10 Reasons CPPA Enforcement Is Getting Stronger and What Businesses Should Do

Published Mar 30, 2026

If your business collects data from California residents, the regulatory environment you're operating in today looks meaningfully different from two years ago. CalPrivacy — the chosen name of the California Privacy Protection Agency (CPPA) — has acquired new enforcement tools, new legal authority, and new allies across nine states, all at the same time. This article breaks down the ten structural forces driving that expansion and what they mean for how businesses need to approach compliance.

At a glance

  • CPPA enforcement is not temporary, it’s structural. An operational Audits Division, automated detection capabilities, and a nine-state coalition are all expanding enforcement capacity at once, with no sign of slowing through 2028.
  • Investigations can open without a consumer complaint. Automated scanning of public-facing websites identifies GPC non-compliance, dark patterns, and broken opt-outs — meaning businesses may be under scrutiny before receiving any notice.
  • New legal obligations arrived in 2026. Privacy risk assessments, annual cybersecurity audits, and rules governing automated decision-making are now in force. Businesses that were compliant in 2024 may not meet 2026 standards.
  • The 2028 submission deadline creates an enforcement tool. Executive-certified attestations will give CalPrivacy a structured, economy-wide compliance map — and a ready-made source of investigative leads.
  • Self-remediation no longer shields against penalties. The PlayOn Sports settlement confirmed that identifying and fixing violations before agency contact does not prevent significant fines.
  • Compliance now requires continuous operational discipline. Documented risk assessments, consent records, and audit-ready logs aren’t aspirational best practices — they’re what investigators will ask for.

1. The Historical CPPA Enforcement Backlog Is Being Actively Resolved

CalPrivacy’s Enforcement Division only gained formal authority in July 2023, even though the California Consumer Privacy Act (CCPA) has been in effect since January 2020. That gap left more than three years of potential violations that weren’t necessarily extinguished by the agency’s prior limitations.

That gap is now being tested. When CalPrivacy investigated Tractor Supply in 2024, it pulled records back to 2020, and Tractor Supply accepted the agency's authority to do so. For businesses that treated pre-enforcement-era conduct as untouchable, that precedent changes the calculation.

Between July 2023 and September 2025, CalPrivacy received 8,265 consumer complaints, roughly 150 per week, according to CalPrivacy's 2025 Annual Report. By early 2026, the agency had more than 100 active investigations running simultaneously, and many of the businesses under examination were unaware that an investigation had begun.

2. A New CPPA Audits Division Means Proactive Scrutiny Across Every Sector

Until February 2026, the CPRA's audit mandate, which was written into law when voters passed Proposition 24 in 2020, had never been operationalized. That changed when CalPrivacy appointed Sabrina Boyson Ross as inaugural Chief Privacy Auditor and started ramping up a dedicated Audits Division.

What the Audits Division adds to the enforcement picture:

Examination without a trigger

The Enforcement Division responds primarily to complaints and reported incidents. The Audits Division is not bound by either. It can open an examination of any CCPA-covered business based on sector risk, its own research, or regulatory priority alone.

Technical scrutiny

Ross's prior experience at Meta points to a methodology focused on how systems actually work — data flows, technical configurations, and system architecture — rather than whether policy documents say the right things. That's where most compliance failures come from.

A path to enforcement

An audit is not a parallel track. Findings can be referred directly to the Enforcement Division, making an audit an early stage of the same process that ends with fines and remediation orders.

Expanding reach

The division is actively hiring. More staff means more simultaneous examinations across more industries, a capacity that will only grow.

CalPrivacy has been clear that the Audits Division is not purely punitive. The 2025 Annual Report signals an intention to engage businesses directly through stakeholder meetings, plain-language guidance, and webinars, while the Enforcement Division continues issuing advisories to indicate where scrutiny is headed.

3. CPPA's 2026 Ruleset Adds Risk Assessments, Cybersecurity Audits, and ADMT Rules

January 1, 2026 marked the largest single expansion of CCPA obligations since the law took effect. Three new requirement categories are now in force, and businesses that were fully compliant two years ago may not be today.

Privacy Risk Assessments

Before starting any new high-risk processing activity, businesses must now complete and document a formal risk assessment. For processing already underway, assessments must be finished by December 31, 2027. The threshold is triggered by:

  • Selling or sharing personal information
  • Processing sensitive data
  • Using automated decision-making for significant decisions
  • Training AI systems on personal data

CalPrivacy has made clear it won't wait for the 2028 submission deadline to start asking questions. The agency signaled it would request risk assessments during active investigations as early as 2026.

The March 2026 PlayOn Sports settlement reinforced that: a mandatory risk assessment was included as a remedial condition, confirming the agency treats this as an enforcement tool now, not a future compliance milestone.

Cybersecurity Audits

Businesses whose data processing presents significant risk to California consumers must now commission annual independent cybersecurity audits covering 18 specified technical and organizational components [Cal. Code Regs. tit. 11, § 7123(b-c)]. 

The audit must be conducted by a qualified independent professional. Its findings must be certified annually by a member of executive management under penalty of perjury. Nothing in the prior CCPA framework required anything comparable.

Automated Decision-Making Technology (ADMT)

AI and automated systems that make significant decisions about consumers in areas like employment, housing, credit, education, or healthcare are subject to new notice and opt-out requirements from January 1, 2027. Risk assessment obligations for those same systems are already in effect.

The definition of ADMT is deliberately broad. Machine learning models, rule-based scoring systems, and analytics tools that materially shape decisions about individuals all fall within scope, regardless of whether the business labels them "AI."

4. The 2028 CPPA Deadline Will Hand Regulators an Economy-Wide List of Investigative Leads

The April 1, 2028 deadline is where years of accumulated compliance obligations converge into a single structured disclosure.

Three categories of submission will be required:

1. Executive-certified attestations confirming that risk assessments were conducted for all qualifying processing activities in 2026 and 2027

2. Summary information from those assessments, signed by a senior executive with direct compliance responsibility

3. Annual cybersecurity audit certifications on a staggered schedule: large businesses from 2028, mid-size from 2029, smaller businesses from 2030 (all signed under penalty of perjury)

What makes this consequential is not the paperwork but rather what the submissions create. For the first time, CalPrivacy will hold a structured, economy-wide picture of compliance across every sector in California — a state whose economy ranks among the four or five largest in the world by most measures.

That picture will be read carefully. Submissions that reveal gaps or make claims the agency has reason to question become ready-made grounds for an audit referral. And executives who sign off on compliance attestations that don't hold up face personal liability for false certification, not just corporate exposure.

The 2028 submission cycle is, in effect, the Audits Division's most powerful investigative tool. It hasn't launched yet, but businesses are already generating the underlying records that it will be scrutinizing.

5. DROP Is In Force and Complaint Volumes Are Rising

Before the Delete Request and Opt-Out Platform (DROP) was launched, a California resident wanting to remove their personal information from data broker databases had to contact each one individually. That process could involve hundreds of separate requests. DROP, which launched January 1, 2026, collapses that into a single submission covering all 500-plus registered data brokers at once.

Adoption has been rapid. More than 217,000 California residents enrolled within the first two months. CalPrivacy Executive Director Tom Kemp has said publicly that he expects complaint volume to climb as the platform's user base grows, and the trajectory so far gives little reason to doubt that.

The platform has two enforcement-relevant phases. DROP launched for consumers on January 1, 2026. The obligation for data brokers to actually process and fulfill the deletion requests it generates kicks in on August 1, 2026. After that date, non-fulfillment triggers immediate enforcement exposure. There is no cure period.

The penalty structure is designed to compound quickly. Each unprocessed deletion request carries a USD 200-per-day fine. Brokers also face a separate USD 200-per-day penalty for any registration lapse. For a broker managing tens of thousands of consumer records, those figures accumulate fast.

What DROP ultimately creates is a permanent, consumer-powered audit mechanism for data broker compliance. Every enrolled resident is an ongoing check on whether brokers are honoring their obligations. Every unfulfilled request is a potential enforcement referral. The platform finances itself through the same registration fees that data brokers are already required to pay.

6. CPPA Automated Detection Is Expanding Investigation Capacity

Most regulatory enforcement starts with a complaint. A consumer files one, the agency reviews it, and an investigation may follow. But CalPrivacy has built a parallel track that doesn't require any of that.

The agency's dedicated technology team conducts its own independent research into privacy harms and data flows. This is entirely separate from complaint intake. Using automated scanning of public-facing websites and applications, it can assess non-compliance at scale across four areas in particular:

  • GPC signal recognition: whether sites are correctly processing Global Privacy Control opt-out signals
  • Opt-out mechanism functionality: whether the mechanisms businesses provide actually work
  • Dark patterns: design choices in consent interfaces that nudge or manipulate users away from privacy-protective choices
  • Consent banner behavior: whether banners meet CCPA requirements for symmetry and clarity
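As an added illustration (not code from the original post), the following Node.js model shows what correctly processing a GPC signal, the first item on that list, looks like from the site's side. It relies on the two forms the GPC specification defines, the `Sec-GPC: 1` request header and the browser property `navigator.globalPrivacyControl`; the consent-record shape and the `selfCheck()` probe are constructed for this example.

```javascript
// Added example, not from the original post: a minimal model of a site
// correctly processing Global Privacy Control (GPC) opt-out signals.
// GPC arrives as the request header "Sec-GPC: 1" and, in the browser, as
// navigator.globalPrivacyControl === true. Under the CCPA the signal must be
// honored as an opt-out of sale/sharing without further action by the user.
// The consent-record shape and the selfCheck() probe are constructed here.

// True only for the exact value the GPC spec defines ("1"); any other value
// is treated as no signal. Header names are compared case-insensitively.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Browser-side equivalent. Takes a navigator-like object so it can be
// exercised outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// One consent record per browser/session (constructed shape).
function newConsentRecord() {
  return { saleSharingOptOut: false, source: null, history: [] };
}

// Apply an incoming request. GPC may only tighten the record: a later
// request without the header never silently re-enables sale/sharing.
function applyRequest(record, headers, at) {
  if (gpcSignalPresent(headers) && !record.saleSharingOptOut) {
    record.saleSharingOptOut = true;
    record.source = "gpc";
    record.history.push({ at, event: "opt-out of sale/sharing via GPC" });
  }
  return record;
}

// Gate for any action that sells or shares data (e.g. loading an ad-tech tag).
function maySellOrShare(record) {
  return !record.saleSharingOptOut;
}

// Body served at /.well-known/gpc.json so scanners can see the site's claim.
function gpcWellKnownDocument(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Self-check mirroring an automated probe: one request carrying Sec-GPC: 1,
// then one without. The opt-out must be applied once and must persist.
function selfCheck() {
  const record = newConsentRecord();
  applyRequest(record, { "Sec-GPC": "1", "user-agent": "probe" }, "2026-03-01T10:00:00Z");
  applyRequest(record, { "user-agent": "probe" }, "2026-03-01T10:05:00Z");
  return {
    honored: !maySellOrShare(record),
    persisted: record.saleSharingOptOut && record.history.length === 1,
    source: record.source,
  };
}
```

The timestamped `history` entries are the kind of consent record an investigator would ask for when checking whether a signal was honored and when.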

7. One CPPA Investigation Can Now Trigger Enforcement Across Nine States

In April 2025, nine state privacy regulators formalized something that had previously been ad hoc: a coordinated, cross-jurisdictional enforcement coalition.

Established by a memorandum of understanding, the Consortium of Privacy Regulators brings together CalPrivacy and California’s Attorney General alongside regulators from Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon.

The consortium's structure enables member regulators to share investigative findings, align on enforcement priorities, build collective expertise on technically complex data practices, and bring joint actions where warranted. For businesses, the implications go well beyond California:

  • Resolving a privacy violation with CalPrivacy does not close the matter in other consortium states. The same conduct can be investigated and penalized independently by any member.
  • Evidence developed in one state's investigation is available to inform parallel or subsequent investigations by others.
  • A CalPrivacy investigation can become a nine-state investigation without any additional triggering event.
  • The consortium's coordinated priorities — GPC compliance, data broker registration, children's data, and dark patterns — mean businesses face a unified enforcement agenda, not nine separate ones.

The closest historical analogy is the wave of multistate data breach enforcement coalitions that took shape in the 2010s. Those coalitions reshaped how corporations approached data security investment, producing landmark settlements and establishing cross-state enforcement as a standard feature of the regulatory landscape. Privacy law enforcement appears to be following the same trajectory.

8. Proposed Whistleblower Legislation Would Open CPPA Enforcement from Within Businesses

CalPrivacy's existing enforcement tools (automated scanning, consumer complaints, and audit authority) all operate from the outside looking in.

AB 2021, legislation introduced in February 2026, would add a fundamentally different mechanism: enforcement intelligence sourced from inside the organizations being regulated.

Modeled on the SEC whistleblower program, the bill would establish:

  • Financial awards of 15–33 percent of collected fines or settlement proceeds for verified reports
  • The ability to file anonymously through legal counsel
  • Anti-retaliation protections for employees and contractors who come forward
  • A standalone civil cause of action for anyone who faces retaliation for reporting

The significance of that last point shouldn't be underestimated. Internal privacy violations, such as decisions made in meetings, configurations set by engineers, or policies quietly deprioritized under cost pressure, are largely invisible to external regulators.

AB 2021 would give people with direct knowledge of those decisions a meaningful financial incentive to report them, and a legal backstop if their employer retaliates.

The SEC program offers a useful benchmark for what that could mean in practice. Since its introduction, it has generated some of the largest and most consequential enforcement actions in the history of financial regulation. Not because regulators got better at detecting violations from the outside, but because insiders started bringing the evidence directly to them.

9. Deterrence Approach: Fixing a CPPA Violation Before Contact No Longer Guarantees a Reduced Fine

For much of CalPrivacy's short enforcement history, the implicit understanding was that businesses that identified and fixed their own compliance issues before the agency came calling would receive some credit for doing so. The PlayOn Sports settlement ended that assumption.

PlayOn had found and remediated its compliance failures in December 2024, months before CalPrivacy made contact. The agency imposed a USD 1.1 million penalty regardless. Its public statements left little ambiguity about why: The fine was intended to send a message to an entire industry, not just to correct one company's behavior.

Several things follow from that shift, and businesses across sectors should take note:

Self-remediation is no longer a reliable mitigant

Fixing violations before agency contact may still be the right thing to do operationally, but it does not insulate a business from significant penalties.

Penalty size reflects deterrence objectives, not violation cost

Fines are calibrated to produce industry-wide behavioral change, which means they will often exceed what the specific violation would seem to warrant.

Enforcement targets are chosen for their signaling value

PlayOn put the schools and youth sports sector on notice; Tractor Supply addressed rural retail; Honda addressed automotive; and the Attorney General’s case against Disney addressed entertainment. Actions reached entire industries through a single case.

The "captive audience" doctrine travels

CalPrivacy's enforcement position in PlayOn — that users who had no meaningful alternative deserved heightened protection — applies directly to subscription platforms, workplace tools, ticketing services, and any other context where opting out is genuinely difficult.

10. 4 CPPA Rulemaking Areas Will Add New Obligations Through 2027 and Beyond

The ten forces described in this article represent the current state of CPPA enforcement. Rulemaking underway at CalPrivacy will expand that picture further in at least four areas, with a fifth possible depending on what the undisclosed fourth rulemaking covers.

The three confirmed areas:

1. Employee and contractor data

CCPA protections for job applicants, employees, and contractors have long been treated as a lower-compliance-burden category. Upcoming rulemaking will challenge that assumption, clarifying and potentially expanding what businesses must do to protect employment-related personal information.

2. Privacy policy standards

Readability, accuracy, and completeness requirements are all under review. A policy that passed muster in 2024 may not satisfy what CalPrivacy finalizes for 2026 or 2027, and outdated privacy policies have already featured in enforcement actions.

3. Opt-out preference signals

CalPrivacy is moving to codify and expand the obligation to recognize and honor browser-level opt-out signals, including GPC. What is currently a compliance expectation enforced through investigations will become a formal, auditable regulatory requirement.

A fourth rulemaking area has been confirmed but not yet publicly described. Its scope and timeline remain unknown.

Each package that emerges from this process adds new obligations, creates new standards against which audits will measure businesses, and opens new grounds for enforcement action. The rulemaking calendar is, in effect, a forward-looking list of future compliance gaps for businesses that aren't tracking it.

What Businesses Need to Do as CPPA Enforcement Continues to Escalate

The enforcement pressure building at CalPrivacy is structural, not cyclical. Each mechanism described above adds capacity that persists and compounds over time; each new body of regulation creates new categories of potential violation.

The table below summarizes how enforcement pressure is likely to evolve:

Timeframe        Important Initiatives
2026             - Historical enforcement backlog under active review
                 - Audits Division hiring and building examination capacity
                 - August 1 DROP processing deadline for data brokers
                 - January 2026 regulations (risk assessments, cybersecurity audits, ADMT) now in force
                 - Automated detection sweeps ongoing
2026–2027        - Growing consumer participation in DROP driving complaint volume up
                 - ADMT notice and opt-out requirements take effect January 1, 2027
                 - Consortium joint investigations expanding in scope and frequency
                 - AB 2021 whistleblower legislation moving through legislature
                 - Rulemaking packages on employee data, privacy policies, and GPC being finalized
2028 and beyond  - April 2028 submission deadline: executive-certified risk assessment attestations and cybersecurity audit certifications due
                 - Audits Division has a structured, economy-wide compliance picture for the first time
                 - Annual submission and examination cycles begin
Ongoing          - DROP enrollment and complaint volume continuing to grow
                 - Automated scanning capacity expanding
                 - Nine-state consortium making multi-state enforcement routine
                 - Penalty levels rising as deterrence-focused approach embeds across enforcement actions

These ten forces are not operating independently; they are compounding. Each new regulation creates new audit criteria. Each audit finding feeds into the enforcement pipeline. Each new consortium member multiplies the jurisdictional reach of any single investigation.

Businesses that treat CCPA compliance as a periodic exercise are already operating at a structural disadvantage, and that gap will widen as the 2028 submission cycle approaches.

Cookiebot by Usercentrics helps businesses maintain the consent records, documented opt-out flows, and consent management infrastructure that regulators will expect to see. Having systems in place that can demonstrate compliance rather than just aspiring to it is increasingly a baseline requirement, not a competitive differentiator.

Frequently asked questions

What is the CPPA currently prioritizing for enforcement?

CalPrivacy's current focus areas, based on public actions and active scanning:

  • GPC compliance
  • Data broker registration and DROP compliance
  • Dark patterns in consent interfaces
  • Children's and students' data
  • Automated decision-making systems

How does the CPPA open an enforcement investigation?

CPPA enforcement investigations are initiated in three ways:

  • Consumer complaint
  • Audits Division referral
  • Proactive detection by the agency's own technology team

The third one requires no external trigger. CalPrivacy scans public-facing websites autonomously for GPC non-compliance, broken opt-out mechanisms, and dark patterns. A business can be under active investigation without having received any contact from the agency.

If a business fixes a privacy violation before the CPPA makes contact, does that prevent a fine?

Not necessarily. The March 2026 PlayOn Sports settlement is the controlling precedent. CalPrivacy imposed a USD 1.1 million penalty on a company that had self-identified and remediated its violations months before agency contact. The agency's stated position is that enforcement is calibrated for industry-wide deterrence. Prior remediation does not function as a penalty shield.

Which businesses are required to complete annual cybersecurity audits under the CCPA?

Businesses that are required to complete annual cybersecurity audits are those with data processing that presents significant risk to California consumers, specifically:

  • Deriving 50 percent or more of annual revenue from selling or sharing personal information
  • Processing personal information of more than 250,000 consumers or households, or
  • Processing sensitive personal information of more than 50,000 consumers

Audits must cover 18 specified technical and organizational components and be certified annually by executive management under penalty of perjury.

What do businesses need to submit to the CPPA by April 2028?

Two categories: executive-certified attestations confirming that required risk assessments were completed for 2026 and 2027 processing activities, and cybersecurity audit certifications on a staggered schedule (businesses with USD 100M+ revenue first in 2028, mid-size in 2029, smaller businesses in 2030), all signed under penalty of perjury.

The submissions will give CalPrivacy the first structured, economy-wide compliance picture across California, and gaps or implausible claims become direct grounds for audit examination or enforcement referral.

What is the Consortium of Privacy Regulators, and which states are members?

A formal nine-state enforcement coalition established by memorandum of understanding in April 2025. Members are California (CalPrivacy and the state AG), Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon.

Member regulators coordinate investigations, align priorities, and can bring joint actions. For any business under CalPrivacy scrutiny, the investigation can expand to all nine states simultaneously. Settling with one member does not resolve exposure in the others.