Is Your Privacy Policy Out of Date? What California’s 2026 Rules Mean for Ecommerce and SaaS Businesses
Most business owners write a privacy policy exactly once — usually by pasting a generator’s template into the website footer the week they launch — and never look at it again. In 2026, that neglected document has quietly become one of the more common sources of legal exposure for online businesses. California’s newest CCPA regulatory package became effective January 1, 2026, Texas has been enforcing an unusually broad consumer-privacy law since 2024, and the gap between what your policy says and what your website actually does is precisely what regulators, plaintiffs’ attorneys, and platform reviewers look for.
This is not a problem reserved for large technology companies. If you run an ecommerce store, a SaaS product, a mobile app, a marketplace, or frankly almost any site that collects visitor data through analytics, advertising pixels, cookies, or a checkout form, your privacy policy is a legally significant public representation about how you handle personal information. When that representation is inaccurate, outdated, or missing required disclosures, it can create liability you never see coming — until an enforcement letter, a demand letter, or a held payment account arrives.
Because Accord & Shield is licensed in Arizona, California, and Texas, we field a version of this question constantly from founders and business owners: “Which of these laws actually applies to me, and what do I really have to do?” This guide answers that in depth — what the three states require, what changed for 2026, why an out-of-date policy is a genuine liability rather than a formality, and how to bring your policy back into alignment without overcomplicating it.
First, Why a Privacy Policy Is a Legal Document — Not a Formality
It helps to be precise about what a privacy policy actually is in legal terms, because the misunderstanding is where most of the risk originates. A privacy policy is a public-facing representation about how your business collects, uses, shares, sells, retains, and protects personal information. It is not marketing copy and it is not boilerplate. When you publish one, you are making statements that consumers, regulators, and courts can hold you to.
That framing changes everything. If your policy says you “do not sell personal information,” but your advertising pixels pass data to third parties in a way the law defines as a “sale” or “sharing,” you have arguably made a false statement about a material business practice. If your policy is silent about the tracking technologies your site actually runs, you have arguably omitted a material disclosure. Either way, the document meant to protect you becomes the evidence used against you.
This is why the single most important principle in this entire article is alignment: your privacy policy, your terms of service, and the real behavior of your website must all tell the same story. When they diverge — and over time they almost always do, as new tools and vendors get added and the policy never catches up — that divergence is the exact thing an enforcement action or class-action complaint points to.
The Four Ways an Out-of-Date Policy Creates Real Liability
When we tell clients an outdated privacy policy is a liability, we mean something concrete. The exposure comes from four different directions, often at the same time:
- Regulatory enforcement. State attorneys general and, in California, a dedicated privacy agency can investigate and impose penalties for inaccurate or insufficient disclosures. These are not theoretical. In 2025, the California Attorney General reached a $1.55 million settlement with a health-information website over disclosure and data-use failures — at the time, the largest CCPA-related fine on record. That matter is especially instructive for content, ecommerce, and SaaS sites because it centered on tracking technology, targeted advertising, and the gap between user-facing privacy rights and backend data flows. Per-violation penalties, multiplied across thousands of consumers, add up quickly.
- Consumer and class-action lawsuits. The CCPA’s own private right of action is limited — it applies principally to certain data breaches, not to disclosure defects generally. But that limit does not eliminate litigation risk. A separate and very active wave of class actions relies on older California wiretapping and eavesdropping law — the California Invasion of Privacy Act (CIPA) — against websites that deploy tracking pixels, chat tools, analytics, and session-replay technology without clear disclosure or consent. The lesson cuts across both: if your tracking technologies collect or transmit information in ways your policy doesn’t disclose and your consent or opt-out flow doesn’t address, that policy becomes part of the plaintiff’s evidence.
- Payment processors and platforms. Payment processors, ecommerce platforms, app stores, and advertising networks commonly require merchants and developers to maintain accurate privacy disclosures. Depending on the platform’s terms and risk review, a missing or deficient policy can create onboarding delays, account review issues, advertising disapprovals, or reserves and holds on funds. For an ecommerce or SaaS business, that is not a paperwork problem — it is revenue interrupted, sometimes with little warning.
- Investor and acquirer due diligence. The moment you raise a priced round or entertain an acquisition, privacy becomes a data-room issue: your policy, cookie banners, data maps, data-processing agreements, vendor and subprocessor lists, prior incidents, consumer requests, and advertising practices can all be pulled and reviewed. A stale footer policy can become a representation in the purchase agreement, a special indemnity, a holdback, or a valuation adjustment. Founders are frequently surprised that a footer document affects their exit — it does.
The common thread is that none of these risks require you to have suffered a data breach. They flow simply from a mismatch between what you say and what you do. That mismatch is inexpensive to fix in advance and expensive to defend after the fact.
What Changed in California for 2026
California remains the strictest and most closely watched privacy regime in the United States, and it did not stand still. A new regulatory package from the California Privacy Protection Agency (CPPA) — covering CCPA updates, cybersecurity audits, risk assessments, automated decision-making technology, and insurance-related provisions — was finalized in 2025 and took effect January 1, 2026. It meaningfully expanded what covered businesses must do, and several of the changes matter directly to ecommerce and SaaS operators:
- Heightened treatment of minors’ data. California continues to treat children’s data as a heightened-risk category, and the framework tied to consumers under 16 carries elevated consent requirements and increased penalties for violations. If your site collects information indicating a user is a minor — a birthdate at signup, an age gate, a grade level — you should review whether your disclosures, your consent and opt-out flows, and your handling of sensitive information are adequate. The obligation turns on awareness: if you know, or reasonably should know from your own data collection, that you are processing a minor’s information, the heightened rules are in play.
- Opt-out preference signals are an enforcement priority. California regulations already require covered businesses to detect and honor browser-level opt-out preference signals such as the Global Privacy Control (GPC), and California’s privacy regulators have made GPC compliance a stated enforcement focus. Covered businesses should ensure their sites recognize a valid GPC signal, apply it, and don’t leave the consumer guessing whether an opt-out was received and honored.
- The “right to know” look-back is no longer a simple 12-month exercise. California access rights can reach personal information collected beyond the prior 12 months (for information collected on or after January 1, 2022), subject to statutory limits such as impossibility or disproportionate effort. In practice that means your retention schedule and data map — how long you keep information and where it lives — now carry real compliance weight.
- New governance obligations for higher-risk processing. The 2026 regulatory package layers in requirements around formal risk assessments, independent cybersecurity audits, and the use of automated decision-making technology (ADMT) — tools that process personal data to make significant decisions about people. Not every small ecommerce or SaaS business will owe every one of these duties; applicability depends on your processing activities and whether you cross the relevant thresholds. But the direction of travel is unmistakable: higher-risk processing, automated decision-making, and security practices are moving from best-practice territory into documented compliance obligations for covered businesses. These changes phase in on staggered schedules.
The practical upshot: even a policy that was fully compliant in 2024 very likely needs revision now. The language around minors, the opt-out mechanics, the tracking disclosures, and the treatment of sensitive information all changed.
Does California’s Law Even Apply to You?
This question trips people up in both directions — some businesses assume they’re covered when they aren’t, and plenty assume they’re too small when they actually cross a threshold. Under the CCPA, a for-profit business that does business in California and handles California residents’ personal information is generally covered if it meets any one of these thresholds:
- Gross annual revenue over the CCPA’s inflation-adjusted threshold — a $25 million statutory baseline that the CPPA currently identifies as $26,625,000 — or
- Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households, or
- Derives 50% or more of annual revenue from selling or sharing personal information.
Two features of this list surprise founders. First, the revenue threshold is total gross revenue — not just revenue earned in California or from California customers. Second, and more important for growing companies, the 100,000-resident threshold is easier to cross than it sounds. A direct-to-consumer ecommerce brand with strong California sales, or a SaaS product with meaningful California adoption, can pass 100,000 California users or households without ever consciously noticing — and coverage attaches the moment it does.
Here is the part worth internalizing: even when the strict CCPA thresholds don’t apply to you, an accurate privacy policy is still expected by your payment processors, ad platforms, and app stores, and an inaccurate one can still support a deceptive-practices claim or a tracking-based lawsuit. “We’re under the threshold” is not the same as “we have no privacy obligations.” It never is.
How the Three States Compare: California, Texas & Arizona
This is where our three-state footprint gives us a useful vantage point, because the differences between California, Texas, and Arizona are larger than most business owners assume — and the interplay between them is what determines your real obligations. Here is the side-by-side:
| | California (CCPA/CPRA) | Texas (TDPSA) | Arizona |
|---|---|---|---|
| Comprehensive privacy law? | Yes — the strictest in the U.S. | Yes — broad scope | No comprehensive law yet |
| Effective date | 2020; major 2023 & 2026 updates | July 1, 2024 | N/A (2026 bill introduced, not enacted) |
| Coverage threshold | Revenue over ~$26.6M (adjusted; $25M baseline), or 100,000+ residents, or 50%+ revenue from data | No revenue or volume threshold | No statute-specific threshold |
| Main exemption | Falls below all thresholds | SBA-defined small business (generally <500 employees) | — |
| Sensitive-data consent | Opt-out (opt-in for under-16 data) | Opt-in before collection; applies even to exempt small businesses that sell sensitive data | Genetic data only (narrow statute) |
| Honor browser opt-out (GPC)? | Yes, required | Yes, required since Jan 1, 2025 | Not required |
| Consumer lawsuits? | Limited private right of action | No private right of action (AG only) | Via Consumer Fraud Act (AG-led) |
| Cure period | Limited | 30 days, permanent (does not sunset) | — |
| Max penalty | Per-violation civil penalties + settlements | Up to $7,500 per violation | Consumer-fraud & breach penalties |
| Enforcer | CA Attorney General + CA Privacy Protection Agency | Texas Attorney General | Arizona Attorney General |
A few takeaways from that comparison are worth pulling out, because they run counter to what most people expect.
California: strict, and getting stricter
California is the reference point everyone knows, and for good reason. It has the most detailed requirements, the only dedicated privacy enforcement agency in the country (the California Privacy Protection Agency), a limited private right of action (tied principally to certain data breaches), and the 2026 regulations described above that keep raising the bar. If you design your compliance to satisfy California, you are usually most of the way to satisfying everywhere else. That is exactly why many multi-state businesses build one nationwide privacy program pegged to the strictest state that touches their customer base.
Texas: broader reach than California, in one key way
This surprises people: the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, is in one respect broader than California’s law. Unlike the CCPA, it has no revenue threshold and no consumer-count threshold. It applies to any business that operates in Texas or serves Texas residents and processes personal data — unless the business qualifies as a “small business” under the U.S. Small Business Administration definition (generally fewer than 500 employees).
But that small-business exemption has a sharp exception that closes it for many modern digital businesses: even an otherwise-exempt small business may not sell sensitive personal data without obtaining consumer consent. Since many websites collect sensitive categories — precise geolocation, health-related browsing, biometric signals — through third-party tools without realizing it, the exemption is narrower than it looks. Covered controllers must also provide a clear privacy notice, honor consumer rights and opt-outs, disclose any sale of data and targeted advertising, obtain consent before processing sensitive data, and conduct data-protection assessments for higher-risk processing such as targeted advertising, data sales, and certain profiling. Texas requires businesses to honor the Global Privacy Control, offers a permanent 30-day cure period, and caps penalties at $7,500 per violation. Enforcement is exclusively by the Texas Attorney General, who has become one of the most aggressive privacy enforcers in the country, securing settlements from large data collectors ranging from hundreds of millions to billions of dollars. There is, notably, no private right of action in Texas — so the litigation risk profile is different from California’s, but the regulatory risk is very real.
Arizona: no comprehensive law — which does not mean no risk
Arizona has not yet enacted a comprehensive consumer privacy statute. A bill was introduced in the 2026 legislative session, but it had not become law as of this writing. It would be a mistake, though, to read that as “Arizona businesses have no privacy obligations.” Arizona has a data-breach notification law (A.R.S. § 18-552), sector-specific statutes such as its Genetic Information Privacy Act, and a Consumer Fraud Act that the Attorney General has used against companies for deceptive data practices — including a notable action against a major technology company over location tracking.
More to the point for most of our Arizona clients: an Arizona ecommerce or SaaS business almost always serves customers in California and Texas. The moment it does, those states’ laws reach it. For an Arizona company selling nationwide, the practical compliance floor is set by California and Texas — not by Arizona’s lighter framework. Building only to Arizona’s current standard leaves you exposed everywhere your customers actually are.
The unifying lesson across all three states is simple and important: your customer base, not your headquarters, determines which laws apply to you. A Scottsdale-based SaaS company with users in Los Angeles and Dallas is subject to California and Texas law regardless of where its office sits. Most online businesses end up needing to satisfy the strictest law that touches any meaningful part of their audience.
What an Up-to-Date Policy Actually Needs to Cover
Without turning this into a compliance manual, a current and defensible privacy policy for an ecommerce or SaaS business generally needs to clearly and accurately address the following. The emphasis is on accurately — each item has to match what your website really does:
- The categories of personal information you collect, the sources you collect it from, and the business purposes for each — including analytics, advertising pixels, cookies, and anything captured at checkout or signup.
- The categories of third parties you share data with, and an honest determination of whether any of that sharing counts as a “sale” or as “sharing” for cross-context behavioral advertising under the applicable law.
- The consumer rights that apply — access, deletion, correction, opt-out of sale/sharing, and the right to limit use of sensitive information — along with a genuinely working method for consumers to exercise them.
- A visible, functioning opt-out path, including automatic recognition of Global Privacy Control signals where required, with confirmation to the user that their request was received and honored.
- How you handle data that may belong to minors, given California’s expanded 2026 definition of sensitive information and the child-data rules in other states.
- Your data retention practices, your security measures, and — deceptively important — a real “last updated” date and a description of how and when you revise the policy.
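The opt-out mechanics called for above (in the 2026 section: recognize a valid Global Privacy Control signal, apply it, and confirm it to the consumer; and in this checklist: a functioning opt-out path with confirmation), as an added example that is not part of the original article and not any vendor's or platform's code. It reads the signal from either transport the GPC specification defines, the `Sec-GPC: 1` request header on the server or `navigator.globalPrivacyControl` in the browser, withholds every tag the site has classified as a sale or sharing, and returns a confirmation string plus an audit record. The tag inventory and the `storedPreference` shape are constructed sample data; treating the header as authoritative over the browser property is a design choice of this example, not a rule from the page.

```javascript
// Added example, not code from the original article. Reads a Global Privacy Control
// signal from either transport the GPC specification defines:
//   - server side: request header "Sec-GPC: 1"
//   - browser side: navigator.globalPrivacyControl === true
// and treats it as an opt-out of sale/sharing, withholding the tags the site has
// classified as a "sale" or "sharing" (e.g. cross-context behavioral advertising)
// while leaving first-party analytics and service-provider tags untouched.
// The TAGS inventory below is constructed sample data; a real site would derive it
// from the data-flow inventory the article describes.

const TAGS = [
  { id: 'first-party-analytics', purpose: 'site analytics (first party)',           saleOrSharing: false },
  { id: 'retargeting-pixel',     purpose: 'cross-context behavioral advertising',    saleOrSharing: true  },
  { id: 'session-replay',        purpose: 'session replay sent to a third party',    saleOrSharing: true  },
  { id: 'fraud-screening',       purpose: 'checkout fraud check (service provider)', saleOrSharing: false },
];

// True when a valid GPC signal is present. In this example the header, when present,
// is authoritative (server-side decision); otherwise fall back to the browser property.
// Header names are matched case-insensitively and only the exact value "1" counts.
function gpcSignalled({ headers = {}, nav = {} } = {}) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return nav.globalPrivacyControl === true;
}

// Decide which tags may load for this request and build the confirmation the page
// shows so the consumer is not left guessing whether the opt-out was honored.
// storedPreference is a constructed shape ({ optOutOfSaleSharing: true }) standing in
// for an opt-out the consumer made earlier through the site's own opt-out link.
function applyOptOut(request, storedPreference = {}) {
  const viaGpc = gpcSignalled(request);
  const optedOut = viaGpc || storedPreference.optOutOfSaleSharing === true;
  const allowed = [];
  const withheld = [];
  for (const tag of TAGS) {
    (optedOut && tag.saleOrSharing ? withheld : allowed).push(tag.id);
  }
  const source = viaGpc ? 'gpc' : optedOut ? 'stored-preference' : 'none';
  const confirmation = optedOut
    ? `Your opt-out of sale/sharing was received${viaGpc ? ' via Global Privacy Control' : ''}` +
      ` and applied. ${withheld.length} advertising/sharing tag(s) were not loaded.`
    : 'No opt-out signal or preference on file; sale/sharing tags will load.';
  return { optedOut, source, allowed, withheld, confirmation };
}

// Evidence that the signal was both received and applied, suitable for the request
// log. It records only the decision, not any additional personal information.
function auditRecord(decision, timestamp = new Date().toISOString()) {
  return {
    ts: timestamp,
    event: 'opt-out-evaluated',
    signalSource: decision.source,
    honored: decision.optedOut,
    tagsWithheld: decision.withheld.slice(),
  };
}

// Stand-alone demonstration with a constructed request carrying the header.
const demo = applyOptOut({ headers: { 'Sec-GPC': '1' } });
console.log(demo.confirmation);
console.log(JSON.stringify(auditRecord(demo, '2026-01-01T00:00:00.000Z')));
```

The same `applyOptOut` decision should gate the actual tag loader; rendering the `confirmation` string and keeping the `auditRecord` output are what let you show, later, that a given signal was honored.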
The most common failure we see is not a missing clause. It is a policy that has silently fallen out of sync with the website. A business adds a new analytics platform, a retargeting pixel, a chat widget, a CRM integration, or a new payment vendor — each of which changes the data story — and the policy never catches up. That drift, accumulated over a couple of years, is exactly what an enforcement action or a plaintiff’s attorney seizes on.
Two Traps That Catch Ecommerce and SaaS Businesses
Before the practical steps, two recurring misunderstandings are worth calling out, because they trip up sophisticated founders as often as first-timers.
The vocabulary trap. Privacy statutes use ordinary words in extraordinary ways. Founders hear “sale” and picture handing a customer list to a data broker for cash — so they confidently write “we don’t sell your data.” But California separately regulates both “selling” and “sharing,” and “sharing” expressly reaches cross-context behavioral advertising — the ordinary retargeting pixels most online stores run. Texas defines a “sale” as disclosure for monetary or other valuable consideration, and separately regulates “targeted advertising.” The upshot: a business can trigger opt-out and disclosure duties through routine ad tech even though it never thinks of itself as selling anything. If your policy’s “we don’t sell data” line hasn’t been tested against these statutory definitions, it may already be inaccurate.
The role trap (especially for SaaS). Your obligations also depend on which role you play for a given set of data. Sometimes your company is the business or controller — you decide why and how personal information is processed. Other times you’re a processor or service provider handling data on your customer’s instructions. The two roles carry different duties, and your privacy policy, your data-processing addendum, your customer contracts, your subprocessor list, and your product’s telemetry settings all need to reflect the role you actually occupy. Role confusion is a common source of overbroad promises, missing disclosures, and contracts that contradict the public policy — exactly the kind of inconsistency that creates exposure.
A Practical Way to Bring Your Policy Current
You do not need to panic, and you do not need a forty-page document. You need a policy that is accurate, current, and consistent with your website’s actual behavior, scoped to the states whose laws apply to your customers. A sensible order of operations:
- Inventory reality first. List everything your site actually collects and everywhere data flows — every analytics tool, advertising pixel, cookie, embedded widget, form, and third-party vendor. Most businesses are surprised by how long this list is.
- Compare reality to the policy. Read your current policy against that inventory and note every gap, every outdated statement, and every practice that isn’t disclosed.
- Map your thresholds. Determine which states’ laws apply based on where your customers are and whether you cross any coverage thresholds — then plan to the strictest applicable standard.
- Update the policy, the opt-out mechanics, and the terms of service together, so all three tell one consistent story rather than three conflicting ones.
- Set a review cadence. Revisit the policy at least annually, and every single time you add a significant new tool, vendor, or data practice, or enter a new market.
Most of the exposure here comes from small, fixable gaps — a policy that predates your current advertising stack, a missing or non-functional opt-out, an undisclosed pixel, a “we don’t sell data” line that isn’t quite true anymore. Each is inexpensive to correct now and expensive to defend later. That asymmetry — cheap to fix, costly to ignore — is the whole reason this belongs on your near-term list rather than your someday list.
Legal framework. A privacy policy is a public-facing representation, and false, misleading, or materially incomplete disclosures can be actionable. At the federal level, the Federal Trade Commission has long treated deceptive privacy statements and notice failures as violations of Section 5 of the FTC Act. State consumer-protection (UDAP) statutes apply the same principle.
State authorities. California — the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.; covered-business thresholds at § 1798.140), plus the CPPA regulatory package on CCPA updates, cybersecurity audits, risk assessments, automated decision-making, and insurance, effective January 1, 2026. Tracking-technology litigation frequently arises under the California Invasion of Privacy Act (CIPA), separate from the CCPA. Texas — the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code ch. 541), effective July 1, 2024 (authorized-agent opt-out January 1, 2025), enforced exclusively by the Texas Attorney General with a 30-day cure period. Arizona — no comprehensive consumer-privacy statute; relevant law includes the Arizona Consumer Fraud Act (A.R.S. § 44-1522), the state data-breach notification statute (A.R.S. § 18-552), and applicable federal and sectoral rules. Thresholds, penalties, and specific requirements depend on your data practices and which states’ laws reach your customers; details here are current as of publication and subject to regulatory change.
This article is for general informational purposes only and does not constitute legal advice. Privacy obligations vary based on a business’s data practices, location, customers, vendors, and regulatory status. You should consult qualified counsel before relying on this information for a specific business or compliance decision.
Frequently Asked Questions
Almost certainly yes — and not only because of state law. Even if you fall below California’s CCPA thresholds, your payment processor, ad platforms, and app stores all require an accurate privacy policy, and Texas’s law has no revenue or volume threshold at all. A missing or inaccurate policy can also support a deceptive-practices claim regardless of your size. For practical purposes, if you have a website that collects any visitor data, you need a real policy.
Often, yes. The CCPA can apply to a business located anywhere if it does business in California, handles California residents’ personal information, and meets one of the coverage thresholds. Because California is the largest U.S. market, most online businesses can’t practically exclude it. Your customer base, not your headquarters, drives which laws apply — so an Arizona or Texas company with California users is frequently subject to California’s rules.
A for-profit business doing business in California is generally covered if it meets any one of three thresholds: gross annual revenue over roughly $26.6 million (adjusted for inflation); buying, selling, or sharing the personal information of 100,000 or more California consumers or households per year; or deriving 50% or more of annual revenue from selling or sharing personal information. Note that the revenue figure is total gross revenue, not just California revenue.
The biggest difference is scope. Texas’s TDPSA has no revenue or consumer-count threshold — it applies to most businesses serving Texas residents unless they qualify as an SBA-defined small business (generally under 500 employees). Even exempt small businesses, however, cannot sell sensitive personal data without consent. Texas has no private right of action (only the Attorney General enforces), offers a permanent 30-day cure period, and caps penalties at $7,500 per violation. In short: broader coverage than California, but a different, AG-driven enforcement profile.
Not a comprehensive one, as of this writing. A consumer privacy bill was introduced in Arizona’s 2026 session but had not become law. Arizona does have a data-breach notification statute (A.R.S. § 18-552), a Genetic Information Privacy Act, and a Consumer Fraud Act the Attorney General has used against deceptive data practices. Importantly, most Arizona online businesses serve California and Texas customers, so those stricter laws typically reach them regardless of Arizona’s lighter framework.
New CCPA/CPRA regulations took effect January 1, 2026. Key changes for ecommerce and SaaS: minors’ data carries heightened consent requirements and increased penalties; California continues to prioritize honoring browser Global Privacy Control opt-out signals; the “right to know” look-back expanded beyond 12 months; and new risk-assessment, cybersecurity-audit, and automated-decision-making obligations phase in for larger or higher-risk operators.
Because a privacy policy is a public statement about your data practices, an inaccurate one can be treated as misleading. That exposes you to regulatory penalties, consumer or class-action claims (including tracking- and wiretapping-based theories), payment-processor or platform account holds, and problems during investor or acquisition due diligence. None of these require a data breach — they flow from the gap between what your policy says and what your site does. The most common trigger is simple drift: the policy no longer matches the analytics, pixels, and vendors your site actually uses.
A generator can be a starting point, but the danger is that a generic policy describes generic practices — not yours. If the template says you don’t sell data while your ad pixels share it, or it omits tracking you actually run, that mismatch is precisely the problem regulators and plaintiffs look for. The value isn’t the boilerplate; it’s making the policy accurately reflect your specific data flows and the states whose laws apply to you.
At least once a year, and any time you make a material change — adding a new analytics tool, advertising pixel, chat widget, CRM, or data vendor, changing your checkout flow, or entering a new market. Privacy law is also still evolving across states, so a policy that was compliant a year or two ago may already be behind. A good habit is to pair the review with something you already do annually, so it doesn’t get forgotten.