Wire / GDPR & Privacy Law / Article
┌── POST 06.16 · GDPR & Privacy Law · 4 min read

CCPA vs CPRA 2026: What California Businesses Must Update

The CCPA vs CPRA 2026 gap is wider than most California businesses realise. CPRA — which amended CCPA and became fully enforceable in 2023 — introduced new rights and obligations that directly change how you configure cookie banners, process sensitive data, and contract with vendors. If your consent setup was built for the original CCPA, it is almost certainly out of date.

How CCPA and CPRA Differ on Tracking and Cookies

Original CCPA gave consumers one core opt-out: the right to say “Do Not Sell My Personal Information.” That framing fit a data-broker world. However, modern advertising runs on cross-site tracking, pixels, and cookie syncing — activities that CCPA never explicitly addressed.

CPRA fixed this by adding “sharing” as a separate act. Sharing means disclosing personal information to third parties for cross-context behavioural advertising, even when no money changes hands. In practice, loading a Meta Pixel or Google Ads tag that passes identifiers to a third-party ad network is sharing under CPRA. Your banner must offer an opt-out of both selling and sharing, not just one.

The California Privacy Protection Agency confirmed in its enforcement guidance that loading third-party ad scripts without an opt-out path constitutes a violation for businesses that meet the CPRA thresholds.

The Sensitive Personal Information Category

CPRA created a new class: sensitive personal information (SPI). For tracking purposes the categories that matter most are precise geolocation, contents of communications, and inferences drawn to create consumer profiles about health or sexuality.

Consumers now have the right to limit the use and disclosure of their SPI. You cannot simply bury this in a general privacy policy. Instead, you must offer a clear “Limit the Use of My Sensitive Personal Information” link — similar in prominence to “Do Not Sell or Share.” If your site uses IP-based geolocation for ad targeting, or any enrichment service that infers sensitive attributes, SPI rules apply to you.

Contractual Flow-Down to Processors

CCPA required service-provider contracts. CPRA tightens this significantly. Contracts with processors and contractors must now include specific CPRA-required terms: purpose limitations, deletion obligations, audit rights, and a ban on further selling or sharing the data they receive.

For teams running a CMP, this means your data-processing agreements with the CMP vendor, analytics provider, and any tag that fires post-consent must all carry updated CPRA clauses. A generic CCPA service-provider agreement from 2021 will not satisfy a CPCA audit in 2026.

CCPA vs CPRA 2026 Cookie Banner Checklist

Use this checklist to audit what needs to change relative to your old CCPA banner:

  1. “Do Not Sell or Share My Personal Information” — update the link text from “Do Not Sell” to include “or Share.”
  2. “Limit the Use of My Sensitive Personal Information” — add a second opt-out link if your site processes SPI (precise geo, health inferences, etc.).
  3. Global Privacy Control (GPC) support — CPRA regulations require you to honour the GPC browser signal as a valid opt-out of sale and sharing. Your CMP must detect and act on it automatically.
  4. No dark patterns — CPCA regulations explicitly prohibit consent flows that use deceptive design. Asymmetric button sizes or pre-ticked opt-ins are non-compliant.
  5. Updated privacy policy — disclose SPI categories collected, purpose of use, and retention periods. CPRA sets a default maximum retention of what is “reasonably necessary.”
  6. Vendor contract audit — confirm every tag vendor has signed CPRA-compliant DPAs before their script fires, even in a consented state.

For teams managing multiple consent frameworks at once, our guide on the top CMP implementation errors covers the cross-regulation pitfalls that most teams miss during a banner rebuild.

Enforcement Reality in 2026

The CPCA began issuing fines without a 30-day cure period for most violations from 2023 onwards. In 2026 the agency has expanded its investigative capacity. The highest-risk areas remain ad-tech integrations, GPC non-compliance, and missing SPI disclosures — all directly tied to cookie and tracking configuration rather than back-office data handling.

Businesses below the CPRA thresholds (fewer than 100,000 consumers, under $25 million revenue, less than 50% revenue from selling data) are not exempt from CCPA entirely. However, the SPI and sharing rules are CPRA additions that only bind covered businesses.

Conclusion

The CCPA vs CPRA 2026 distinction is not academic. The shift from “sell” to “sell or share,” the addition of sensitive data rights, the GPC mandate, and stricter processor contracts all require concrete changes to your cookie banner and vendor stack. Audit your consent UI against the checklist above, update your DPAs, and confirm your CMP honours GPC signals before your next California-facing campaign.

C
About the author
Consent Mode HQ
Editorial team at Consent Mode HQ
Read more by author ↗