The State Privacy Patchwork in 2026: Opt-Out Rights, Global Privacy Control, and Where Website Enforcement Landed
Roughly twenty states now run comprehensive privacy laws, and the one requirement with the sharpest website teeth is the least visible: honoring a browser opt-out signal your site probably ignores.
The federal privacy bill that would have preempted all of this never arrived. In its absence, the states built the map. By mid-2026 roughly twenty states operate comprehensive consumer privacy laws, and while their definitions and thresholds differ, they converge on a small set of consumer rights — access, deletion, correction, and, most consequential for websites, the right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising.
This tracker focuses on the piece of that framework that is both the most observable on a live site and the most commonly ignored: the opt-out preference signal. It is risk intelligence, not legal advice.
Why "sale" and "sharing" sweep in ordinary ad tech
The word "sale" misleads operators who assume it means an exchange of money. Under the California Consumer Privacy Act, as amended by the CPRA, a "sale" is any disclosure of personal information to a third party for "monetary or other valuable consideration," and "sharing" expressly reaches disclosures for cross-context behavioral advertising. Loading a third-party advertising pixel that transmits identifiers to an ad platform is, under that definition, frequently a sale or a share — even when no invoice changes hands. That is the interpretive move that pulls routine tag stacks into the statute.
Several other states use different labels — "targeted advertising," "profiling" — but land in a similar place: if your site sends identifiers to advertising partners, a consumer generally has a right to tell you to stop, and you have to provide a working way for them to do it.
Global Privacy Control: the opt-out you can't see but must honor
The requirement with the sharpest website consequences is the opt-out preference signal. California's regulations require businesses to treat a Global Privacy Control (GPC) signal — a header the browser or an extension sends automatically — as a valid request to opt out of sale and sharing. The consumer does not click anything on your banner; the signal arrives with the request, and the law expects your site to recognize it and suppress the relevant data flows.
This is where implementations fail quietly. A site can display a polished "Your Privacy Choices" link and still transmit identifiers to ad platforms for a visitor whose browser is broadcasting GPC, because the banner and the signal are never wired together. The California Attorney General's 2022 settlement with Sephora put a marker down: the failure to process GPC as a valid opt-out was treated as a CCPA violation, and later enforcement sweeps and California Privacy Protection Agency actions have kept the signal near the center of website enforcement. A growing number of states now also require honoring a universal opt-out mechanism.
What changed heading into 2026
Three shifts are worth tracking:
- More states, more live enforcement. The wave of laws that passed in 2023 to 2025 moved from "effective dates" to actual enforcement, and dedicated regulators — the CPPA in California most prominently — began issuing orders rather than guidance.
- Sensitive data got its own gate. Most of the newer laws single out sensitive categories — precise geolocation, health, biometric, and data revealing protected characteristics — for opt-in consent or a separate limitation right, which raises the stakes on trackers that can infer them.
- Opt-out signals became the enforcement shortcut. GPC is attractive to regulators precisely because it is testable at scale: a browser sends the signal, and either the site honors it or it does not. No intent, no ambiguity — just behavior on the wire.
What contested questions remain
The patchwork is not settled. States differ on private rights of action (most rely on AG enforcement; California's is limited to data-breach claims, not the opt-out rules), on the definition of a covered business, and on how cure periods work as those provisions sunset. The interaction between these laws and the wiretapping theories covered elsewhere in these pages is still being worked out, since the same tracker can implicate both a state opt-out obligation and a CIPA claim.
What is observable from outside
Most of a privacy-law compliance program is documentary, but the opt-out mechanics are directly measurable:
- Whether the site transmits identifiers to advertising third parties at all — the predicate for "sale"/"sharing."
- Whether it detects and honors a GPC signal, suppressing those transmissions when the signal is present.
- Whether a "Your Privacy Choices" or equivalent control exists and actually changes what fires, rather than only recording a preference.
- Whether trackers capable of inferring sensitive categories load before any consent.
The gap between a privacy-choices link and what the page actually sends is the same gap that drives the consent-timing cases — and, for the state laws, it is the part a regulator can test without ever reading your policy. Loading your own site with a GPC signal active and watching the request waterfall is the fastest way to see which side of that line you are on.
Sources
See what your own pages do
The behaviors above are observable on the wire. LawsuitGuard loads your site in a real browser, maps every tracker and when it fires, and shows the evidence behind each finding.
Run a free scan