Privacy Knowledge Hub

Three enforcement actions, $3.76M in combined fines, and a pattern so consistent it amounts to a design spec. A close reading of the Honda, Ford, and Disney CCPA settlements for privacy engineers and product teams who own the banner.

Honda and Ford were fined for the same pattern: requiring identity verification before processing a CCPA opt-out. A practitioner's guide to designing an opt-out form that scopes the request, honors the right, and doesn't trip the per-violation enforcement math.

The ePrivacy Regulation was withdrawn in February 2025. The CNIL fined Google €325M and Shein €150M in September 2025. The EDPB expanded the scope of Article 5(3) to pixels and fingerprinting. A practitioner's guide to GDPR cookie consent in 2026, grounded in the regulation text, the CJEU case law, and the enforcement actions that define the line.

A code-first walkthrough of the three signals that actually matter for consent in 2026: Google Consent Mode v2 (ad_storage, analytics_storage, ad_user_data, ad_personalization), Global Privacy Control (Sec-GPC header), and the IAB Global Privacy Platform (GPP string). How to wire them together, the common race conditions, and the middleware code.

Twenty US states now have comprehensive privacy laws. Twelve require honoring Global Privacy Control. Only California gives consumers a private right of action. A practitioner's map of the applicability thresholds, the rights, the UOOM requirements, and the realistic compliance baseline for a business operating nationally.

Google kept third-party cookies. Safari, Firefox, and Brave still block them. Privacy Sandbox shut down in October 2025. And browser behavior doesn't change your legal obligations under ePrivacy or CCPA. A clear-eyed read on where cookies actually stand in 2026.

The California Privacy Rights Act amended the CCPA in 2020 and took effect in 2023. Three years of enforcement later, the operational differences are clear: the 'share' right, the new sensitive-PI category, the CPPA as a dedicated regulator, and the cure period's disappearance. A practitioner's read on what changed and what it costs.

A deeply cited, implementation-first guide to CCPA cookie banner requirements after the Disney, Honda, Ford, and Healthline enforcement actions. Covers symmetrical choice under § 7004, the new 2026 GPC display rule, and how to build a banner that survives CPPA scrutiny.

How to wire the Microsoft Clarity Consent API correctly so Clarity respects user consent state under GDPR and CCPA, with the common implementation mistakes to avoid.

A CCPA audit helps bridge the gap between your intentions and legally compliant, day-to-day data practices. Refreshed for 2026 with the post-Honda enforcement pattern.

Sensitive personal information has distinct statutory definitions and distinct rights attached under CCPA, GDPR, and now Maryland's MODPA. A practitioner's breakdown of what counts as SPI, which categories trigger opt-in consent, and which states ban SPI sale outright.

Microsoft UET Consent Mode gates Bing Ads and Microsoft Advertising conversion tracking on user consent state. How it works, how to wire it, and how it relates to Google Consent Mode v2.

Server-side tracking moves measurement off the browser and onto your own infrastructure. A practitioner's intro: the architecture, the trade-offs, and why it is not a compliance workaround under GDPR or CCPA.

Basic mode blocks Google tags until consent; Advanced mode sends cookie-less pings for conversion modeling. The trade-off, the ePrivacy concern with Advanced mode, and when each makes sense.

CCPA reaches beyond California's borders, and by 2026 it runs alongside 19 other active state privacy laws. A practitioner's read on extraterritorial reach, applicability thresholds, and how to build one compliance baseline that covers the whole US.