{"id":21027,"date":"2026-03-30T17:27:08","date_gmt":"2026-03-30T15:27:08","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?p=21027"},"modified":"2026-04-09T18:45:34","modified_gmt":"2026-04-09T16:45:34","slug":"escalating-cppa-enforcement","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/en\/escalating-cppa-enforcement\/","title":{"rendered":"10 Reasons CPPA Enforcement Is Getting Stronger and What Businesses Should Do"},"content":{"rendered":"\n<p>If your business collects data from California residents, the regulatory environment you're operating in today looks meaningfully different from two years ago. CalPrivacy \u2014 the chosen name of the California Privacy Protection Agency (CPPA) \u2014 has acquired new enforcement tools, new legal authority, and new allies across nine states, all at the same time. This article breaks down the ten structural forces driving that expansion and what they mean for how businesses need to approach compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-at-a-glance\">At a glance<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CPPA enforcement is not temporary, it\u2019s structural.<\/strong> An operational Audits Division, automated detection capabilities, and a nine-state coalition are all expanding enforcement capacity at once, with no sign of slowing through 2028.<\/li>\n\n\n\n<li><strong>Investigations can open without a consumer complaint.<\/strong> Automated scanning of public-facing websites identifies GPC non-compliance, dark patterns, and broken opt-outs \u2014 meaning businesses may be under scrutiny before receiving any notice.<\/li>\n\n\n\n<li><strong>New legal obligations arrived in 2026.<\/strong> Privacy risk assessments, annual cybersecurity audits, and rules governing automated decision-making are now in force. 
Businesses that were compliant in 2024 may not meet 2026 standards.<\/li>\n\n\n\n<li><strong>The 2028 submission deadline creates an enforcement tool.<\/strong> Executive-certified attestations will give CalPrivacy a structured, economy-wide compliance map \u2014 and a ready-made source of investigative leads.<\/li>\n\n\n\n<li><strong>Self-remediation no longer shields against penalties.<\/strong> The PlayOn Sports settlement confirmed that identifying and fixing violations before agency contact does not prevent significant fines.<\/li>\n\n\n\n<li><strong>Compliance now requires continuous operational discipline.<\/strong> Documented risk assessments, consent records, and audit-ready logs aren\u2019t aspirational best practices \u2014 they\u2019re what investigators will ask for.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-1-the-historical-cppa-enforcement-backlog-is-being-actively-resolved\">1. The Historical CPPA Enforcement Backlog Is Being Actively Resolved<\/h2>\n\n\n\n<p>CalPrivacy\u2019s Enforcement Division only gained formal authority in July 2023, even though the <a href=\"https:\/\/www.cookiebot.com\/en\/what-is-ccpa\/\" target=\"_blank\" rel=\"noreferrer noopener\">California Consumer Privacy Act (CCPA)<\/a> has been in effect since January 2020. That gap left more than three years of potential violations that weren\u2019t necessarily extinguished by the agency\u2019s prior limitations.<\/p>\n\n\n\n<p>That gap is now being tested. When <a href=\"https:\/\/cppa.ca.gov\/announcements\/2025\/20250930.html\" target=\"_blank\" rel=\"noreferrer noopener\">CalPrivacy investigated Tractor Supply<\/a> in 2024, it pulled records back to 2020, and Tractor Supply accepted the agency's authority to do so. 
For businesses that treated pre-enforcement-era conduct as untouchable, that precedent changes the calculation.<\/p>\n\n\n\n<p>Between July 2023 and September 2025, CalPrivacy received 8,265 consumer complaints, roughly 150 per week, per <a href=\"https:\/\/cppa.ca.gov\/pdf\/2025_annual_report.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">CalPrivacy\u2019s 2025 Annual Report<\/a>. By early 2026, the agency had more than 100 active investigations running simultaneously, with many businesses under examination unaware it had begun.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-2-a-new-cppa-audits-division-means-proactive-scrutiny-across-every-sector\">2. A New CPPA Audits Division Means Proactive Scrutiny Across Every Sector<\/h2>\n\n\n\n<p>Until February 2026, the <a href=\"https:\/\/www.cookiebot.com\/en\/cpra\/\" target=\"_blank\" rel=\"noreferrer noopener\">CPRA<\/a>'s audit mandate, which was written into law when voters passed Proposition 24 in 2020, had never been operationalized. 
That changed when CalPrivacy appointed Sabrina Boyson Ross as inaugural Chief Privacy Auditor and started ramping up a dedicated <a href=\"https:\/\/privacy.ca.gov\/2026\/02\/california-privacy-protection-agency-names-sabrina-boyson-ross-as-chief-auditor\/\" target=\"_blank\" rel=\"noreferrer noopener\">Audits Division<\/a>.\u00a0<\/p>\n\n\n\n<p>What the Audits Division adds to the enforcement picture:<\/p>\n\n\n\n<div class=\"cb-article-list-timeline cb-article-list-timeline--empty-header cb-article-list-timeline--no-image cb-ctx--base\" style=\"\" data-manual-enabling=\"false\" style=\"--items-count: 4\">\n        <div class=\"cb-article-list-timeline__list\">\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>The Enforcement Division responds primarily to complaints and reported incidents. The Audits Division is not bound by either. 
It can open an examination of any CCPA-covered business based on sector risk, its own research, or regulatory priority alone.<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>Ross's prior experience at Meta points to a methodology focused on how systems actually work \u2014 data flows, technical configurations, and system architecture \u2014 rather than whether policy documents say the right things. 
That's where most compliance failures come from.<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>An audit is not a parallel track. Findings can be referred directly to the Enforcement Division, making an audit an early stage of the same process that ends with fines and remediation orders.<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item cb-article-list-timeline__item--last\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div 
class=\"cb-article-list-timeline__item-description\">\n                        <p>The division is actively hiring. More staff means more simultaneous examinations across more industries, which is a capacity that will only grow.<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <\/div>\n<\/div>\n\n\n\n<p>CalPrivacy has been clear that the Audits Division is not purely punitive. The 2025 Annual Report signals an intention to engage businesses directly through stakeholder meetings, plain-language guidance, and webinars, while the Enforcement Division continues issuing advisories to indicate where scrutiny is headed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-3-cppa-s-2026-ruleset-adds-risk-assessments-cybersecurity-audits-and-admt-rules\">3. CPPA's 2026 Ruleset Adds Risk Assessments, Cybersecurity Audits, and ADMT Rules<\/h2>\n\n\n\n<p>January 1, 2026 marked the largest single expansion of CCPA obligations since the law took effect. Three new requirement categories are now in force, and businesses that were fully compliant two years ago may not be today.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-privacy-risk-assessments\">Privacy Risk Assessments<\/h3>\n\n\n\n<p>Before starting any new high-risk processing activity, businesses must now complete and document a formal risk assessment. For processing already underway, assessments must be finished by December 31, 2027. 
The threshold is triggered by:<\/p>\n\n\n\n<div class=\"cb-article-list-timeline cb-article-list-timeline--empty-header cb-article-list-timeline--no-image cb-ctx--base\" style=\"\" data-manual-enabling=\"false\" style=\"--items-count: 4\">\n        <div class=\"cb-article-list-timeline__list\">\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>Selling or sharing personal information<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n       
                 <p>Processing sensitive data<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>Using automated decision-making for significant decisions<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item cb-article-list-timeline__item--last\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>Training AI systems on personal data<\/p>\n                    <\/div>\n                
<\/div>\n            <\/div>\n                    <\/div>\n<\/div>\n\n\n\n<p>CalPrivacy has made clear it won't wait for the 2028 submission deadline to start asking questions. The agency signaled it would request risk assessments during active investigations as early as 2026.&nbsp;<\/p>\n\n\n\n<p>The March 2026 <a href=\"https:\/\/privacy.ca.gov\/2026\/03\/youth-sports-media-company-to-pay-1-1-million-fine-change-practices-over-privacy-violations\/\" target=\"_blank\" rel=\"noreferrer noopener\">PlayOn Sports settlement<\/a> reinforced that: A mandatory risk assessment was included as a remedial condition, confirming the agency treats this as an enforcement tool now, not a future compliance milestone.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-cybersecurity-audits\">Cybersecurity Audits<\/h3>\n\n\n\n<p>Businesses whose data processing presents significant risk to California consumers must now commission annual independent cybersecurity audits covering 18 specified technical and organizational components [<a href=\"https:\/\/cppa.ca.gov\/regulations\/pdf\/ccpa_updates_cyber_risk_admt_appr_text.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Cal. Code Regs. tit. 11, \u00a7 7123(b-c)<\/a>].&nbsp;<\/p>\n\n\n\n<p>The audit must be conducted by a qualified independent professional. Its findings must be certified annually by a member of executive management under penalty of perjury. Nothing in the prior CCPA framework required anything comparable.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-automated-decision-making-technology-admt\">Automated Decision-Making Technology (ADMT)<\/h3>\n\n\n\n<p>AI and automated systems that make significant decisions about consumers in areas like employment, housing, credit, education, or healthcare are subject to new notice and opt-out requirements from January 1, 2027. Risk assessment obligations for those same systems are already in effect.<\/p>\n\n\n\n<p>The definition of ADMT is deliberately broad. 
Machine learning models, rule-based scoring systems, and analytics tools that materially shape decisions about individuals all fall within scope, regardless of whether the business labels them \"AI.\"<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-4-the-2028-cppa-deadline-will-hand-regulators-an-economy-wide-list-of-investigative-leads\">4. The 2028 CPPA Deadline Will Hand Regulators an Economy-Wide List of Investigative Leads<\/h2>\n\n\n\n<p>The April 1, 2028 deadline is where years of accumulated compliance obligations converge into a single structured disclosure.&nbsp;<\/p>\n\n\n\n<p>Three categories of submission will be required:<\/p>\n\n\n\n<div class=\"cb-article-list-timeline cb-article-list-timeline--empty-header cb-article-list-timeline--no-image cb-ctx--base\" style=\"\" data-manual-enabling=\"false\" style=\"--items-count: 3\">\n        <div class=\"cb-article-list-timeline__list\">\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet \">\n                        1                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><strong>Executive-certified attestations<\/strong> confirming that risk assessments were conducted for all qualifying processing activities in 2026 and 2027<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet \">\n                        2                    <\/div>\n                <\/div>\n\n                <div 
class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><strong>Summary information from those assessments<\/strong>, signed by a senior executive with direct compliance responsibility<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item cb-article-list-timeline__item--last\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet \">\n                        3                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><strong>Annual cybersecurity audit certifications<\/strong> on a staggered schedule: large businesses from 2028, mid-size from 2029, smaller businesses from 2030 (all signed under penalty of perjury)<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <\/div>\n<\/div>\n\n\n\n<div class=\"cb-spacer\" style=\"--cb-height--d:40px;;--cb-height--t:40px;;--cb-height--m:40px;\">\n<\/div>\n\n\n\n<p>What makes this consequential is not the paperwork but rather what the submissions create. For the first time, CalPrivacy will hold a structured, economy-wide picture of compliance across every sector in California \u2014 a state whose economy ranks among the four or five largest in the world by most measures.<\/p>\n\n\n\n<p>That picture will be read carefully. Submissions that reveal gaps or make claims the agency has reason to question become ready-made grounds for an audit referral. 
And executives who sign off on compliance attestations that don't hold up face personal liability for false certification, not just corporate exposure.<\/p>\n\n\n\n<p>The 2028 submission cycle is, in effect, the Audits Division's most powerful investigative tool. It hasn't launched yet, but businesses are already generating the underlying records that it will be scrutinizing.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-5-drop-is-in-force-and-complaint-volumes-are-rising\">5. DROP Is In Force and Complaint Volumes Are Rising<\/h2>\n\n\n\n<p>Before the <a href=\"https:\/\/privacy.ca.gov\/drop\/\" target=\"_blank\" rel=\"noreferrer noopener\">Delete Request and Opt-Out Platform (DROP)<\/a> was launched, a California resident wanting to remove their personal information from <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/data-brokers-and-data-privacy-monetization\/\" target=\"_blank\" rel=\"noreferrer noopener\">data broker<\/a> databases had to contact each one individually. That process could involve hundreds of separate requests. DROP, which launched January 1, 2026, collapses that into a single submission covering all 500-plus registered data brokers at once.<\/p>\n\n\n\n<p>Adoption has been rapid. <a href=\"https:\/\/iapp.org\/news\/a\/california-privacy-enforcement-in-2026-a-discussion-with-calprivacy-s-tom-kemp\" target=\"_blank\" rel=\"noreferrer noopener\">More than 217,000 California residents enrolled<\/a> within the first two months. CalPrivacy Executive Director Tom Kemp has said publicly that he expects complaint volume to climb as the platform's user base grows, and the trajectory so far gives little reason to doubt that.<\/p>\n\n\n\n<p>The platform has two enforcement-relevant phases. DROP launched for consumers on January 1, 2026. The obligation for data brokers to actually process and fulfill the deletion requests it generates kicks in on August 1, 2026. After that date, non-fulfillment triggers immediate enforcement exposure. 
There is no cure period.<\/p>\n\n\n\n<p>The penalty structure is designed to compound quickly. Each unprocessed deletion request carries a USD 200-per-day fine. Brokers also face a separate USD 200-per-day penalty for any registration lapse. For a broker managing tens of thousands of consumer records, those figures accumulate fast.<\/p>\n\n\n\n<p>What DROP ultimately creates is a permanent, consumer-powered audit mechanism for data broker compliance. Every enrolled resident is an ongoing check on whether brokers are honoring their obligations. Every unfulfilled request is a potential enforcement referral. The platform finances itself through the same registration fees that data brokers are already required to pay.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-6-cppa-automated-detection-is-expanding-investigation-capacity\">6. CPPA Automated Detection Is Expanding Investigation Capacity<\/h2>\n\n\n\n<p>Most regulatory enforcement starts with a complaint. A consumer files one, the agency reviews it, and an investigation may follow. But CalPrivacy has built a parallel track that doesn't require any of that.<\/p>\n\n\n\n<p>The agency's dedicated technology team conducts its own independent research into privacy harms and data flows. This is entirely separate from complaint intake. 
Using automated scanning of public-facing websites and applications, it can assess non-compliance at scale across four areas in particular:<\/p>\n\n\n\n<div class=\"cb-article-list-timeline cb-article-list-timeline--empty-header cb-article-list-timeline--no-image cb-ctx--base\" style=\"\" data-manual-enabling=\"false\" style=\"--items-count: 4\">\n        <div class=\"cb-article-list-timeline__list\">\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><a href=\"https:\/\/www.cookiebot.com\/en\/global-privacy-control\/\" target=\"_blank\" rel=\"noopener\">GPC signal recognition<\/a>: whether sites are correctly processing Global Privacy Control opt-out signals<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 
7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Opt-out mechanism functionality: whether the mechanisms businesses provide actually work<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/dark-patterns-and-how-they-affect-consent\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Dark patterns<\/span><\/a><span style=\"font-weight: 400;\">: in consent interfaces, design choices that nudge or manipulate users away from privacy-protective choices<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item cb-article-list-timeline__item--last\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet 
cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/ccpa-cookie-banner\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Consent banner behavior<\/span><\/a><span style=\"font-weight: 400;\">: whether banners meet CCPA requirements for symmetry and clarity<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-7-one-cppa-investigation-can-now-trigger-enforcement-across-nine-states\">7. One CPPA Investigation Can Now Trigger Enforcement Across Nine States<\/h2>\n\n\n\n<p>In April 2025, nine state privacy regulators formalized something that had previously been ad hoc: a coordinated, cross-jurisdictional enforcement coalition.&nbsp;<\/p>\n\n\n\n<p>Established by a memorandum of understanding, the Consortium of Privacy Regulators brings together CalPrivacy and California\u2019s Attorney General alongside regulators from Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon.<\/p>\n\n\n\n<p>The consortium's structure enables member regulators to share investigative findings, align on enforcement priorities, build collective expertise on technically complex data practices, and bring joint actions where warranted. 
For businesses, the implications go well beyond California:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resolving a privacy violation with CalPrivacy does not close the matter in other consortium states. The same conduct can be investigated and penalized independently by any member.<\/li>\n\n\n\n<li>Evidence developed in one state's investigation is available to inform parallel or subsequent investigations by others.<\/li>\n\n\n\n<li>A CalPrivacy investigation can become a nine-state investigation without any additional triggering event.<\/li>\n\n\n\n<li>The consortium's coordinated priorities \u2014 GPC compliance, data broker registration, children's data, and dark patterns \u2014 mean businesses face a unified enforcement agenda, not nine separate ones.<\/li>\n<\/ul>\n\n\n\n<p>The closest historical analogy is the wave of multistate data breach enforcement coalitions that took shape in the 2010s. Those coalitions reshaped how corporations approached data security investment, producing landmark settlements and establishing cross-state enforcement as a standard feature of the regulatory landscape. Privacy law enforcement appears to be following the same trajectory.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-8-proposed-whistleblower-legislation-would-open-cppa-enforcement-from-within-businesses\">8. 
Proposed Whistleblower Legislation Would Open CPPA Enforcement from Within Businesses<\/h2>\n\n\n\n<p>CalPrivacy's existing enforcement tools, which include automated scanning, consumer complaints, and audit authority, all operate from the outside looking in.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=202520260AB2021\" target=\"_blank\" rel=\"noreferrer noopener\">AB 2021<\/a>, legislation introduced in February 2026, would add a fundamentally different mechanism: enforcement intelligence sourced from inside the organizations being regulated.<\/p>\n\n\n\n<p>Modeled on the <a href=\"https:\/\/www.sec.gov\/enforcement-litigation\/whistleblower-program\" target=\"_blank\" rel=\"noreferrer noopener\">SEC whistleblower program<\/a>, the bill would establish:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Financial awards of 15\u201333 percent of collected fines or settlement proceeds for verified reports<\/li>\n\n\n\n<li>The ability to file anonymously through legal counsel<\/li>\n\n\n\n<li>Anti-retaliation protections for employees and contractors who come forward<\/li>\n\n\n\n<li>A standalone civil cause of action for anyone who faces retaliation for reporting<\/li>\n<\/ul>\n\n\n\n<p>The significance of that last point shouldn't be understated. Internal privacy violations, which can include decisions made in meetings, configurations set by engineers, or policies quietly deprioritized under cost pressure, among others, are largely invisible to external regulators.&nbsp;<\/p>\n\n\n\n<p>AB 2021 would give people with direct knowledge of those decisions a meaningful financial incentive to report them, and a legal backstop if their employer retaliates.<\/p>\n\n\n\n<p>The SEC program offers a useful benchmark for what that could mean in practice. Since its introduction, it has generated some of the largest and most consequential enforcement actions in the history of financial regulation. 
Not because regulators got better at detecting violations from the outside, but because insiders started bringing the evidence directly to them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-9-deterrence-approach-fixing-a-cppa-violation-before-contact-no-longer-guarantees-a-reduced-fine\">9. Deterrence Approach: Fixing a CPPA Violation Before Contact No Longer Guarantees a Reduced Fine<\/h2>\n\n\n\n<p>For much of CalPrivacy's short enforcement history, the implicit understanding was that businesses that identified and fixed their own compliance issues before the agency came calling would receive some credit for doing so. The PlayOn Sports settlement ended that assumption.<\/p>\n\n\n\n<p>PlayOn had found and remediated its compliance failures in December 2024, months before CalPrivacy made contact. The agency imposed a USD 1.1 million penalty regardless. Its public statements left little ambiguity about why: The fine was intended to send a message to an entire industry, not just to correct one company's behavior.<\/p>\n\n\n\n<p>Several things follow from that shift, about which businesses across sectors should take note:<\/p>\n\n\n\n<div class=\"cb-article-list-timeline cb-article-list-timeline--empty-header cb-article-list-timeline--no-image cb-ctx--base\" style=\"\" data-manual-enabling=\"false\" style=\"--items-count: 4\">\n        <div class=\"cb-article-list-timeline__list\">\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                
<\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h5 class=\"cb-article-list-timeline__item-title\">                        Self-remediation is no longer a reliable mitigant                        <\/h5>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p>Fixing violations before agency contact may still be the right thing to do operationally, but it does not insulate a business from significant penalties.<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h5 class=\"cb-article-list-timeline__item-title\">                        Penalty size reflects deterrence objectives, not violation cost                        <\/h5>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Fines are calibrated to produce industry-wide behavioral change, which means they will often exceed what the specific violation would seem to warrant.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n 
               <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h5 class=\"cb-article-list-timeline__item-title\">                        Enforcement targets are chosen for their signaling value                        <\/h5>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">PlayOn put the schools and youth sports sector on notice; Tractor Supply addressed rural retail; <\/span><a href=\"https:\/\/privacy.ca.gov\/2025\/03\/honda-settles-with-cppa-over-privacy-violations\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Honda addressed automotive<\/span><\/a><span style=\"font-weight: 400;\">; and the <\/span><a href=\"https:\/\/oag.ca.gov\/news\/press-releases\/california-wont-let-it-go-attorney-general-bonta-announces-275-million\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Attorney General\u2019s case against Disney<\/span><\/a><span style=\"font-weight: 400;\"> addressed entertainment. 
Actions reached entire industries through a single case.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item cb-article-list-timeline__item--last\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h5 class=\"cb-article-list-timeline__item-title\">                        The &quot;captive audience&quot; doctrine travels                        <\/h5>                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">CalPrivacy's enforcement position in PlayOn \u2014 that users who had no meaningful alternative deserved heightened protection \u2014 applies directly to subscription platforms, workplace tools, ticketing services, and any other context where opting out is genuinely difficult.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-10-4-cppa-rulemaking-areas-will-add-new-obligations-through-2027-and-beyond\">10. 4 CPPA Rulemaking Areas Will Add New Obligations Through 2027 and Beyond<\/h2>\n\n\n\n<p>The ten forces described in this article represent the current state of CPPA enforcement. 
Rulemaking underway at CalPrivacy will expand that picture further in at least four areas, with a fifth possible depending on what the undisclosed fourth rulemaking covers.<\/p>\n\n\n\n<p>The three confirmed areas:<\/p>\n\n\n\n<div class=\"cb-article-list-timeline cb-article-list-timeline--empty-header cb-article-list-timeline--no-image cb-ctx--base\" style=\"\" data-manual-enabling=\"false\" style=\"--items-count: 3\">\n        <div class=\"cb-article-list-timeline__list\">\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet \">\n                        1                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">CCPA protections for job applicants, employees, and contractors have long been treated as a lower-compliance-burden category. 
Upcoming rulemaking will challenge that assumption, clarifying and potentially expanding what businesses must do to protect employment-related personal information.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet \">\n                        2                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Readability, accuracy, and completeness requirements are all under review. A policy that passed muster in 2024 may not satisfy what CalPrivacy finalizes for 2026 or 2027, and outdated privacy policies have already featured in enforcement actions.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item cb-article-list-timeline__item--last\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet \">\n                        3                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                        <div class=\"cb-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">CalPrivacy is moving to codify and expand the obligation to recognize and honor browser-level opt-out signals, including GPC. 
What is currently a compliance expectation enforced through investigations will become a formal, auditable regulatory requirement.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <\/div>\n<\/div>\n\n\n\n<div class=\"cb-spacer\" style=\"--cb-height--d:40px;;--cb-height--t:40px;;--cb-height--m:40px;\">\n<\/div>\n\n\n\n<p>A fourth rulemaking area has been confirmed but not yet publicly described. Its scope and timeline remain unknown.<\/p>\n\n\n\n<p>Each package that emerges from this process adds new obligations, creates new standards against which audits will measure businesses, and opens new grounds for enforcement action. The rulemaking calendar is, in effect, a forward-looking list of future compliance gaps for businesses that aren't tracking it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-businesses-need-to-do-as-cppa-enforcement-continues-to-escalate\">What Businesses Need to Do as CPPA Enforcement Continues to Escalate<\/h2>\n\n\n\n<p>The enforcement pressure building at CalPrivacy is structural, not cyclical. 
Each mechanism described above adds capacity that persists and compounds over time; each new body of regulation creates new categories of potential violation.<\/p>\n\n\n\n<p>The table below summarises how enforcement pressure is likely to evolve:<\/p>\n\n\n\n<figure class=\"wp-block-table enabled-responsive\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Timeframe<\/strong><\/th><th><strong>Important Initiatives<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>2026<\/strong><\/td><td>- Historical enforcement backlog under active review<br>- Audits Division hiring and building examination capacity<br>- August 1 DROP processing deadline for data brokers<br>- January 2026 regulations \u2014 risk assessments, cybersecurity audits, ADMT \u2014 now in force<br>- Automated detection sweeps ongoing<\/td><\/tr><tr><td><strong>2026\u20132027<\/strong><\/td><td>- Growing consumer participation in DROP driving complaint volume up<br>- ADMT notice and opt-out requirements take effect January 1, 2027<br>- Consortium joint investigations expanding in scope and frequency<br>- AB 2021 whistleblower legislation moving through legislature<br>- Rulemaking packages on employee data, privacy policies, and GPC being finalized<\/td><\/tr><tr><td><strong>2028 and beyond<\/strong><\/td><td>- April 2028 submission deadline: executive-certified risk assessment attestations and cybersecurity audit certifications due<br>- Audits Division has a structured, economy-wide compliance picture for the first time<br>- Annual submission and examination cycles begin<\/td><\/tr><tr><td><strong>Ongoing<\/strong><\/td><td>- DROP enrolment and complaint volume continuing to grow<br>- Automated scanning capacity expanding<br>- Nine-state consortium making multi-state enforcement routine<br>- Penalty levels rising as deterrence-focused approach embeds across enforcement actions<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>These ten forces are not operating independently; they are 
compounding. Each new regulation creates new audit criteria. Each audit finding feeds into the enforcement pipeline. Each new consortium member multiplies the jurisdictional reach of any single investigation.<\/p>\n\n\n\n<p>Businesses that treat CCPA compliance as a periodic exercise are already operating at a structural disadvantage, and that gap will widen as the 2028 submission cycle approaches.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.cookiebot.com\/en\/cookie-consent-solution\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cookiebot by Usercentrics<\/a> helps businesses maintain the consent records, documented opt-out flows, and <a href=\"https:\/\/www.cookiebot.com\/en\/cookie-consent\/\" target=\"_blank\" rel=\"noreferrer noopener\">consent management infrastructure<\/a> that regulators will expect to see. Having systems in place that can demonstrate compliance rather than just aspiring to it is increasingly a baseline requirement, not a competitive differentiator.<\/p>\n\n\n\n<div class=\"cb-spacer\" style=\"--cb-height--d:40px;;--cb-height--t:40px;;--cb-height--m:40px;\">\n<\/div>\n\n\n<div class=\"cb-flex-row\" style=\"--padding-top: 0px; --padding-bottom: 0px;\">\n<div class=\"cb-flex-column \" style=\"--column-size: var(--column-size-12);--i:1;\">\n    \n<div class=\"cb-faqs\" >\n    <div class=\"cb-faqs__heading\">\n        <h2>Frequently asked questions<\/h2>\n    <\/div>\n\n    <div class=\"cb-faqs__list\">\n        <div class=\"cb-faq\"\n     id=\"faq-what-is-the-cppa-currently-prioritizing-for-enforcement\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-what-is-the-cppa-currently-prioritizing-for-enforcement-answer\"\n        >\n            
What is the CPPA currently prioritizing for enforcement?            <span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-what-is-the-cppa-currently-prioritizing-for-enforcement-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p><span style=\"font-weight: 400;\">CalPrivacy's current focus areas, based on public actions and active scanning:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">GPC compliance<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data broker registration and DROP compliance<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Dark patterns in consent interfaces<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Children's and students' data&nbsp;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Automated decision-making systems<\/span><\/li>\n<\/ul>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-what-is-the-cppa-currently-prioritizing-for-enforcement');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-what-is-the-cppa-currently-prioritizing-for-enforcement'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-how-does-the-cppa-open-an-enforcement-investigation\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-how-does-the-cppa-open-an-enforcement-investigation-answer\"\n        >\n            How does the CPPA open an enforcement investigation?            
<span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-how-does-the-cppa-open-an-enforcement-investigation-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p><span style=\"font-weight: 400;\">CPPA enforcement investigations are initiated in three ways:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Consumer complaint<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Audits Division referral<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Proactive detection by the agency's own technology team<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The third one requires no external trigger. CalPrivacy scans public-facing websites autonomously for GPC non-compliance, broken opt-out mechanisms, and dark patterns. A business can be under active investigation without having received any contact from the agency.<\/span><\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-how-does-the-cppa-open-an-enforcement-investigation');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-how-does-the-cppa-open-an-enforcement-investigation'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-if-a-business-fixes-a-privacy-violation-before-the-cppa-makes-contact-does-that-prevent-a-fine\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-if-a-business-fixes-a-privacy-violation-before-the-cppa-makes-contact-does-that-prevent-a-fine-answer\"\n        >\n            If a business fixes a privacy violation before the CPPA makes contact, does that prevent a fine?            
<span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-if-a-business-fixes-a-privacy-violation-before-the-cppa-makes-contact-does-that-prevent-a-fine-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p><span style=\"font-weight: 400;\">Not necessarily. The March 2026 PlayOn Sports settlement is the controlling precedent. CalPrivacy imposed a USD 1.1 million penalty on a company that had self-identified and remediated its violations months before agency contact. The agency's stated position is that enforcement is calibrated for industry-wide deterrence. Prior remediation does not function as a penalty shield.<\/span><\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-if-a-business-fixes-a-privacy-violation-before-the-cppa-makes-contact-does-that-prevent-a-fine');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-if-a-business-fixes-a-privacy-violation-before-the-cppa-makes-contact-does-that-prevent-a-fine'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-which-businesses-are-required-to-complete-annual-cybersecurity-audits-under-the-ccpa\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-which-businesses-are-required-to-complete-annual-cybersecurity-audits-under-the-ccpa-answer\"\n        >\n            Which businesses are required to complete annual cybersecurity audits under the CCPA?            
<span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-which-businesses-are-required-to-complete-annual-cybersecurity-audits-under-the-ccpa-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p><span style=\"font-weight: 400;\">Businesses that are required to complete annual cybersecurity audits are those with data processing that presents significant risk to California consumers, specifically:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Deriving 50 percent or more of annual revenue from selling or sharing personal information<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Processing personal information of more than 250,000 consumers or households, or<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Processing sensitive personal information of more than 50,000 consumers<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Audits must cover <\/span><a href=\"https:\/\/www.faegredrinker.com\/en\/insights\/publications\/2025\/9\/cybersecurity-audits-under-the-california-consumer-privacy-act-ccpa\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">18 specified technical and organizational components<\/span><\/a><span style=\"font-weight: 400;\"> and be certified annually by executive management under penalty of perjury.<\/span><\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-which-businesses-are-required-to-complete-annual-cybersecurity-audits-under-the-ccpa');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-which-businesses-are-required-to-complete-annual-cybersecurity-audits-under-the-ccpa'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     
id=\"faq-what-do-businesses-need-to-submit-to-the-cppa-by-april-2028\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            aria-controls=\"faq-what-do-businesses-need-to-submit-to-the-cppa-by-april-2028-answer\"\n        >\n            What do businesses need to submit to the CPPA by April 2028?            <span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-what-do-businesses-need-to-submit-to-the-cppa-by-april-2028-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p><span style=\"font-weight: 400;\">Two categories: executive-certified attestations confirming required risk assessments were completed for 2026 and 2027 processing activities; and cybersecurity audit certifications on a staggered schedule: USD 100M+ revenue businesses first in 2028, mid-size in 2029, smaller businesses in 2030, all signed under penalty of perjury.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The submissions will give CalPrivacy the first structured, economy-wide compliance picture across California, and gaps or implausible claims become direct grounds for audit examination or enforcement referral.<\/span><\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-what-do-businesses-need-to-submit-to-the-cppa-by-april-2028');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-what-do-businesses-need-to-submit-to-the-cppa-by-april-2028'));\n            });\n        <\/script>\n    <\/div>\n<div class=\"cb-faq\"\n     id=\"faq-what-is-the-consortium-of-privacy-regulators-and-which-states-are-members\">\n        <button\n            class=\"cb-faq__question\"\n            type=\"button\"\n            aria-expanded=\"false\"\n            
aria-controls=\"faq-what-is-the-consortium-of-privacy-regulators-and-which-states-are-members-answer\"\n        >\n            What is the Consortium of Privacy Regulators, and which states are members?            <span class=\"cb-faq__toggle\" aria-hidden=\"true\"><\/span>\n        <\/button>\n        <div class=\"cb-faq__answer\" id=\"faq-what-is-the-consortium-of-privacy-regulators-and-which-states-are-members-answer\">\n            <div class=\"cb-faq__answer__inner\">\n                <p><span style=\"font-weight: 400;\">A formal nine-state enforcement coalition established by memorandum of understanding in April 2025. Members are California (CalPrivacy and the state AG), Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Member regulators coordinate investigations, align priorities, and can bring joint actions. For any business under CalPrivacy scrutiny, the investigation can expand to all nine states simultaneously. Settling with one member does not resolve exposure in the others.<\/span><\/p>\n            <\/div>\n        <\/div>\n        <script>\n            cbFaqItemPreload('faq-what-is-the-consortium-of-privacy-regulators-and-which-states-are-members');\n            window.addEventListener('load', function () {\n                new Cb_Faq(document.getElementById('faq-what-is-the-consortium-of-privacy-regulators-and-which-states-are-members'));\n            });\n        <\/script>\n    <\/div>\n            <\/div>\n\n    <\/div>\n\n<\/div>\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>10 forces are converging to expand CalPrivacy's enforcement capacity at once. There\u2019s a dedicated Audits Division, automated detection, DROP, a nine-state coalition, and a deterrence-first penalty approach among them. 
The result: investigations that open without warning, penalties that don't disappear with remediation, and compliance obligations that compound year on year.<\/p>\n","protected":false},"author":28,"featured_media":21029,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"inline_featured_image":false,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-21027","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2026\/03\/CB-CPPA-Enforcement-Hero-1_1200x630_ffffff.png","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/21027","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/comments?post=21027"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/21027\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media\/21029"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media?parent=21027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/categories?post=21027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/tags?post=21027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}