
Why California Privacy Protection Agency (CPPA) Enforcement Is Escalating and How Businesses Can Stay Ahead

Summary

The California data privacy enforcement environment isn’t going through a temporary surge. The California Privacy Protection Agency (which now uses the public-facing name CalPrivacy) is in the middle of a structural shift, driven by ten converging forces that are expanding its capacity, reach, and legal authority at the same time.

Understanding what’s driving this change and what it means for your business is the first step toward building the kind of privacy infrastructure that holds up long-term under scrutiny.

  • CPPA enforcement is structural, not cyclical. Ten converging forces — a new Audits Division, automated detection, a nine-state coalition — are expanding capacity and reach simultaneously, with no sign of letting up through 2028.
  • No complaint needed to trigger an investigation. Automated website scanning detects GPC non-compliance, dark patterns, and broken opt-outs — meaning businesses can be under investigation before they know it.
  • 2026 brought a wave of new obligations. Privacy risk assessments, annual cybersecurity audits, and automated decision-making rules are now in force under the CCPA regulations finalized in late 2025. Businesses that were compliant in 2024 may already be out of step.
  • The 2028 submission deadline is an enforcement launchpad. Executive-certified attestations will give the CPPA a structured, economy-wide compliance map — and a ready-made list of investigative leads.
  • Prior remediation no longer protects you. The PlayOn Sports settlement ($1.1M, March 2026) confirmed that self-identifying and fixing violations before agency contact doesn’t prevent significant penalties.
  • Compliance increasingly requires continuous operational oversight. Documented risk assessments, consent logs, and audit-ready records aren’t best practices anymore — they’re what the agency will ask for when it comes calling.

1. The Historical Backlog Is Now Being Worked Through

CalPrivacy’s Enforcement Division didn’t gain formal enforcement authority until July 2023, although the California Consumer Privacy Act (CCPA) has been in effect since January 1, 2020. That gap left more than three years of conduct whose potential violations are not time-barred merely because the agency could not act on them at the time.

When CalPrivacy opened the Tractor Supply investigation in 2024, it sought records going back to 2020, and Tractor Supply acknowledged the agency’s authority to examine the full operative period of the law. That precedent matters for businesses assessing their regulatory exposure: any assumption that earlier conduct is beyond regulatory reach needs to be revisited.

Between July 2023 and September 2025, CalPrivacy received 8,265 consumer complaints, an average of roughly 70 per week over that period. As of early 2026, the agency has stated that it has more than 100 investigations open at any given time, and many of the businesses targeted may not be aware they’re under investigation.

2. The CPPA Audits Division Is Now Operational

In February 2026, CalPrivacy formally established its Audits Division under inaugural Chief Privacy Auditor Sabrina Boyson Ross, fulfilling an enforcement mandate built into the California Privacy Rights Act (CPRA) when voters passed Proposition 24 in 2020. For the first five-plus years of the law’s existence, no dedicated audit function existed.

The Audits Division changes the enforcement dynamic in several important ways:

No complaint required

Unlike CalPrivacy’s Enforcement Division, which is largely complaint- and incident-driven, the Audits Division can examine any CCPA-covered business at any time based on sector risk, regulatory priority, or independent research.

Technical depth

Chief Auditor Ross’s background at Meta signals a methodology that goes beyond policy review into actual system architecture, data flows, and technical configurations, where compliance failures frequently occur.

A referral pipeline

Audit findings can be referred to the Enforcement Division. An audit is not a safe harbor; it’s an earlier stage of the same pipeline that can end with CalPrivacy fines and mandatory remediation.

Growing capacity

The division is actively staffing up, which means its ability to conduct simultaneous examinations across industries will increase over time.

CalPrivacy has publicly stated that it wants to prioritize education and prevention, not just pursue non-compliance penalties. The 2025 CalPrivacy Annual Report notes:

“CalPrivacy is here for the business community as well. In 2026, CalPrivacy will meet with stakeholders and offer practical, plain-language guidance through new resources and webinars to help them meet compliance requirements under the new regulations. The Enforcement Division will continue issuing enforcement advisories to guide businesses and signal agency priorities.”

3. A Wave of New Compliance Obligations Took Effect January 1, 2026

Three major categories of compliance requirements came into force at the start of 2026 following CCPA regulations passed in late 2025. Businesses that met California privacy law compliance standards in 2024 may not meet 2026 requirements.


Privacy Risk Assessments

Businesses engaged in high-risk processing must now conduct and document formal risk assessments before starting new processing activities. Existing activities must have completed assessments by December 31, 2027. Types of processing meeting the new standard include:

  • selling or sharing personal information
  • processing sensitive data
  • using automated decision-making for significant decisions
  • training AI on personal data

CalPrivacy signaled that it will begin requesting risk assessments during investigations as early as 2026, well ahead of the 2028 submission deadline. The PlayOn Sports settlement in March 2026 was the first enforcement action to include a mandatory risk assessment requirement as a remedial term, establishing it as an active enforcement tool rather than a future obligation.

Cybersecurity Audits

Annual independent cybersecurity audits are now required for businesses with processing that presents significant risk to California consumers. These audits must cover 18 specified technical and organizational components of the cybersecurity program [Cal. Code Regs. tit. 11, § 7123(b-c)]. 

They must be conducted by a qualified independent professional and must result in an annual certification signed under penalty of perjury by a member of executive management. There’s no prior analog to this requirement under the CCPA.

Automated Decision-Making Technology (ADMT)

Businesses using AI and automated systems to make significant decisions about consumers — in employment, housing, credit, education, or healthcare — must comply with new notice and opt-out requirements beginning January 1, 2027, with risk assessment obligations already in force. 

The ADMT definition is broad enough to capture machine learning models, rule-based scoring systems, and advanced analytics tools that materially influence decisions, even when not labeled as “AI.”

4. The 2028 Submission Wave Will Create a Comprehensive Compliance Map

Beginning April 1, 2028, businesses must submit to CalPrivacy:

  • Attestations that required risk assessments were completed for 2026 and 2027 processing activities
  • Summary information about those assessments, signed by a senior executive responsible for compliance
  • Starting in 2028 (large businesses), 2029 (mid-size businesses), and 2030 (smaller businesses): annual cybersecurity audit certifications, also signed under penalty of perjury

For the first time, the Agency will receive structured, executive-certified compliance disclosures from businesses across every sector of the California economy, which on its own ranks among the largest economies in the world.

Any submission revealing gaps, inconsistencies, or implausible claims will provide a ready-made basis for an audit examination or enforcement referral. And submissions that claim full compliance where the Agency has reason to doubt it will expose senior executives to personal liability for false certification.

The 2028 submission cycle isn’t just a compliance deadline. It gives the Audits Division its most powerful ongoing source of investigative leads.

5. DROP Is Live: Data Broker Compliance Deadline and Rising Complaint Volume

The Delete Request and Opt-Out Platform (DROP) launched January 1, 2026, enabling any California resident to submit a single deletion request to all 500-plus registered data brokers simultaneously. 

Within the first two months of the platform’s launch (as of early March 2026), more than 217,000 residents had enrolled. Tom Kemp, CalPrivacy’s executive director, has explicitly stated that he expects complaint volume to increase as DROP usage grows.

DROP compliance, which requires data brokers to actually process and fulfill deletion requests received through the platform, is required beginning August 1, 2026. Any broker that fails to fulfill DROP requests after that date faces enforcement action.

Data brokers that fail to process DROP deletion requests face fines of USD 200 per day for each unprocessed consumer request — with no cure period, meaning enforcement can begin immediately upon detection of non-compliance. Those fines stack on top of a separate USD 200-per-day penalty for any registration lapse, creating significant cumulative exposure for brokers managing large volumes of consumer records.

DROP effectively creates a persistent, automated monitoring mechanism for data broker behavior. Every unfulfilled deletion request is a potential enforcement referral, and every consumer who enrolls represents an ongoing check on compliance. The platform is funded through data-broker registration fees.

6. Technology-Driven Detection Is Scaling Investigation Capacity

CalPrivacy has a dedicated technology team that conducts independent research into privacy harms and specific data flows, separate from its consumer complaint intake. The agency uses automated website scanning to identify non-compliance at scale, particularly failures to honor Global Privacy Control (GPC) opt-out signals, dark patterns in consent interfaces, and opt-out mechanisms that don’t actually work.

In practice, this means a business doesn’t need to be the subject of a consumer complaint to trigger an investigation. CalPrivacy’s technology team can identify non-compliant behavior through automated scans of public-facing websites and applications and then open an investigation without any external referral.

In September 2025, CalPrivacy and partner state attorneys general in Connecticut and Colorado announced a joint investigative sweep targeting businesses failing to honor GPC signals. The targets were identified through technical monitoring, not consumer complaints — demonstrating that the agency can run sector-wide investigations based entirely on automated detection.

7. The Multistate Consortium Multiplies Enforcement Reach

The Consortium of Privacy Regulators, established via formal memorandum of understanding in April 2025, currently includes nine states: California (CPPA and Attorney General), Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon. 

The consortium coordinates investigations, shares enforcement priorities, pools expertise on complex data practices, and can pursue joint actions. For businesses, the practical implications include:

  • A single CalPrivacy investigation can expand to include eight other states simultaneously
  • Evidence gathered by one state’s regulators can inform investigations by others
  • Businesses that have resolved violations in one state may still face enforcement in others for the same underlying conduct
  • The consortium’s shared priorities, which include GPC compliance, data broker registration, children’s data, and dark patterns, create a coordinated enforcement agenda

Legal observers have compared this dynamic to the data breach enforcement coalitions of the 2010s, which produced significant multistate settlements and became a primary driver of corporate privacy investment. A similar pattern is emerging in comprehensive privacy law enforcement.

8. The Proposed AB 2021 Whistleblower Law Would Open Enforcement from Inside Businesses

AB 2021 was introduced in February 2026 by Assembly Member Pilar Schiavo and is modeled on the SEC whistleblower program. It would create:

  • Financial awards of 15–33 percent of collected fines or settlement proceeds for verified whistleblower reports
  • Anonymous filing through counsel
  • Strong anti-retaliation protections for employees and contractors
  • A new standalone civil cause of action for whistleblowers who face retaliation

If enacted, AB 2021 would give CalPrivacy visibility into internal business decisions, communications, and practices — areas that external regulators can’t easily access through website scans or consumer complaints. 

Employees and contractors with direct knowledge of privacy violations would have a meaningful financial incentive to bring that information forward. The SEC whistleblower program has produced some of the most significant enforcement actions in financial regulation history for exactly this reason.

9. CPPA Enforcement Philosophy Has Shifted Toward Deterrence

The PlayOn Sports settlement in March 2026 marks an explicit change in enforcement approach. PlayOn had self-identified and remediated compliance issues in December 2024, before CalPrivacy contacted the company. The Agency imposed a USD 1.1 million penalty anyway, and its public statements made clear that this was intentional.

The goal no longer appears to be primarily bringing individual businesses into compliance, but rather to deter non-compliance across entire industries.

What this means in practice:

  • Prior remediation does not guarantee penalty reduction or elimination.
  • Settlement amounts are calibrated for industry-wide impact, not just to cover the cost of the specific violation.
  • Actions are chosen partly for their signaling value: PlayOn’s schools context, Tractor Supply’s rural retail context, and Honda’s automotive context each put a different industry sector on notice.
  • The “captive audience” framework from PlayOn (where users had no meaningful choice) is explicitly portable to other business models involving subscription services, ticketing, workplace tools, or any context where users can’t easily opt out.

10. Active Rulemaking Will Create Additional Compliance Requirements

CalPrivacy has announced four active rulemaking areas that will add new obligations:

  1. Employee Data: Extending CCPA protections more fully to employment, contractor, and job applicant contexts. Many businesses have assumed that employment data receives lighter treatment; new CalPrivacy rulemaking will clarify and expand those obligations.
  2. Privacy Policy Streamlining: New requirements around readability, accuracy, and disclosure completeness. Privacy policies that met 2024 standards may not meet 2026 or 2027 standards.
  3. Global Privacy Control / Opt-Out Preference Signals: Codifying and expanding the obligation to recognize and honor browser-level opt-out signals, making GPC compliance a formal, auditable requirement rather than a best practice.
  4. A fourth area not yet publicly disclosed.

Each new rulemaking package creates additional legal obligations, new audit and examination standards, and new grounds for enforcement action.
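The automated scanning described in section 6 and the GPC rulemaking listed above both come down to one question an examiner can test from the outside: when a browser sends the Global Privacy Control signal, does the site stop selling or sharing that visitor’s data, and can the business show a record of having done so? The following is an added example written for this post, not code from the original article, from Usercentrics, or from CalPrivacy. It relies on two facts about GPC: a browser with the control enabled sends the request header `Sec-GPC: 1`, and exposes `navigator.globalPrivacyControl === true` to page scripts. The cookie name `cpra_optout`, the purpose names, and the log format are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): server-side handling of the
// Global Privacy Control opt-out signal, plus the audit-ready log record
// the post says regulators will ask for.
//
// Relied-on facts: GPC-enabled browsers send the header "Sec-GPC: 1".
// Assumptions for illustration only: the site stores an explicit consumer
// choice in a cookie "cpra_optout" ("1" = opted out, "0" = opted back in),
// and the purposes below are the ones the site treats as sale/sharing.

const SALE_OR_SHARE_PURPOSES = new Set([
  "cross_context_behavioral_ads",
  "data_sale",
]);

// Case-insensitive header lookup; the spec's opt-out value is exactly "1".
// Any other value (or a missing header) means no signal was sent.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Decide whether sale/sharing is permitted for this request and record why.
// Precedence: a present GPC signal always opts the consumer out; otherwise a
// stored explicit choice applies; otherwise there is no opt-out on file.
function resolveOptOut(headers, cookies) {
  if (gpcSignalPresent(headers)) {
    return { optedOut: true, source: "gpc_signal" };
  }
  const stored = (cookies || {})["cpra_optout"];
  if (stored === "1") return { optedOut: true, source: "stored_choice" };
  if (stored === "0") return { optedOut: false, source: "stored_choice" };
  return { optedOut: false, source: "default_no_choice" };
}

// Filter the purposes a page wants to fire against the decision. Purposes
// not classified as sale/sharing are unaffected by an opt-out.
function allowedPurposes(decision, requestedPurposes) {
  return requestedPurposes.filter(
    (p) => !(decision.optedOut && SALE_OR_SHARE_PURPOSES.has(p))
  );
}

// Build the consent-log entry. Only a request id is kept, not raw
// identifiers, so the log itself does not become a new data-minimization
// problem; the request id ties the record to the web server's access log.
function consentLogEntry(requestId, decision, requested, now = new Date()) {
  const allowed = allowedPurposes(decision, requested);
  return {
    ts: now.toISOString(),
    requestId,
    optedOut: decision.optedOut,
    source: decision.source,
    suppressed: requested.filter((p) => !allowed.includes(p)),
    allowed,
  };
}

// Constructed sample request: a GPC-enabled browser whose stored choice says
// "opted in". The signal wins and the sale/sharing purposes are suppressed.
function demo() {
  const headers = { "Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0" };
  const cookies = { cpra_optout: "0" };
  const requested = [
    "analytics_first_party",
    "cross_context_behavioral_ads",
    "data_sale",
  ];
  const decision = resolveOptOut(headers, cookies);
  return consentLogEntry(
    "req-0001",
    decision,
    requested,
    new Date("2026-01-01T00:00:00Z")
  );
}
```

The decision has to be made server-side, before any tag, pixel, or partner call is emitted, because a scanner sees only whether the sale/sharing requests actually went out; a consent banner that later reads `navigator.globalPrivacyControl` can mirror the same state in the UI, but it cannot undo requests that have already fired. Keeping the `source` field in each log entry is what lets a business later show an examiner not just that a visitor was opted out, but why, and on which request.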

What Escalating CPPA Enforcement Means for Businesses and Privacy Infrastructure

The enforcement pressure from CalPrivacy is structural, not cyclical. Each mechanism described above adds capacity that doesn’t diminish over time, and each new body of regulation creates new categories of potential violations.

The summary below outlines how enforcement pressure is likely to evolve:

Timeframe / Key drivers

2026
  – Backlog of investigations from 2020–2023 being resolved
  – Audits Division operational and staffing up
  – DROP compliance deadline (August 1)
  – New 2026 regulations in force
  – Ongoing technology-driven sweeps

2026–2027
  – DROP complaint volume increasing
  – ADMT compliance deadline (January 1, 2027)
  – Multistate consortium investigations scaling
  – AB 2021 whistleblower law potentially enacted
  – New rulemaking finalized

2028 and beyond
  – First wave of risk assessment attestations and cybersecurity audit certifications submitted to CalPrivacy, giving the Audits Division a comprehensive, executive-certified compliance map of the California business landscape
  – Ongoing annual cycles of submissions and examinations

Ongoing
  – Complaint volume compounding through DROP
  – Technology scanning expanding
  – Multistate investigations becoming standard
  – Fines increasing as deterrence actions increase

The ten forces described above aren’t moving independently — they’re compounding. Each new regulation creates new audit criteria. Each new audit finding feeds the enforcement pipeline. Each new consortium member multiplies the jurisdictional reach of any single investigation.

Businesses that approach CCPA compliance as a periodic exercise are already operating with a structural disadvantage, and that gap will widen as the 2028 submission cycle approaches and rulemaking continues to expand the obligation set.

Usercentrics is built for exactly this environment. From automated consent collection and cross-environment consent governance to server-side data infrastructure, Usercentrics helps businesses move from reactive compliance to an always-audit-ready posture. 

Businesses should maintain documentation, consent logs, and signal integrity that regulators will expect to see. As CalPrivacy’s capacity grows and the regulatory landscape continues to evolve, having a consent infrastructure that scales with it isn’t a competitive advantage. It’s increasingly becoming a baseline requirement.


William Newmark