California Digital Consent: 2026 Compliance Guide

I. Applicability: Who Must Follow These Rules?

Compliance is triggered by different metrics for the two primary laws.


1. CCPA / CPRA (The $26.6M+ or 100k Rule)

Applies to for-profit entities doing business in California that meet ANY of these:

  • Annual Gross Revenue: Exceeds $26,625,000 (2026 adjusted threshold).
  • Data Volume: Annually buys, sells, or shares the personal information of 100,000 or more California residents or households.
  • Data Revenue: Derives 50% or more of annual revenue from selling or sharing personal information.


2. CIPA (The “Any Size” Rule)

The California Invasion of Privacy Act (CIPA) has no minimum revenue or data threshold.

  • Applicability: Applies to any business of any size that uses “wiretapping” technologies (Chatbots, Session Replay, Tracking Pixels) on California residents.
  • The Risk: Statutory damages are $5,000 per violation. Because this applies to every single site visit, it is the primary driver of class-action litigation in 2026.


II. 2026 Compliance Requirements

1. Consent Framework (CCPA & CIPA)

  • Global Privacy Control (GPC): You must detect and honor GPC signals. When detected, the site must display a confirmation like “Opt-Out Request Honored.”
  • Symmetry of Choice: “Accept All” and “Reject All” buttons must be identical in size, color, and prominence. “X-ing” out of a banner is not consent.
  • Prior Consent (CIPA): High-risk scripts (Chatbots, Website tracking, Meta pixel, any embedded 3rd party content) must not load or “fire” until the user has affirmatively clicked “Accept.”


2. Required Disclosures

  • Just-in-Time Notice: Chatbots must show a notice before the first message: “By using this chat, you consent to our use of a third-party provider to record and process this conversation.”
  • Footer Links: Must include two distinct links:
    1. “Do Not Sell or Share My Personal Information”
    2. “Limit the Use of My Sensitive Personal Information” (if collecting SPI).


III. Integration Steps: Cookiebot + Google Tag Manager

Step 1: Cookiebot Setup

  1. Account: Add your domain to Cookiebot and ensure the “Reject All” button is enabled in the banner settings.
  2. Enable GPC: In the Cookiebot dashboard, toggle Global Privacy Control to “On.”
  3. ID: Copy your Domain Group ID from the “Implementation” tab.


Step 2: GTM Configuration

  1. Enable Overview: In GTM, go to Admin > Container Settings and check “Enable consent overview.”
  2. Install Tag: Use the “Cookiebot CMP” template from the Community Gallery.
  3. Default State: Set the default consent for US-CA (California) to Denied for all categories.
  4. Trigger: Use the “Consent Initialization – All Pages” trigger.


Step 3: Gatekeeping High-Risk Tags (CIPA Protection)

To prevent “wiretapping” claims, ensure pixels and chats only fire after consent.

  1. Create Trigger: Create a Custom Event trigger named cookie_consent_update.
  2. Update Tags: For all GA4, Meta Pixel, and Chat tags:
    • Change the trigger from “All Pages” to cookie_consent_update.
    • Under Advanced Settings > Consent Settings, select “Require additional consent for tag to fire.”


IV. Verification Checklist

  • Incognito Test: Open the Network tab in DevTools. Search for google-analytics or facebook. No requests should appear before clicking “Accept.”
  • GPC Test: Use a browser with GPC enabled. The banner should automatically treat the user as “Opted Out.”
  • Symmetry Test: Ensure the “Reject All” button isn’t hidden in a “Settings” sub-menu.
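
The Incognito and GPC checks can also be run against a HAR file exported from the DevTools Network tab, which makes them repeatable after every tag change. The script below is an added example, not code from the original guide; the function names, the acceptClickedAt input (the time the tester clicked “Accept”) and the sample HAR are assumptions constructed for illustration. In a session that sends the Sec-GPC: 1 header it flags every tracker request, on the assumption that the tester did not override the opt-out.

```javascript
// Added example: audit a DevTools HAR export for tracker requests sent without consent.
// Host fragments are the two search terms from the checklist; extend for your own tags.
const TRACKER_HOSTS = ['google-analytics', 'facebook'];

function hasGpcHeader(entry) {
  return (entry.request.headers || []).some(
    h => h.name.toLowerCase() === 'sec-gpc' && h.value.trim() === '1');
}

// acceptClickedAt: ISO time the tester clicked "Accept" (assumed input), or null if never.
function auditHar(har, acceptClickedAt) {
  const entries = har.log.entries;
  const acceptMs = acceptClickedAt ? Date.parse(acceptClickedAt) : Infinity;
  // One Sec-GPC: 1 header anywhere marks the whole session as opted out.
  const gpcSession = entries.some(hasGpcHeader);
  const findings = [];
  for (const entry of entries) {
    let host;
    try { host = new URL(entry.request.url).hostname; } catch { continue; }
    if (!TRACKER_HOSTS.some(t => host.includes(t))) continue;
    if (gpcSession) {
      findings.push({ host, reason: 'gpc-opt-out', at: entry.startedDateTime });
    } else if (Date.parse(entry.startedDateTime) < acceptMs) {
      findings.push({ host, reason: 'before-consent', at: entry.startedDateTime });
    }
  }
  return findings;
}

// Constructed sample HAR (not captured traffic): page load, GA hit at +1s, Meta pixel at +6s.
function sampleHar(gpc) {
  const headers = gpc ? [{ name: 'Sec-GPC', value: '1' }] : [];
  const req = (url, sec) => ({
    startedDateTime: `2026-01-15T10:00:0${sec}.000Z`,
    request: { method: 'GET', url, headers },
  });
  return { log: { version: '1.2', entries: [
    req('https://www.example.com/', 0),
    req('https://www.google-analytics.com/g/collect?v=2', 1),
    req('https://connect.facebook.net/en_US/fbevents.js', 6),
  ] } };
}

// Tester clicked "Accept" at +5s: only the GA hit at +1s is a finding.
console.log(auditHar(sampleHar(false), '2026-01-15T10:00:05.000Z'));
// GPC browser: every tracker request is a finding, whenever it was sent.
console.log(auditHar(sampleHar(true), '2026-01-15T10:00:05.000Z'));
```

An empty result is the passing state for both checks; enable “Preserve log” in the Network tab before loading the page so requests made before the banner click are kept in the export.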
