CCPA Compliance Questions: What Every Business Needs to Know in 2026
UPDATED APRIL 2026
The California Consumer Privacy Act, as amended by the California Privacy Rights Act in 2020, is one of the strictest consumer privacy laws in the U.S. and has been actively enforced since 2020. New regulations that took effect January 1, 2026 added requirements for automated decision-making technology, cybersecurity audits, and risk assessments. California is no longer alone: twenty states now have comprehensive privacy laws on the books. Businesses that collect personal data from consumers in any of these states need updated privacy policies, clear opt-out mechanisms, and documented compliance processes.
Remember when summer meant vacations with the family, sunny days lounging by the pool or even just sleeping in? Yeah, we remember that, too. But in the world of digital marketing, summer also means planning time. Each year, it seems like we’re challenged to meet a new standard online that requires some advanced planning. Whether it’s ADA accessibility for your website, privacy regulation updates, or some change Google has forced on us, there’s always something.
Back in 2019, we wrote about the next dragon businesses would need to slay: the California Consumer Privacy Act, which was about to go live on January 1, 2020. At the time, it felt like a big deal. Turns out, it was just the beginning. Six years later, the CCPA has been amended, expanded, and joined by privacy laws in nineteen other states. The dragon had babies.
Get up to speed on where the CCPA stands today and answer the compliance questions that matter right now.
What Is the CCPA (and What Happened to It)?
The California Consumer Privacy Act was passed on June 28, 2018 and went live on January 1, 2020. Its purpose was to give California residents more control over their personal data, driven by a wave of privacy fears coming out of election tampering scandals, Facebook data breaches, and a general realization that doing anything on the web meant handing over more personal information than most people were comfortable with.
The original CCPA gave California residents the right to know what data was being collected about them, find out whether their data was being sold and to whom, say no to the sale of their data, access their data, and get equal service and pricing even if they exercised those rights.
That was the foundation. Then, in November 2020, California voters passed Proposition 24, which created the California Privacy Rights Act (CPRA). The CPRA did not replace the CCPA. Instead, it amended and expanded the existing law, adding new consumer rights and creating a dedicated enforcement agency. The CPRA amendments took effect January 1, 2023, and the combined law is still commonly referred to as the CCPA.
The biggest additions under the CPRA include a new category of “sensitive personal information” (things like Social Security numbers, precise geolocation, racial or ethnic origin, and now even neural data), the right for consumers to limit how businesses use that sensitive information, stricter data minimization requirements, and the creation of the California Privacy Protection Agency (CPPA), the first dedicated data privacy enforcement body in the United States.
If you were already CCPA compliant back in 2020, that’s a good start. But the law has changed enough that your 2020 compliance work needs a serious review.
What’s New in CCPA Compliance for 2026?
On January 1, 2026, new regulations under the CCPA took effect that significantly expand compliance requirements for businesses. These aren’t minor tweaks. The CPPA adopted final regulations in July 2025 covering four major areas:
Automated decision-making technology (ADMT)
Consumers now have the right to receive notice about, access information regarding, and opt out of businesses’ use of automated decision-making technology. This includes AI-powered systems that make decisions about employment, housing, insurance, and credit. If your business uses algorithms or AI to make decisions that affect people, you now have specific disclosure and opt-out obligations.
Risk assessments
For new processing activities initiated on or after January 1, 2026, assessments must be completed before beginning those activities. For processing activities that started before January 1, 2026, assessments must be completed no later than December 31, 2027.
Cybersecurity audits
Businesses that process personal information in ways that present risk to consumers’ privacy will need to conduct and submit annual cybersecurity audit certifications to the CPPA. The deadlines are phased: April 1, 2028 for businesses making over $100 million, April 1, 2029 for those between $50 million and $100 million, and April 1, 2030 for those under $50 million.
Neural data
Sensitive personal information now includes neural data, or information generated by measuring the activity of a consumer’s central or peripheral nervous system. If that sounds like science fiction, it’s not. Brain-computer interfaces and neurotechnology are growing fast enough that California decided to get ahead of it.
Should I Care About the CCPA?
We got this question a lot back in 2019, and the answer has gotten more complicated.
If you’re a dry cleaner in Omaha who only serves walk-in customers and doesn’t collect personal data online, you’re probably fine. But if your business is online and could serve customers in California, you should be paying attention. The CCPA applies to for-profit businesses that do business in California and meet any one of the following thresholds:
- Annual gross revenue exceeding $25 million (adjusted periodically)
- Buying, selling, or sharing the personal information of 100,000 or more California consumers or households
- Deriving 50% or more of annual revenue from selling or sharing consumers’ personal information
And here’s the thing we predicted back in 2019: we said the CCPA would likely become the framework for a federal privacy law. That hasn’t happened yet, but something arguably more chaotic has. In 2026, twenty states have comprehensive privacy laws in effect, with new laws in Indiana, Kentucky, and Rhode Island joining the lineup on January 1. States like Virginia, Colorado, Connecticut, Texas, and Oregon all have their own versions on the books. Each one has its own thresholds, its own quirks, and its own enforcement mechanisms.
Instead of one federal standard, businesses are now navigating a patchwork of state laws that share a family resemblance but differ in the details. If you operate in multiple states, or if your website is accessible to consumers nationwide, your compliance obligations have gotten a lot wider than just California.
Is the CCPA Being Enforced?
This isn’t a situation where the law is on the books but nobody’s enforcing it. The CPPA and the California Attorney General have been actively going after businesses. In 2025 the CPPA issued its largest fine to date, $1,350,000, against Tractor Supply Company for failures including inadequate privacy notices, missing opt-out mechanisms, and not informing job applicants of their privacy rights.
At a recent meeting, CPPA staff reported that hundreds of investigations and enforcement actions were in progress, many at a stage where the targeted businesses weren’t yet aware they were under scrutiny.
And it’s not just California. State attorneys general across the country are ramping up enforcement under their own privacy statutes. If you’ve been taking a wait-and-see approach, the waiting period is over.
How Do You Become CCPA Compliant? 6 Steps to Follow
Our original compliance steps from 2019 were solid, and the framework still holds. But the specifics need updating. Here’s what we’d recommend today:
1. Tell your team (again)
If your business falls under the CCPA or any other state privacy law, everyone who touches customer data needs to know. That means:
- The poor IT people who are often left out during planning but will be essential for implementation. (Some things never change.)
- Customer service and call center teams who may need to field questions about privacy rights, opt-out requests, and data deletion.
- Marketing, who needs to understand updated rules around data sharing for advertising purposes. Under the CPRA, “sharing” personal information for cross-context behavioral advertising triggers the same opt-out rights as selling it. That’s a big deal for digital advertising.
- HR and recruiting, since employee and job applicant data is now covered.
- Legal, obviously.
2. Take inventory and map your data flows
Before you can update anything, you need to know what you’re working with. This was true in 2019 and it’s even more true now. Document what personal information you collect, how you get it, where you store it, who you share it with, and how long you keep it. The CPRA’s data minimization requirements mean you can’t just collect everything and figure it out later. You need a reason for each category of data you hold, and you need a retention schedule.
If you’re using any automated decision-making tools or AI systems that process consumer data, map those separately. The new ADMT regulations will require specific disclosures and consumer rights around those systems.
3. Update your privacy policy
Your privacy policy from 2020 (or 2023, or whenever you last touched it) is almost certainly out of date. At a minimum, it needs to reflect the expanded categories of sensitive personal information, the new consumer rights under the CPRA, your data retention periods, and any use of automated decision-making technology. The CPPA has specific requirements for how privacy policies must be formatted and what they need to include. This is worth having your lawyer review, not just your marketing team.
4. Update your opt-out mechanisms
The old “Do Not Sell My Personal Information” link on your homepage is still required, but the scope has expanded. Under the CPRA, consumers also have the right to opt out of the sharing of their personal information for cross-context behavioral advertising. New rules also strengthen how businesses must honor opt-out signals, including browser-based Global Privacy Control (GPC) settings. If a consumer’s browser sends a GPC signal, you need to treat that as a valid opt-out request. No workarounds.
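As an added example (not code from this article or from PriceWeber), here is how a web server can recognize the browser’s Global Privacy Control signal and honor it as an opt-out of sale and sharing. It assumes a Node-style headers object with lower-cased header names; the scope names, the stored-preference values, and the record shape are assumptions for illustration.

```javascript
// Added example (not from the article): honoring a Global Privacy Control
// opt-out signal on the server side. Assumes a Node-style headers object with
// lower-cased header names, as http.IncomingMessage provides.

// CPRA opt-out rights that a GPC signal exercises: sale and cross-context sharing.
const GPC_OPT_OUT_SCOPES = ["sale", "sharing"];

// The GPC spec defines the request header "Sec-GPC: 1". Only the exact value "1"
// is a signal; absence or any other value means no signal was sent.
function hasGpcSignal(headers) {
  const value = headers["sec-gpc"];
  return typeof value === "string" && value.trim() === "1";
}

// Decide the opt-out state for this request. A GPC signal is a valid opt-out
// on its own, so it is honored even when a stored preference (e.g. from an
// earlier cookie banner) says "opt-in": the signal is not overridden.
function resolveOptOut(headers, storedPreference) {
  if (hasGpcSignal(headers)) {
    return { optedOut: true, source: "gpc", scopes: GPC_OPT_OUT_SCOPES };
  }
  if (storedPreference === "opt-out") {
    return { optedOut: true, source: "stored", scopes: GPC_OPT_OUT_SCOPES };
  }
  return { optedOut: false, source: "none", scopes: [] };
}

// Gate a downstream action (e.g. loading an ad-tech pixel that "shares" data
// for cross-context behavioral advertising). True only when nothing blocks it.
function mayShareForAdvertising(headers, storedPreference) {
  return !resolveOptOut(headers, storedPreference).scopes.includes("sharing");
}

// Entry for the request log the article recommends keeping: what signal
// arrived, when, and how it was handled. `receivedAt` is passed in so the
// record is reproducible (assumed ISO-8601 string).
function optOutRecord(headers, storedPreference, receivedAt) {
  const decision = resolveOptOut(headers, storedPreference);
  return {
    receivedAt,
    gpcHeader: headers["sec-gpc"] ?? null,
    storedPreference: storedPreference ?? null,
    ...decision,
  };
}
```

The same signal is visible to front-end scripts as `navigator.globalPrivacyControl`, so client-side tag loading should consult it before any server round trip.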
5. Create a process to handle consumer requests
Consumers have a lot of rights under the current law, and your business needs a process for handling each of them. They can:
- Request a copy of their personal information
- Ask you to delete it
- Find out what categories of data you’re selling or sharing
- Opt out of the sale or sharing of their data
- Limit your use of their sensitive personal information
Every request still needs to be processed within 45 days. Document everything: confirmation numbers, response timelines, the works. One of the things we saw with ADA compliance was a rise in lawsuits following new requirements, and the same pattern holds here. Documentation and consistent response times are your best defense.
6. Get secure and prepare for audits
Data breaches involving California residents carry serious liability. Statutory damages range from $107 to $799 per consumer per incident, or actual damages, whichever is greater. Multiply that across thousands of affected consumers and you’re looking at millions of dollars in exposure.
With mandatory cybersecurity audit requirements phasing in over the next few years, now is the time to evaluate where and how your data is stored, whether your security measures are up to current standards, and whether you can demonstrate compliance if asked. Engage IT early. This is their territory, and they’ll need time to assess and shore up your infrastructure.
What Other States Have Privacy Laws Like the CCPA?
If there’s one thing that’s changed since our original article, it’s the scope. In 2019, we were talking about one state’s privacy law. In 2026, businesses operating in multiple states must treat compliance as an ongoing operational function, not a one-time legal exercise.
If your business serves customers in multiple states, look at where your exposure is. Kentucky’s law took effect January 1, 2026, which matters if you’re a Kentucky-based company like us. Indiana and Rhode Island went live on the same date. Arkansas kicks in July 2026. Each has its own applicability thresholds, consumer rights, and enforcement mechanisms.
The silver lining: most of these state laws share a common DNA. If you build a solid compliance program around the CCPA/CPRA (which is the strictest of the bunch), you’ll be well-positioned to meet the requirements in other states with less additional effort.
Get Help With Your Privacy Compliance
Privacy compliance has gotten more complex since 2019. That’s the bad news. The good news is that the path forward is well-defined, and you don’t have to figure it out alone. PriceWeber offers a free privacy compliance review to help you understand where you stand and what needs attention.
We’ve been helping businesses in healthcare, financial services, beverage, manufacturing, and more work through these challenges for years. We’d love to help you, too.
You can also call us at 502-499-4209 to talk with one of our experts today.
KEY TAKEAWAYS
- The CCPA has been significantly expanded by the CPRA, adding new consumer rights, stricter data minimization rules, and a dedicated enforcement agency (the CPPA).
- New regulations that took effect January 1, 2026 require businesses to address automated decision-making technology, conduct risk assessments, and prepare for mandatory cybersecurity audits.
- Enforcement is active. The CPPA issued a $1.35 million fine against Tractor Supply Company in 2025 and has hundreds of investigations in progress.
- The CCPA’s opt-out requirements now cover the sharing of personal data for cross-context behavioral advertising, and businesses must honor browser-based Global Privacy Control signals.
- California is no longer alone. Twenty states have comprehensive privacy laws in effect as of 2026, and businesses operating across state lines need a compliance strategy that accounts for all of them.
- If you built your compliance program in 2020 and haven’t revisited it, you’re almost certainly out of date. The law has changed enough to warrant a full review.