All insights
Regulatory TrackerJuly 3, 2026 7 min read

The State Privacy Patchwork in 2026: Opt-Out Rights, Global Privacy Control, and Where Website Enforcement Landed

Roughly twenty states now run comprehensive privacy laws, and the one requirement with the sharpest website teeth is the least visible: honoring a browser opt-out signal your site probably ignores.

Risk intelligence, not legal advice. The patterns below are indicators that have appeared in real litigation or enforcement — not proof of a violation, and not a substitute for counsel.

The federal privacy bill that would have preempted all of this never arrived. In its absence, the states built the map. By mid-2026 roughly twenty states operate comprehensive consumer privacy laws, and while their definitions and thresholds differ, they converge on a small set of consumer rights — access, deletion, correction, and, most consequential for websites, the right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising.

This tracker focuses on the piece of that framework that is both the most observable on a live site and the most commonly ignored: the opt-out preference signal. It is risk intelligence, not legal advice.

Why "sale" and "sharing" sweep in ordinary ad tech

The word "sale" misleads operators who assume it means an exchange of money. Under the California Consumer Privacy Act, as amended by the CPRA, a "sale" is any disclosure of personal information to a third party for "monetary or other valuable consideration," and "sharing" expressly reaches disclosures for cross-context behavioral advertising. Loading a third-party advertising pixel that transmits identifiers to an ad platform is, under that definition, frequently a sale or a share — even when no invoice changes hands. That is the interpretive move that pulls routine tag stacks into the statute.

Several other states use different labels — "targeted advertising," "profiling" — but land in a similar place: if your site sends identifiers to advertising partners, a consumer generally has a right to tell you to stop, and you have to provide a working way for them to do it.

Global Privacy Control: the opt-out you can't see but must honor

The requirement with the sharpest website consequences is the opt-out preference signal. California's regulations require businesses to treat a Global Privacy Control (GPC) signal — a header the browser or an extension sends automatically — as a valid request to opt out of sale and sharing. The consumer does not click anything on your banner; the signal arrives with the request, and the law expects your site to recognize it and suppress the relevant data flows.

This is where implementations fail quietly. A site can display a polished "Your Privacy Choices" link and still transmit identifiers to ad platforms for a visitor whose browser is broadcasting GPC, because the banner and the signal are never wired together. The California Attorney General's 2022 settlement with Sephora put a marker down: the failure to process GPC as a valid opt-out was treated as a CCPA violation, and later enforcement sweeps and California Privacy Protection Agency actions have kept the signal near the center of website enforcement. A growing number of states now also require honoring a universal opt-out mechanism.

What changed heading into 2026

Three shifts are worth tracking:

  • More states, more live enforcement. The wave of laws that passed in 2023 to 2025 moved from "effective dates" to actual enforcement, and dedicated regulators — the CPPA in California most prominently — began issuing orders rather than guidance.
  • Sensitive data got its own gate. Most of the newer laws single out sensitive categories — precise geolocation, health, biometric, and data revealing protected characteristics — for opt-in consent or a separate limitation right, which raises the stakes on trackers that can infer them.
  • Opt-out signals became the enforcement shortcut. GPC is attractive to regulators precisely because it is testable at scale: a browser sends the signal, and either the site honors it or it does not. No intent, no ambiguity — just behavior on the wire.

What contested questions remain

The patchwork is not settled. States differ on private rights of action (most rely on AG enforcement; California's is limited to data-breach claims, not the opt-out rules), on the definition of a covered business, and on how cure periods work as those provisions sunset. The interaction between these laws and the wiretapping theories covered elsewhere in these pages is still being worked out, since the same tracker can implicate both a state opt-out obligation and a CIPA claim.

What is observable from outside

Most of a privacy-law compliance program is documentary, but the opt-out mechanics are directly measurable:

  • Whether the site transmits identifiers to advertising third parties at all — the predicate for "sale"/"sharing."
  • Whether it detects and honors a GPC signal, suppressing those transmissions when the signal is present.
  • Whether a "Your Privacy Choices" or equivalent control exists and actually changes what fires, rather than only recording a preference.
  • Whether trackers capable of inferring sensitive categories load before any consent.

The gap between a privacy-choices link and what the page actually sends is the same gap that drives the consent-timing cases — and, for the state laws, it is the part a regulator can test without ever reading your policy. Loading your own site with a GPC signal active and watching the request waterfall is the fastest way to see which side of that line you are on.

Sources

See what your own pages do

The behaviors above are observable on the wire. LawsuitGuard loads your site in a real browser, maps every tracker and when it fires, and shows the evidence behind each finding.

Run a free scan

Keep reading