From 2026 onward, CCPA notice and disclosure obligations are shaped by fully effective CPRA amendments and detailed California Privacy Protection Agency (CPPA) regulations. These rules sharpen how notices must be presented, what information must be disclosed, and how consumer choices must be respected across websites and interfaces. This guide explains the most relevant CCPA notice changes for 2026, how they affect notices at collection, opt‑out links, privacy policies, and consumer choice flows, and where enforcement attention is increasingly focused.
CCPA Notice Requirements in 2026: What Businesses Need to Update
Introduction: why 2026 is a turning point for CCPA notices
While the California Consumer Privacy Act (CCPA) has been in effect for several years, 2026 marks a point where CPRA amendments and CPPA regulations are no longer transitional. Businesses are now evaluated against detailed operational rules, not just statutory principles.
In enforcement actions, regulators increasingly look at how notices function in practice: whether disclosures are clear, whether choices are symmetrical, and whether notices actually match how data is collected, used, retained, sold, or shared. This makes notice design, placement, and updating a central compliance risk area going into 2026.
This article outlines the notice‑related changes and clarifications businesses should review in 2026, with a focus on websites and digital collection points.
What changed in CCPA notice requirements for 2026
The core notice types under the CCPA remain the same, but the CPRA and CPPA regulations significantly expand how they must work in practice, as reflected in official CPPA guidance such as Things to Know Before 2026 Updates and the General Notices guidance. These rules are codified in Title 11 of the California Code of Regulations, which states that a violation of the regulations constitutes a violation of the CCPA itself. The operative statutory text is set out in the CCPA Statute effective 1 January 2026 and in California Civil Code section 1.81.5.
Key developments relevant in 2026 include:
- More detailed content requirements for notices at collection
- Clearer rules for opt‑out and limitation links
- Stronger expectations around usability and symmetry of choice
- Expanded disclosure requirements inside privacy policies
- Increased scrutiny of broken links, outdated notices, and misleading interfaces
These changes affect how businesses design and maintain notices across domains and user journeys.
Notice at collection updates to review for 2026
Under the CPPA regulations, a notice at collection must now clearly disclose, at or before collection:
- Categories of personal information and sensitive personal information
- Purposes for collection and use
- Whether each category is sold or shared
- Retention periods or retention criteria
- A link to the privacy policy
- A link to the opt‑out notice when selling or sharing occurs
Importantly, regulators clarify that directing users to the top of a privacy policy is not sufficient. Links must take users directly to the relevant section containing the required information.
Businesses should review whether their notice at collection content still reflects current practices and whether it appears consistently across cookies, forms, apps, and offline collection points.
For example, a business that adds a new analytics or advertising tool may update its privacy policy but forget to adjust the notice shown in its cookie banner or signup form. In enforcement reviews, regulators often examine whether these collection‑stage notices were updated at the same time as backend practices. For background context, see our guide on CCPA notice at collection.
“Do Not Sell or Share” and alternative link expectations in 2026
The CPPA regulations reinforce that the “Do Not Sell or Share My Personal Information” link must be:
- Conspicuous
- Easy to locate from the homepage
- Functionally symmetrical with opt‑in paths
Businesses may use an alternative opt‑out link (such as “Your Privacy Choices”), but only if it meets strict labeling, placement, and functionality requirements.
Regulators also emphasize that broken links, circular flows, or forcing users to scroll through long policies to opt out may be considered dark patterns.
For example, a website footer may still display a “Do Not Sell or Share My Personal Information” link that points to an outdated section of the privacy policy, or to a page that no longer reflects current selling or sharing practices. Even when an opt‑out mechanism exists, these inconsistencies are frequently cited in enforcement reviews.
For a deeper breakdown, see our article on the Do Not Sell or Share requirement.
Privacy policy disclosure expansions under the CPRA
By 2026, privacy policies are expected to fully reflect CPRA‑level disclosure detail, including:
- Retention periods or criteria for each data category
- Clear explanations of selling vs sharing
- Disclosure of sensitive personal information use and limitation rights
- Explanations of how opt‑out preference signals are processed
- The date the policy was last updated
Privacy policies must also be available in the languages in which the business ordinarily provides information to California consumers and be reasonably accessible to users with disabilities.
If your privacy policy has not been materially updated since early CPRA enforcement began, it is likely due for review. For guidance, see how to create a CCPA privacy policy.
Choice architecture and dark pattern enforcement focus
One of the most significant shifts heading into 2026 is enforcement attention on choice architecture, a concept developed through CPPA rulemaking under the California Privacy Rights Act (CPRA).
The regulations explicitly require:
- Symmetry between accepting and declining choices
- Clear, non‑confusing language
- No unnecessary friction when exercising rights
Interfaces that make opting out harder than opting in, rely on double negatives, or obscure consumer choices may invalidate consent entirely. This applies to cookie banners, opt‑out flows, and preference centers.
How CCPA 2026 notice changes affect websites in practice
For website operators, the 2026 notice landscape means:
- Notices must be reviewed holistically, not in isolation
- Collection‑stage disclosures must link cleanly to policy content
- Opt‑out links must function consistently across desktop and mobile
- Updates to data practices require timely notice updates
These obligations intersect with other CCPA requirements, including CCPA notices and disclosures and data retention disclosures.
How Clym supports notice updates for 2026
As notice requirements become more detailed, many businesses struggle to keep disclosures aligned across domains and user journeys.
Clym supports this process by allowing businesses to manage privacy notices and policies centrally through the Clym Control Center. Businesses can add an existing privacy policy or generate one through a guided questionnaire, then display it consistently across their website.
Notice‑related elements, such as links from collection points or footers, can reference the same policy content, helping reduce disclosure drift as requirements evolve. This approach supports consistency while leaving legal interpretation and scope decisions with the business.
Frequently asked questions about CCPA 2026 notice changes
There is no brand‑new CCPA statute for 2026, but CPRA amendments and CPPA regulations are now fully operative. Enforcement increasingly focuses on these detailed regulatory requirements.
Many businesses do. Notices that were written before CPRA enforcement or that have not been updated to reflect retention, sharing, and choice architecture rules are commonly flagged.
Yes. CPPA regulations state that violating notice requirements constitutes a violation of the CCPA itself, making notice accuracy and usability a direct enforcement concern.
The CCPA does not set a fixed review schedule. Privacy notices should be reviewed whenever data practices change, and many businesses perform regular reviews to reduce the risk of disclosure drift as systems, vendors, or tracking technologies evolve.
Updates are commonly required when a business introduces new categories of personal information, new purposes for use, new selling or sharing activities, changes retention periods, or begins using sensitive personal information beyond limited purposes.
In many cases, yes. When disclosures change, collection‑stage notices may also need to be updated so that consumers receive accurate information at or before the point of collection.
Regulators focus on whether notices are accurate, current, and consistent across interfaces, and whether they reflect how personal information is actually collected, used, retained, sold, or shared in practice.