This article is operational guidance on data plumbing changes, not legal advice. The New Jersey Data Protection Act’s 18-month cure period sunsets on July 15, 2026 — 64 days from publication. After that date, the New Jersey Attorney General can pursue enforcement under the New Jersey Consumer Fraud Act without offering a 30-day cure window, … Read more
On September 9, 2025, the California Privacy Protection Agency, Colorado Attorney General, and Connecticut Attorney General announced a coordinated investigative sweep targeting non-compliance with universal opt-out signals (GPC). The sweep produced the Disney settlement ($2.75M, February 2026) and Ford settlement ($375K + audit obligation, March 2026); Healthline ($1.55M, 2025) was the warm-up. Two architectural failures show up in nearly every WooCommerce stack: GPC honored only on the device that signaled it, and GPC honored on the page while data continues to flow to downstream partners. The CCPA fine ceiling is $7,988 per intentional violation, multiplied across three jurisdictions sharing evidence.
Most WooCommerce stores are over-complying with US privacy law — and it’s costing them data. CCPA, VCDPA, CPA, and most of the 22+ US state privacy frameworks enacted by 2026 (IAPP, 2026) are opt-out regimes. They do not require consent before tracking. They require you to stop tracking when a consumer tells you to. That’s … Read more
The letter arrived without warning. A California plaintiff’s attorney, citing the California Invasion of Privacy Act. The WooCommerce store had installed Google Analytics and Meta Pixel the normal way — through a plugin, in ten minutes — and had never considered that those pixels might constitute wiretapping under California law. CIPA litigation against websites using … Read more
By 2026, 19 US states enforce comprehensive privacy laws—covering nearly 50% of US consumers (IAPP, 2026). Most WordPress tracking setups violate at least one because client-side pixels “share” personal data with advertising platforms, triggering compliance requirements under CPRA, Virginia’s VCDPA, and others. Consent banners alone don’t fix this: client-side tags fire before consent is captured, and WordPress plugin conflicts create gaps. The architectural fix is server-side tracking, where events pass through a first-party server and consent decisions are applied programmatically before data reaches any platform.
As of January 2026, 19 US states have comprehensive consumer privacy laws in force — up from just California in 2020. These laws use an opt-out model fundamentally different from GDPR’s opt-in approach, meaning WordPress consent plugins configured for EU compliance don’t cover US requirements. CCPA fines reach $2,500 per violation per person ($7,500 for intentional violations), with the largest settlement hitting $1.55 million in 2025. Twelve states now require honoring Global Privacy Control signals. WooCommerce stores selling to US customers need separate consent architecture, GPC signal detection, and centralized data deletion capabilities across all tracking platforms.
