Navigating California’s digital laws can feel like a part-time job, as the state is
often more aggressive with its requirements than the rest of the U.S
As of 2026, California has made significant updates, particularly regarding how you handle opt-outs and accessibility for public entities. Here is a breakdown of the current landscape for ADA, cookie consent, and privacy policies.
Digital ADA Compliance
In California, website accessibility isn't just a "good idea" it’s a legal necessity enforced through both federal and state laws.
The Unruh Civil Rights Act:
This is the big one for private businesses. It prohibits discrimination based on disability. California courts generally rule that a website is a place of public accommodation.The Standard:
While the law doesn't explicitly name a technical standard, courts almost universally use WCAG 2.2 Level AA (Web Content Accessibility Guidelines) as the benchmark.The Risk:
Unlike federal law (which often just requires you to fix the site), the Unruh Act allows for statutory damages of $4,000 per violation plus attorney fees. This makes California a hotspot for accessibility lawsuits.New 2026 Requirements (Title II):
As of April 2026, the U.S. DOJ has mandated that state and local government entities (and public universities) must strictly adhere to WCAG 2.2 Level AA. If you provide services to a California government body, your digital assets must meet these standards.
Cookie Consent (CCPA/CPRA)
California handles cookies differently than the EU (GDPR). While the EU is "Opt-in" (ask before dropping cookies), California is primarily "Opt-out" (let them stop it).
The "Do Not Sell or Share" Link:
If you use third-party tracking cookies (like Meta Pixel or Google Ads) for behavioral advertising, you are "sharing" or "selling" data under the law. You must have a clear link in your footer labeled
"Do Not Sell or Share My Personal Information."Opt-Out Preference Signals (GPC):
You must honor Global Privacy Control (GPC) signals. If a user has a browser setting that says "don't track me," your site must automatically treat that as a request to opt-out of tracking cookies.New for 2026 – Mandatory Confirmation:
As of January 1, 2026, when a user clicks your "Do Not Sell" link or sends a GPC signal, you must provide a confirmation message (e.g., "Opt-Out Request Honored") so the user knows it worked.Dark Patterns:
You cannot make the "Accept All" button bright green and the "Reject All" button a tiny, invisible grey link. The choices must be symmetrical in design and ease of use.
Privacy Policy Requirements
Your Privacy Policy is the "instruction manual" for how you handle data. Under the CCPA/CPRA, it must be updated every 12 months and include:
Categories of Data:
A list of the types of personal information you’ve collected in the last 12 months (e.g., identifiers, geolocation, professional info).Sensitive Personal Information (SPI):
You must disclose if you collect "Sensitive" data (like SSNs, precise location, or race). Users have a specific right to "Limit the Use of My Sensitive Personal Information."The "Look-Back" Rule:
In 2026, users have the right to request access to personal information collected beyond the typical 12-month window, reaching back to January 1, 2022, if you still have the data.Minors:
If you know (or should know) you have users under 16, you must get affirmative "opt-in" consent before selling or sharing their data.
