At a Glance
- The CPPA is California’s dedicated privacy regulator, created to enforce and shape state privacy laws independently of the Attorney General.
- Its authority goes beyond enforcement and includes rulemaking, audits, public education, and oversight of the Delete Act and data broker registry.
- The agency is actively targeting issues like dark patterns, ineffective opt-outs, and excessive data collection across businesses of all sizes.
- CPPA penalties can be significant, and recent enforcement actions show that noncompliance carries real financial risk.
- Staying compliant requires operational privacy controls, including clear consent flows and systems that can stand up to audits and regulatory scrutiny.
The California Privacy Protection Agency (CPPA), now publicly known as CalPrivacy, is the first dedicated privacy regulator in the United States. The Agency was created to enforce and evolve California’s data protection laws, namely the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA).
The Agency plays a central role in shaping how businesses collect, use, and protect the personal data of California consumers. It fines businesses for violations of California privacy laws; develops rules around areas like consent, data minimization, and automated decision-making; and works with other state regulators on enforcement activities.
This guide breaks down what the CPPA is, how its authority works, where it’s focusing enforcement, and what businesses need to do to keep data operations privacy-compliant.
What Is the California Privacy Protection Agency (CPPA)?
The CPPA/CalPrivacy is an independent agency created by the California Privacy Rights Act (CPRA) to implement and enforce California privacy laws.
It’s the first independent privacy agency established in the United States, and its mission is to protect the privacy rights of California consumers. It does this in a few different ways:
- Rulemaking: Adopting and updating regulations to implement privacy laws and address changes in technology and data practices
- Enforcement: Investigating possible violations (either proactively or in response to complaints) and bringing administrative enforcement actions against businesses, service providers, or contractors that fail to comply
- Auditing: Conducting audits of businesses to ensure compliance with privacy standards
- Public education: Informing consumers about their rights and providing guidance to businesses to help them understand their legal obligations
- Policy advice: Providing technical assistance and advice to the California Legislature on privacy-related legislation
The agency has full administrative power, authority, and jurisdiction to implement and enforce the CCPA/CPRA, as well as the Delete Act.

Why Was the CPPA Created?
CalPrivacy was created in 2020 through the passage of Proposition 24, also known as the CPRA.
The goal was to establish an independent watchdog with the sole mission of protecting consumer privacy instead of relying only on the Attorney General for enforcement of California privacy laws.
The agency emerged as a solution to inform businesses and consumers of their rights and enforce the law against those who violate privacy rights.
The CPPA was also created in part to update regulations in the face of rapid changes in technology and data collection practices.
What Authority Does CalPrivacy Have?
CalPrivacy’s authority spans rulemaking, investigation, audit, and enforcement across the CCPA and the CPRA.
Rulemaking Authority
CalPrivacy has the authority to adopt, amend, and rescind regulations to carry out the provisions of the CCPA. This includes creating rules for emerging concerns like automated decision-making technology (ADMT), cybersecurity audits, risk assessments, and sensitive categories like neural data.
Administrative Enforcement
The Agency protects consumer privacy through the following actions:
- Investigations: It can investigate potential violations of the law, either on its own initiative or based on sworn complaints from the public.
- Probable cause proceedings: If evidence supports a reasonable belief that California privacy law has been violated, the Agency can hold hearings to determine whether an infraction occurred.
- Administrative fines: CalPrivacy can issue orders requiring violators to cease and desist and pay administrative penalties.
- Subpoena power: The Agency can subpoena witnesses, take evidence, and request any relevant records.
Auditing Power
The Agency has the authority to conduct audits of businesses, service providers, or contractors to ensure compliance with the CCPA/CPRA. It’s responsible for appointing a Chief Privacy Auditor and building out an audits department to lead these efforts. Audits may be announced or unannounced, and failure to cooperate can result in the issuance of subpoenas or warrants.
Public Education and Policy Advice
CalPrivacy is tasked with increasing public awareness of privacy risks and rights. It also provides technical assistance and advice to the California Legislature on privacy-related legislation and can sponsor its own bills, such as the California Opt Me Out Act.
Cooperation with Other Regulators
The CPPA has the authority to cooperate with other jurisdictions, including other states and international data protection authorities, to ensure the consistent application of privacy protections. It helped establish the Consortium of Privacy Regulators in 2025 to collaborate with various state Attorneys General on enforcement.
Authority Under the Delete Act
With authority from the 2023 Delete Act, CalPrivacy oversees:
- Data Broker Registry: It maintains and enforces the registration of data brokers in California.
- DROP (Delete Request and Opt-out Platform): It’s tasked with maintaining a “one-stop shop” platform that enables consumers to request data deletion from all registered data brokers in a single step.
What Do CPPA Fines and Penalties Look Like?
CalPrivacy, alongside the California Attorney General, has the authority to impose significant financial penalties on businesses that violate privacy laws.
Violations are penalized based on the nature of the infraction, and penalties are adjusted periodically to align with the Consumer Price Index:
- Up to $2,500 per violation for unintentional violations of the law
- Up to $7,500 per violation for intentional violations or any violations involving the personal information of consumers known to be under 16 years of age
And the agency doesn’t hesitate to enforce its authority when required. According to the CalPrivacy 2025 Annual Report, CPPA enforcement actions have covered a wide range of industries.
Some recent significant fines from enforcement actions include:
- USD 1.35 million to Tractor Supply Company for failing to maintain an adequate privacy policy, failing to notify job applicants of their privacy rights, failing to provide an effective opt-out mechanism, and disclosing personal information (PI) without privacy-protective contracts
- USD 632,000 to American Honda Motor Co. for requiring Californians to provide verification or excessive PI to exercise certain privacy rights, using dark patterns that made it hard for consumers to use authorized agents, and sharing PI with ad tech companies without privacy-protective contracts
Note that the CPPA doesn’t just target large corporations; it also audits and fines smaller companies for minor infractions. Businesses are not immune from enforcement action just because they’re smaller, especially given that the agency uses automated technologies to audit websites for their data handling practices.
CPPA Enforcement Priorities Businesses Need to Know
CalPrivacy has established several clear enforcement priorities that businesses should pay special attention to. These priorities are informed by recurring complaints, periodic investigative sweeps, and the agency’s overarching goal of protecting consumers.
The agency has publicly emphasized areas like dark patterns, honoring opt-outs, data minimization, and transparency. Here’s what you need to know to achieve and maintain privacy compliance in California.
Dark Patterns and Consent Manipulation
The agency closely scrutinizes interfaces that use dark patterns to steer user privacy choices.
Examples of this include asymmetrical choices, such as making an “Accept” button more prominent or hiding the “Decline” option, or using double negatives, like a “Yes/No” toggle next to a “Do Not Sell or Share My Personal Information” label.
Consent manipulation also includes disruptive choice architecture, such as forcing consumers to click through multiple screens or scroll through a full privacy policy just to find an opt-out link.
Part of the justification for the USD 632,000 fine on Honda was the use of dark patterns to present privacy choices in an asymmetrical or unequal way.
To avoid penalties for dark patterns, take the following measures:
- Ensure that the path to exercise a privacy-protective option is not longer or more difficult than the path to a less protective one.
- Understand that consent must be freely given, specific, informed, and unambiguous: hovering over content, muting it, or closing a pop-up without choosing doesn’t constitute valid consent.
- Use straightforward language, avoid technical jargon, and give equal prominence to “Accept” and “Decline” options.
Opt-Outs and Universal Consent
Consumers have the right to request that a business stop selling or sharing their personal information, and CalPrivacy places special emphasis on this right.
The USD 1.35 million penalty against Tractor Supply cited a failure to provide an effective opt-out mechanism as one justification for the violation.
A key component is Opt-out Preference Signals (OOPS), such as Global Privacy Control (GPC), which enable consumers to automatically signal their opt-out choice to every website they visit via their browser settings. By January 1, 2027, all browsers in California will be required to offer a built-in OOPS feature.
To respect opt-outs and universal consent:
- Honor OOPS as a valid consumer request to stop selling or sharing data.
- If you sell or share data, provide a “Do Not Sell or Share My Personal Information” link or a single “Your Privacy Choices” link accompanied by the mandatory opt-out icon.
- Respond to opt-out requests within 15 business days.
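The following is an added example, not code from the article or from Usercentrics, showing how a site can honor the Global Privacy Control signal described above. The `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property are the mechanisms the GPC specification defines; the consent record shape, the function names, and the decision logic are assumptions for illustration, and the example treats sale/sharing as permitted by default unless an opt-out exists (the CCPA opt-out model for adults).

```javascript
// Added example (not from the original article or Usercentrics): honoring
// Global Privacy Control (GPC), the Opt-out Preference Signal the text describes.
// Assumed: a consent record of the form { consumerId, sellShare: "opt-in"|"opt-out" }.

// Per the GPC spec, an opted-out browser sends "Sec-GPC: 1". Only the exact value
// "1" means opted out; anything else (absent, "0", garbage) is not a signal.
function gpcSignalPresent(headers) {
  // Node lowercases header names; accept the canonical casing too.
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return typeof value === "string" && value.trim() === "1";
}

// Decide whether PI from this request may be sold or shared. A GPC signal is a
// valid opt-out request: it takes precedence over an earlier stored opt-in, and
// the conflict is flagged so the business can tell the consumer which choice applies.
// The returned record is what should be persisted as evidence the signal was honored.
function evaluateSellShare(headers, consentRecord = {}) {
  const signal = gpcSignalPresent(headers);
  const storedOptIn = consentRecord.sellShare === "opt-in";
  const storedOptOut = consentRecord.sellShare === "opt-out";
  if (signal) {
    return {
      allowed: false,
      source: "gpc",
      conflict: storedOptIn, // true when the signal overrides a stored opt-in
      record: { ...consentRecord, sellShare: "opt-out", via: "gpc" },
    };
  }
  return {
    allowed: !storedOptOut,
    source: storedOptOut ? "stored-opt-out" : "default",
    conflict: false,
    record: consentRecord,
  };
}

// Browser side: check the same signal before firing ad-tech or sharing tags.
// Takes a navigator-like object so it can run outside a browser.
function browserOptedOut(nav = typeof navigator !== "undefined" ? navigator : {}) {
  return nav.globalPrivacyControl === true;
}
```

The server-side check belongs before any call that would sell or share PI (e.g. before a request is handed to ad-tech partners), and the result record should be stored for audit purposes.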
Data Minimization
CalPrivacy aims to confirm that a business’s collection, use, and retention of personal information is reasonably necessary and proportionate to achieve the purpose for which it was collected. This means you should only collect the minimum amount of information necessary for a specific, disclosed purpose.
For example, an alarm clock app shouldn’t collect a user’s precise geolocation, because it’s not necessary for the app’s functionality. Or for an email newsletter signup, you don’t need the subscriber’s date of birth or home address.
This principle also applies to how businesses handle data subject requests and how much information they ask for when processing them. Clothing retailer Todd Snyder, for example, was fined USD 345,178, in part for requiring consumers to submit more personal information than necessary to process privacy requests.
Situations like this are avoidable with the right approach. Review your data practices to ensure you’re not collecting data that is unrelated to your core services. Avoid requesting additional information when verifying a consumer’s identity for a privacy request. Instead, attempt to match the consumer’s request against data already in your systems.
Transparency
In a recent report, the agency cites review of privacy notices and privacy policies as one of its enforcement priorities, which puts transparency at the forefront of CPPA scrutiny. In fact, failing to maintain an adequate privacy policy was one of the reasons noted for the seven-figure fine on Tractor Supply Company.
This focus on transparency extends to the data broker industry, where the agency has stepped up enforcement through its new Data Broker Enforcement Strike Force. The initiative actively pursues data brokers that fail to meet transparency requirements under the Delete Act.
This regulation requires data brokers to register annually with the agency and gives consumers more visibility into the multi-billion dollar industry that collects and sells their personal information. In 2024 alone, the agency recovered over USD 170,000 in administrative fines from data broker non-compliance settlements.
To increase transparency with consumers and protect your business, you should:
- Make notices easy to read, available in the primary languages of your customers, and accessible to individuals of all abilities.
- Clearly state whether personal information — including sensitive personal information such as neural data — is sold or shared.
- Make your privacy policy conspicuous and easily accessible on your website (typically in the footer).
Avoid CPPA Scrutiny and Enforcement With Usercentrics
As CCPA enforcement accelerates and CalPrivacy continues to crack down, compliance requires more than surface-level fixes.
You need a tool that operates as your core infrastructure and operationalizes privacy across every touchpoint. That’s where Usercentrics can help.
Usercentrics Consent Management Platform applies geolocation-based rules, enables granular consent management, and recognizes opt-out signals like GPC automatically. It also comes with integrations for Google Consent Mode, Microsoft UET Consent Mode, and Amazon Consent Signal out of the box, so you can make sure opt-out signals are respected throughout your marketing stack.
Usercentrics CMP includes prior blocking where required, and tag control to prevent unlawful data collection. It provides secure consent record storage for accountability and audit-readiness.
Instead of reacting to evolving California privacy laws, Usercentrics helps businesses automate and scale privacy practices to align with CPPA priorities.
