U.S. Privacy and Data Protection Updates | Insights | Q1 2026 (State Law)
California Continues to Evolve Standards on Consent for Cookies (State)
California privacy regulators are using recent enforcement to send a clear message: make cookie and opt-out flows truly low-friction or expect CCPA scrutiny and potential fines.
California’s Evolving Guidelines for Cookies and Tracking
California continues to refine expectations around consent and tracking, especially for cookies, pixels, and other online identifiers. Regulators now treat Global Privacy Control (GPC) and similar signals as a litmus test for whether an opt-out program is real or just on paper. In parallel, state AGs and the California Privacy Protection Agency (CalPrivacy) are using coordinated sweeps and representative cases to define what counts as a valid cookie banner and opt-out mechanism for sale/sharing and cross-site advertising.
For businesses, this means that “take it or leave it” cookie banners, dark patterns, and consent walls tied to basic access are increasingly risky under California law, especially where tracking supports targeted advertising or profiling. Businesses should also assess whether opt-in consent is necessary, for example, where there are data “sales” involving users under age 16 or certain sensitive personal information such as precise geolocation.
New CCPA Enforcement: Friction in Opt-Outs
Recent CalPrivacy decisions against Ford Motor Company and PlayOn Sports illustrate how the agency is operationalizing CCPA’s requirement that opt-outs be easy, accessible, and honored in practice.
- Ford: unnecessary verification step
  - CalPrivacy required Ford to pay a $375,703 fine and change its practices after it forced consumers to verify their email address before processing opt-out requests for sale/sharing of personal information collected via digital properties and connected vehicle services.
  - The agency concluded that this extra email verification step created “unnecessary friction” and effectively imposed a “verifiable consumer request” standard on an opt-out right where verification is not required.
  - Regulators emphasized that if a business can process an opt-out with the information already provided, it must do so without layering on additional steps.
- PlayOn Sports: forced consent and inadequate opt-out
  - CalPrivacy’s stipulated order requires PlayOn Sports (GoFan) to pay $1.1 million for failing to provide adequate mechanisms to opt out of sale/sharing via tracking technologies and for misusing cookie banners.
  - PlayOn allegedly forced users, including minors, to click “Agree” on a tracking technology banner to access already purchased tickets, without offering any opt-out path and without honoring opt-out preference signals.
  - The settlement underscores that consumers must have effective and easy-to-use opt-outs.
Both decisions reinforce a core theme emerging from 2025 and early 2026: CCPA opt-out flows cannot include extra verification, hidden steps, or practical roadblocks that make opt-out requests harder to complete.
What AG and CalPrivacy Cases Say about “Easy” Opt-Outs
Recent enforcement by the California Attorney General and CalPrivacy shows how regulators are filling in the contours of “easy” opt-outs and compliant tracking practices.
- In-app and in-context controls
  - Enforcement against mobile app and gaming companies shows that it is no longer acceptable to limit opt-outs to a website or a buried account portal when the primary data collection occurs in-app.
  - Regulators have required in-app opt-out methods, clear “kids” profiles, and default settings that limit targeted advertising when children are likely to be present.
- Youth and teen data
  - Several actions and settlements underscore heightened scrutiny when platforms collect data about users under 18, including requirements for affirmative “opt-in” consent to sell or share data for consumers ages 13–15.
  - Businesses that market to schools or minors should expect closer examination of tracking technologies, consent flows, and whether any targeted advertising to minors is occurring.
Against this backdrop, California’s enforcement playbook has become more structured and signal-driven, with announced priority areas (e.g., opt-outs, kids, data brokers) followed by sweeps and representative cases. For companies operating nationally, these California trends often ripple into other state investigations and multi-state coalitions.
Why Cookie Banners Still Matter: CIPA Exposure
Even as California narrows what counts as a compliant CCPA consent or opt-out flow, cookie banners, notices, and consent mechanisms remain an important tool for mitigating risk under other laws, including California’s Invasion of Privacy Act (CIPA).
Recent litigation has allowed CIPA claims to proceed where websites deploy third-party session replay tools, chat widgets, or similar technologies that capture the substance of user communications without adequate notice or consent, such as through a cookie consent tool. Plaintiffs have argued that this conduct amounts to unlawful interception of communications, particularly when the data flows to third-party vendors.
Practical Next Steps for Businesses in 2026
To align with California’s evolving expectations on cookies, consent, and opt-outs, businesses should consider the following roadmap for 2026.
- Remove unnecessary steps (e.g., extra email verification) and process opt-outs with the information already provided;
- Avoid forced “Agree” walls for basic access; provide clear decline/opt-out options;
- Implement and test Global Privacy Control and similar signals across web and mobile, and treat them as binding opt-outs;
- Add in-app opt-out tools where data collection is app-centric, especially for streaming, gaming, and ed-tech products;
- Build age-appropriate experiences, add teen/parental opt-in controls for sale/sharing, and minimize tracking on school or youth-oriented properties;
- Use clear tracking notices and consent for session replay, chat tools, and other “communication-like” technologies.
For organizations updating their privacy programs, this is an opportune time to audit cookie banners, consent flows, and opt-out mechanisms across web and mobile, and to document how GPC and other preference signals are detected and honored. Kronenberger Rosenfeld has years of experience with California and multi-state privacy laws. Our firm can help translate these enforcement trends into practical design requirements for engineers, product teams, and marketers. Contact us today through our online submission form.
This entry was posted on Tuesday, March 24, 2026 and is filed under Privacy and Data Protection Updates, Internet Law News.