What did California CPPA actually publish in its Q2 2026 enforcement guidance?

The California Privacy Protection Agency published a series of enforcement guidance documents through Q1 and Q2 2026 that operationalised CPRA in ways advertisers had been waiting for since the law took effect. The April 2026 cluster of guidance covered cross-context behavioural advertising scope, sensitive personal information targeting limits, opt-out preference signal handling, and the classification of common advertising configurations as selling or sharing under CPRA. The guidance was unusually specific by California regulator standards. Rather than restate statutory definitions the CPPA staff identified named advertising mechanics — Meta Lead Ads, Meta lookalike audiences, Google customer match, retargeting pixel deployment, server-side conversion APIs — and described how each maps to the selling, sharing, and cross-context behavioural advertising definitions. Advertisers received concrete answers to questions that had been ambiguous since CPRA took effect, and the guidance triggered immediate operational change across e-commerce, financial services, healthcare, and educational sectors. The April 2026 guidance also clarified the sensitive PI scope. The CPPA confirmed that inferences drawn from non-sensitive data points that produce sensitive-category audience attributes fall within the sensitive PI definition. The clarification matters because audience targeting platforms routinely produce inferences from broad signals, and the inference output may carry the sensitive-category restriction even when the underlying signal does not. Advertisers running audience targeting that approximates sensitive categories through combination patterns face direct exposure under the clarified scope. The guidance includes a six-month grace window from the April 2026 publication, with formal enforcement actions expected to begin in October 2026. The grace window is operational rather than legal — the CPPA reserved authority to take enforcement action during the grace window for clear-cut violations, and the agency has indicated that the grace is calibrated to the operational burden of remediation rather than to the legal validity of the obligations. Advertisers should treat the grace window as a hard deadline rather than a soft suggestion. For the broader US regulatory frame, see United States Meta Compliance and track in-flight regulatory updates through the Policy Tracker .

How does CPRA define sensitive personal information for ad targeting purposes?

CPRA's sensitive personal information definition under Section 1798.140(ae) covers eight categories that materially affect ad targeting configurations. The categories are government identifiers, account log-in and financial account information, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email, and text messages, and genetic data, biometric information for unique identification, health information, and information concerning sex life or sexual orientation. The combined list aligns broadly with GDPR Article 9 special categories with some California-specific variation. For ad targeting the operative question is which categories produce restricted audience attributes and which produce hard prohibitions. Under CPRA Section 1798.121, consumers have the right to limit the use and disclosure of sensitive personal information to purposes that are necessary to perform the services or provide the goods reasonably expected by an average consumer. The right-to-limit is a use-and-disclosure restriction rather than a categorical prohibition, and the operational effect on advertising is that advertisers cannot use sensitive PI for cross-context behavioural advertising where the consumer has exercised the right-to-limit. The CPPA's April 2026 guidance clarified that inferences drawn from non-sensitive data points that produce sensitive-category audience attributes fall within the sensitive PI scope. The clarification is significant because audience targeting platforms routinely produce inferences from broad signals — fitness, nutrition, and wellness signals can produce a health-adjacent audience attribute, and the audience attribute carries the sensitive PI restriction even when the underlying signals do not. Advertisers running audience targeting that approximates sensitive categories through combination patterns face direct exposure under the clarified scope. The right-to-limit mechanism requires advertisers to provide a clear and conspicuous Limit the Use of My Sensitive Personal Information link on advertiser-controlled properties, to honor the right when exercised, and to propagate the limitation to all downstream advertising platforms and processors. The CPPA's enforcement guidance specified that the link must appear on the same surface as the Do Not Sell/Share link and must use language that consumers can understand without specialised knowledge. Advertisers running campaigns that target California audiences must implement several operational changes to align with the sensitive PI scope. Audience definitions must be reviewed against the sensitive-category proxy patterns, lookalike audience seeds must be audited for sensitive-category contamination, the right-to-limit link must be implemented and monitored, and the propagation workflow must reach all downstream platforms. For automated audit of audience definitions against sensitive-category proxies, route through AI Compliance Audit .

What are the operational requirements for honoring Global Privacy Control and other opt-out preference signals under CPRA?

CPRA Section 1798.135 requires businesses that sell or share personal information to honor opt-out preference signals sent by consumers through technical means including browser-level signals. Global Privacy Control is the dominant opt-out preference signal in the California market and is the only signal that the California Privacy Protection Agency has explicitly recognised as compliant with the regulatory standard. Other signals exist — DNT (Do Not Track) is technically present in most browsers but the CPPA has indicated that DNT alone does not satisfy the CPRA opt-out preference signal standard. The operational requirement on advertisers is to detect GPC at the page level on California-served traffic and to treat the signal as an opt-out of selling and sharing. The detection must happen before any advertising-related data collection occurs — meaning before pixel fires, before server-side conversion API events, before lookalike audience seed contribution. The detection-then-suppress pattern is the core operational mechanic. Advertisers running pixel-based tracking must configure conditional firing logic that suppresses the pixel when GPC is detected on California-served traffic. Advertisers running server-side conversion APIs must include the GPC signal status in the event payload and the platform must honor the signal at ingestion. Advertisers running lookalike audience modelling must exclude GPC-opted-out users from the seed audience. The propagation discipline is critical. Honoring GPC at the website level but failing to propagate the opt-out to downstream platforms produces a partial compliance posture that the CPPA enforcement staff has flagged as insufficient. The propagation must reach all platforms that receive the user's data including Meta's audience layer, Google's customer match, TikTok's audience platform, LinkedIn's audience network, and any programmatic ad-tech vendor. The propagation must occur within a reasonable timeframe — the CPPA guidance suggested seventy-two hours as a soft standard. Several jurisdictions beyond California now recognise GPC or related signals. Colorado's Universal Opt-Out Mechanism is a CPRA-equivalent signal honored under CPA from July 2024. Connecticut honors UOOM from January 2025. Texas honors UOOM under TDPSA. Advertisers running national campaigns should implement a single signal detection layer that treats all opt-out preference signals identically rather than configure region-specific signal recognition. The single-layer pattern simplifies operational maintenance and reduces the risk of misconfiguration. For the consolidated US privacy regulatory frame, see United States Meta Compliance . Run Legal Compliance Scan for jurisdiction-specific configuration audit.

How does cookie consent workflow need to change for advertisers serving California traffic in Q2 2026?

Cookie consent workflow for advertisers serving California traffic operates under several converging requirements — CPRA's notice-at-collection obligation, CPRA's opt-out of selling and sharing, the CPPA's April 2026 guidance on cross-context behavioural advertising, and the broader patchwork of state laws that apply to overlapping audiences. The combined effect is a workflow that is materially more complex than the simple opt-in or opt-out cookie banners that dominated US advertiser practice through 2024 and 2025. The notice-at-collection obligation requires advertisers to inform consumers of the categories of personal information collected and the purposes of collection at or before the point of collection. For website tracking the notice typically appears as a layered notice with a short-form summary and a link to the full privacy policy. The notice must be conspicuous, must be in plain language, and must specifically address sensitive personal information when sensitive PI is collected. The opt-out of selling and sharing requirement operates separately from notice and consent. The Do Not Sell or Share My Personal Information link must be present on the same surface as the privacy policy, must be functional within a reasonable timeframe of click, and must propagate the opt-out to all downstream platforms. The CPPA's April 2026 guidance clarified that the link must use the exact statutory language Do Not Sell or Share My Personal Information rather than functionally equivalent alternatives. The cross-context behavioural advertising classification means that most retargeting and lookalike audience configurations fall within the selling-or-sharing definition. Advertisers running cross-context behavioural advertising must provide opt-out mechanism, must honor opt-out preference signals, must update privacy policy disclosures, and must propagate opt-outs to downstream platforms. Cookie consent management platforms have updated their default California configurations through Q2 2026 to accommodate the changes. The updated configurations typically include GPC detection at page load, automatic suppression of advertising cookies when GPC is detected, propagation of opt-out status to server-side conversion APIs, integration with platform-side audience layers for downstream suppression, and audit logging of opt-out events for accountability. Advertisers running custom-built consent management should review their configurations against the updated CMP defaults. For automated audit of cookie consent and advertising cookie deployment, route through AI Compliance Audit and reference the cross-platform regulatory frame through Google Consent Mode v2 implementation guide .

How does CPRA cross-context behavioural advertising classification affect Meta, Google, TikTok, and LinkedIn campaigns specifically?

CPRA's cross-context behavioural advertising definition under Section 1798.140(k) captures advertising directed to consumers based on personal information obtained from activity outside the business with which the consumer intentionally interacts. The definition is broad enough that several common platform configurations fall within scope, and the CPPA's April 2026 guidance identified named platform mechanics that constitute cross-context behavioural advertising. On Meta the affected configurations include retargeting audiences built from pixel-collected behavioural data, lookalike audiences seeded from off-Meta behavioural signals, custom audiences uploaded from CRM data that informs cross-context targeting, and Advantage+ audience expansion that combines on-platform and off-platform signals. The remediation pattern is to provide opt-out mechanism at the website level, propagate opt-outs to Meta's audience layer through the conversion API, and exclude opted-out users from custom audiences and lookalike seeds. On Google the affected configurations include remarketing lists built from website tag data, customer match audiences built from CRM uploads, similar audiences derived from remarketing seeds, and Performance Max audience signals that combine first-party and third-party data. The remediation pattern follows the same logic — opt-out mechanism at the website level, propagation through Google Ads enhanced conversions API, and exclusion from audience definitions and similar audience seeds. On TikTok the affected configurations include retargeting audiences from TikTok pixel data, lookalike audiences seeded from off-TikTok signals, and custom audience uploads. The remediation pattern includes opt-out mechanism, propagation through TikTok Events API, and exclusion from audience and lookalike construction. TikTok's compliance posture for California audiences has tightened through Q2 2026 in response to CPPA guidance. On LinkedIn the affected configurations include matched audiences from CRM upload, retargeting from LinkedIn Insight Tag data, and lookalike audiences seeded from matched audiences. The B2B context creates some interpretive variation under CPRA — the CPPA has indicated that B2B audiences are within scope when the underlying targeting reaches identified individuals rather than business roles, and most LinkedIn matched audiences reach identified individuals. The remediation pattern follows the consumer pattern. The cross-platform recommendation is to implement a single opt-out propagation layer that reaches all platforms through their respective server-side APIs rather than maintain platform-specific opt-out workflows. The single-layer pattern reduces operational maintenance and reduces the risk of partial-propagation failures that the CPPA enforcement staff has flagged as a common failure mode. For audit of cross-platform audience configurations, run Legal Compliance Scan . Reference the broader Meta policy frame through Meta Ad Policies .

What is the practical advertiser workflow to reach CPRA Q2 2026 compliance before the October enforcement deadline?

The practical advertiser workflow to reach CPRA Q2 2026 compliance before the October 2026 formal enforcement deadline involves five workstreams that can run in parallel. Advertisers running large-scale California campaigns should treat the grace window as a hard deadline and should staff the workstreams with sufficient resourcing to complete within five to six months. The first workstream is audience definition audit. Every active audience definition that targets California or could include California users must be reviewed against the sensitive-category proxy matrix. The audit produces a list of audience definitions that need to be reconfigured, a list of lookalike seeds that need to be audited for sensitive-category contamination, and a list of custom audience uploads that need to be reviewed for compliance with the right-to-limit propagation. The audience definition audit typically takes four to eight weeks for a multi-platform advertiser and produces remediation work that takes another four to eight weeks. The second workstream is opt-out signal infrastructure. Global Privacy Control detection must be implemented at the page level on all California-served traffic, the detection must be wired to suppress advertising-related data collection, and the suppression must propagate to all downstream platforms through the respective server-side APIs. The implementation typically requires coordination across web engineering, ad-ops, and CRM teams. The infrastructure workstream typically takes six to twelve weeks depending on the existing technical baseline. The third workstream is cookie consent and notice update. The notice-at-collection layer must be updated to address sensitive PI specifically, the Do Not Sell or Share My Personal Information link must be implemented or updated to use the exact statutory language, and the cookie consent management platform configuration must be updated to align with the April 2026 CPPA guidance. The workstream typically takes four to eight weeks. The fourth workstream is downstream platform configuration. Each ad platform requires specific configuration updates to honor opt-outs propagated through server-side APIs, to exclude opted-out users from audience definitions, and to align lookalike audience construction with the right-to-limit. The configuration is platform-specific and requires platform-level expertise. The workstream typically takes six to twelve weeks. The fifth workstream is documentation and accountability. CPRA accountability obligations require advertisers to document audience definitions, sensitive-category review, opt-out propagation logs, and policy update timeline. The documentation supports response to CPPA inquiries and to consumer access requests. The workstream is ongoing rather than time-bounded but requires initial investment in template development and process implementation. Advertisers should commission a third-party CPRA compliance audit before the October 2026 deadline to validate the workstream output and to identify residual gaps. For end-to-end CPRA compliance audit, run Legal Compliance Scan and reference the consolidated US regulatory framework through United States Meta Compliance .

California CPRA Q2 2026: Audience Targeting & GPC Guide

California CPRA Q2 2026 Audience Targeting Audit: Sensitive PI, Opt-Out Signals & Advertiser Cookie Consent Workflow

What CPPA Published in Q2 2026

The California Privacy Protection Agency published a series of enforcement guidance documents through Q1 and Q2 2026 that operationalised CPRA in ways advertisers had been waiting for since the law took effect. The April 2026 cluster covered cross-context behavioural advertising scope, sensitive personal information targeting limits, opt-out preference signal handling, and the classification of common advertising configurations as selling or sharing under CPRA.

The guidance was unusually specific by California regulator standards. Rather than restate statutory definitions the CPPA staff identified named advertising mechanics — Meta Lead Ads, Meta lookalike audiences, Google customer match, retargeting pixel deployment, server-side conversion APIs — and described how each maps to the selling, sharing, and cross-context behavioural advertising definitions. The specificity triggered immediate operational change across e-commerce, financial services, healthcare, and educational sectors.

The April 2026 guidance includes a six-month grace window with formal enforcement actions expected to begin in October 2026. The grace window is operational rather than legal — the CPPA reserved authority to take enforcement action during the grace window for clear-cut violations, and the agency has indicated that the grace is calibrated to the operational burden of remediation rather than to the legal validity of the obligations.

"The Q2 2026 guidance moves CPRA from abstract obligation to concrete configuration. Advertisers running default 2024 audience setups should treat the October enforcement window as a hard deadline."
— AuditSocials California privacy brief, May 2026

For the broader US regulatory frame, see United States Meta Compliance and track in-flight regulatory updates through the Policy Tracker.

Sensitive Personal Information Scope

CPRA Section 1798.140(ae) defines eight sensitive personal information categories that materially affect ad targeting. Under Section 1798.121 consumers have the right to limit the use and disclosure of sensitive PI to purposes necessary to perform the services or provide the goods reasonably expected by an average consumer. The right-to-limit mechanism is a use-and-disclosure restriction with direct operational effect on cross-context behavioural advertising.

Sensitive PI Categories Under CPRA

Category	Ad Targeting Impact	Right-to-Limit Effect
Government identifier	Cannot be used as targeting attribute	Categorical exclusion
Account log-in / financial account	Restricted to advertiser's own customer relationship	Cannot inform cross-context behavioural ads
Precise geolocation	Restricted to product-necessary use	Cannot inform cross-context behavioural ads
Race or ethnic origin	Cannot be used as targeting attribute	Categorical exclusion
Religious or philosophical belief	Cannot be used as targeting attribute	Categorical exclusion
Union membership	Cannot be used as targeting attribute	Categorical exclusion
Mail / email / text content	Cannot be used as targeting attribute	Categorical exclusion
Genetic / biometric / health	Cannot be used as targeting attribute	Categorical exclusion
Sex life / sexual orientation	Cannot be used as targeting attribute	Categorical exclusion

Inference Scope Clarification

The April 2026 CPPA guidance clarified that inferences drawn from non-sensitive data points that produce sensitive-category audience attributes fall within the sensitive PI scope. Audience definitions that approximate health, political, or religious categories through combination patterns carry the sensitive PI restriction even when the underlying signals do not.

For automated audit of audience definitions against sensitive-category proxies, route through AI Compliance Audit.

GPC & Opt-Out Preference Signals

CPRA Section 1798.135 requires businesses that sell or share personal information to honor opt-out preference signals sent by consumers through technical means including browser-level signals. Global Privacy Control is the dominant signal in the California market and is the only signal explicitly recognised by the CPPA as compliant with the regulatory standard.

Detection-Then-Suppress Pattern

Detect at page load: GPC header detection on every California-served pageview before any advertising data collection
Suppress pixel firing: Conditional logic that prevents pixel fire when GPC is detected
Server-side propagation: Include GPC status in conversion API event payloads
Exclude from audiences: GPC-opted-out users excluded from custom audience and lookalike seeds
Audit logging: Log opt-out events for accountability response

Cross-State Signal Recognition

California: GPC required from January 2024
Colorado: Universal Opt-Out Mechanism honored from July 2024
Connecticut: UOOM honored from January 2025
Texas: UOOM honored under TDPSA

Advertisers running national campaigns should implement a single signal-detection layer that treats all opt-out preference signals identically rather than configure region-specific signal recognition. For multi-jurisdiction signal-handling audit, run Legal Compliance Scan.

Cookie Consent Workflow

Cookie consent workflow for advertisers serving California traffic operates under several converging requirements — CPRA's notice-at-collection obligation, CPRA's opt-out of selling and sharing, the CPPA's April 2026 guidance on cross-context behavioural advertising, and the broader US state patchwork that applies to overlapping audiences. The combined effect is a workflow materially more complex than the simple banners that dominated US advertiser practice through 2024 and 2025.

Required Surface Elements

Surface Element	Statutory Anchor	2026 Standard
Notice at collection	CPRA § 1798.100(a)	Layered notice with sensitive PI specifically addressed
Do Not Sell or Share link	CPRA § 1798.135(a)	Exact statutory language; conspicuous placement
Limit Use of Sensitive PI link	CPRA § 1798.121	Same surface as Do Not Sell/Share link
GPC detection	CPRA § 1798.135(b)	Page-load detection; suppression of advertising data collection
Privacy policy disclosure	CPRA § 1798.130	Cross-context behavioural advertising disclosure included

Cookie consent management platforms have updated their default California configurations through Q2 2026. Advertisers running custom-built consent management should review their configurations against the updated CMP defaults. For automated audit of cookie consent deployment, route through AI Compliance Audit.

Cross-Platform Audience Targeting Impact

The CPPA's April 2026 guidance identified named platform mechanics that constitute cross-context behavioural advertising under CPRA. Each major advertising platform produced configuration updates through Q2 2026 to align platform behaviour with the guidance, and advertisers running cross-platform campaigns must implement platform-specific updates.

Platform-Specific Configuration Matrix

Platform	Affected Mechanics	Q2 2026 Remediation
Meta	Retargeting, lookalike, custom audience, Advantage+ expansion	Opt-out propagation through Conversion API; audience exclusion
Google	Remarketing, customer match, similar audiences, Performance Max signals	Enhanced conversions API integration; audience exclusion
TikTok	Retargeting, lookalike, custom audience	Events API propagation; audience exclusion
LinkedIn	Matched audiences, Insight Tag retargeting, lookalike	Conversions API propagation; B2B-context interpretation

The cross-platform recommendation is a single opt-out propagation layer that reaches all platforms through their respective server-side APIs rather than platform-specific opt-out workflows. For platform-specific audit, see Meta Ad Policies and Google Ads Policy Guide.

CPRA Compliance Checklist

[ ] Audit every active audience definition for sensitive-category proxy patterns
[ ] Audit lookalike seeds for sensitive-category contamination
[ ] Implement GPC detection at the page level on California-served traffic
[ ] Wire GPC suppression to advertising data collection
[ ] Propagate GPC status through Meta, Google, TikTok, and LinkedIn server-side APIs
[ ] Add Do Not Sell or Share My Personal Information link with exact statutory language
[ ] Add Limit Use of Sensitive Personal Information link on the same surface
[ ] Update notice-at-collection layer to address sensitive PI explicitly
[ ] Update privacy policy disclosure for cross-context behavioural advertising
[ ] Implement audit logging of opt-out events
[ ] Commission third-party CPRA compliance audit before October 2026
[ ] Track in-flight CPPA guidance through the Policy Tracker

Don't miss the next policy change.

Subscribe to the Policy Tracker — get weekly digests or instant Pro alerts across all 8 platforms. Or try our free Keyword Risk Checker first.

Subscribe Free

Report Keywords — Run AI Compliance Audit

#CPRA#CCPA#Sensitive PI#GPC#Opt-Out#Cookie Consent#California Privacy#Cross-Context Behavioral Advertising#2026 Policy#Advertisers#Compliance Guide 2026#Audience Targeting

Share This Report

Tweet Share

EU DSA Second-Wave VLOP Designations April 2026 — 12+ New Platforms Under Article 33, Cross-Product User Counts & 2027 Audit Timeline

The European Commission's second-wave DSA designations effective April 2026 add 12+ platforms to the Very Large Online Platform list under tighter user-count methodology. The January 2027 compliance review will be the first formal audit of the second-wave cohort with fines up to 6% of global revenue.

EU DSA Second Wave Enforcement April 2026 — New VLOP Designations, Expanded Advertising Transparency Obligations & 6 Percent Turnover Fines

The EU activated its DSA second enforcement wave in April 2026, designating additional platforms as VLOPs and extending advertising transparency obligations. The €120M X fine set the penalty ceiling at 6 percent of global turnover — advertisers on newly designated platforms face new creative, targeting, and reporting constraints.

EU AI Act Article 50 Advertising Compliance 2026 — Synthetic Content Labeling, Marketer Obligations & August Enforcement Deadline

Article 50 of the EU AI Act requires every advertiser using AI-generated creative or synthetic personas to label that content for EU audiences. Enforcement begins August 2, 2026.

California CPRA Q2 2026 Audience Targeting Audit: Sensitive PI, Opt-Out Signals & Advertiser Cookie Consent Workflow