Cookies, “Significant Risk,” and 2026 CCPA Assessments

Why it matters

Core event: New California Consumer Privacy Act (CCPA) regulations, approved by the California Privacy Protection Agency (CPPA) in September 2025 and effective January 1, 2026, mandate risk assessments for businesses using cookies in behavioral or cross-context advertising, classifying such practices as posing a "significant risk" to consumer privacy.[1][7][9]

Involved parties: The CPPA enforces the rules, targeting businesses meeting CCPA thresholds (e.g., $25M+ revenue, 100K+ CA consumers, or 50%+ revenue from data sales/sharing) that collect personal information via cookies for sale or sharing.[2][6][13] No specific companies or individuals named; law firms like Sheppard Mullin and Butler Snow provide compliance guidance.[1][4]

Context and timeline: The CCPA (2018) evolved via the CPRA (2023 amendments adding "share" for cross-context ads) and prior enforcement actions (e.g., fines since 2022 for opt-out failures).[3][5] 2024 advisories addressed dark patterns; the 2025 final rules expanded requirements for risk assessments, cybersecurity audits, automated decision-making technology (ADMT), and opt-out confirmations, and broadened "sensitive personal information" (e.g., health data, minors under 16).[6][8][9][11] Key points: an opt-out model (not GDPR-style opt-in), mandatory "Do Not Sell or Share" links, GPC signal recognition since 2023, and the DROP platform launch in January 2026 for data broker deletions.[3][10][15]

Newsworthy now: The headline flags urgency ahead of the deadline (a March 22, 2026 story, amid a roughly 2-month compliance window), as non-compliant websites risk CPPA fines. The updates demand immediate audits, policy changes, and technical changes for millions of California-impacted businesses, amid a growing number of US state privacy laws (20 states by 2026).[1][2][14]
