California Privacy Rights in 2026

The California Consumer Privacy Act (CCPA) changed the data privacy landscape in the United States by giving residents significant control over their personal information. Since the California Privacy Rights Act (CPRA) amendments took full effect, and with the latest 2026 regulatory updates from the California Privacy Protection Agency (CPPA), the legal requirements for websites have become increasingly technical. Compliance is no longer just about having a privacy policy; it is about providing functional interfaces that respect user autonomy in real time.

Data protection authorities have shifted from education to active enforcement. In 2025, the CPPA issued multiple six-figure fines for misconfigured cookie banners and hindered opt-out processes. Understanding these six rights is the first step in ensuring your website remains compliant and avoids the scrutiny of California regulators.

1. The Right to Know

The right to know allows California residents to request details about the personal information a business collects, uses, and shares. This includes the categories of information, the sources from which it was collected, the business purpose for the collection, and the specific third parties who received that data.

Under the 2026 updates, the look-back period for the right to know has expanded. While the original law limited requests to the preceding 12 months, consumers can now request historical data stretching back to January 2022, provided the business still maintains that information. Your website must provide a clear mechanism, such as a dedicated email address or a web form, for users to submit these verifiable consumer requests.

2. The Right to Delete

Users have the right to request the deletion of personal information collected from them. When you receive a valid deletion request, you must delete the information from your records and direct your service providers to do the same. This is particularly relevant for marketing databases and tracking logs generated by cookie categories like marketing and analytics.

However, the right to delete is not absolute. You may retain data if it is necessary to complete a transaction, detect security incidents, or comply with a legal obligation. The 2025 Todd Snyder enforcement action highlighted that businesses cannot require excessive identity verification - such as requesting a government ID - for simple deletion or opt-out requests. The verification process must be proportionate to the sensitivity of the data involved.

3. The Right to Opt-Out of Sale or Sharing

One of the most visible requirements for website owners is the right to opt-out. California law distinguishes between "selling" (exchanging data for money or other valuable consideration) and "sharing" (transferring data for cross-context behavioural advertising). Most modern websites that use third-party marketing pixels are considered to be "sharing" data.

To comply, your website must feature a clear and conspicuous link titled "Do Not Sell or Share My Personal Information." Furthermore, since January 2026, businesses must provide a visible confirmation once an opt-out request has been processed. Silent processing is no longer sufficient. If a user clicks your opt-out link or sends a Global Privacy Control (GPC) signal, your site must display a message such as "Opt-Out Request Honored."

| Requirement | Standard CCPA Implementation | 2026 Mandatory Update |
|---|---|---|
| Opt-Out Link | "Do Not Sell My Personal Information" | "Do Not Sell or Share My Personal Information" |
| GPC Signal | Optional for some businesses | Mandatory detection and confirmation |
| Confirmation | No feedback required | Visible "Opt-Out Honored" indicator |
| Symmetry | N/A | Opt-out must be as easy as opt-in |

4. The Right to Correct

The right to correct inaccurate personal information was introduced by the CPRA. If a consumer identifies that the data you hold about them is incorrect, they can request a correction. Website owners must use commercially reasonable efforts to update the data across their systems and notify any service providers who process that data on their behalf.

For websites, this often means ensuring that user profile sections are easily editable or providing a clear path for users to submit correction requests. Failure to maintain accurate data can lead to compliance risks, especially if that data is used for automated decision-making or financial profiling.

5. The Right to Limit the Use of Sensitive Personal Information

The CCPA creates a sub-category of "sensitive personal information" (SPI). This includes precise geolocation, racial or ethnic origin, religious beliefs, biometric data, and health information. If your website collects SPI for purposes other than providing the basic service requested by the user, you must provide a "Limit the Use of My Sensitive Personal Information" link.

A common trigger for this right is the use of functional cookies that track precise user location to provide localised content. If you use this data to build a profile or for advertising, the user must have the ability to restrict that use to only what is strictly necessary.

6. The Right to Non-Discrimination

You cannot discriminate against a user for exercising their privacy rights. This means you cannot deny goods or services, charge different prices, or provide a lower quality of service just because a user opted out of tracking or requested data deletion.

While you can offer financial incentives for data collection (such as a discount code for signing up for a newsletter), these programs must not be selected by default. The 2026 regulations specifically prohibit "dark patterns" that make the opt-out process more difficult than the opt-in process. Choices must be symmetrical; if your "Accept All" button is large and colourful, your "Reject All" or "Opt-Out" button must be equally prominent.

How Enforcement is Changing

In July 2025, the California Attorney General announced a $1.55 million settlement with Healthline Media. The investigation found the company had unlawfully shared sensitive health-related data via third-party trackers even after users attempted to opt out. This case serves as a warning that the CPPA is actively auditing whether CCPA cookie consent tools actually block data transmission as promised.

Implementing a Compliant Interface

To meet these requirements, your website needs a technical solution that goes beyond a simple pop-up. You must ensure that:

  • The "Do Not Sell or Share" link is easy to find.
  • Cookie scripts are blocked until the user interacts with the banner.
  • Universal opt-out signals like GPC are automatically respected.
  • Users can easily access their rights via your privacy policy or a dedicated portal.
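The checklist above can be expressed as one consent-resolution function that a banner or tag loader consults before injecting any script. This is an added example, not code from Kukie.io or any consent platform; the tag inventory, the `bannerChoice` values, the function names, and the rule that a GPC signal keeps the marketing category blocked even after "Accept All" are assumptions made for illustration.

```javascript
// Added example. TAGS, gpcEnabled and resolveConsent are hypothetical names.
// Constructed tag inventory: each script is assigned a cookie category.
const TAGS = [
  { id: "session-cookie", category: "necessary" },
  { id: "analytics-script", category: "analytics" },
  { id: "ads-pixel", category: "marketing" }, // cross-context ads = "sharing"
];

// GPC reaches the server as the request header `Sec-GPC: 1` and is exposed
// to page scripts as `navigator.globalPrivacyControl === true`.
function gpcEnabled(headers = {}, nav = {}) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  const headerOn = key !== undefined && String(headers[key]).trim() === "1";
  return headerOn || nav.globalPrivacyControl === true;
}

// bannerChoice: null (no interaction yet), "accept_all", "reject_all",
// or "opt_out" (the "Do Not Sell or Share" link was used).
function resolveConsent({ headers, nav, bannerChoice = null }) {
  const gpc = gpcEnabled(headers, nav);
  const optedOut =
    gpc || bannerChoice === "opt_out" || bannerChoice === "reject_all";

  // Only strictly necessary tags load before the visitor interacts.
  const allowed = new Set(["necessary"]);
  if (bannerChoice === "accept_all") {
    allowed.add("analytics");
    // Assumption: the GPC opt-out still applies to the sharing category.
    if (!gpc) allowed.add("marketing");
  }

  const ids = (keep) =>
    TAGS.filter((t) => allowed.has(t.category) === keep).map((t) => t.id);
  return {
    gpc,
    load: ids(true),
    blocked: ids(false),
    // Visible confirmation text; silent processing is not sufficient.
    confirmation: optedOut ? "Opt-Out Request Honored" : null,
  };
}
```

Running the same function on the server (against request headers) and in the browser (against `navigator`) keeps both layers in agreement, so a blocked marketing tag is neither rendered into the HTML nor injected later by client-side code.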

Using a consent management platform allows you to automate the detection of California visitors and display the correct regional links and disclosures automatically.

Frequently Asked Questions

Does the CCPA apply to my website if I am not based in California?

Yes, the CCPA applies to any for-profit business that does business in California and meets the revenue or data processing thresholds, regardless of where the company is physically headquartered. If you serve California residents, you likely need to comply.

What is the difference between "selling" and "sharing" data?

Selling involves transferring personal information to a third party for monetary or other valuable consideration. Sharing refers specifically to the transfer of personal information for cross-context behavioural advertising, which is how most marketing cookies operate.

Do I need a "Do Not Sell or Share" link if I don't sell data?

Most businesses do not "sell" data in the traditional sense, but if you use third-party advertising pixels (like Meta or Google Ads), you are likely "sharing" data under California law and must provide the opt-out link.

What are dark patterns in CCPA compliance?

Dark patterns are user interface designs that subvert or impair user choice. Examples include making the "Reject All" button hard to find, using confusing language, or requiring more clicks to opt out than to opt in.

How long do I have to respond to a CCPA request?

You must respond to a right to know, delete, or correct request within 45 days. Opt-out requests must be processed much faster, typically within 15 business days of receipt.

Is Global Privacy Control (GPC) mandatory in 2026?

Yes, as of 2026, California regulators require businesses to detect and honour GPC signals as a valid opt-out request, and you must provide a visible confirmation that the signal was respected.

Take Control of Your Cookie Compliance

If you are not sure how your website handles California visitor rights, start with a comprehensive audit. Kukie.io's scanner identifies every tracker on your site and helps you deploy a CCPA-compliant banner with the necessary opt-out links and GPC support. You can manage all your compliance needs from a single dashboard, tailored to the latest 2026 standards.
