CCPA Compliance 2026
Last updated: May 2026
Quick answer: CCPA compliance in 2026
- Who must comply: for-profit businesses that handle California residents’ personal information and meet any one of three thresholds — over $26.625 million in annual revenue, buying/selling/sharing the data of 100,000+ Californians, or earning 50%+ of revenue from selling or sharing data. Your physical location does not matter; California residents’ data does.
- What changed January 1, 2026: mandatory opt-out confirmation, enforced honoring of the Global Privacy Control signal, a ban on dark-pattern consent design, and new governance duties — risk assessments, automated-decision-making rules, and cybersecurity audits — phasing in through 2030.
- The penalties: $2,663 per violation and $7,988 per intentional violation or one involving a minor — and each affected consumer can count as a separate violation. There is no guaranteed cure period.
- What enforcement targets: every public CCPA enforcement action to date has involved a failure of the opt-out right. A “Do Not Sell” link that does not actually stop data sharing is the single most fined mistake.
- First step: confirm whether the law applies to you, then build compliance in three layers — foundations, the 2026 consumer-experience rules, and the 2026 governance program.
Check your own status: the CCPA Compliance Self-Assessment
Reading the rules is one thing; knowing where your business stands is another. The interactive CCPA Compliance Self-Assessment below does two things: it walks through the applicability thresholds to estimate whether the CCPA covers you, and it scores your readiness across the three layers of the Compliance Stack, flagging your highest-priority gaps.
The tool produces an educational estimate to help you prioritize — it is not a legal determination. Use its output as the starting point for a conversation with a privacy professional, not as a substitute for one.
CCPA compliance in 2026 is no longer a privacy policy and a “Do Not Sell” link. On January 1, 2026, a package of new California regulations took effect that pushes compliance off the website footer and into your request workflows, your consent design, your vendor contracts, and — for larger businesses — formal risk assessments and independent cybersecurity audits. The businesses being fined right now are not the ones that ignored the law. They are the ones that thought a checkbox covered it.
This guide explains exactly what the California Consumer Privacy Act requires of a business in 2026: whether it applies to you, the consumer rights you must honor, what changed this year, the phased deadlines running through 2030, and what enforcement actually looks like. It includes an interactive self-assessment tool so you can check your own applicability and readiness. One note before we start: this is an operational guide, not legal advice — for decisions specific to your business, work with a qualified privacy attorney.
What is the CCPA — and who is “CalPrivacy”?
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. Within a year, California voters passed Proposition 24, the California Privacy Rights Act (CPRA), which significantly amended and expanded the CCPA and created a dedicated regulator. In practice, “CCPA” in 2026 means the CCPA as amended by the CPRA — one law, one set of obligations.
That regulator is the California Privacy Protection Agency (CPPA), which now also goes by CalPrivacy. It is the first U.S. agency dedicated solely to privacy enforcement and rulemaking, and it shares enforcement authority with the California Attorney General. In September 2025, the California Privacy Protection Agency finalized a major regulations package — covering automated decision-making, risk assessments, and cybersecurity audits — that took effect January 1, 2026. Those rules are the reason this guide exists in its current form.
The CCPA is widely treated as the benchmark for U.S. privacy law. If you build a compliance program that satisfies California, you will have covered most of what the other state privacy laws require — though never assume that automatically.
Does the CCPA apply to your business?
The CCPA applies to a for-profit entity that does business in California, collects California residents’ personal information (or has it collected on its behalf), determines why and how that data is processed, and meets at least one of these three thresholds:
- Revenue — annual gross revenue above $26,625,000. This figure is adjusted for inflation in odd-numbered years; the current amount holds through 2026.
- Volume — buys, sells, or shares the personal information of 100,000 or more California consumers or households per year.
- Data-driven revenue — derives 50% or more of annual revenue from selling or sharing personal information.
Two points trip businesses up. First, the law is extraterritorial: a company in New York or London with no California office is fully covered if it meets a threshold and handles Californians’ data. A SaaS company with 120,000 California users must comply even with modest revenue and no data sales. Second, even if you are not a covered “business,” you may still have CCPA obligations as a service provider or contractor processing data on a covered business’s behalf — and those obligations live in your contracts.
A separate regime applies to data brokers. Under California’s Delete Act, businesses that knowingly collect and sell personal information about consumers with whom they have no direct relationship must register annually with CalPrivacy and, in 2026, honor deletion requests through DROP — the new Delete Request and Opt-out Platform. CalPrivacy has been blunt that “a sale is a sale”: bundling personal data into a larger product does not exempt you.
The consumer rights you must honor
The CCPA grants California residents a set of rights, and a covered business must provide working mechanisms to exercise each one:
- Right to know / access — what personal information you collect, the sources, the purposes, and the third parties you disclose it to. As of 2026, this is no longer capped at a 12-month look-back: if you retain data longer, consumers can request information going back to January 1, 2022.
- Right to delete — to have their personal information erased, subject to specific exceptions.
- Right to correct — to fix inaccurate personal information.
- Right to opt out of sale or sharing — to stop you selling their data or “sharing” it for cross-context behavioral advertising. This is the right enforcement cares about most.
- Right to limit use of sensitive personal information — to restrict how you use data such as precise geolocation, race, health, or login credentials.
- Right to non-discrimination — you cannot penalize a consumer for exercising a right (financial-incentive programs are allowed but tightly constrained).
- Rights regarding automated decision-making — new for the 2027 deadline: notice, opt-out, and access to information about how an automated system reached a significant decision.
You must offer at least two designated methods for submitting requests, respond within statutory timeframes (generally 45 days, extendable), and verify the requester without demanding more information than necessary — over-verification is itself a violation.
The CCPA Compliance Stack: a framework for 2026
Most businesses picture CCPA compliance as a single thing — a privacy policy with a “Do Not Sell” link. In 2026 that is roughly one-third of the picture. To make the full scope manageable, we organize it as the CCPA Compliance Stack: three layers you build from the bottom up, because each depends on the one below it.
- Layer 1 — Foundations. The table-stakes obligations in force since the law matured: privacy notices, the consumer-rights request workflow, the opt-out mechanism, vendor contracts, and reasonable security. If these are broken, nothing above them counts.
- Layer 2 — The 2026 Consumer-Experience Layer. The public-facing rules that took effect January 1, 2026 — mostly changes to your website, app, and consent interfaces.
- Layer 3 — The 2026 Governance Layer. The new back-office obligations — risk assessments, automated-decision-making governance, and cybersecurity audits — phasing in through 2030.
The reason the model matters: enforcement in 2026 is concentrated on Layers 1 and 2, where the failures are visible from outside, while Layer 3 deadlines move steadily closer. A business that pours effort into Layer 3 while its opt-out link is quietly broken has built the stack upside down.
Layer 1 — Foundations
Privacy notices. You need a comprehensive privacy policy, updated at least every 12 months, disclosing the categories of personal information you collect, your purposes, retention periods, the categories you sell or share, and how consumers exercise their rights. You also need a notice at collection delivered at or before the moment you collect data — including through connected devices and apps.
The rights request workflow. A policy that promises rights is worthless without a process that delivers them. You need intake methods, identity verification that does not over-collect, routing to whoever can fulfill the request, and documented response times.
The opt-out mechanism. Covered businesses that sell or share personal information must provide a clear “Do Not Sell or Share My Personal Information” link — and, critically, it must work end to end, stopping downstream data flows to advertising and analytics partners. A link that opens a form that does nothing is the most-fined defect in CCPA history.
Vendor and service-provider contracts. Every contract with a service provider, contractor, or third party that receives personal information must contain CCPA-mandated terms — purpose limitation, a ban on the vendor selling the data, downstream opt-out obligations, and audit rights. Clickwrap and standard platform terms do not automatically qualify; this gap appears in enforcement action after enforcement action.
Reasonable security. The CCPA requires security measures appropriate to the sensitivity and volume of the data you hold. This is also where the law has teeth for individuals: a data breach of unencrypted personal information caused by inadequate security can trigger lawsuits (see Penalties, below).
Layer 2 — What changed on January 1, 2026
The 2026 regulations made several public-facing changes that, for most businesses, require near-term updates to a website or app:
- Mandatory opt-out confirmation. When a consumer opts out — via a link, a cookie banner, or a universal signal — you must give visible confirmation that the request was processed. Displaying an “Opt-Out Request Honored” message is one accepted method. Silent acceptance is no longer enough.
- Honoring the Global Privacy Control. You must detect and honor opt-out preference signals such as the Global Privacy Control (GPC) — a browser-level signal — and your privacy policy must explain how those signals are processed. Ignoring GPC has featured in multiple fines.
- No dark patterns — symmetry of choice. Consent interfaces must be symmetrical: the privacy-protective choice cannot be longer, harder, or more steps than the permissive one. An “Accept All” button paired with a “More Information” link instead of a “Reject All” button fails this test. This applies to every consent surface — banners, preference centers, mobile toggles, checkout prompts.
- Notice timing for connected devices. If you collect data through smart TVs, wearables, or AR/VR devices, notice must be given before or at the time the device collects data.
- Expanded sensitive personal information. The definition now includes neural data, and the personal information of consumers under 16 is treated as sensitive — which can trigger the right to limit and additional opt-out duties.
These are the changes a regulator or a complainant can see from the outside, without an investigation — which is exactly why they are enforcement priorities.
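An added example of how the opt-out confirmation, the Global Privacy Control signal, and an end-to-end opt-out check fit together in code. It is not code from the original article or from CalPrivacy; it assumes a Node-style request object whose header keys are lowercased, a navigator-like object where `globalPrivacyControl` is exposed, a hypothetical stored-choice shape `{ optedOut: boolean }`, and constructed placeholder tag names. The header name `Sec-GPC` and the `navigator.globalPrivacyControl` property are the two signals defined by the GPC specification; everything else is illustrative.

```javascript
// Added example (not the article's code). Demonstrates detecting a GPC signal,
// returning the visible confirmation the 2026 rules call for, and gating
// sale-or-share tags so the opt-out actually stops downstream data flows.

// Detect an opt-out preference signal. Browsers that enable GPC send the
// request header `Sec-GPC: 1` and expose `navigator.globalPrivacyControl`.
function gpcSignalPresent(headers = {}, nav = null) {
  const headerValue = headers["sec-gpc"] ?? headers["Sec-GPC"];
  if (String(headerValue).trim() === "1") return true;
  if (nav && nav.globalPrivacyControl === true) return true;
  return false;
}

// Resolve the visitor's opt-out state from the signal and any stored choice.
// `stored` is a hypothetical persisted record: { optedOut: boolean }.
// A signal-derived opt-out should be persisted for known users so later
// visits without the signal are still honored.
function resolveOptOut({ headers = {}, nav = null, stored = null } = {}) {
  const fromSignal = gpcSignalPresent(headers, nav);
  const fromStored = Boolean(stored && stored.optedOut);
  const optedOut = fromSignal || fromStored;
  return {
    optedOut,
    source: fromSignal ? "gpc-signal" : fromStored ? "stored-choice" : "none",
    // Visible confirmation text expected once the request is processed.
    confirmation: optedOut ? "Opt-Out Request Honored" : null,
  };
}

// Third-party tags grouped by purpose. Names are constructed placeholders.
// "sale-or-share" tags (ad pixels, cross-context analytics) must not load for
// an opted-out visitor; strictly necessary first-party tags may still load.
const TAGS = [
  { id: "first-party-session", purpose: "necessary" },
  { id: "example-ad-pixel", purpose: "sale-or-share" },
  { id: "example-cross-site-analytics", purpose: "sale-or-share" },
];

// Return the tag ids that may be loaded under the given decision.
function tagsToLoad(decision, tags = TAGS) {
  return tags
    .filter((t) => !(decision.optedOut && t.purpose === "sale-or-share"))
    .map((t) => t.id);
}

// End-to-end self-check to run against a staging build: simulate a GPC-only
// visitor, a stored-choice visitor, and a visitor with neither, and confirm
// that sale-or-share tags are suppressed exactly when they should be.
function selfCheck() {
  const gpcOnly = resolveOptOut({ headers: { "sec-gpc": "1" } });
  const storedOnly = resolveOptOut({ stored: { optedOut: true } });
  const neither = resolveOptOut({});
  const noShare = (d) => tagsToLoad(d).every((id) => id === "first-party-session");
  return (
    gpcOnly.optedOut && gpcOnly.confirmation === "Opt-Out Request Honored" && noShare(gpcOnly) &&
    storedOnly.optedOut && storedOnly.source === "stored-choice" && noShare(storedOnly) &&
    !neither.optedOut && neither.confirmation === null && tagsToLoad(neither).length === TAGS.length
  );
}

module.exports = { gpcSignalPresent, resolveOptOut, tagsToLoad, selfCheck, TAGS };
```

The design point is that the decision and the tag gate are the same code path: the confirmation message is only produced when the gate that blocks sale-or-share tags is also engaged, so a page cannot display "Opt-Out Request Honored" while the ad pixel still fires. Running `selfCheck()` against a staging page is the kind of consumer's-eye test the roadmap later recommends.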
Layer 3 — The 2026 governance obligations and their deadlines
The heaviest new obligations are back-office programs, and they phase in over several years. Do not let the distant deadlines create false comfort — each requires substantial groundwork starting now.
Risk assessments. Before conducting high-risk processing — selling or sharing personal information, processing sensitive personal information, or using automated decision-making for significant decisions — a business must complete a documented risk assessment weighing benefits against risks to consumers. New high-risk processing started on or after January 1, 2026 requires an assessment before it begins.
Automated decision-making technology (ADMT). Businesses that use ADMT to make “significant decisions” about consumers — decisions affecting things like employment, lending, housing, or healthcare — must provide a pre-use notice, an opt-out option, and access to meaningful information about the logic and likely outcome. Notably, advertising alone does not count as a significant decision under the final rules.
Cybersecurity audits. Businesses whose processing presents a “significant risk” to consumers must complete an annual independent cybersecurity audit covering 18 control areas. “Significant risk” generally means deriving 50%+ of revenue from selling or sharing data, or having $26.625M+ in revenue while processing the data of 250,000+ consumers or the sensitive data of 50,000+ consumers.
| Deadline | What is required |
|---|---|
| January 1, 2026 | New regulations effective. Layer 2 public-facing rules apply. Risk assessment required before any new high-risk processing. |
| January 1, 2027 | ADMT rules apply — pre-use notice, opt-out, and access for significant-decision uses. |
| December 31, 2027 | Complete risk assessments for high-risk processing that began before 2026 and is still running. |
| April 1, 2028 | First annual risk-assessment summary report and executive attestation due. First cybersecurity audit certification due for businesses with 2026 revenue over $100M. |
| April 1, 2029 | First cybersecurity audit certification due for businesses with 2026 revenue of $50M–$100M. |
| April 1, 2030 | First cybersecurity audit certification due for businesses with 2026 revenue under $50M. |
The risk-assessment summary report must be signed by a senior executive under penalty of perjury, and CalPrivacy or the Attorney General can demand the full underlying reports with 30 days’ notice. Treat documentation as a deliverable, not an afterthought.
Penalties and enforcement: what non-compliance actually costs
CCPA penalties come in two forms. Administrative fines and civil penalties, assessed by CalPrivacy or the Attorney General, are $2,663 per violation and $7,988 per intentional violation or one involving a consumer under 16 (these amounts are inflation-adjusted and current through 2026). Because each affected consumer can count as a separate violation, exposure scales with the size of your user base, fast. Separately, a private right of action lets consumers sue over certain data breaches of unencrypted personal information, with statutory damages of $107 to $799 per consumer per incident.
There is no guaranteed cure period. The CPRA removed the CCPA’s original automatic 30-day right to fix violations before penalties attach; good-faith remediation may be considered, but it is discretionary, not a shield.
Enforcement is escalating sharply, and the pattern is consistent. According to the California Attorney General and CalPrivacy, recent actions include a $632,500 fine against American Honda (March 2025) for an over-burdensome verification process, a record $1.35 million settlement with Tractor Supply (September 2025) for an opt-out link that did not actually stop data sharing — plus deficient notices and vendor contracts — a $2.75 million Attorney General settlement (February 2026) with a streaming company over opt-out failures, and a $12.75 million settlement with General Motors (announced May 2026, subject to court approval) for selling drivers’ data — the largest CCPA penalty to date. The California Attorney General and CalPrivacy have also reported hundreds of investigations in progress, many involving businesses that do not yet know they are targets.
The single most important pattern: every public CCPA enforcement action so far has involved the right to opt out. Not exotic violations — broken opt-out links, ignored GPC signals, and consent designs that nudge users away from the protective choice. CalPrivacy has also confirmed it can investigate conduct dating back to the law’s 2020 operative date. If you fix one thing after reading this guide, make it your opt-out.
A practical CCPA compliance roadmap
If you are building or repairing a program, work in this order — it mirrors the Compliance Stack and front-loads what enforcement targets:
- Confirm applicability. Run the thresholds. Document the conclusion and the date — if you are close to a threshold, monitor it.
- Data-map. Inventory what personal information you collect, where it lives, why you process it, who you share it with, and how long you keep it. Every later step depends on this map.
- Fix the opt-out first. Test your “Do Not Sell or Share” flow end to end. Confirm it actually severs data flows to ad and analytics vendors, and that GPC signals are detected and honored. This is your largest enforcement exposure.
- Repair consent design. Make every choice symmetrical, remove dark patterns, and add visible opt-out confirmation.
- Update notices. Refresh the privacy policy and notices at collection so they accurately describe current practice — including how you handle preference signals.
- Remediate contracts. Audit every service-provider and third-party contract for the required CCPA terms; renegotiate the gaps.
- Stand up the governance layer. Build a risk-assessment template, inventory any ADMT used for significant decisions, and assess whether you cross the cybersecurity-audit threshold.
- Log your decisions. Keep dated records of what you changed, why, and who approved it. If a regulator asks how you implemented the rules, that evidence is your defense.
The honest part: what most CCPA guides won’t tell you
A large share of CCPA content online is published by companies selling consent-management platforms, and it tends to end at the same conclusion: buy the software. A consent tool genuinely helps — but it does not make you compliant, and believing it does is a documented way to get fined.
Consider the enforcement record. Tractor Supply had a “Do Not Sell” link. Todd Snyder had a privacy portal. Both were fined — because the tools were misconfigured and the opt-outs did not actually work. CalPrivacy’s head of enforcement put it plainly: the responsibility “stops with businesses that use” privacy management solutions, not with the vendors. A consent platform that is installed but not correctly wired to your real data flows is arguably worse than nothing: it manufactures evidence of a broken opt-out that a regulator can point to.
Two honest takeaways. First, compliance is an operational outcome — tested data flows, working requests, accurate notices — not a purchased product. Software is a means; the obligation is yours. Second, the most valuable CCPA work is unglamorous and largely free: data-mapping, testing your own opt-out like a consumer would, and reading your consent banner with an adversarial eye. No vendor can do that part for you, and no guide that is mainly selling you something will tell you so.
CCPA compliance in 2026 is more demanding than it was — but it is also more knowable than the volume of alarmed content suggests. Confirm whether it applies to you, build the stack from the bottom, fix the opt-out first, and document as you go.
Frequently asked questions
Who has to comply with the CCPA in 2026?
For-profit businesses that handle California residents’ personal information and meet at least one threshold: over $26.625 million in annual gross revenue; buying, selling, or sharing the personal information of 100,000+ California consumers or households a year; or earning 50%+ of revenue from selling or sharing personal information. The business’s location is irrelevant — what matters is whether it handles Californians’ data.
What changed for CCPA compliance in 2026?
Regulations effective January 1, 2026 added mandatory opt-out confirmation, enforced honoring of Global Privacy Control signals, a ban on dark-pattern consent design, notice-timing rules for connected devices, and an expanded definition of sensitive data. They also introduced new governance duties — risk assessments, automated decision-making rules, and cybersecurity audits — that phase in through 2030.
What are the penalties for CCPA non-compliance?
Administrative fines and civil penalties are $2,663 per violation and $7,988 per intentional violation or one involving a minor, with each affected consumer potentially counting as a separate violation. Data breaches of unencrypted personal information can also trigger consumer lawsuits with statutory damages of $107–$799 per person per incident. There is no guaranteed period to cure a violation before penalties apply.
Does the CCPA apply to businesses outside California?
Yes. The CCPA is extraterritorial. A business located anywhere in the world must comply if it handles the personal information of California residents and meets one of the three thresholds. A physical presence in California is not required.
What is the difference between the CCPA and the CPRA?
The CCPA is the original 2020 law. The CPRA, passed by voters in 2020, amended and expanded it — adding rights, creating the California Privacy Protection Agency, and removing the automatic cure period. In 2026, “CCPA” generally refers to the combined, amended law.
Do I need a “Do Not Sell My Personal Information” link?
If your business sells or shares personal information, yes — and it must work end to end, actually stopping data flowing to advertising and analytics partners. A link that leads to a form that does not sever those flows is the most commonly fined CCPA defect.
What is ADMT under the CCPA?
ADMT is automated decision-making technology — systems that use computation to replace or substantially replace human decision-making. When ADMT is used for “significant decisions” about consumers, businesses must provide pre-use notice, an opt-out, and access to information about the logic involved. These requirements apply from January 1, 2027.
Does the CCPA require a cybersecurity audit?
Only for businesses whose processing presents a “significant risk” to consumers — broadly, those earning 50%+ of revenue from selling or sharing data, or with $26.625M+ revenue while processing data on 250,000+ consumers or sensitive data on 50,000+ consumers. Those businesses must complete an annual independent audit, with first certifications due between April 2028 and April 2030 depending on revenue.
Is CCPA compliance the same as GDPR compliance?
No. They overlap but differ in approach: the CCPA centers on transparency and the right to opt out of data sales, while the GDPR generally requires opt-in consent before processing. A business subject to both must satisfy each — often by detecting a user’s location and applying the appropriate standard.
How long does a business have to respond to a CCPA request?
Generally 45 days from receipt, with a possible extension of another 45 days when reasonably necessary, provided the consumer is notified. You must verify the requester’s identity without demanding more information than necessary.
How we researched this guide: this article is based on the California Consumer Privacy Act as amended by the CPRA, the regulations finalized by the California Privacy Protection Agency in September 2025 and effective January 1, 2026, and published enforcement actions from CalPrivacy and the California Attorney General. The CCPA Compliance Stack and the self-assessment tool are original Axis Intelligence frameworks. This guide is informational and does not constitute legal advice; privacy law is fact-specific and evolving — verify against the CPPA’s official regulations at cppa.ca.gov and consult a qualified privacy attorney for decisions affecting your business. Last updated May 2026; revised as regulations and enforcement develop.
