Clicks & Clients
08 / Field Notes
Privacy · May 3, 2026 · 5 min read

19 states now enforce privacy laws. Your tracking setup is probably non-compliant.

As of January 2026, 19 US states enforce comprehensive privacy laws. Global Privacy Control is mandatory in four states with seven-figure fines for non-compliance. What paid media operators need to check.

The enforcement map has expanded faster than most operators realize

As of January 2026, comprehensive privacy laws are enforced in 19 US states, with Indiana, Kentucky, and Rhode Island joining the list this year [1]. This is not a future concern. Regulators are enforcing, and they are enforcing against companies that use advertising tracking in ways that violate consent requirements.

The shift from 2025 to 2026 is the move from "law creation" to "law enforcement." Settlement precedents now exist. Technical expectations around opt-out signals, data sharing, and dark patterns are documented. Regulators know what to look for and have the budget to look [2].

Global Privacy Control is no longer optional

Global Privacy Control, the browser signal that tells websites the user has opted out of data selling and sharing, is effectively mandatory in California, Colorado, Connecticut, and Oregon [1]. Failure to honor GPC has already resulted in seven-figure settlements.

For paid media operators, this matters because GPC affects how your tracking pixels fire. If a user's browser sends a GPC signal and your site ignores it, continuing to fire Meta Pixel, Google Ads conversion tags, or TikTok Pixel events that share data with those platforms, you are in violation. The platforms themselves are not the ones at risk. You are.

Most consent management platforms (CMPs) can detect and honor GPC. But many operators installed a CMP two years ago, configured it once, and have not checked whether it correctly suppresses third-party tags when GPC is active. The technical implementation matters. A CMP that displays a cookie banner but does not suppress tracking scripts when GPC is present is not compliant.

California's new requirements raise the bar further

The CCPA regulations that took effect January 1, 2026 require comprehensive privacy risk assessments before initiating processing that presents "significant risk" to consumer privacy [3]. The activities that trigger this requirement include selling or sharing personal information, processing sensitive personal information, and using automated decision-making technology.

If you are running remarketing campaigns, your ad platform is making automated decisions about which users to target based on their prior behavior on your site. That is automated decision-making. If you are sharing conversion data with Meta or Google through their pixels, you may be selling or sharing personal information under the CCPA definition. Both activities may now require a documented risk assessment.

Few small to mid-sized businesses have conducted these assessments. The requirement is new, enforcement is ramping, and the operational burden is real.

What paid media operators should check

First, verify your CMP is honoring GPC. Visit your site in a browser with GPC enabled (Firefox sends it by default). Open the browser's developer tools and check whether tracking scripts fire after the page loads. If Meta Pixel, Google Ads tags, or other third-party scripts load without the user affirmatively opting in, your implementation is broken.
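The manual check above can be repeated on every release by exporting the session from the developer tools Network panel as a HAR file and scanning it. The following is an added example, not code from the original article: the tracker host list is an illustrative, non-exhaustive assumption, and `shop.example` and the sample entries are constructed.

```javascript
// Added example: flag ad-platform requests in a HAR captured with GPC enabled.
// TRACKER_HOSTS is an illustrative, non-exhaustive list (assumption).
const TRACKER_HOSTS = new Map([
  ['connect.facebook.net', 'Meta'],
  ['www.facebook.com', 'Meta'],
  ['www.googleadservices.com', 'Google Ads'],
  ['googleads.g.doubleclick.net', 'Google Ads'],
  ['analytics.tiktok.com', 'TikTok'],
]);

// Case-insensitive lookup of one request header in a HAR entry.
function requestHeader(entry, name) {
  const hit = (entry.request.headers || []).find(
    (h) => h.name.toLowerCase() === name.toLowerCase());
  return hit ? hit.value.trim() : null;
}

// Returns { gpcActive, findings }: one finding per tracker request
// made in a session whose requests carried "Sec-GPC: 1".
function auditHar(har) {
  const entries = har.log.entries;
  const gpcActive = entries.some((e) => requestHeader(e, 'Sec-GPC') === '1');
  const findings = [];
  if (!gpcActive) return { gpcActive, findings }; // nothing to judge without the signal
  for (const e of entries) {
    let host;
    try { host = new URL(e.request.url).hostname; } catch { continue; }
    const platform = TRACKER_HOSTS.get(host);
    if (platform) findings.push({ platform, host, url: e.request.url });
  }
  return { gpcActive, findings };
}

// Constructed sample: a trimmed HAR from a hypothetical shop.example session.
const gpc = [{ name: 'Sec-GPC', value: '1' }];
const req = (url, headers = gpc) => ({ request: { url, headers } });
const SAMPLE_HAR = { log: { entries: [
  req('https://shop.example/checkout/thanks'),
  req('https://shop.example/static/app.js'),
  req('https://connect.facebook.net/en_US/fbevents.js'),
  req('https://www.facebook.com/tr?id=0000&ev=Purchase'),
  req('https://www.googleadservices.com/pagead/conversion/0000/'),
] } };

for (const f of auditHar(SAMPLE_HAR).findings) {
  console.log(`GPC session still contacted ${f.platform}: ${f.url}`);
}
```

An empty `findings` array with `gpcActive` true is the passing result. Page scripts see the same signal as `navigator.globalPrivacyControl`, which is what a CMP should read before injecting third-party tags.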

Second, audit your consent flow. Several states now require opt-in consent for targeted advertising involving users under 16 [2]. Oregon specifically bans the sale of precise location data. If your campaigns use geo-targeting at a granular level and collect location data through your site or app, check whether your consent mechanism covers it.

Third, review your data-sharing relationships with ad platforms. Server-side tracking setups using Meta's Conversions API or Google's enhanced conversions send user data from your server to the platform's server. This data sharing may constitute "selling" under the CCPA definition. Ensure your privacy policy discloses it and your consent mechanism covers it.

The practical impact on campaign performance

Compliance will shrink your trackable audience. When GPC is honored, users who send the signal are excluded from remarketing lists and their conversions are not reported through standard pixel tracking. In California alone, GPC adoption is estimated at 10 to 15% of browser sessions. As more states mandate GPC recognition, that percentage grows.

This makes server-side tracking and first-party data more important, not less. Conversions API and enhanced conversions can capture conversion data in ways that are compliant because the data is hashed and sent server-to-server with proper consent. But they require implementation work and ongoing maintenance.

The operators who will navigate this cleanly are the ones who invested in proper tracking infrastructure over the past two years. The operators who are still relying solely on client-side pixels and have not updated their CMP since 2024 are the ones most at risk, both for compliance penalties and for measurement degradation.

This is not going away

No federal privacy law is imminent. The state-by-state patchwork will continue to expand. Every year, two to four new states begin enforcement. The requirements converge in direction but diverge in specifics, which makes compliance harder the more states you operate in. The practical answer for most operators is to build once for the strictest standard (California) and apply it everywhere. That way, when the next state starts enforcing, you are already compliant.

Sources
  1. 2026 Data Security and Privacy Compliance Checklist - O'Melveny · accessed 2026-05-03
  2. Data privacy laws: what to expect for 2026 - Ketch · accessed 2026-05-03
  3. Seven Critical CCPA Compliance Changes - Richt Law Firm · accessed 2026-05-03