the CPPA and maintain a list of vendors. You cannot use data brokers to collect sensitive personal information without affirmative consumer consent.

7. Disclose Automated Decision-Making and Profiling (2026 Requirement)

If you use Automated Decision-Making Technology (ADMT) or engage in profiling that results in legal or similarly significant effects (credit decisions, employment, housing, health, etc.), you must disclose this clearly in your privacy policy and offer an opt-out mechanism. The CPPA’s 2026 rule also requires you to provide consumers with a mechanism to manually review and dispute automated decisions affecting them.

8. Maintain Vendor Contracts with Required Language

Any service provider who processes California consumer personal information on your behalf must have a contract with you that restricts their use of data to only the purposes you’ve disclosed and prohibits them from selling, renting, releasing, disclosing, or otherwise communicating the personal information to third parties. This contract must be in place before data is shared.

9. Document Compliance and Retain Records

Keep records of your privacy policy versions, risk assessments, vendor contracts, consumer requests, responses, and any corrective actions. Regulators will ask for these. A privacy audit will uncover gaps here immediately.

The 2026 Updates You Can’t Ignore

Four regulatory changes that became enforceable in 2026 are causing the most disruption:

Risk Assessment Requirements

CPRA requires documented, written risk assessments for processing activities presenting heightened risk. The CPPA finalized guidance in early 2026 specifying that “heightened risk” includes processing sensitive personal information at scale, large-scale automated profiling or decision-making, and activities presenting reasonable risk of discrimination or manipulation. Unlike GDPR’s more prescriptive DPIA requirements, CPRA’s risk assessment rules are flexible — but that flexibility means you must be thoughtful about what you document and how. We recommend a matrix-based approach: identify processing activities, categorize risk level (low/medium/high), document the specific risks, and list your mitigation controls. This must be updated whenever you introduce new processing or change how you use data.

Cookie and Pixel Rules

The CPPA’s 2026 rulemaking clarified that persistent cookies and tracking pixels used to follow a consumer across websites (cross-context behavioral advertising) or to profile consumers for purposes that constitute “selling” or “sharing” personal information require affirmative opt-in consent before they’re deployed. You cannot obtain this consent via a privacy banner with pre-ticked boxes or “cookie walls” that block site access unless consent is given. Many companies that believed they were compliant under CCPA learned in 2026 that their cookie implementations were non-compliant under CPRA’s stricter rules.

Data Broker Registration Changes

The CPPA expanded data broker registration requirements in 2026. If you buy or license consumer data from third parties, you must verify that each broker is registered with the CPPA. The list of registered brokers is public. Penalties for using an unregistered broker are steep.

Automated Decision-Making Technology (ADMT) Opt-Out

CPRA gave consumers the right to opt out of decisions made solely by automated means that produce legal or similarly significant effects. The CPPA’s 2026 rule finalized what this means: if you use AI/ML to make decisions about credit, employment, housing, insurance, healthcare, education, or similar consequential matters, you must disclose this and provide an easy opt-out mechanism. Experience shows that many companies aren’t prepared for the operational burden of manual reviews at scale — but providing consumers the ability to request human review and dispute the automated decision is essential.

How to Build a CCPA/CPRA Compliance Program

Compliance isn’t a one-time project. It’s a governance structure. Here’s how to build one:

Step 1: Assess Your Current State

Conduct a privacy audit. Map all systems that collect, process, or store California consumer data. Document data flows, retention periods, and third-party processors. Identify gaps against CPRA requirements. This audit is the foundation for everything else.

Step 2: Update Your Privacy Policy

Your privacy policy must disclose what personal information is collected, where it comes from, how it’s used, who it’s shared with, and how long it’s retained. It must separately address sensitive personal information and explain how you handle it differently. It must include clear links to opt-out mechanisms. It must disclose automated decision-making practices. Most privacy policies written before 2024 are missing these disclosures.

Step 3: Implement Consent Management

If you use cookies, pixels, or similar tracking, you need a Consent Management Platform (CMP) that can record affirmative consent before deploying cookies. OneTrust, Ketch, and Usercentrics are industry-standard platforms. Your CMP must distinguish between essential cookies (which don’t require consent) and non-essential cookies (which do). It must honor opt-out signals from the browser and from your privacy policy page.
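A minimal consent gate illustrating the rules in Step 3, added here as an example (it is not code from the article or from OneTrust, Ketch or Usercentrics): non-essential categories start unconsented, only a user-initiated choice can grant consent, and a Global Privacy Control signal (`navigator.globalPrivacyControl`, assumed here to be the browser opt-out signal meant) withdraws advertising consent. The category names, tag ids and the `source` field are assumptions for illustration.

```javascript
// Added example (not the article's or a CMP vendor's code); names are assumptions.
const CATEGORIES = Object.freeze({
  essential: { requiresConsent: false },   // strictly necessary: no consent needed
  analytics: { requiresConsent: true },
  advertising: { requiresConsent: true },  // cross-context behavioural ads = "share"
});

function createConsentState() {
  // Every category that needs consent starts as "not consented": nothing is
  // pre-ticked, so no non-essential tag can load before an affirmative choice.
  const consents = {};
  for (const [name, cfg] of Object.entries(CATEGORIES)) {
    consents[name] = !cfg.requiresConsent;
  }
  return { consents, log: [] };
}

function recordChoice(state, category, granted, { source = 'system', at = 0 } = {}) {
  // Consent can only be GRANTED by the user's own action; a default or a
  // pre-checked box (source !== 'user') is rejected so it is never mistaken for
  // affirmative consent. Withdrawals are honoured from any source.
  if (!(category in CATEGORIES)) throw new Error(`unknown category: ${category}`);
  if (granted && source !== 'user') return false;
  state.consents[category] = granted;
  state.log.push({ category, granted, source, at }); // audit record for later review
  return true;
}

function applyBrowserOptOut(state, navigatorLike, at = 0) {
  // Global Privacy Control (navigator.globalPrivacyControl === true) is treated
  // as an opt-out of sale/share, so advertising consent is withdrawn even if it
  // was granted earlier in the banner.
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) {
    recordChoice(state, 'advertising', false, { source: 'gpc', at });
    return true;
  }
  return false;
}

function tagsToLoad(state, tags) {
  // Deploy only tags whose category currently has consent (or needs none).
  return tags.filter((t) => state.consents[t.category] === true).map((t) => t.id);
}
// Constructed sample tag list; the ids are placeholders, not real vendor scripts.
const SAMPLE_TAGS = [
  { id: 'session-cookie', category: 'essential' },
  { id: 'analytics-pixel', category: 'analytics' },
  { id: 'ad-retargeting-pixel', category: 'advertising' },
];
```

The `log` array is the record a privacy audit will ask for: who granted or withdrew which category, from which source, and when.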

Step 4: Document Risk Assessments

Create a register of data processing activities that present heightened risk. Document the risks and mitigation controls. Update this quarterly or whenever processing activities change.

Step 5: Establish a DSAR and Exercise Workflow

Build a repeatable process for receiving, verifying, and responding to consumer requests. This should include a central intake point (email, web form), identity verification procedure, data location and compilation, legal review, response, and documentation. Most companies underestimate the operational burden — a mid-market company might receive 50–300 consumer requests per month depending on product and audience.

Step 6: Vendor Management

Review all vendor contracts. Ensure they contain CPRA-compliant restrictions on data use, including language prohibiting sales or sharing of personal information. If a vendor doesn’t agree to these terms, you cannot share California consumer data with them.

Step 7: Ongoing Monitoring and Training

Privacy compliance is not a static state. Assign accountability (privacy lead, legal counsel, or a designated team), schedule quarterly reviews, and ensure key stakeholders understand the rules. New product launches, M&A activities, and vendor additions are high-risk moments for compliance gaps.

Common Compliance Gaps Identified in Audits

Audits of mid-market companies consistently reveal the same gaps:

  • No clear consent management: companies deploying non-essential cookies without documented affirmative consent or with pre-ticked consent boxes
  • Incomplete data inventory: inability to answer basic questions about what personal information is collected, where it’s stored, and how long it’s retained
  • Privacy policy out of sync with practice: privacy policies that don’t accurately reflect how data is actually used or shared
  • No risk assessments: companies processing sensitive personal information or using automated decision-making without documented risk assessments
  • Weak DSAR processes: no centralized intake point, slow response times, identity verification that’s either too weak or too burdensome
  • Vendor contracts missing CPRA language: service provider agreements that don’t include required restrictions on data use
  • Automated decision-making undisclosed: companies using ML to make consequential decisions (churn scoring, credit decisions, pricing) without disclosure or opt-out mechanisms
  • No accountable owner: privacy compliance treated as “everyone’s job” and therefore no one’s responsibility

These aren’t judgment calls or gray areas. They’re clear CPRA violations that regulators cite in enforcement actions.

Next Steps

CCPA/CPRA compliance involves more moving parts than most companies expect. If you’re operating in California without a documented privacy program, or if your program was last updated before 2026, you have compliance gaps.

If your CCPA/CPRA program was last updated before 2025, it is missing enforceable obligations. Our Privacy Audit assesses your current program against 2026 requirements and delivers a prioritized remediation roadmap.
