California’s revised CCPA regulations took effect January 1, 2026 with no delayed enforcement window. The headline change: a business must provide visible confirmation that an opt-out request — including a Global Privacy Control signal — has been processed. Silent honouring in the back-end is no longer compliance. Complianz, CookieYes, Real Cookie Banner, and WPConsent in their default configurations all drop the tracking cookie quietly and show the visitor nothing. That is the exact pattern the new rule names as a failure.
The enforcement curve has already moved. Disney settled for $2.75M, Tractor Supply for $1.35M, and a March 2026 Ford settlement requires Ford to audit every tracking technology on its properties for GPC handling.
What the Rule Actually Says
Per Lathrop GPM’s analysis of the CPPA-effective rules: “A business must provide confirmation that the opt-out request for the selling and sharing of personal information has been processed, regardless of whether the opt-out request occurred through a cookie banner, a link or a universal opt-out signal like the Global Privacy Control.”
The phrase that matters is regardless of whether. The rule does not distinguish between an opt-out the visitor actively clicked and an opt-out signalled passively by their browser. Both require visible confirmation.
The plain test: what does your visitor SEE when they have GPC enabled? If the answer is “nothing different to a visitor without GPC”, you are operating against the rule.
The Four WordPress Consent Plugins, Specifically
I read the rule and then I read the plugins. Here is what each does today on a default install:
- Complianz: Reads navigator.globalPrivacyControl, sets the consent state to “do-not-sell” automatically, and suppresses the banner entirely on subsequent loads. The visitor sees no banner — and no confirmation that GPC was honoured.
- CookieYes: Detects GPC, applies the Do Not Sell preference silently, and continues to show its standard cookie banner without any GPC-specific message. The visitor cannot distinguish a GPC-honoured visit from a non-GPC visit.
- Real Cookie Banner: Honours the Sec-GPC header for US visitors and writes a server-side preference, but the front-end UI shows no acknowledgement of the signal.
- WPConsent: Same pattern — back-end honours the signal, front-end shows nothing.
Every one of these plugins is technically compliant under the 2025 reading of the rule and technically non-compliant under the 2026 reading. The change is in the visible layer, not the data layer.
The Enforcement Context Behind the Rule
The visible-confirmation requirement did not appear in a vacuum. Three pieces of context explain why it landed where it did:
The September 9 joint sweep. The California, Colorado, and Connecticut Attorneys General announced a coordinated investigative sweep targeting non-compliance with opt-out preference signals on September 9, 2025 (CPPA / joint AGs, 2025). It was the first cross-state coordinated action on a single privacy-technical issue, and it told every privacy team that GPC handling was now its own enforcement category.
Disney, $2.75M. The Disney CCPA settlement found that Disney restricted GPC signals to individual devices even when users were logged into their accounts (TrustArc, 2025). The settlement established the principle that GPC must propagate across the entire data stack — not just per-device. Logged-in users carry the signal with them.
The Ford and Honda settlements. The March 2026 Ford settlement requires Ford to audit every tracking technology on its properties for GPC handling. The earlier Honda settlement ($632,500) explicitly required UX-expert sign-off on the redesigned consent flow. The pattern is clear: enforcement is now reaching into the implementation, not stopping at the privacy policy.
Per Secure Privacy’s enforcement summary, CCPA penalties are $2,500 per violation and $7,500 per intentional violation. A single technical failure affecting 100,000 California consumers could theoretically generate $250M in maximum exposure.
What Visible Confirmation Actually Looks Like
The rule names the requirement but does not prescribe the UI. Four implementation patterns are emerging from privacy counsel and the early Q1 2026 settlements:
- Persistent header banner. A small, dismissible top-strip on every page reading “Your privacy preference: Do Not Sell or Share — honoured via your browser’s GPC signal.”
- Account-settings toggle. For logged-in WooCommerce customers, a privacy section in My Account showing the current state, the source (browser GPC, banner click, manual change), and the date.
- On-banner success message. The cookie banner replaces its standard text with a confirmation that auto-dismisses after a few seconds: “Your browser sent a Do Not Sell signal. We have honoured it.”
- Server-side Sec-GPC handler. Reading the Sec-GPC header at the edge before any tracking pipeline starts, then surfacing the state to the front-end as a single source of truth.
The first three are per-plugin scrambles. The fourth is the architectural decision.
Why Per-Plugin Patches Will Not Hold
The CPPA rule is not the only deadline. California’s Opt Me Out Act takes effect January 1, 2027 and adds a per-platform universal opt-out registry on top. As of January 2026, 12 US state privacy laws require honouring GPC (Consenteo, 2026), and that number is still climbing.
Every consent plugin in the WordPress ecosystem will eventually ship visible-confirmation features. The question is whether the store waits for each plugin’s release cycle, manages the configuration drift across plugins as state laws evolve, and re-audits the front-end every time the plugin updates — or makes the visible-confirmation decision once at the server layer.
The Server-Side Pattern
The Sec-GPC header arrives on every request a GPC-enabled browser sends. Reading it at the edge — before any tracking pipeline starts — turns “did we honour GPC?” into a single decision rather than a per-plugin question.
Transmute Engine™ is a first-party Node.js server that runs on your subdomain (e.g., data.yourstore.com). Because every WooCommerce event flows through it before reaching any destination, the Sec-GPC header is read once, the opt-out state is set once, and visible confirmation can be wired into the response headers and exposed to the front-end as a single signal — without depending on each consent plugin to handle the rule consistently.
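The single-decision pattern described above, as an added example; it is not Transmute Engine's code or any plugin's. It resolves the opt-out once from the Sec-GPC header and a saved account preference, then derives both the visible confirmation and the destination filter from that one state. The function names, the `X-Privacy-Optout` response header, the `account.optOut` shape and the `sellsOrShares` flag are assumptions made for illustration.

```javascript
// Added example, not vendor or plugin code. Hypothetical names: resolveOptOut,
// confirmationFor, routeEvent, X-Privacy-Optout, account.optOut, sellsOrShares.

// Sec-GPC carries the literal value "1" when the signal is on.
// Assumes lower-cased header keys, as in Node's req.headers.
function hasGpc(headers) {
  return String(headers['sec-gpc'] || '').trim() === '1';
}

// Decide the opt-out state once per request. A GPC hit is saved to the
// account so a logged-in customer carries it to devices without GPC.
function resolveOptOut(headers, account, now = new Date()) {
  const gpc = hasGpc(headers);
  if (gpc && account && !account.optOut) {
    account.optOut = { origin: 'browser-gpc', since: now.toISOString() };
  }
  const saved = account ? account.optOut : null;
  if (!gpc && !saved) return { optedOut: false, source: null, since: null };
  return {
    optedOut: true,
    source: gpc ? 'browser-gpc' : 'account-preference',
    since: saved ? saved.since : now.toISOString(),
  };
}

// The visible layer: a response header plus the banner text to render.
function confirmationFor(state) {
  if (!state.optedOut) return { headers: {}, banner: null };
  const how = state.source === 'browser-gpc'
    ? "your browser's GPC signal"
    : 'the preference saved to your account';
  return {
    headers: { 'X-Privacy-Optout': `1; source=${state.source}` },
    banner: `Your privacy preference: Do Not Sell or Share. Honoured via ${how}.`,
  };
}

// The data layer: drop destinations that sell or share when opted out.
function routeEvent(state, destinations) {
  return destinations
    .filter((d) => !(state.optedOut && d.sellsOrShares))
    .map((d) => d.name);
}

// Constructed sample destinations, for illustration only.
const SAMPLE_DESTINATIONS = [
  { name: 'first-party-analytics', sellsOrShares: false },
  { name: 'ad-network', sellsOrShares: true },
];
```

Because the banner and the routing both read the same state object, a request cannot be filtered in the back-end without also producing the confirmation the visitor sees.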
Key Takeaways
- Effective January 1, 2026: California requires visible confirmation that an opt-out — including a GPC signal — was processed. Silent compliance is no longer compliance.
- Default is now non-compliant: Complianz, CookieYes, Real Cookie Banner, and WPConsent all honour GPC silently in their default configurations.
- Enforcement is active: Disney $2.75M, Tractor Supply $1.35M, Honda $632.5K, Ford settlement requiring a tracking-technology audit, and a September 9, 2025 joint California-Colorado-Connecticut sweep.
- Disney rule: GPC must propagate across the entire data stack, not just per-device — logged-in customers carry the signal with them.
- Penalty math: $2,500 per violation, $7,500 per intentional violation. 100,000 affected consumers = $250M maximum exposure.
- Architectural fix: Read Sec-GPC at the edge, surface confirmation as a single front-end signal, stop chasing the rule per-plugin.
Frequently Asked Questions
Yes. The CPPA’s revised CCPA regulations effective January 1, 2026 require businesses to provide confirmation that an opt-out request has been processed — whether the opt-out came through a banner, a link, or a universal signal like Global Privacy Control. Silent honouring of the signal in the back-end is no longer sufficient. The visitor must see something that confirms the request was received.
Three things. First, visible confirmation when an opt-out is processed (including from a GPC signal). Second, symmetric choice — opting out must be no harder than opting in. Third, GPC signals must propagate across the entire data stack, not be restricted to a single device or session, which is the failure mode in the Disney settlement.
No. As of early 2026, the default configuration of the four major WordPress consent plugins — Complianz, CookieYes, Real Cookie Banner, and WPConsent — silently drops the tracking cookie when a GPC signal is detected and shows the visitor nothing. This is the exact pattern the new rule names as a failure. Each plugin can be configured to display a confirmation, but the configuration is not the default.
On September 9, 2025, the California, Colorado, and Connecticut Attorneys General announced a coordinated investigative sweep targeting non-compliance with opt-out preference signals. It was the first cross-state coordinated action on a single privacy-technical issue, and it is the active investigation behind the visible-confirmation rule.
CCPA penalties are $2,500 per violation and $7,500 per intentional violation. A single technical failure affecting 100,000 California consumers could theoretically generate $250M in maximum exposure. Recent settlements include Disney ($2.75M), Tractor Supply ($1.35M), and Honda ($632,500), with the Honda settlement explicitly requiring UX-expert sign-off on the redesign.
Audit what your GPC visitors actually see — then make it a single architectural decision instead of four plugin configurations. Start at seresa.io.



