CCPA/CPRA compliance for marketers 2026: what the CPPA's January 1 regulations changed
The California Privacy Protection Agency (CPPA) is the regulator, not the law: the law is the CCPA as amended by the CPRA, in force since January 1, 2023. The CPPA's new regulations on risk assessments, cybersecurity audits and automated decisionmaking technology, together with amendments to the existing CCPA regulations, took effect January 1, 2026. They are the most significant change to US privacy obligations since the CCPA itself took effect in 2020, and they affect how marketers can track, retain, share, and use consumer data at any business, wherever it is based, that meets the CCPA's thresholds for California consumers. Penalties run $2,500 per violation and $7,500 per intentional violation or violation involving a consumer under 16, and there is no longer a mandatory cure period.
This post is the practical guide for marketing operators: which obligations are genuinely new as of January 1, which older CPRA obligations the agency is now actively enforcing, what you have to do about each, and the 30-day audit checklist that gets a typical SMB stack into compliance.
What the CPPA actually requires (in marketer terms)
The CPRA amendments and the CPPA's regulations operationalize the CCPA in five areas that touch marketing directly. The first four have been enforceable since 2023 and are where enforcement activity is concentrated; the fifth is what actually arrived January 1, 2026:
- Opt-out preference signals, in practice the Global Privacy Control (GPC) browser signal, must be honored as a valid request to opt out of sale and sharing (required by the regulations since 2023; the Attorney General's 2022 Sephora settlement was largely about ignoring it)
- Sensitive personal information (precise geolocation, health, race or ethnicity, religion, sexual orientation, citizenship or immigration status, among others) is subject to a consumer's right to limit its use to what is necessary to provide the requested service, and sale or sharing of the data of consumers under 16 requires affirmative opt-in
- Data retention periods must be disclosed per category of personal information, or the criteria used to determine them; a bare "as long as needed" notice does not qualify
- Contracts with service providers, contractors and third parties (DPAs) must contain the specific terms the CCPA regulations require; DPAs that predate the 2023 regulations usually lack them
- Risk assessments are required for processing that presents significant risk to consumers (selling or sharing personal information, and processing sensitive personal information, both qualify), and periodic cybersecurity audits are required for businesses above size thresholds, with submission deadlines phased in over the coming years; the same regulations add rules on automated decisionmaking technology
Each requirement maps to concrete changes in marketing infrastructure. Below is what they look like in practice.
Consent management changes
The biggest operational point, and the one with the longest enforcement record: honoring GPC is not optional and has not been since the 2023 regulations. Browser-level opt-out signals arrive from Brave (on by default), DuckDuckGo's browser and extension, Firefox (a privacy setting), and Chrome only via extensions, and each must be treated as an opt-out of "sale and share" for that browser.
What this means concretely:
- Your consent management platform (CMP) must detect GPC and apply it to all downstream tags. OneTrust, Cookiebot, Osano, Termly, and the other major CMPs support GPC detection, but it is frequently not enabled by default. Verify yours has it switched on and test it rather than trusting the settings page.
- Server-side tags must respect the GPC signal. If you use Meta CAPI, GA4 server-side, or any first-party server proxy, the opt-out must flow through to those server-side calls. Because a first-party endpoint receives the same Sec-GPC: 1 request header the browser sends to your pages, the proxy can and should check it directly instead of trusting only the state the client forwards. This is the most-missed compliance gap.
- A user who opts out via GPC cannot be added to your custom audiences. Verify your audience-building pipelines respect the opt-out flag.
GPC handling is an early enforcement priority for the CPPA's enforcement division, which has said publicly that it tests 2,000+ California-facing sites a month for whether the signal is honored.
Sensitive personal information handling
California does not use GDPR's lawful-basis model, but the effect on these uses is similar. A consumer has a right to limit the use and disclosure of sensitive personal information to what is necessary to provide the goods or services they asked for (Civ. Code § 1798.121), exercised through a "Limit the Use of My Sensitive Personal Information" link, on top of the ordinary sale/share opt-out. Health-related ads, location targeting within a 1,850-foot radius (the statutory definition of precise geolocation), and ads keyed on race, religion, or sexual orientation are exactly the uses that right shuts off. For consumers under 16, sale or sharing requires affirmative opt-in. Several other state privacy laws require opt-in consent for any processing of sensitive data, which is why the opt-in pattern described below is the usual multi-state implementation: it satisfies California's right to limit by never making the sensitive use the default.
Marketing categories where this matters most:
- Health and wellness brands — any audience built from health-related signals (visited health-content page, clicked symptom checker, etc.) requires opt-in
- Hyperlocal businesses: precise geolocation, defined as locating a consumer within a radius of 1,850 feet, is sensitive personal information and needs the opt-in path; ZIP-code or city-level targeting is coarser than that radius and is ordinary personal information (still subject to the sale/share opt-out)
- Faith-based and ethnic-targeted brands — religious and racial audience targeting requires explicit opt-in regardless of source
The compliance pattern: a clear, separately-labeled consent dialog (often a secondary modal) for sensitive use, with a real “no thanks” path that does not punish the user. Bundled “accept all” buttons do not satisfy the requirement for sensitive data.
Data retention defaults
Vague retention notices violate Civ. Code § 1798.100(a)(3), in force since 2023 and an explicit focus of the 2026 regulatory amendments. "We retain data as long as necessary" is not a retention period. You must state, in your privacy policy, a retention period for each category of personal information (and of sensitive personal information) you collect, or, where a fixed period is genuinely impossible, the criteria used to determine it.
A workable retention policy template for marketing data:
- Web analytics (GA4, etc.): the platform's event-level retention setting, disclosed; in GA4 that is 2 months by default and 14 months as the longer option on standard properties (26 months was the old Universal Analytics default, not a GA4 option)
- Email subscriber data — until unsubscribe + 90 days, then purged or anonymized
- Pixel/tag-collected behavioral data — 12 months from last interaction
- Custom audience source data — 6-12 months, refreshed as the audience refreshes
- Form submission data — 24 months from submission unless the customer is active
These are starting points, not legal advice. Adjust to your specific use cases and document the reasoning. The CPPA does not require the shortest retention period — it requires specificity and justification.
Vendor contracts (DPA updates)
Every data processor your marketing team uses needs an updated DPA with specific CPPA flow-down language. The list to audit:
- Email service provider (Klaviyo, Mailchimp, Hubspot, etc.)
- CRM (Salesforce, Hubspot, Pipedrive)
- CDP (Segment, Rudderstack, mParticle)
- Ad platforms (Google, Meta, TikTok, LinkedIn — these provide updated DPAs through their business hubs)
- Analytics (GA4, Mixpanel, Amplitude)
- Tag management (GTM, Tealium)
- Server-side proxy (any first-party measurement layer)
- Form/landing page tools (Unbounce, Webflow, Carrd, etc.)
- Customer support and chat tools (Intercom, Zendesk)
Most major SaaS vendors have published CPRA-era DPAs, usually self-served from their trust or legal pages. Smaller and niche tools often have not; those are the highest compliance risk in 2026.
Universal opt-out signal (GPC) support
A deeper note on GPC because it is the area with the highest enforcement risk in 2026.
GPC is a browser signal with two faces: an HTTP request header, Sec-GPC: 1, sent with the browser's requests to your site (page loads, fetch/XHR calls to a first-party endpoint, pixel requests), and a JavaScript property, navigator.globalPrivacyControl, that page scripts can read before any tag loads. It signals that the user has chosen to opt out of "sale and share" of their personal information. Once enabled it is sent automatically; the user does not click a banner. Under the CCPA regulations (11 CCR § 7025), a business receiving the signal from a California consumer must:
- Treat it as an opt-out of sale and share (equivalent to clicking “Do Not Sell or Share My Personal Information”)
- Apply the opt-out to all downstream advertising tags, identity resolution services, and shared audiences
- Not require the user to take any additional action to confirm the opt-out
- Not penalize the user with degraded experience, paywalls, or repeated consent prompts
The compliance gap most operators have is ordering. The signal is present before a CMP banner can render, so the CMP must read it at script load and apply the opt-out immediately, without waiting for a click and without needing to show a banner at all. Many CMPs default to "show banner first, apply preferences after click," which means sale/share tags fire on the first page view for a GPC user; that order has to flip. The regulations also say that if the signal conflicts with a stored business-specific setting that permits sale, the signal wins (the business may tell the user about the conflict and offer to re-consent, but only after honoring it).
Test your implementation: use Brave (GPC is on by default), enable the setting in Firefox or the DuckDuckGo extension, or install a GPC extension in Chrome; visit your site with the network panel open and check which tags and server-side calls fire on the first page view. For the server-side path, a request with the header added by hand (curl -H 'Sec-GPC: 1' against your collection endpoint) shows whether the proxy honors the header on its own. If pixels or forwarded events fire that should be opt-out-restricted, you have a compliance gap.
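The GPC handling described in this section and in the consent management section above, as an added example that is not part of the original post: it reads the signal at script load and gates tags, re-checks the header on a first-party proxy, and runs the same check the manual Brave test performs. The consent categories, tag names, destination names and the idea of forwarding consent state in the request body are this example's own assumptions, not any CMP's API.

```javascript
"use strict";
// Added example; not code from the original post or from any CMP vendor. It
// shows both halves of GPC handling: reading the signal in the browser before
// any tag is injected, and re-checking the Sec-GPC header on a first-party
// server-side tagging proxy. Consent categories, tag names and destination
// names are hypothetical; a real site drives the same logic from its CMP's
// callbacks and its tag manager's triggers.

// Browser side. The spec exposes the signal to scripts as
// navigator.globalPrivacyControl; `nav` is a parameter so this runs under Node.
function gpcEnabled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Categories that amount to "sale or share" under CCPA/CPRA, so a GPC signal
// must switch them off. Analytics stays governed by the stored choice; an
// analytics tag that also feeds cross-context behavioral advertising belongs
// in the advertising category instead.
const SALE_SHARE_CATEGORIES = ["advertising", "audience"];

// Consent state computed at script load, before any tag is injected. CCPA is
// an opt-out regime: with no signal and no stored choice, tags may load and the
// "Do Not Sell or Share" link handles later opt-outs. `stored` is a prior
// explicit choice (e.g. from a first-party cookie). GPC is applied last so it
// overrides a stored opt-in, as 11 CCR section 7025 requires for a conflict
// between the signal and a business-specific setting.
function initialConsent(nav, stored) {
  const consent = { analytics: true, advertising: true, audience: true, source: "default" };
  if (stored) Object.assign(consent, stored, { source: "stored" });
  if (gpcEnabled(nav)) {
    for (const c of SALE_SHARE_CATEGORIES) consent[c] = false;
    consent.source = "gpc";
  }
  return consent;
}

// Tag registry (hypothetical names): the consent category each tag needs.
const TAGS = [
  { name: "ga4", category: "analytics" },
  { name: "meta-pixel", category: "advertising" },
  { name: "audience-sync", category: "audience" },
];

// Tags the loader may inject for a given consent state.
function tagsToLoad(consent, tags = TAGS) {
  return tags.filter((t) => consent[t.category] === true).map((t) => t.name);
}

// Server side. Sec-GPC is the header form of the same signal and its only
// defined value is "1". Node lowercases incoming header names.
function gpcFromHeaders(headers) {
  const raw = headers && headers["sec-gpc"];
  return typeof raw === "string" && raw.trim() === "1";
}

// Destination registry (hypothetical names) for a first-party proxy.
const DESTINATIONS = [
  { name: "ga4-measurement-protocol", category: "analytics" },
  { name: "meta-capi", category: "advertising" },
  { name: "audience-upload", category: "audience" },
];

// Decide where one collected event may be forwarded. The browser's consent
// state travels with the request (here as a body field), but the proxy
// re-derives the GPC decision from the request header instead of trusting the
// client, so a CMP that missed the signal cannot leak an opted-out user into
// CAPI or an audience upload.
function routeEvent(headers, clientConsent) {
  const consent = { ...clientConsent };
  if (gpcFromHeaders(headers)) {
    for (const c of SALE_SHARE_CATEGORIES) consent[c] = false;
  }
  return DESTINATIONS.filter((d) => consent[d.category] === true).map((d) => d.name);
}

// Self-check mirroring the manual test in the post: a Brave-style visit
// (navigator.globalPrivacyControl === true plus a Sec-GPC: 1 header, both
// constructed here) on top of a stored opt-in, which the signal must override.
// Returns every sale/share tag or destination that would still fire; an empty
// list means no gap.
function gpcLeaks() {
  const nav = { globalPrivacyControl: true };
  const headers = { "sec-gpc": "1" };
  const consent = initialConsent(nav, { advertising: true, audience: true });
  const fired = new Set([...tagsToLoad(consent), ...routeEvent(headers, consent)]);
  return [...TAGS, ...DESTINATIONS]
    .filter((x) => SALE_SHARE_CATEGORIES.includes(x.category) && fired.has(x.name))
    .map((x) => x.name);
}

// The failure mode the post describes: a CMP that loads defaults first and only
// applies the signal after a banner click ignores GPC on the first page view,
// so every sale/share tag fires for the opted-out user.
function bannerFirstLeaks() {
  const signalIgnored = { analytics: true, advertising: true, audience: true };
  return tagsToLoad(signalIgnored).filter((name) =>
    SALE_SHARE_CATEGORIES.includes(TAGS.find((t) => t.name === name).category));
}
```

`gpcLeaks()` returns an empty array when the signal is honored at load, while `bannerFirstLeaks()` lists the sale/share tags a banner-first CMP fires for a GPC user on the first page view. Wiring this into a real stack means running the equivalent of `initialConsent` from the CMP's pre-load hook, handing only `tagsToLoad`'s output to the tag manager, and calling the equivalent of `gpcFromHeaders` in the proxy before any CAPI or audience call.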
A 30-day audit checklist for SMB marketers
The minimum-viable CPPA compliance audit for an SMB marketing stack:
Week 1 — Discovery
- Map every marketing tool that collects or processes consumer data
- Identify which tools serve California traffic (almost all do)
- Pull current privacy policy and identify generic retention language
Week 2 — Configuration
- Enable GPC detection in your CMP (verify it works in a Brave browser test)
- Confirm GPC opt-out flows through to server-side tags and CAPI
- Configure retention periods for analytics tools (GA4 event data retention defaults to 2 months; 14 months is the longer option on standard properties)
- Document retention periods for each data category in a written policy
Week 3 — Contracts
- Request updated CPPA-compliant DPAs from each vendor on your stack
- Track DPAs received vs. outstanding in a shared spreadsheet
- Escalate or replace vendors who cannot produce a compliant DPA
Week 4 — Disclosure
- Update privacy policy to include specific retention periods, sensitive data disclosures, and GPC honoring
- Update consent banner copy to align with the policy
- Add a "Do Not Sell or Share My Personal Information" link in the site footer, plus "Limit the Use of My Sensitive Personal Information" if you collect sensitive data, or a single "Your Privacy Choices" link that leads to both (all already required under CCPA/CPRA; verify the links actually set the opt-out rather than just opening a page)
- Run a first-party measurement audit to ensure no broken tracking after compliance changes
Most SMBs we have walked through this checklist complete it in 25-40 hours over 30 days, including legal review.
FAQ
Does this apply to my business if I'm not based in California? Yes, if you do business in California and meet one of: (a) more than $25M in annual gross revenue (a figure the CPPA adjusts for inflation), (b) annually buying, selling, or sharing the personal information of 100K+ California consumers or households, or (c) deriving 50%+ of annual revenue from selling or sharing California consumers' personal information. For most US ecommerce and SaaS businesses, threshold (b) is the binding one; 100K consumers or households is reached at surprisingly modest scale.
What are the actual penalties? $2,500 per violation and $7,500 per intentional violation or violation involving the personal information of a consumer under 16. There is no cap on total penalties; they accumulate per violation per consumer.
Is there a cure period? Not a mandatory one. The CPRA removed the CCPA's 30-day right to cure for administrative enforcement as of January 1, 2023, leaving cure at the agency's discretion. The separate private right of action for data breaches (Civ. Code § 1798.150) keeps its own notice-and-cure mechanics, which do not help with marketing violations.
Does this conflict with GDPR? The two are complementary but not identical. GDPR is more restrictive in some areas (an opt-in lawful basis and, via ePrivacy, consent before non-essential cookies; data minimization), California is more restrictive in others (a universal opt-out signal, which GDPR does not recognize; retention disclosures per data category). A GDPR-compliant stack is typically 80% of the way to California compliance, since consent-before-load already exists, but it still needs the GPC work, the sale/share opt-out links, and retention specificity to close the gap.
Where do I get authoritative guidance? The CPPA's official site (cppa.ca.gov) publishes the regulations and enforcement actions. The IAPP and major law firms publish regular updates. The CMP vendors (OneTrust, Cookiebot, Osano) publish implementation guides.
The honest 2026 framing
CCPA/CPRA compliance is annoying but mechanical. The marketing-stack changes are: GPC detection, server-side flow-through, retention specificity, DPA refresh, and updated disclosures, plus a documented risk assessment if you sell or share personal information. Most SMBs can complete the work in 30 days for a few thousand dollars of legal review. The penalty exposure for skipping is real and accumulating: the CPPA is staffed up and actively enforcing throughout 2026.
Treat this as overdue infrastructure cleanup, not a separate compliance project. The same changes that produce CPPA compliance also improve your attribution stack and your customer trust posture. Get it done in Q2.