July 4, 2026
Your Compliance Gap Is an Existential Threat: CIPA, CCPA, GDPR, and HIPAA in 2026
Digital privacy compliance is an arcane subject that sits in the grey space between general counsel, IT, and marketing, each business unit with an opinion, almost none with an answer. Privacy compliance is a whole-digital business operations problem, and when the complaint arrives, which it will, you need to understand where your policies, technologies, and organizational behaviors stand.
The numbers tell the story. More than 4,300 website wiretapping lawsuits have been filed nationwide since 2022, roughly 3,300 in California alone. California's CCPA enforcement crossed $23 million in cumulative penalties this spring, capped by a record $12.75 million settlement with General Motors in May 2026. GDPR fines have passed €6 billion, with cross-border transfer violations alone producing individual penalties in the hundreds of millions. And the HHS Office for Civil Rights nearly doubled its HIPAA penalty total last enforcement year, with tracking pixels squarely in its sights.
If your organization operates a website with any type of analytics, a chat widget, session replay, or an advertising pixel (which is to say, every organization), you are already inside this litigation and enforcement perimeter; you are already violating the law. The question is whether you are inside it deliberately or by accident.
Let’s explore the four frameworks that matter most for US digital properties, the platforms that address them, and the mistakes we see organizations repeat.
CIPA: The Lawsuit That’s On Its Way
The risk
The California Invasion of Privacy Act is a 1967 wiretapping statute, written for phone lines, that plaintiffs' firms have repurposed against modern web tooling.
The theory: when a session replay tool, chatbot, or advertising pixel transmits a visitor's interactions to a third-party vendor without consent, the vendor is "intercepting" a communication (Section 631), or the tracker is operating as an unlicensed "pen register" capturing IP addresses and search queries (Section 638.51).
Whatever you think of the legal theory, the economics are brutal. CIPA carries statutory damages of $5,000 per violation with no requirement to prove actual harm, which makes it a demand-letter machine. Filings routinely arrive as pre-suit demands seeking five-figure settlements, priced just below the cost of a motion to dismiss. Recent settlements show the ceiling: the LA Times agreed to pay $3.85 million over tracking technologies on its website and app.
Courts remain split. In early 2026, one federal court dismissed a session-replay claim for lack of standing (Maghoney v. Dotdash Meredith), and another held that CIPA's trap-and-trace provisions don't reach session replay at all (Balabbo v. Wildflower Brands). But four contradictory rulings landed within ten days of each other this year, and California's proposed safe harbor (SB 690), even if enacted, would not deliver relief before 2027. Plan for the filings to continue.
The exposure profile
Any site reachable by California residents running: session replay (Hotjar, FullStory, Microsoft Clarity), third-party chat (Intercom, Drift, Salesforce chat), advertising pixels (Meta, TikTok, LinkedIn, Google), heat mapping, or call tracking. The plaintiff does not need to be a customer. They need to have visited your site once.
The solution
Prior express consent defeats the core CIPA theories. That means a consent banner that blocks the offending scripts before they fire, not one that loads Meta's pixel on page load and asks permission afterward. Pair it with a tracker inventory (you cannot consent-gate what you don't know is running), vendor contracts that address interception language, and a hard look at whether each tool earns its risk. Session replay on a marketing site is often a "nice to have" carrying a five-figure-demand-letter risk premium.
CCPA: California Stopped Warning and Started Fining
The risk
The California Consumer Privacy Act (as amended by the CPRA) is now enforced by two bodies, the Attorney General and the California Privacy Protection Agency, and both spent the last eighteen months converting theory into precedent:
The GM settlement ($12.75M, May 2026) targeted the sale of drivers' location and behavior data without adequate notice or consent, a data minimization and purpose limitation case, not a cookie case. The Disney/ABC settlement ($2.75M, February 2026) punished failure to honor opt-outs across services and devices. Honda ($632K), Todd Snyder ($345K), and Tractor Supply ($1.35M) were penalized largely for broken opt-out mechanics: consent flows that demanded more information to opt out than to opt in, misconfigured cookie tools, and failure to honor the Global Privacy Control (GPC) browser signal.
Administrative fines run up to $2,663 per violation and $7,988 per intentional violation or violation involving minors, per consumer, per incident.
The 2026 rule change most organizations missed
New CCPA regulations took effect January 1, 2026, and they move the law from "disclosure and opt-outs" to "operational governance":
- Cybersecurity audits: required annually for larger businesses, with certifications due to the CPPA on a rolling schedule beginning April 1, 2028 (businesses over $100M in revenue first).
- Risk assessments: required before processing that presents significant risk (selling/sharing personal information, profiling, training AI on personal data); assessments conducted in 2026–27 must be submitted by April 1, 2028.
- ADMT rules: by January 1, 2027, businesses using automated decision-making technology for significant decisions (hiring, lending, housing, healthcare) must provide pre-use notice, opt-outs, and access rights.
If your organization is doing anything with AI and Californian personal data, the risk assessment requirement almost certainly reaches you.
The solution
Honor GPC signals; failing to do so is the single most-cited failure in enforcement actions to date. Test your opt-out flow end to end, including whether the opt-out propagates to downstream ad-tech vendors, and make opting out no harder than opting in. Map data flows so "do we sell or share?" has a documented answer (hint: running Meta's pixel is "sharing"). Then stand up the risk-assessment and audit muscle now; the submission deadlines are in 2028, but the underlying obligations are live.
GDPR: Still the Global Ceiling
The risk
For any organization with EU/EEA users, and "has EU users" describes nearly every website, GDPR remains the framework with the highest ceiling: 4% of global annual revenue or €20 million, whichever is greater. Cumulative fines now exceed €6 billion across roughly 2,700 enforcement actions, and 2025's headline was TikTok's €530 million penalty for transferring EEA user data to China without adequate safeguards.
Three enforcement themes dominate:
Cross-border transfers. Sending EU personal data to US processors outside the EU–US Data Privacy Framework, or on stale Standard Contractual Clauses without supplementary measures, remains the highest-value enforcement trigger.
Consent quality. Regulators are dissecting consent mechanics with increasing granularity: dark patterns, pre-ticked boxes, bundled consents, and "consent walls" that condition access on accepting tracking have all drawn penalties. A banner that makes "Reject" harder to find than "Accept" is itself a violation.
Transparency. In March 2026, the European Data Protection Board launched a coordinated enforcement sweep across national regulators focused specifically on transparency obligations (Articles 12–14), meaning privacy notices, in ordinary language, are being audited across the EU right now.
The solution
Establish a lawful basis for every processing activity and document it. Run a compliant consent layer: reject as easy as accept, granular purposes, no cookies before consent. Map every transfer of EU data to US vendors and confirm DPF certification or current SCCs with a transfer impact assessment. Rewrite the privacy notice for humans; the EDPB sweep makes this a 2026 priority, not a someday task. And remember that breach notification runs on a 72-hour clock; regulators are receiving over 440 breach notifications per day, so silence stands out.
HIPAA: Where Pixels Become Breaches (Healthcare Audiences)
The risk
For covered entities and business associates, the tracking-technology problem is categorically worse: a Meta pixel on a patient portal isn't a consent gap; it's a potential breach of protected health information, triggering breach notification, OCR investigation, and class action exposure simultaneously.
The legal terrain shifted but did not soften. In June 2024, a federal court vacated the portion of OCR's tracking guidance that treated IP address + visit to an unauthenticated health page as PHI, and HHS withdrew its appeal. But the guidance for authenticated pages (portals, scheduling, anything behind a login) stands intact. And OCR has made tracking technologies one of its most active enforcement areas through 2025–26, alongside a risk-analysis initiative that is expanding into risk management under the current director. OCR imposed $4.18 million in penalties across 13 actions in the most recent enforcement year, nearly double the prior year.
Meanwhile the proposed Security Rule overhaul (mandatory MFA, encryption, asset inventories), whose comment period closed in March 2025, remains pending as of mid-2026. Don't wait for it; OCR is enforcing the existing rule aggressively in the interim.
The class action bar has not waited either. Pixel-based litigation against health systems proceeds under state wiretapping laws (including CIPA) and common law theories regardless of what happens to federal guidance; healthcare defendants face both regulators and plaintiffs on the same facts.
The solution
Audit every page for third-party scripts, with authenticated pages treated as zero-tolerance zones: no third-party trackers behind a login without a business associate agreement or valid HIPAA authorization, full stop. Standard ad pixels can't meet that bar; Meta and Google will not sign BAAs for their ad products. Where analytics are genuinely needed, use HIPAA-capable configurations (self-hosted or BAA-backed analytics platforms) rather than consumer ad-tech. Refresh the security risk analysis (it's the most common gap OCR cites), and document the reasoning for every tracker you keep.
Platforms: What the Tooling Solves
No platform makes you compliant; platforms make a sound compliance design operational. The stack, roughly in order of urgency:
Consent management platforms (CMPs). The load-bearing wall. Enterprise: OneTrust (the broadest suite: consent, DSARs, vendor risk, data mapping; priced accordingly, now with a $10K minimum) and Didomi. Mid-market: Usercentrics (and its Cookiebot product), Osano (strong US state-law coverage with DSAR automation), and CookieYes/Termly at the value end. Selection criteria that matter: Google-certified for Consent Mode v2, GPC signal support, IAB TCF support if you run programmatic, per-region consent behavior, and true prior blocking of scripts.
Google Consent Mode v2 deserves its own line item because it's where compliance meets revenue. Google requires it for EEA advertisers, and on June 15, 2026, Google removed Google Signals as a fallback; Google Ads now relies exclusively on the consent signals your CMP transmits. A misconfigured CMP no longer merely risks fines; it silently erases 20–30% of your measurable conversions. We have seen organizations debug "attribution problems" for months that were consent-signal problems.
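The prior-blocking banner the CIPA section calls for, the GPC handling the CCPA section calls for, and the Consent Mode v2 default/update sequence described above, combined in one added JavaScript example (our illustration, not Agency 39A's code and not any CMP vendor's SDK; the tag URLs, category names and dataLayer wiring are assumptions):

```javascript
// Added example: a minimal consent gate. Nothing third-party loads until a
// category is granted, the GPC signal is honored as an opt-out of sale/sharing,
// and Consent Mode v2 commands are derived from the same decision.
// Tag URLs, category names and the gtag/dataLayer shim are assumptions.

// Constructed tag inventory: every third-party script with the consent
// category it needs. Nothing in this list is injected at page load.
const TAG_INVENTORY = [
  { id: 'ad-pixel',       category: 'advertising', src: 'https://ads.example.invalid/pixel.js' },
  { id: 'session-replay', category: 'analytics',   src: 'https://replay.example.invalid/record.js' },
  { id: 'chat-widget',    category: 'functional',  src: 'https://chat.example.invalid/widget.js' },
];

// Consent Mode v2 starts fully denied; these are the four parameters Google reads.
const CONSENT_MODE_DEFAULT = {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
};

// The Global Privacy Control signal: navigator.globalPrivacyControl in the
// browser (the same opt-out reaches your server as the "Sec-GPC: 1" header).
function gpcEnabled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Resolve the effective consent state. `choices` is what the visitor clicked
// (null before any interaction, so everything stays off). GPC is treated as a
// standing opt-out of sale/sharing: it forces advertising off whatever the
// banner said.
function resolveConsent({ choices, gpc }) {
  const consent = { functional: false, analytics: false, advertising: false };
  if (choices) {
    for (const key of Object.keys(consent)) consent[key] = choices[key] === true;
  }
  if (gpc) consent.advertising = false;
  return consent;
}

// Map categories onto Consent Mode v2: the three ad_* flags follow the
// advertising category, analytics_storage follows analytics.
function toConsentMode(consent) {
  const g = v => (v ? 'granted' : 'denied');
  return {
    ad_storage: g(consent.advertising),
    ad_user_data: g(consent.advertising),
    ad_personalization: g(consent.advertising),
    analytics_storage: g(consent.analytics),
  };
}

// Prior blocking: only tags whose category is granted may load.
function allowedTags(consent, inventory = TAG_INVENTORY) {
  return inventory.filter(tag => consent[tag.category] === true);
}

// DOM injection is separated so the decision logic can run outside a browser.
function injectTags(consent, doc) {
  if (!doc) return [];
  const loaded = [];
  for (const tag of allowedTags(consent)) {
    if (doc.getElementById(tag.id)) continue; // idempotent on re-render
    const script = doc.createElement('script');
    script.id = tag.id;
    script.src = tag.src;
    script.async = true;
    doc.head.appendChild(script);
    loaded.push(tag.id);
  }
  return loaded;
}

// Google's snippet defines gtag() as "push arguments onto dataLayer"; this
// shim does the same so the commands stay visible in Tag Manager.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// Apply a consent decision: emit the Consent Mode update, then load tags.
// Call this again with the visitor's choices when they click the banner.
function applyChoices({ nav, doc, gtag, choices }) {
  const consent = resolveConsent({ choices, gpc: gpcEnabled(nav) });
  gtag('consent', 'update', toConsentMode(consent));
  return { consent, loaded: injectTags(consent, doc) };
}

// Page boot: the denied default goes out BEFORE any tag, then stored choices
// (if any) are applied together with the GPC signal.
function boot({ nav, doc, dataLayer, storedChoices = null }) {
  const gtag = makeGtag(dataLayer);
  gtag('consent', 'default', CONSENT_MODE_DEFAULT);
  return applyChoices({ nav, doc, gtag, choices: storedChoices });
}

// Stand-alone demo with a constructed navigator: a GPC-enabled visitor who
// clicked "accept all". In a real page pass window.navigator and document.
const demoResult = boot({
  nav: { globalPrivacyControl: true },
  doc: typeof document === 'undefined' ? null : document,
  dataLayer: [],
  storedChoices: { functional: true, analytics: true, advertising: true },
});
console.log(demoResult.consent); // advertising stays false: GPC wins
```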
Website tracker scanning (Lokker, Feroot, or your CMP's scanner) provides continuous discovery of what scripts run, which routinely surprises the team that "knew" their stack. Tag governance through a properly configured Google Tag Manager container gives you one throat to choke when a script must die today.
Privacy operations (DSAR automation, data mapping, risk-assessment workflows; OneTrust, Osano, Transcend, DataGrail) move from optional to necessary as the CCPA's risk-assessment and audit requirements phase in.
Healthcare-specific: server-side tagging architectures that strip identifiers before data leaves your infrastructure, and analytics platforms that will sign a BAA.
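What "strip identifiers before data leaves your infrastructure" looks like in practice, as an added Node.js example (our illustration, not Agency 39A's code and not any tag-management product); the authenticated path prefixes, field names and sample events are constructed:

```javascript
// Added example: the filtering step of a server-side tagging endpoint. Events
// arrive from your own first-party collector; this decides whether each may be
// forwarded to a third-party analytics destination and strips identifiers first.
// Path prefixes, field names and the sample events are constructed.

// Anything under these paths sits behind a login: nothing is forwarded.
const AUTHENTICATED_PREFIXES = ['/portal/', '/appointments/', '/messages/'];

// Fields that identify the visitor; they never leave your infrastructure.
const IDENTIFIER_FIELDS = new Set([
  'ip', 'user_agent', 'cookies', 'client_id', 'email', 'phone', 'fbp', 'fbc',
]);

// Query-string keys allowed to survive (campaign attribution only); every other
// parameter (search terms, record ids, addresses) is dropped.
const ALLOWED_QUERY_KEYS = new Set(['utm_source', 'utm_medium', 'utm_campaign']);

function isAuthenticatedPath(pathname) {
  return AUTHENTICATED_PREFIXES.some(prefix => pathname.startsWith(prefix));
}

// Reduce a URL to scheme, host, path and allow-listed campaign parameters.
// Returns null for anything that does not parse.
function stripUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY_KEYS.has(key)) kept.set(key, value);
  }
  url.search = kept.toString();
  url.hash = '';
  url.username = '';
  url.password = '';
  return url.toString();
}

// Decide and sanitize one event. Returns { forward, reason, event }.
function sanitizeEvent(raw) {
  let url;
  try {
    url = new URL(raw.page_url);
  } catch {
    return { forward: false, reason: 'unparseable_url', event: null };
  }
  if (isAuthenticatedPath(url.pathname)) {
    return { forward: false, reason: 'authenticated_page', event: null };
  }
  const clean = {};
  for (const [key, value] of Object.entries(raw)) {
    if (!IDENTIFIER_FIELDS.has(key)) clean[key] = value;
  }
  clean.page_url = stripUrl(raw.page_url);
  if (raw.referrer) clean.referrer = stripUrl(raw.referrer);
  return { forward: true, reason: null, event: clean };
}

// Process a batch and keep a decision log: the paper trail the article asks for.
function filterBatch(events) {
  const forwarded = [];
  const log = [];
  for (const raw of events) {
    const result = sanitizeEvent(raw);
    log.push({ page_url: raw.page_url, forward: result.forward, reason: result.reason });
    if (result.forward) forwarded.push(result.event);
  }
  return { forwarded, log };
}

// Constructed sample events, as a first-party collector might receive them.
const SAMPLE_EVENTS = [
  { event: 'page_view',
    page_url: 'https://clinic.example.invalid/blog/flu-shots?utm_source=newsletter&q=my+diagnosis',
    ip: '203.0.113.9', user_agent: 'Mozilla/5.0', screen: '1440x900' },
  { event: 'page_view',
    page_url: 'https://clinic.example.invalid/portal/results?id=4711',
    ip: '203.0.113.9', user_agent: 'Mozilla/5.0', client_id: 'abc123' },
  { event: 'form_submit',
    page_url: 'https://clinic.example.invalid/contact#form',
    email: 'pat@example.invalid', ip: '198.51.100.4' },
];

const batchResult = filterBatch(SAMPLE_EVENTS);
console.log(batchResult.log); // the portal event is logged as dropped
```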
The Mistakes Everyone Makes
Across audits, the same failures recur regardless of company size or sophistication:
- The banner that blocks nothing. The most common failure we find: a consent banner sitting on top of pixels that fired on page load. It's worse than no banner: it documents that you knew consent was required and collected data before receiving it.
- Nobody owns the tag manager. Marketing adds pixels, agencies add pixels, a developer added session replay in 2023 and left. Without a gatekeeper and a change log, your compliance posture drifts weekly. Most CIPA demand letters trace to a script no one remembers approving.
- Treating compliance as a launch task. The banner went up in 2023; the certification was framed. Meanwhile the CCPA regs changed in January, Google changed the measurement rules in June, and three new scripts shipped with the site redesign. Compliance decays like any unmaintained system.
- Opt-outs that don't propagate. The form works; the suppression doesn't reach the email platform, the ad audiences, or the data broker feed. Disney's $2.75M settlement was precisely this: opt-outs that didn't carry across services and devices. Regulators test the full round trip. So should you.
- Ignoring GPC. The Global Privacy Control browser signal is a legally binding opt-out in California, and failure to honor it appears in nearly every CCPA enforcement action. It is also the easiest fix on this list.
- Assuming the vendor's compliance is your compliance. "Our chat provider says they're GDPR compliant" is not a defense. You are the controller; CIPA names you; OCR fines the covered entity. Vendor assurances without contracts (DPAs, BAAs) and verification are decoration.
- Collecting first, justifying later. GM's record penalty was fundamentally about collecting and monetizing data beyond what users understood they'd agreed to. Data minimization has crossed from principle to enforcement theory. Every field you don't collect is risk you don't carry.
- Healthcare organizations treating marketing sites as out of scope. The 2024 court ruling narrowed but did not eliminate exposure on public pages; state wiretapping claims and common-law suits fill any federal gap. And the authenticated side remains a bright line that standard ad-tech simply cannot cross.
- No paper trail. When the demand letter or the audit arrives, the difference between a nuisance and a crisis is documentation: tracker inventories, consent records, risk assessments, vendor agreements, decision logs. Organizations that can produce these settle cheap or not at all.
The Bottom Line
These four frameworks differ in origin and mechanics, but they converge on one architectural demand: know what runs on your properties, get permission before it fires, honor refusals completely, and write everything down. An organization that builds that spine satisfies most of CIPA, CCPA, and GDPR simultaneously, and healthcare organizations that add a hard boundary around PHI cover the fourth.
The era when a footer link and a cookie banner constituted a privacy program is over. The regulators built precedent, the plaintiffs' bar built a business model, and the ad platforms built consent enforcement into the measurement layer itself. Compliance is now infrastructure, and like all infrastructure, it's cheapest to build before it fails.
Agency 39A designs and builds compliant digital infrastructure (consent architecture, tag governance, and privacy-first analytics) for regulated and consumer brands. If you'd like an audit of your current exposure, get in touch.
This article is for general information and does not constitute legal advice. Consult counsel on your organization's specific obligations.
Sources & Further Reading
CIPA
- Courts Still Divided on Whether California Privacy Law Applies to Website Tracking, Fisher Phillips
- Could New Privacy Law Coalition Help Curb California Wiretapping Litigation? (SB 690), Fisher Phillips
- CIPA Lawsuit Tracker 2026, ConsentPixel
- CIPA Claims Surge: What Every Company with a California-Facing Website Must Know, Jackson Walker
- California Invasion of Privacy Act (CIPA): An Overview, Usercentrics
CCPA / CPPA
- California AG Announces Record $12.75M Settlement with GM, Hunton
- GM Just Paid a Record Penalty for Breaking California Privacy Law, CalMatters
- California AG Announces Largest CCPA Enforcement Settlement to Date (Disney/ABC), Troutman
- Lessons from 2026's First California Privacy Enforcement Actions, Koley Jessen
- CCPA Updates: Cybersecurity Audits, Risk Assessments, ADMT, California Privacy Protection Agency
- CPPA Finalizes Rules on ADMT, Risk Assessments, and Cybersecurity Audits, White & Case
- Revised and New CCPA Regulations Effective Jan. 1, 2026, Greenberg Traurig
- Breaking Down $23.2 Million in CCPA Fines, Termly
GDPR
- GDPR Enforcement Tracker Report: Numbers and Figures, CMS Law
- GDPR Fines and Data Privacy Enforcement Trends in 2026, Kiteworks
- GDPR Enforcement and Fines 2026, UniConsent
- GDPR Enforcement Trends in 2026, SecurityWall
HIPAA
- Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, HHS.gov
- Court Vacates HIPAA Online Tracking Guidance, Holland & Hart
- HHS Withdraws Appeal of Online Tracking Technology Court Order, Compliancy Group
- HIPAA Enforcement 2026: Sharper and Wider, LlamaLab
- HIPAA Security Rule 2026: The Final Rule Is Still Pending, But OCR Enforcement Is Not, ComplianceHub
- HIPAA Risk Analysis Enforcement in 2026, Healthcare Compliance Pros
Platforms & Consent Tooling
ready to start a conversation about digital transformation?
Speak with our team and discuss your digital transformation.
Learn How our Pathfinder™ process Can improve your website
Schedule a meeting with our strategy team and we’ll show you how Pathfinder™ leads to project success.
learn more about our fractional growth offering
Connect with our team to explore how a Fractional Growth Team can accelerate your marketing, UX, and digital execution — without the delays or costs of traditional models.
Curious how your site stacks up?
We’ll show you what’s working, what’s not, and where you’re leaving opportunities on the table.
Turn AI Search Into a Competitive Advantage.
Explore how your site can be structured to earn visibility in generative results and convert high-intent traffic into action.
Episode details
Your Compliance Gap Is an Existential Threat: CIPA, CCPA, GDPR, and HIPAA in 2026
Digital privacy compliance is an arcane subject that sits in the grey space between general counsel, IT, and marketing, each business unit with an opinion, almost none with an answer. Privacy compliance is a whole-digital business operations problem, and when the complaint arrives, which it will, you need to understand where your policies, technologies, and organizational behaviors stand.
The numbers tell the story. More than 4,300 website wiretapping lawsuits have been filed nationwide since 2022, roughly 3,300 in California alone. California's CCPA enforcement crossed $23 million in cumulative penalties this spring, capped by a record $12.75 million settlement with General Motors in May 2026. GDPR fines have passed €6 billion, with cross-border transfer violations alone producing individual penalties in the hundreds of millions. And the HHS Office for Civil Rights nearly doubled its HIPAA penalty total last enforcement year, with tracking pixels squarely in its sights.
If your organization operates a website with any type of analytics, a chat widget, session replay, or an advertising pixel, which is to say, every organization, you are already inside this litigation and enforcement perimeter; you are already violating the law. The question is whether you are inside it deliberately or by accident.
Let’s explore the four frameworks that matter most for US digital properties, the platforms that address them, and the mistakes we see organizations repeat.
CIPA: The Lawsuit That’s On Its Way
The risk
The California Invasion of Privacy Act is a 1967 wiretapping statute, written for phone lines, that plaintiffs' firms have repurposed against modern web tooling.
The theory: when a session replay tool, chatbot, or advertising pixel transmits a visitor's interactions to a third-party vendor without consent, the vendor is "intercepting" a communication (Section 631), or the tracker is operating as an unlicensed "pen register" capturing IP addresses and search queries (Section 638.51).
Whatever you think of the legal theory, the economics are brutal. CIPA carries statutory damages of $5,000 per violation with no requirement to prove actual harm, which makes it a demand-letter machine. Filings routinely arrive as pre-suit demands seeking five-figure settlements, priced just below the cost of a motion to dismiss. Recent settlements show the ceiling: the LA Times agreed to pay $3.85 million over tracking technologies on its website and app.
Courts remain split. In early 2026, one federal court dismissed a session-replay claim for lack of standing (Maghoney v. Dotdash Meredith), and another held that CIPA's trap-and-trace provisions don't reach session replay at all (Balabbo v. Wildflower Brands). But four contradictory rulings landed within ten days of each other this year, and California's proposed safe harbor (SB 690), even if enacted, would not deliver relief before 2027. Plan for the filings to continue.
The exposure profile
Any site reachable by California residents running: session replay (Hotjar, FullStory, Microsoft Clarity), third-party chat (Intercom, Drift, Salesforce chat), advertising pixels (Meta, TikTok, LinkedIn, Google), heat mapping, or call tracking. The plaintiff does not need to be a customer. They need to have visited your site once.
The solution
Prior express consent defeats the core CIPA theories. That means a consent banner that blocks the offending scripts before they fire, not one that loads Meta's pixel on page load and asks permission afterward. Pair it with a tracker inventory (you cannot consent-gate what you don't know is running), vendor contracts that address interception language, and a hard look at whether each tool earns its risk. Session replay on a marketing site is often a "nice to have" carrying a five-figure-demand-letter risk premium.
CCPA: California Stopped Warning and Started Fining
The risk
The California Consumer Privacy Act (as amended by the CPRA) is now enforced by two bodies, the Attorney General and the California Privacy Protection Agency, and both spent the last eighteen months converting theory into precedent:
The GM settlement ($12.75M, May 2026) targeted the sale of drivers' location and behavior data without adequate notice or consent, a data minimization and purpose limitation case, not a cookie case. The Disney/ABC settlement ($2.75M, February 2026) punished failure to honor opt-outs across services and devices. Honda ($632K), Todd Snyder ($345K), and Tractor Supply ($1.35M) were penalized largely for broken opt-out mechanics: consent flows that demanded more information to opt out than to opt in, misconfigured cookie tools, and failure to honor the Global Privacy Control (GPC) browser signal.
Administrative fines run up to $2,663 per violation and $7,988 per intentional violation or violation involving minors, per consumer, per incident.
The 2026 rule change most organizations missed
New CCPA regulations took effect January 1, 2026, and they move the law from "disclosure and opt-outs" to "operational governance":
- Cybersecurity audits, required annually for larger businesses, with certifications due to the CPPA on a rolling schedule beginning April 1, 2028 (businesses over $100M in revenue first).
- Risk assessments, required before processing that presents significant risk (selling/sharing personal information, profiling, training AI on personal data); assessments conducted in 2026–27 must be submitted by April 1, 2028.
- ADMT rules, by January 1, 2027, businesses using automated decision-making technology for significant decisions (hiring, lending, housing, healthcare) must provide pre-use notice, opt-outs, and access rights.
If your organization is doing anything with AI and Californian personal data, the risk assessment requirement almost certainly reaches you.
The solution
Honor GPC signals, this is the single most-cited failure in enforcement actions to date. Test your opt-out flow end to end, including whether the opt-out propagates to downstream ad-tech vendors, and make opting out no harder than opting in. Map data flows so "do we sell or share?" has a documented answer (hint: running Meta's pixel is "sharing"). Then stand up the risk-assessment and audit muscle now; the submission deadlines are in 2028, but the underlying obligations are live.
GDPR: Still the Global Ceiling
The risk
For any organization with EU/EEA users, and "has EU users" describes nearly every website, GDPR remains the framework with the highest ceiling: 4% of global annual revenue or €20 million, whichever is greater. Cumulative fines now exceed €6 billion across roughly 2,700 enforcement actions, and 2025's headline was TikTok's €530 million penalty for transferring EEA user data to China without adequate safeguards.
Three enforcement themes dominate:
Cross-border transfers. Sending EU personal data to US processors outside the EU–US Data Privacy Framework, or on stale Standard Contractual Clauses without supplementary measures, remains the highest-value enforcement trigger.
Consent quality. Regulators are dissecting consent mechanics with increasing granularity, dark patterns, pre-ticked boxes, bundled consents, and "consent walls" that condition access on accepting tracking have all drawn penalties. A banner that makes "Reject" harder to find than "Accept" is itself a violation.
Transparency. In March 2026, the European Data Protection Board launched a coordinated enforcement sweep across national regulators focused specifically on transparency obligations (Articles 12–14), meaning privacy notices, in ordinary language, are being audited across the EU right now.
The solution
Establish a lawful basis for every processing activity and document it. Run a compliant consent layer: reject as easy as accept, granular purposes, no cookies before consent. Map every transfer of EU data to US vendors and confirm DPF certification or current SCCs with a transfer impact assessment. Rewrite the privacy notice for humans, the EDPB sweep makes this a 2026 priority, not a someday task. And remember breach notification runs on a 72-hour clock; regulators are receiving over 440 breach notifications per day, so silence stands out.
HIPAA: Where Pixels Become Breaches (Healthcare Audiences)
The risk
For covered entities and business associates, the tracking-technology problem is categorically worse: a Meta pixel on a patient portal isn't a consent gap, it's a potential breach of protected health information, triggering breach notification, OCR investigation, and class action exposure simultaneously.
The legal terrain shifted but did not soften. In June 2024, a federal court vacated the portion of OCR's tracking guidance that treated IP address + visit to an unauthenticated health page as PHI, and HHS withdrew its appeal. But the guidance for authenticated pages, portals, scheduling, anything behind a login, stands intact. And OCR has made tracking technologies one of its most active enforcement areas through 2025–26, alongside a risk-analysis initiative that is expanding into risk management under the current director. OCR imposed $4.18 million in penalties across 13 actions in the most recent enforcement year, nearly double the prior year.
Meanwhile the proposed Security Rule overhaul, mandatory MFA, encryption, asset inventories, with the comment period closed in March 2025, remains pending as of mid-2026. Don't wait for it; OCR is enforcing the existing rule aggressively in the interim.
The class action bar has not waited either. Pixel-based litigation against health systems proceeds under state wiretapping laws (including CIPA) and common law theories regardless of what happens to federal guidance, healthcare defendants face both regulators and plaintiffs on the same facts.
The solution
Audit every page for third-party scripts, with authenticated pages treated as zero-tolerance zones, no third-party trackers behind a login without a business associate agreement or valid HIPAA authorization, full stop. Standard ad pixels can't meet that bar; Meta and Google will not sign BAAs for their ad products. Where analytics are genuinely needed, use HIPAA-capable configurations (self-hosted or BAA-backed analytics platforms) rather than consumer ad-tech. Refresh the security risk analysis, it's the most common gap OCR cites, and document the reasoning for every tracker you keep.
Platforms: What the Tooling Solves
No platform makes you compliant; platforms make a sound compliance design operational. The stack, roughly in order of urgency:
Consent management platforms (CMPs). The load-bearing wall. Enterprise: OneTrust (broadest suite, consent, DSARs, vendor risk, data mapping, priced accordingly, now with a $10K minimum) and Didomi. Mid-market: Usercentrics (and its Cookiebot product), Osano, strong US state-law coverage with DSAR automation, and CookieYes/Termly at the value end. Selection criteria that matter: Google-certified for Consent Mode v2, GPC signal support, IAB TCF support if you run programmatic, per-region consent behavior, and true prior blocking of scripts.
Google Consent Mode v2 deserves its own line item because it's where compliance meets revenue. Google requires it for EEA advertisers, and on June 15, 2026, Google removed Google Signals as a fallback, Google Ads now relies exclusively on the consent signals your CMP transmits. A misconfigured CMP no longer merely risks fines; it silently erases 20–30% of your measurable conversions. We have seen organizations debug "attribution problems" for months that were consent-signal problems.
Website tracker scanning (Lokker, Feroot, or your CMP's scanner) provides continuous discovery of what scripts run, which routinely surprises the team that "knew" their stack. Tag governance through a properly configured Google Tag Manager container gives you one throat to choke when a script must die today.
Privacy operations, DSAR automation, data mapping, risk-assessment workflows (OneTrust, Osano, Transcend, DataGrail), moves from optional to necessary as the CCPA's risk-assessment and audit requirements phase in.
Healthcare-specific: server-side tagging architectures that strip identifiers before data leaves your infrastructure, and analytics platforms that will sign a BAA.
The Mistakes Everyone Makes
Across audits, the same failures recur regardless of company size or sophistication:
- The banner that blocks nothing. The most common failure we find: a consent banner sitting on top of pixels that fired on page load. It's worse than no banner, it documents that you knew consent was required and collected data before receiving it.
- Nobody owns the tag manager. Marketing adds pixels, agencies add pixels, a developer added session replay in 2023 and left. Without a gatekeeper and a change log, your compliance posture drifts weekly. Most CIPA demand letters trace to a script no one remembers approving.
- Treating compliance as a launch task. The banner went up in 2023; the certification was framed. Meanwhile the CCPA regs changed in January, Google changed the measurement rules in June, and three new scripts shipped with the site redesign. Compliance decays like any unmaintained system.
- Opt-outs that don't propagate. The form works; the suppression doesn't reach the email platform, the ad audiences, or the data broker feed. Disney's $2.75M settlement was precisely this: opt-outs that didn't carry across services and devices. Regulators test the full round trip. So should you.
- Ignoring GPC. The Global Privacy Control browser signal is a legally binding opt-out in California, and failure to honor it appears in nearly every CCPA enforcement action. It is also the easiest fix on this list.
- Assuming the vendor's compliance is your compliance. "Our chat provider says they're GDPR compliant" is not a defense. You are the controller; CIPA names you; OCR fines the covered entity. Vendor assurances without contracts (DPAs, BAAs) and verification are decoration.
- Collecting first, justifying later. GM's record penalty was fundamentally about collecting and monetizing data beyond what users understood they'd agreed to. Data minimization has crossed from principle to enforcement theory. Every field you don't collect is risk you don't carry.
- Healthcare organizations treating marketing sites as out of scope. The 2024 court ruling narrowed but did not eliminate exposure on public pages; state wiretapping claims and common-law suits fill any federal gap. And the authenticated side remains a bright line that standard ad-tech simply cannot cross.
- No paper trail. When the demand letter or the audit arrives, the difference between a nuisance and a crisis is documentation: tracker inventories, consent records, risk assessments, vendor agreements, decision logs. Organizations that can produce these settle cheap or not at all.
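The Consent Mode v2 point above and the first and fifth mistakes in this list (the banner that blocks nothing, ignoring GPC) come down to one piece of front-end plumbing. The following is an added example, not code from this article or from any CMP vendor: it queues a default-denied Consent Mode state before any tag can run, treats the browser's Global Privacy Control signal as an overriding opt-out of ad signals, and loads third-party scripts only for signals that are granted. The signal names and the `gtag`/`dataLayer` shape are Google's public API; the script URLs, the stored-choice shape, and the tag-to-signal mapping are constructed assumptions.

```javascript
// Google Consent Mode v2 signal names (public gtag API).
const CONSENT_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Decide the consent state BEFORE any tag runs.
//   choice: the visitor's stored banner choice ({analytics, ads}) or null if none yet
//   gpc:    navigator.globalPrivacyControl (true when the browser also sends Sec-GPC: 1)
function computeConsentState(choice, gpc) {
  const state = Object.fromEntries(CONSENT_KEYS.map((k) => [k, 'denied']));
  if (!choice) return state;                          // no recorded choice: stay denied
  if (choice.analytics) state.analytics_storage = 'granted';
  // GPC is a binding sale/share opt-out in California; it wins over a stored ads grant.
  if (choice.ads && !gpc) {
    state.ad_storage = state.ad_user_data = state.ad_personalization = 'granted';
  }
  return state;
}

// Which third-party scripts may load under a given state. The decision lives
// here, not in the banner overlay, so nothing fires on page load by default.
// Constructed mapping: URLs and signal requirements are example values.
const TAGS = [
  { src: 'https://example.invalid/analytics.js', requires: 'analytics_storage' },
  { src: 'https://example.invalid/session-replay.js', requires: 'analytics_storage' },
  { src: 'https://example.invalid/ads-pixel.js', requires: 'ad_storage' },
];
function allowedTags(state) {
  return TAGS.filter((t) => state[t.requires] === 'granted').map((t) => t.src);
}

// Queue the Consent Mode commands on dataLayer (the queue gtag.js reads),
// then inject only the permitted scripts. `win` is the window object.
function applyConsent(win, choice) {
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }  // same shape as Google's snippet
  const gpc = !!(win.navigator && win.navigator.globalPrivacyControl);
  // 'default' must be queued before gtag.js loads so no tag fires in the gap.
  gtag('consent', 'default', computeConsentState(null, gpc));
  const state = computeConsentState(choice, gpc);
  if (choice) gtag('consent', 'update', state);       // only after a recorded choice
  for (const src of allowedTags(state)) {
    const s = win.document.createElement('script');
    s.src = src;
    s.async = true;
    win.document.head.appendChild(s);
  }
  return state;
}
```

Ship the `default` call in the same inline script that defines `dataLayer`, ahead of the gtag.js or GTM loader; a scanner run against the page with no stored choice should then show none of the listed scripts loading.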
The Bottom Line
These four frameworks differ in origin and mechanics, but they converge on one architectural demand: know what runs on your properties, get permission before it fires, honor refusals completely, and write everything down. An organization that builds that spine satisfies most of CIPA, CCPA, and GDPR simultaneously, and healthcare organizations that add a hard boundary around PHI cover the fourth.
The era when a footer link and a cookie banner constituted a privacy program is over. The regulators built precedent, the plaintiffs' bar built a business model, and the ad platforms built consent enforcement into the measurement layer itself. Compliance is now infrastructure, and like all infrastructure, it's cheapest to build before it fails.
Agency 39A designs and builds compliant digital infrastructure, consent architecture, tag governance, and privacy-first analytics for regulated and consumer brands. If you'd like an audit of your current exposure, get in touch.
This article is for general information and does not constitute legal advice. Consult counsel on your organization's specific obligations.
Sources & Further Reading
CIPA
- Courts Still Divided on Whether California Privacy Law Applies to Website Tracking, Fisher Phillips
- Could New Privacy Law Coalition Help Curb California Wiretapping Litigation? (SB 690), Fisher Phillips
- CIPA Lawsuit Tracker 2026, ConsentPixel
- CIPA Claims Surge: What Every Company with a California-Facing Website Must Know, Jackson Walker
- California Invasion of Privacy Act (CIPA): An Overview, Usercentrics
CCPA / CPPA
- California AG Announces Record $12.75M Settlement with GM, Hunton
- GM Just Paid a Record Penalty for Breaking California Privacy Law, CalMatters
- California AG Announces Largest CCPA Enforcement Settlement to Date (Disney/ABC), Troutman
- Lessons from 2026's First California Privacy Enforcement Actions, Koley Jessen
- CCPA Updates: Cybersecurity Audits, Risk Assessments, ADMT, California Privacy Protection Agency
- CPPA Finalizes Rules on ADMT, Risk Assessments, and Cybersecurity Audits, White & Case
- Revised and New CCPA Regulations Effective Jan. 1, 2026, Greenberg Traurig
- Breaking Down $23.2 Million in CCPA Fines, Termly
GDPR
- GDPR Enforcement Tracker Report: Numbers and Figures, CMS Law
- GDPR Fines and Data Privacy Enforcement Trends in 2026, Kiteworks
- GDPR Enforcement and Fines 2026, UniConsent
- GDPR Enforcement Trends in 2026, SecurityWall
HIPAA
- Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, HHS.gov
- Court Vacates HIPAA Online Tracking Guidance, Holland & Hart
- HHS Withdraws Appeal of Online Tracking Technology Court Order, Compliancy Group
- HIPAA Enforcement 2026: Sharper and Wider, LlamaLab
- HIPAA Security Rule 2026: The Final Rule Is Still Pending, But OCR Enforcement Is Not, ComplianceHub
- HIPAA Risk Analysis Enforcement in 2026, Healthcare Compliance Pros