Most CCPA cookie banners you can find on the open web today would not survive a California Privacy Protection Agency (CPPA) enforcement review. That isn't a rhetorical flourish. Between March 2025 and March 2026, the California Attorney General and the CPPA together announced settlements against American Honda ($632,500), Todd Snyder ($345,178), Healthline ($1.55M), Tractor Supply ($1.35M), The Walt Disney Company ($2.75M, the largest to date), and Ford Motor Company ($375,703). In every one of those actions, the banner, the opt-out flow, or the Global Privacy Control (GPC) handling was part of the allegations.
This is a working guide to CCPA cookie banner compliance in 2026, written for privacy engineers, in-house counsel, and the marketing and product teams who actually ship the consent UI. Where it matters, it quotes the regulation and cites the enforcement order. Where the industry is full of bad takes, it corrects them.
TL;DR. A compliant CCPA cookie banner in 2026 needs: (1) a notice at collection before non-essential cookies fire, (2) symmetrical choice on the first layer ("Accept All" vs. "Reject All", not "Accept All" vs. "Manage Preferences"), (3) a "Do Not Sell or Share My Personal Information" link or a "Your Privacy Choices" link with the blue icon in header/footer, (4) server-side recognition of the `Sec-GPC` HTTP header and the `navigator.globalPrivacyControl` property, (5) a visible confirmation that the GPC signal was honored (new § 7025(c)(6), effective January 1, 2026), and (6) no verification barriers on opt-out requests. Miss any one of these and you're in the pattern the CPPA has been fining since 2025.
Who this applies to: the threshold question (and the mistake everyone makes)
The CCPA applies to a for-profit business that does business in California and meets at least one of three tests in Cal. Civ. Code § 1798.140(d):
- Annual gross revenue over $25,000,000 in the preceding calendar year, or
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households, or
- Derives 50% or more of annual revenue from selling or sharing consumers' personal information.
The mistake you will see everywhere, including in published legal-adjacent content, is dropping the word "households" from test (2). The CPRA threshold is 100,000 consumers or households. A single California household counts. For any site running ad-tech at meaningful scale, prong (2) is the one that triggers applicability, and "households" widens the net considerably compared to the pre-CPRA language.
One more practical note: the threshold is evaluated against the preceding calendar year. If your site crossed 100,000 California consumers or households in 2025, you are a "business" for CCPA purposes in 2026, regardless of current traffic.
What a compliant CCPA cookie banner actually needs
The banner has to do four things at once: give notice at collection, offer a symmetrical first-layer choice, expose a granular preference layer, and integrate with the downstream opt-out mechanisms. Each of these maps to a specific provision.
1. Notice at collection, before non-essential cookies fire
11 CCR § 7003 requires notice that is easy to read, prominent, accessible under WCAG 2.1 AA, and delivered at or before the point of collection. In practice that means:
- Analytics, advertising, and social pixels should not execute before the banner is shown and a choice is made or a GPC signal is honored.
- The banner copy needs to state, at minimum, the categories of personal information being collected and the purposes. Linking to the privacy policy is acceptable as the second layer of detail, but the first layer has to be actually informative, not "we use cookies."
- Accessibility is an explicit requirement under § 7003. If your banner fails a basic screen-reader or keyboard-navigation check, that is a compliance issue, not just a UX one. Every top-ranking page on this topic skips this point; the regulator does not.
2. Symmetrical choice on the first layer (the Honda rule)
This is the provision that has driven the largest volume of 2025 enforcement. 11 CCR § 7004(a)(2) states, verbatim:
"The path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option, because that would impair or interfere with the consumer's ability to make a choice."
The regulation then gives an example, also verbatim:
"A website banner that provides only the two options 'Accept All' and 'More Information,' or 'Accept All' and 'Preferences,' is not equal or symmetrical because it allows the consumer to accept the sale in one step but requires the consumer to execute more steps to exercise their right to opt-out. An equal or symmetrical choice could be between 'Accept All' and 'Decline All.'"
That is exactly the pattern the CPPA cited in its first-ever enforcement action against American Honda in March 2025. Honda's banner offered "Allow All" in a single click but required clicking through "Manage Preferences" and unchecking toggles to refuse. The CPPA found this asymmetrical and fined Honda $632,500 in aggregate, treating the violations on a per-consumer basis. CPPA Deputy Director Michael Macko, announcing the settlement, put it plainly: "The remedy should fit the problem behavior. We won't hesitate to use our cease-and-desist authority to change business practices, and we'll tally fines based on the number of violations." (CPPA announcement, March 12, 2025)
If your current banner has "Accept All" and "Manage Preferences" as the two first-layer buttons, you are running the Honda pattern. Replace it. The compliant first layer is a pair of equally prominent, same-weight, same-click-distance buttons: "Accept All" and "Reject All" (or the semantically equivalent "Decline All"). "Manage Preferences" can appear as a third option or behind a link, but it cannot replace "Reject All."
3. Dark patterns: why effect beats intent
§ 7004(c) defines a dark pattern as an interface that "has the effect of substantially subverting or impairing user autonomy, decisionmaking, or choice." Intent is not required. The CPPA formalized this position in Enforcement Advisory 2024-02 (September 4, 2024), and Macko captured the standard in the announcement: "Dark patterns aren't about intent, they're about effect. The law gives consumers the right to make their privacy choices without jumping through confusing hoops or solving puzzles."
The concrete consequence under § 7004(b): "Any agreement obtained through the use of dark patterns shall not constitute consumer consent." If your banner uses dark patterns, the consent you collect is void by regulation, which means every tag that fires based on that consent is firing without a lawful basis under the CCPA's notice-and-choice framework.
Common dark patterns the CPPA has flagged in enforcement so far:
- Asymmetrical button weight, color, or size (Honda)
- Language that confuses the direction of choice ("don't not share my data" style toggles)
- Requiring users to click more than once to reject while accepting is one-click
- Disruptive screens between the user and the content that only lift after acceptance
- Pre-checked toggles for non-essential processing
4. The "Do Not Sell or Share" link, or the "Your Privacy Choices" alternative
Independent of the banner itself, 11 CCR § 7013 requires a conspicuous link titled "Do Not Sell or Share My Personal Information" in the header or footer of every page that collects personal information. The wording is prescribed. "Do Not Sell" alone is not compliant after CPRA, because it omits the "share" right (cross-context behavioral advertising). "Manage Cookies" is also not a substitute.
The approved alternative is a single link titled "Your Privacy Choices" or "Your California Privacy Choices" accompanied by the official blue toggle Privacy Options icon (designed by Carnegie Mellon's CyLab and the University of Michigan, available for download at oag.ca.gov/privacy/ccpa/icons-download). The single alternative link can consolidate both the "Do Not Sell or Share" and the "Limit the Use of My Sensitive Personal Information" obligations. Walmart, Spotify, Verizon, and Procter & Gamble have all deployed this pattern in production.
You are relieved of the link requirement only in two narrow circumstances: you do not sell or share personal information at all and you say so in your privacy policy, or you process opt-out preference signals in a genuinely "frictionless" manner under § 7025(f).
5. Global Privacy Control: a browser signal with enforcement teeth
GPC is a browser-level signal that a consumer wants to opt out of the sale and sharing of their personal information. It is delivered two ways, both defined in the W3C draft specification:
- An HTTP request header: `Sec-GPC: 1` (the character "1" is the only valid value)
- A JavaScript DOM property: `navigator.globalPrivacyControl`, which returns a boolean
Brave and DuckDuckGo enable GPC by default. Firefox exposes it as a user-controllable setting. Chrome, Edge, and Safari do not ship it natively, so Chrome users typically opt in via extensions like EFF's Privacy Badger, DuckDuckGo's Privacy Essentials, or Disconnect. The Global Privacy Control homepage reports 150M+ users and 66,000+ compliant sites as of 2026.
California law treats GPC as a mandatory opt-out preference signal under 11 CCR § 7025. The relevant rules:
- A business that sells or shares personal information must process the signal as a valid request to opt out of sale and sharing under Civ. Code § 1798.120.
- The signal must be honored within 15 business days.
- For a logged-in user, the opt-out must propagate to all linked accounts (the rule that tripped Disney).
- At minimum, the signal applies to the browser or device that sent it.
The January 1, 2026 change you need to know about. The CPPA rulemaking package approved by the Office of Administrative Law on September 22, 2025 amended § 7025(c)(6) from "may" to "must". A business that processes a GPC signal now must display to the consumer that the opt-out has been recognized and processed. This is enforceable as of 2026. (See CPPA September 23, 2025 announcement and Skadden's analysis.)
The practical implication: your site should render a small, non-disruptive confirmation in the banner region or preferences UI when a GPC signal is detected. Something as simple as "We detected your Global Privacy Control signal and have opted you out of sale and sharing." The confirmation does not have to be elaborate, but the absence of it after 2026 is a finding a CPPA investigator can cite.
Reference implementation. The server-side detection is three lines:

```typescript
// Next.js (App Router) / Node example: the Fetch-API Request exposes headers via .get()
export function detectGPC(req: Request): boolean {
  // Sec-GPC carries an opt-out signal only when its value is exactly the character "1"
  const header = req.headers.get("sec-gpc");
  return header === "1";
}
```

And on the client, before any tag manager or analytics library loads:

```javascript
// navigator.globalPrivacyControl is a boolean; guard for non-browser contexts (SSR)
if (typeof navigator !== "undefined" && navigator.globalPrivacyControl === true) {
  // Set opt-out state, block sale/share tags, and render the confirmation banner.
}
```
A deeper technical walkthrough lives in the Global Privacy Control and universal opt-out explainer.
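The following is an added example, not code from the original post or from any vendor. It joins the two detection paths above into one plain Node.js pipeline: it parses the `Sec-GPC` header (accepting only the value "1"), reads the client-side property, resolves the scope of the opt-out (the sending device for an anonymous visitor; every linked account and device for a logged-in user, which is the Disney finding), produces the confirmation text § 7025(c)(6) now requires, and gates the tags that constitute a sale or share. The function names (`parseSecGpc`, `clientGpc`, `resolveOptOut`, `gateTags`), the `LINKED_ACCOUNTS` directory and the `TAGS` catalogue are assumptions constructed for the example.

```javascript
// Added example (not from the original post): an end-to-end GPC handling
// pipeline in plain Node.js. The helper names, the linked-accounts directory
// and the tag catalogue are constructed for illustration.

// Server side. Node lowercases incoming header names, so the key is "sec-gpc".
// The signal is valid only when the value is exactly "1"; "true", "0" or a
// missing header is no signal at all.
function parseSecGpc(headers) {
  return headers["sec-gpc"] === "1";
}

// Client side. navigator.globalPrivacyControl is a boolean. The function takes
// a navigator-like object so it can be exercised outside a browser.
function clientGpc(nav) {
  return !!nav && nav.globalPrivacyControl === true;
}

// Constructed sample directory: a login and every account/device it controls.
// A logged-in user's opt-out must reach all of these, not only the surface
// that received the signal.
const LINKED_ACCOUNTS = {
  "user-42": ["web:user-42", "ctv:user-42", "ios:user-42", "sister-service:user-42"],
};

// Resolve one request into an opt-out decision.
// - anonymous visitor: scope is the browser/device that sent the signal
// - logged-in user: scope is every linked account and device
function resolveOptOut({ headers = {}, nav, userId = null, deviceId }) {
  const signalled = parseSecGpc(headers) || clientGpc(nav);
  if (!signalled) {
    return { optedOut: false, scope: [], confirmation: null };
  }
  const scope =
    userId && LINKED_ACCOUNTS[userId] ? LINKED_ACCOUNTS[userId] : [`device:${deviceId}`];
  return {
    optedOut: true,
    scope,
    // § 7025(c)(6): the consumer must be shown that the signal was processed.
    confirmation:
      "We detected your Global Privacy Control signal and have opted you out of sale and sharing.",
  };
}

// Constructed tag catalogue. Tags marked saleOrShare must not fire once the
// consumer is opted out; strictly necessary and first-party tags still may.
const TAGS = [
  { id: "session-cookie", saleOrShare: false },
  { id: "meta-pixel", saleOrShare: true },
  { id: "google-ads-conversion", saleOrShare: true },
  { id: "first-party-analytics", saleOrShare: false },
];

// Return the ids of the tags allowed to load for this consumer.
function gateTags(optedOut, tags = TAGS) {
  return tags.filter((t) => !optedOut || !t.saleOrShare).map((t) => t.id);
}

// Stand-alone demonstration with a constructed request from a logged-in user.
const decision = resolveOptOut({
  headers: { "sec-gpc": "1" },
  nav: undefined,
  userId: "user-42",
  deviceId: "dev-1",
});
console.log(decision.confirmation);
console.log("opt-out scope:", decision.scope);
console.log("tags allowed to load:", gateTags(decision.optedOut));
```

Run the header parser and the client check at the earliest point in the request and page lifecycle respectively, and treat either one returning true as an opt-out; the gating step is what stops a pixel from firing while the banner is still on screen.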
The 2025 to 2026 enforcement record: what actually gets fined
Eleven actions in roughly eighteen months, across two enforcers, with a consistent pattern. The table below is the set of cases that should inform banner design decisions for any business operating in California today.
| Date | Enforcer | Company | Fine | Core banner-relevant finding |
|---|---|---|---|---|
| Aug 2022 | CA AG | Sephora | $1.2M | Didn't honor GPC; didn't disclose GA/ad vendor data flows as a "sale" |
| Feb 2024 | CA AG | DoorDash | $375K | Sold data via marketing co-op without notice or opt-out |
| June 2024 | CA AG | Tilting Point | $500K | Non-neutral age gate, misconfigured SDKs, children's data |
| Jan 2025 | CA AG | Sling TV | $530K | Opt-out friction on streaming and CTV |
| Mar 2025 | CPPA | Honda | $632,500 | Asymmetrical banner; verification required for opt-out |
| May 2025 | CPPA | Todd Snyder | $345,178 | Broken opt-out for 40 days; required ID before opt-out |
| Jul 2025 | CA AG | Healthline | $1,550,000 | Shared diagnosis-level data via pixels; opt-out misrouted |
| Sep 2025 | CPPA | Tractor Supply | $1,350,000 | "Do Not Sell" link didn't stop tracking; stale policy |
| Feb 2026 | CA AG | Disney | $2,750,000 | Device-scoped opt-out, GPC honored only on signal device |
| Feb 2026 | CPPA | Sports media co. | $1,100,000 | Multiple CCPA violations |
| Mar 2026 | CPPA | Ford | $375,703 | Email verification before opt-out ("unnecessary friction") |
Four of these deserve additional attention, because the banner and opt-out flow facts are directly transferable.
Honda (March 2025). Beyond the asymmetry problem, Honda's opt-out webform required eight data elements before it would process an opt-out request, even for unverified opt-outs. Civ. Code § 1798.120(d) forbids requiring a verifiable consumer request for an opt-out. And Honda's authorized-agent process required the consumer to self-verify, which violates CCPA's agent rules in § 1798.185. If your opt-out form asks for more than what is technically needed to identify the browser or account scope, you are running the Honda pattern.
Healthline (July 2025). This action established that article titles indicating a diagnosis ("You've Been Newly Diagnosed with MS") are personal information in context, and sharing them with ad partners is a "share" under § 1798.140(ah). The opt-out was misconfigured so that after a user opted out, the event data still flowed to certain downstream partners. The holding that matters is the contextual one: the sensitivity of personal information is determined by what the combination of data points reveals, not by any single field in isolation.
Tractor Supply (September 2025). The stated "Do Not Sell or Share" link existed, but clicking it did not actually stop third-party tracking. The CPPA treated the presence of a non-functional link as a worse violation than no link at all, because it misrepresents the consumer's actual choice. This case also produced the first enforcement against a CCPA violation affecting job applicants, who are consumers under the post-CPRA employment carve-out removal.
Disney (February 2026). At $2.75M, this is the largest CCPA settlement to date. The critical finding: Disney's opt-out toggles were scoped per device and per service. A logged-in Disney+ user opting out in the web app did not opt out for the same account on a Roku device or on Hulu. GPC was honored only on the specific device that sent the signal. The CTV apps lacked an in-app opt-out entirely, which forced users to go to the webform. And the webform only stopped sharing with Disney's own ad platform, not third-party ad-tech. AG Bonta's press statement captured it: "Consumers shouldn't have to go to infinity and beyond to assert their privacy rights." (CA AG press release, February 11, 2026)
Ford (March 2026). The most recent case as of this writing. Ford required email verification before it would process an opt-out, which the CPPA characterized as "unnecessary friction" in violation of § 1798.120(d). The settlement order requires Ford to audit every tracking technology on its properties (cookies, beacons, pixels, SDKs) for GPC handling. This is now the baseline audit obligation the CPPA will reach for in similar matters.
The engineering picture: what "sale" and "share" actually mean for cookies
The CCPA uses two statutory concepts, and a given cookie or pixel can trigger either or both.
Sale (§ 1798.140(ad)): transferring personal information to a third party for monetary or other valuable consideration. "Other valuable consideration" is broad enough to capture barter, data-for-service, and the value exchange inherent in most ad-tech integrations.
Share (§ 1798.140(ah)): transferring personal information to a third party for cross-context behavioral advertising, whether or not any money changes hands. This is the CPRA provision that pulls retargeting, lookalike audiences, and most pixel-based ad-tech into scope even when you aren't selling anything in the lay sense.
Mapping this to the common integrations you're likely to have:
- Meta Pixel, Google Ads conversion pixels, TikTok pixels, LinkedIn Insight Tag. Almost always constitute "share" because they drive cross-context behavioral advertising. Healthline confirms the risk.
- Google Analytics 4. The CA AG's position, established in the Sephora complaint and not retracted since, is that default GA4 configurations constitute a "sale." Defense-side privacy counsel disagree depending on configuration (Google Signals off, IP anonymization, Data Sharing Settings disabled, etc.). Treat this as an enforcement position, not settled law, and make a documented risk decision.
- Remarketing and retargeting cookies. Unambiguously "sharing" under § 1798.140(ah). Retargeting is the textbook cross-context behavioral advertising case.
- First-party server-side analytics with no downstream third parties. Generally not a sale or share.
IAB signals. The IAB's legacy US Privacy String (usprivacy) was officially deprecated on January 31, 2024 in favor of the Global Privacy Platform (GPP). However, Google Ad Manager and AdMob continue to read the legacy USP string for backward compatibility. The current best practice is GPP with the California Privacy section (Section 8), with USP retained only if specific downstream ad-tech partners require it. Plan to remove USP.
Google Consent Mode v2: what it does and doesn't do for CCPA
Consent Mode v2 is four boolean parameters that let Google's tags modulate behavior based on consent state. The official docs are the reference:
- `ad_storage`: storage of advertising cookies and identifiers
- `analytics_storage`: storage of analytics cookies and identifiers
- `ad_user_data`: sending user data to Google for advertising purposes (added November 2023)
- `ad_personalization`: using data for personalized advertising and remarketing (added November 2023)
Google made Consent Mode v2 mandatory for EEA and UK traffic for advertisers using Google Ads and Google Tag on March 6, 2024. For California traffic, Google has not mandated it, but implementing v2 is table stakes for correct ad measurement and defensible CCPA handling.
The CCPA-relevant implementation pattern is straightforward. On GPC detection or user opt-out:
```javascript
// Default to denied in the region where you must collect opt-out signals
gtag('consent', 'default', {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  region: ['US-CA'],
});

// On affirmative accept
gtag('consent', 'update', {
  ad_storage: 'granted',
  ad_user_data: 'granted',
  ad_personalization: 'granted',
  analytics_storage: 'granted',
});
```
A fuller walkthrough, including Basic vs. Advanced mode trade-offs, lives in the Google Consent Mode v2 implementation guide and the comparison in Basic vs Advanced Google Consent Mode. If you use Microsoft advertising or Clarity, there are parallel obligations covered in Microsoft UET Consent Mode and the Microsoft Clarity Consent API explainer.
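As an added example (not Google's code and not from the original post), the block below wraps the two `gtag` calls above in a small state mapper so the consent-mode payload is derived from one CCPA choice object instead of being hand-written in two places. It also emits the legacy IAB US Privacy String for the partners that still read it. The `gtag` shim, the `consentModeUpdate`, `setCaliforniaDefault`, `applyConsentState` and `uspString` names, and the rule that a GPC signal or explicit opt-out overrides a stale "accept" are assumptions of the example; the four parameter keys are the real Consent Mode v2 signals.

```javascript
// Added example (not from the original post, not Google's code): derive the
// Consent Mode v2 payload and the legacy USP string from one CCPA choice.

// Minimal gtag shim. The real gtag pushes its arguments onto window.dataLayer;
// here dataLayer is a plain array so the pushed commands can be inspected.
const dataLayer = [];
function gtag() {
  dataLayer.push(Array.from(arguments));
}

// The four Consent Mode v2 parameters.
const CONSENT_KEYS = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];

// Map a CCPA choice to the four parameters.
// state = { accepted: boolean, optedOut: boolean, gpc: boolean }
// Design choice for this example: a GPC signal or an explicit opt-out always
// wins over an earlier "accept", so only an unopposed accept grants.
function consentModeUpdate(state) {
  const grant = !!state.accepted && !state.optedOut && !state.gpc;
  const value = grant ? "granted" : "denied";
  return Object.fromEntries(CONSENT_KEYS.map((k) => [k, value]));
}

// Region-scoped default pushed before any tag loads: denied for California.
function setCaliforniaDefault() {
  const payload = { ...consentModeUpdate({ accepted: false }), region: ["US-CA"] };
  gtag("consent", "default", payload);
  return payload;
}

// Push the update for the consumer's current choice and return what was sent.
function applyConsentState(state) {
  const update = consentModeUpdate(state);
  gtag("consent", "update", update);
  return update;
}

// Legacy IAB US Privacy String (usprivacy), deprecated since January 2024 but
// still read by some ad partners. Four characters: version "1", then
// Notice, OptOutSale and LSPA as Y/N. "1YNN" = notice given, not opted out;
// "1YYN" = notice given, opted out. LSPA is fixed to N here (assumption).
function uspString(state) {
  const optOut = state.optedOut || state.gpc ? "Y" : "N";
  return `1Y${optOut}N`;
}

// Stand-alone demonstration: default, then a visitor whose browser sends GPC.
setCaliforniaDefault();
const visitor = { accepted: true, optedOut: false, gpc: true };
console.log("consent update:", applyConsentState(visitor));
console.log("usprivacy:", uspString(visitor));
console.log("dataLayer commands:", dataLayer.length);
```

Because the mapper is the only place that turns a choice into `granted`/`denied`, adding a new signal source (a preferences toggle, a server-side opt-out record) means updating one function rather than every tag call site.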
The CCPA cookie banner compliance checklist
Use this as a pre-deploy audit. A "no" on any of the top-layer items in sections 1 to 3 is the Honda or Disney pattern.
Notice at collection
- Banner appears before any non-essential cookie or pixel fires
- Lists categories of personal information collected and purposes
- Links to the full privacy policy
- Meets WCAG 2.1 AA (screen-reader labels, keyboard navigation, color contrast)
- Available in every language the site ordinarily uses
First-layer choice (the symmetry test)
- Two equally prominent, same-weight buttons: "Accept All" and "Reject All"
- Same click distance, same color or contrast, same size
- No pre-checked toggles for non-essential categories
- "Manage Preferences" appears as a text link or third button, not a replacement for "Reject All"
Opt-out link
- Conspicuous link in header or footer titled exactly "Do Not Sell or Share My Personal Information," or "Your Privacy Choices" + blue icon
- Link works on every page that collects personal information
- Clicking the link actually stops sale and sharing, not just Disney's own ad platform
Global Privacy Control
- Server reads the `Sec-GPC: 1` header
- Client reads `navigator.globalPrivacyControl`
- On detection, treat as valid opt-out within 15 business days
- Render a visible confirmation that GPC was recognized (new § 7025(c)(6) as of 2026)
- For logged-in users, propagate opt-out across all linked accounts and devices
Opt-out mechanics
- No identity verification required to submit the opt-out
- No excessive form fields (Honda's eight-field form was explicitly cited)
- Opt-out processed within 15 business days
- Authorized agent requests accepted without consumer self-verification
Downstream data flow
- When a user opts out or GPC is on, Meta Pixel, Google Ads, TikTok, LinkedIn do not receive identifiable data
- GA4 configuration reviewed against CA AG's Sephora-era position
- IAB GPP deployed (and USP retained only for specific backward-compat partners)
- Consent Mode v2 signals set correctly on denied consent states
Multi-platform scope (the Disney rule)
- Opt-out applies across all devices and services for a logged-in account
- CTV and mobile apps have an in-app opt-out, not just a webform
- Opt-out stops sharing with third-party ad-tech, not only with your own ad platform
If your current banner is a single "Accept All" button with "Manage Preferences" as the secondary choice and no GPC handling, the fastest path to defensibility is to replace the first layer with symmetrical Accept/Reject buttons, wire up GPC detection on both server and client, and route the preferences UI behind a text link. Every other improvement is downstream of those three.
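As an added example that is not part of the original post, the block below turns the "Opt-out mechanics" items of the checklist into two checks a privacy engineer can run before deploying a "Do Not Sell or Share" form: a review of the form definition that flags required fields which verify identity (not permitted for an opt-out under § 1798.120(d)) or that are not needed to scope the request, and a calculator for the 15-business-day processing deadline. The function names (`reviewOptOutForm`, `optOutDeadline`), the field classifications and the sample forms are assumptions constructed for the example; the sample "friction" form is illustrative and is not a transcription of any company's actual form.

```javascript
// Added example (not from the original post): pre-deploy checks for an
// opt-out form and its processing deadline. Field classifications and the
// sample forms are constructed for illustration.

// Fields that only scope the request: which browser, device or account the
// opt-out should cover. An opt-out form should not need more than these.
const SCOPE_FIELDS = new Set(["email", "account_id", "device_id"]);

// Fields whose presence as *required* amounts to verifying the consumer's
// identity, which an opt-out of sale/sharing must not require.
const VERIFICATION_FIELDS = new Set([
  "government_id",
  "ssn_last4",
  "date_of_birth",
  "postal_address",
  "phone",
  "email_verification_code",
  "consumer_self_attestation", // agent requests must not push verification onto the consumer
]);

// Review a form definition: an array of { name, required } entries.
// Returns { compliant, findings } with one finding per problem field.
function reviewOptOutForm(fields) {
  const findings = [];
  const required = fields.filter((f) => f.required).map((f) => f.name);
  for (const name of required) {
    if (VERIFICATION_FIELDS.has(name)) {
      findings.push(`required field "${name}" verifies identity; an opt-out must not require verification`);
    } else if (!SCOPE_FIELDS.has(name)) {
      findings.push(`required field "${name}" is not needed to scope the opt-out`);
    }
  }
  return { compliant: findings.length === 0, requiredCount: required.length, findings };
}

// Deadline for processing the opt-out: 15 business days from receipt, counting
// Monday to Friday. Public holidays are not modelled (assumption of the example).
function optOutDeadline(received, businessDays = 15) {
  const d = new Date(received.getTime());
  let remaining = businessDays;
  while (remaining > 0) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay(); // 0 = Sunday, 6 = Saturday
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return d;
}

// Constructed sample forms.
const MINIMAL_FORM = [{ name: "email", required: true }];
const FRICTION_FORM = [
  { name: "first_name", required: true },
  { name: "last_name", required: true },
  { name: "email", required: true },
  { name: "phone", required: true },
  { name: "postal_address", required: true },
  { name: "date_of_birth", required: true },
  { name: "vehicle_vin", required: true },
  { name: "email_verification_code", required: true },
];

// Stand-alone demonstration.
console.log("minimal form:", reviewOptOutForm(MINIMAL_FORM));
console.log("friction form:", reviewOptOutForm(FRICTION_FORM));
const received = new Date(Date.UTC(2026, 2, 2)); // constructed receipt date, a Monday
console.log("deadline:", optOutDeadline(received).toISOString().slice(0, 10));
```

The review is deliberately conservative: any required field outside the scope set is reported, so a form that is compliant passes with zero findings and a form that has drifted toward verification fails loudly in CI rather than in an enforcement letter.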
Penalties, cure periods, and what actually happens
Civil Code § 1798.155(a) sets CCPA civil penalties at $2,500 per unintentional violation and $7,500 per intentional violation (and per violation involving consumers under 16). The "per violation" language is why the aggregate fines get large: the CPPA and AG count violations on a per-affected-consumer basis for many findings, so a site with large California traffic can accumulate meaningful exposure from a single banner flaw.
Cure period. CPRA removed the mandatory 30-day cure period effective January 1, 2023. The CPPA may, at its discretion, consider a business's good-faith cooperation and opportunity to cure, but this is no longer a statutory right. The 2023 Sacramento Superior Court ruling that initially delayed CPPA enforcement was reversed by the Third District Court of Appeal in February 2024, restoring the CPPA's full authority.
The operational takeaway is that by the time you see a CPPA sweep letter, the window to pre-empt a finding with a quick fix is not guaranteed.
How this fits with other state laws
California is the largest and earliest market, but the pattern is replicating. Colorado made GPC the first approved Universal Opt-Out Mechanism when the Colorado Privacy Act took effect July 1, 2024 (CO AG opt-out page). Connecticut's CTDPA has required honoring UOOMs since January 1, 2025. Delaware, New Jersey, Oregon, Montana, and New Hampshire all have UOOM recognition obligations in effect or coming online. California, Colorado, and Connecticut have publicly coordinated investigations of GPC non-compliance.
For a business operating nationwide, the defensible posture is a single opt-out signal handling pipeline (GPC detection to state-scoped opt-out persistence to confirmed across accounts and devices) rather than separate implementations per state. The states' statutes differ in detail but converge on the same architectural requirements. The broader multi-state picture is covered in Does CCPA Apply to Other States? and in the full US State Privacy Law Tracker for 2026.
FAQ
Does CCPA require a cookie banner?
The CCPA does not use the word "banner." It requires a notice at collection, delivered in the format the business primarily uses to interact with the consumer. On a website that collects personal information through cookies or similar technologies, a banner or equivalent on-page notice is the practical way to deliver § 7003-compliant notice at or before collection. So while "banner" is not in the statute, the functional requirement is effectively a banner or an equivalent in-context disclosure.
Is "Do Not Sell My Personal Information" still valid, or does it have to say "Sell or Share"?
It has to say "Sell or Share." CPRA added the "share" right for cross-context behavioral advertising in § 1798.120, and 11 CCR § 7013 prescribes the link text "Do Not Sell or Share My Personal Information." The legacy "Do Not Sell My Personal Information" wording by itself is non-compliant. The single-link alternative is "Your Privacy Choices" or "Your California Privacy Choices" with the official blue icon.
Do I need opt-in consent under CCPA?
Generally no. CCPA is an opt-out regime for adult consumers: processing is permitted by default, subject to notice and the right to opt out of sale and sharing. The exceptions are (1) consumers under 16, where opt-in is required (and parental consent for under-13), and (2) any operation that separately falls under a different law requiring opt-in, such as GDPR for EEA residents. Running the same site globally usually means you run opt-in for EEA traffic and opt-out with symmetrical choice for California traffic.
What exactly counts as "sale" or "share" for a typical website?
"Sale" includes any transfer to a third party for monetary or other valuable consideration. "Share" includes any transfer to a third party for cross-context behavioral advertising, regardless of payment. In practice: Meta Pixel, Google Ads conversion pixels, TikTok pixels, LinkedIn Insight Tag, and retargeting cookies almost always trigger one or both. Default Google Analytics 4 is an enforcement position of the CA AG (Sephora), not settled law, and should be a documented risk decision. First-party analytics with no third-party transfer is generally neither.
Does the CCPA require my site to recognize Global Privacy Control?
Yes. 11 CCR § 7025 requires businesses that sell or share personal information to process opt-out preference signals, and GPC is the signal in active use. As of January 1, 2026, § 7025(c)(6) also requires the site to display that the signal was recognized and honored. Sephora, Healthline, and Disney all had GPC-handling deficiencies cited in their enforcement actions.
Can I verify a consumer's identity before processing an opt-out?
No. The CCPA explicitly forbids requiring a verifiable consumer request to process an opt-out of sale or sharing. That was the Ford finding in March 2026, and the Honda finding a year earlier. Verification is appropriate for access, deletion, and correction requests, but not for opt-outs.
What's the current penalty structure?
$2,500 per unintentional violation, $7,500 per intentional violation or violation affecting a consumer under 16, under Cal. Civ. Code § 1798.155(a). The CPRA removed the automatic 30-day cure period on January 1, 2023. In practice, settlement amounts depend on how violations are counted (often per-consumer) and whether injunctive relief is ordered.
Is there a single banner that works for both CCPA and GDPR?
A banner can serve both regimes, but the logic behind it has to be region-aware. GDPR requires opt-in consent before non-essential cookies fire; CCPA requires symmetrical first-layer choice with the opt-out right exposed and GPC honored. One pattern that works: run GDPR-style prior consent globally, which satisfies GDPR in the EEA/UK and exceeds CCPA's minimum in California. The downside is conversion impact on US traffic. A region-aware banner that shows a symmetrical CCPA experience to California visitors and a prior-consent experience to EEA/UK visitors is the more nuanced approach and is what most large-traffic sites run. For the EEA/UK side, see the GDPR Cookie Consent pillar.
Where to go from here
If your banner is still running the "Accept All vs. Manage Preferences" pattern, the single most valuable change you can make this quarter is replacing the first layer with symmetrical Accept/Reject buttons and wiring GPC detection end-to-end. That puts you on the right side of the pattern the CPPA has fined in every 2025 and 2026 action. Everything else (consent mode integration, per-state logic, CTV and mobile app parity, authorized-agent workflows) is downstream.
For the broader operational picture, the CCPA Audit Essentials walkthrough covers the full control set beyond the banner, and the CCPA vs. CPRA key differences overview is useful if you're still mapping which provisions bind you post-CPRA.
If you want a second pair of eyes on your current banner or want help wiring the GPC and Consent Mode v2 handling correctly, Consenteo's implementation team has done this on 200+ corporate sites across most major jurisdictions. Get in touch and we'll do a fast read on where you sit relative to the enforcement patterns in this post.
