{"id":18267,"date":"2026-03-27T15:20:28","date_gmt":"2026-03-27T14:20:28","guid":{"rendered":"https:\/\/stage.usercentrics.com\/us\/?post_type=knowledge&#038;p=18267"},"modified":"2026-03-31T14:39:15","modified_gmt":"2026-03-31T12:39:15","slug":"cppa-enforcement-risk","status":"publish","type":"knowledge","link":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/","title":{"rendered":"CPPA Enforcement Is Escalating: The Legal and Financial Risks U.S. Businesses Face Now"},"content":{"rendered":"\n<p>If your company collects data from California residents, your regulatory exposure has changed materially in the past 18 months. And this applies whether or not you&#8217;ve received any notice from the California Privacy Protection Agency (now publicly known as CalPrivacy).<\/p>\n\n\n\n<p>There\u2019s a new Audits Division and automated website scanning will open investigations without a single consumer complaint. A nine-state enforcement coalition can turn a California investigation into a multistate one overnight. The penalty philosophy is explicitly designed to deter entire industries, not just correct individual businesses.&nbsp;<\/p>\n\n\n\n<p>These aren&#8217;t future risks on a roadmap: they&#8217;re operational today. This article breaks down ten structural forces behind the escalation and what they mean for U.S. 
businesses managing privacy risk right now.<\/p>\n\n\n<div class=\"uc-key-takeaways\">\n    <div class=\"uc-key-takeaways__container\">\n        <h2 class=\"uc-key-takeaways__title uc-key-takeaways__heading-variarion like-h3\">\n            At a glance        <\/h2>\n        <div class=\"uc-key-takeaways__content\">\n            <div class=\"uc-key-takeaways__content__inner\">\n                <div class=\"uc-accordion-item uc-accordion-item--opened\">\n    <span class=\"uc-accordion-item__title no-default-margin\">    <button class=\"uc-accordion-item__button\"\n            aria-expanded=\"true\"\n            tabindex=\"0\"\n            aria-label=\"Toggle accordion item\">\n        Key Takeaways    <\/button>\n    <\/span>    <div class=\"uc-accordion-item__content\">\n        <div class=\"uc-accordion-item__content__inner\">\n            \n\n<ul class=\"wp-block-list\">\n<li><strong>Investigations open without a complaint or warning.<\/strong> CalPrivacy autonomously scans and initiates investigations of public-facing websites for GPC non-compliance, broken opt-outs, and dark patterns.<\/li>\n\n\n\n<li><strong>Fixing a violation before CalPrivacy calls doesn&#8217;t protect you from a fine.<\/strong> The March 2026 PlayOn Sports settlement established that prior remediation is no longer a penalty shield.<\/li>\n\n\n\n<li><strong>One California investigation can expand to eight additional states simultaneously.<\/strong> The nine-state Consortium of Privacy Regulators coordinates investigations, shares evidence, and pursues joint enforcement actions.<\/li>\n\n\n\n<li><strong>2026 brought the largest wave of new CCPA obligations since the law took effect.<\/strong> Privacy risk assessments, cybersecurity audits, and automated decision-making rules are now in force.&nbsp;<\/li>\n\n\n\n<li><strong>The 2028 submission deadline hands CalPrivacy a structured map of every business&#8217;s compliance posture<\/strong>, and a ready-made list of investigative 
leads.<\/li>\n\n\n\n<li><strong>Mid-market businesses are not too small to be targeted.<\/strong> Enforcement targets are chosen for industry-wide signaling value, not company size.&nbsp;<\/li>\n<\/ul>\n\n        <\/div>\n    <\/div>\n<\/div>\n\n            <\/div>\n        <\/div>\n    <\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-1-calprivacy-is-working-through-years-of-accumulated-enforcement-backlog\">1. CalPrivacy Is Working Through Years of Accumulated Enforcement Backlog<\/h2>\n\n\n\n<p>CalPrivacy&#8217;s Enforcement Division only gained formal enforcement authority in July 2023, even though the <a href=\"https:\/\/usercentrics.com\/us\/ccpa\/\">California Consumer Privacy Act (CCPA) <\/a>has been in effect since January 1, 2020. That three-year gap only deferred potential violations; it didn\u2019t erase them.<\/p>\n\n\n\n<p>When CalPrivacy opened its <a href=\"https:\/\/cppa.ca.gov\/announcements\/2025\/20250930.html#:~:text=The%20CPPA%20opened%20an%20investigation%20into%20Tractor,entering%20into%20contracts%20that%20contain%20privacy%20protections\" target=\"_blank\" rel=\"noreferrer noopener\">investigation into Tractor Supply<\/a> in 2024, it sought records going back to 2020, and Tractor Supply accepted the agency&#8217;s authority to examine the full operative period of the law. For businesses that assumed earlier conduct was beyond reach, that precedent is worth understanding.<\/p>\n\n\n\n<p>Between July 2023 and September 2025, CalPrivacy received 8,265 consumer complaints, roughly 150 per week. By early 2026, the agency reported more than 100 active investigations running simultaneously. Many businesses under examination are not aware it has started.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-2-the-cppa-audits-division-is-operational-and-not-waiting-for-complaints\">2. 
The CPPA Audits Division Is Operational and Not Waiting for Complaints<\/h2>\n\n\n\n<p>In February 2026, CalPrivacy formally stood up its Audits Division under inaugural Chief Privacy Auditor Sabrina Boyson Ross, fulfilling a mandate written into the <a href=\"https:\/\/usercentrics.com\/us\/cpra\/\">California Privacy Rights Act (CPRA)<\/a> when voters passed Proposition 24 in 2020. For the first five-plus years of the law, no dedicated audit function existed.<\/p>\n\n\n\n<p>The Audits Division alters the risk calculus for businesses in several ways:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-no-complaint-required\">No complaint required<\/h3>\n\n\n\n<p>Unlike the Enforcement Division, which is largely driven by consumer complaints and reported incidents, the Audits Division can examine any CCPA-covered business at any time based on sector risk, regulatory priority, or its own independent research.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-technical-depth\">Technical depth<\/h3>\n\n\n\n<p>Chief Auditor Ross&#8217;s background at Meta signals a methodology focused on how systems actually work \u2014 data flows, technical configurations, system architecture \u2014 not just whether policy documents say the right things. That&#8217;s precisely where most compliance failures occur.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-a-direct-pipeline-to-enforcement\">A direct pipeline to enforcement<\/h3>\n\n\n\n<p>An audit is not a parallel track. 
Findings can be referred to the Enforcement Division, making an audit examination an earlier stage of the same process that can end with fines and mandatory remediation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-growing-capacity\">Growing capacity<\/h3>\n\n\n\n<p>The division is actively hiring, which means its ability to run simultaneous examinations across sectors will increase over time.<\/p>\n\n\n\n<p>CalPrivacy has stated publicly that education and prevention remain priorities alongside enforcement. The <a href=\"https:\/\/cppa.ca.gov\/pdf\/2025_annual_report.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">2025 CalPrivacy Annual Report<\/a> describes plans for stakeholder meetings, plain-language guidance, and webinars to support business readiness.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-3-three-new-compliance-categories-took-effect-january-1-2026\">3. Three New Compliance Categories Took Effect January 1, 2026<\/h2>\n\n\n\n<p>The largest single expansion of CCPA obligations since the law took effect arrived at the start of 2026. Businesses that were fully aligned with California privacy law in 2024 may not be today.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-privacy-risk-assessments\">Privacy Risk Assessments<\/h3>\n\n\n\n<p>Businesses engaged in high-risk processing must now conduct and document formal risk assessments before beginning new processing activities. For activities already underway, assessments must be completed by December 31, 2027. The threshold is triggered by selling or sharing personal information, processing sensitive data, using automated decision-making for significant decisions, or training AI systems on personal data.<\/p>\n\n\n\n<p>CalPrivacy has signaled it will begin requesting risk assessments during active investigations well ahead of the 2028 submission deadline. 
The March 2026 <a href=\"https:\/\/privacy.ca.gov\/2026\/03\/youth-sports-media-company-to-pay-1-1-million-fine-change-practices-over-privacy-violations\/\" target=\"_blank\" rel=\"noreferrer noopener\">PlayOn Sports settlement<\/a> included a mandatory risk assessment as a remedial condition\u2014confirming that the agency treats this as an active enforcement tool, not a future obligation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-cybersecurity-audits\">Cybersecurity Audits<\/h3>\n\n\n\n<p>Annual independent cybersecurity audits are now required for businesses whose data processing presents significant risk to California consumers.&nbsp;<\/p>\n\n\n\n<p>These audits must cover 18 specified technical and organizational components [<a href=\"https:\/\/cppa.ca.gov\/regulations\/pdf\/ccpa_updates_cyber_risk_admt_ins_text.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Cal. Code Regs. tit. 11, \u00a7 7123(b)-(c)<\/a>], be conducted by a qualified independent professional, and be certified annually by a member of executive management under penalty of perjury. There&#8217;s no prior analog to this requirement under the CCPA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-automated-decision-making-technology-admt\">Automated Decision-Making Technology (ADMT)<\/h3>\n\n\n\n<p>Businesses using AI and automated systems to make significant decisions about consumers in sectors like employment, housing, credit, education, or healthcare must comply with new notice and opt-out requirements from January 1, 2027. Risk assessment obligations for those same systems are already in force.<\/p>\n\n\n\n<p>The ADMT definition is deliberately broad. 
Machine learning models, rule-based scoring systems, and analytics tools that materially shape decisions about individuals all fall within scope, regardless of whether a business labels them &#8220;AI.&#8221; Companies that use third-party scoring or decisioning tools should assess whether those tools meet the threshold.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-4-the-2028-submission-deadline-is-an-enforcement-launchpad-not-just-a-filing-requirement\">4. The 2028 Submission Deadline Is an Enforcement Launchpad, Not Just a Filing Requirement<\/h2>\n\n\n\n<p>Beginning April 1, 2028, businesses must submit to CalPrivacy:<\/p>\n\n\n\n<div class=\"uc-article-list-timeline uc-article-list-timeline--empty-header uc-article-list-timeline--no-image uc-ctx--base\" style=\"\">\n        <div class=\"uc-article-list-timeline__list\">\n                    <div class=\"uc-article-list-timeline__item\">\n                <div class=\"uc-article-list-timeline__item-graphics \">\n                    <div class=\"uc-article-list-timeline__item-bullet uc-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"uc-article-list-timeline__item-content\">\n                                        <div class=\"uc-article-list-timeline__item-description\">\n                        <p>Executive-certified attestations confirming that required privacy risk assessments were completed for 2026 and 2027 processing activities<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"uc-article-list-timeline__item\">\n                <div class=\"uc-article-list-timeline__item-graphics 
\">\n                    <div class=\"uc-article-list-timeline__item-bullet uc-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"uc-article-list-timeline__item-content\">\n                                        <div class=\"uc-article-list-timeline__item-description\">\n                        <p>Summary information from those assessments, signed by a senior executive with direct compliance responsibility<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"uc-article-list-timeline__item\">\n                <div class=\"uc-article-list-timeline__item-graphics \">\n                    <div class=\"uc-article-list-timeline__item-bullet uc-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"uc-article-list-timeline__item-content\">\n                                        <div class=\"uc-article-list-timeline__item-description\">\n                        <p>Annual cybersecurity audit certifications on a staggered schedule: large businesses from 2028, mid-size from 2029, smaller businesses from 2030 (all signed under penalty of perjury)<\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n            <\/div>\n<\/div>\n\n\n\n<p>For the first time, CalPrivacy will hold a 
structured, economy-wide picture of compliance across every sector in California. Submissions that reveal gaps or make claims the agency has reason to doubt create ready-made grounds for an audit referral. Executives who certify compliance that doesn&#8217;t hold up face personal liability \u2014 not just corporate exposure \u2014 for false certification.<\/p>\n\n\n\n<p>The 2028 deadline is generating the records CalPrivacy&#8217;s Audits Division will scrutinize. Businesses should be building those records now.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-5-drop-is-live-and-complaint-volume-is-rising\">5. DROP Is Live and Complaint Volume Is Rising<\/h2>\n\n\n\n<p>The <a href=\"https:\/\/privacy.ca.gov\/drop\/\" target=\"_blank\" rel=\"noreferrer noopener\">Delete Request and Opt-Out Platform (DROP)<\/a> launched January 1, 2026, enabling any California resident to submit a single deletion request to all 500-plus registered data brokers simultaneously. Within the first two months, more than 217,000 residents had enrolled. CalPrivacy Executive Director Tom Kemp has publicly stated he expects complaint volume to climb as DROP&#8217;s user base grows.<\/p>\n\n\n\n<p>The obligation for data brokers to actually process and fulfill DROP requests begins August 1, 2026, after which non-fulfillment triggers immediate enforcement exposure with no cure period.&nbsp;<\/p>\n\n\n\n<p>The fine structure compounds quickly: USD 200 per day for each unprocessed deletion request, plus a separate USD 200 per day for any registration lapse. For data brokers managing large volumes of consumer records, that exposure accumulates fast.<\/p>\n\n\n\n<p>DROP creates a permanent, consumer-powered monitoring mechanism. Every enrolled resident is an ongoing check on whether brokers honor their obligations. 
Every unfulfilled request is a potential enforcement referral.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-6-automated-detection-means-your-website-can-trigger-an-investigation\">6. Automated Detection Means Your Website Can Trigger an Investigation<\/h2>\n\n\n\n<p>CalPrivacy&#8217;s dedicated technology team conducts independent research into privacy harms and data flows, and this is entirely separate from consumer complaint intake. 
Using automated scanning of public-facing websites and applications, it assesses non-compliance at scale, with a particular focus on <a href=\"https:\/\/usercentrics.com\/us\/knowledge-hub\/global-privacy-control-gpc-usercentrics-signaling\/\">Global Privacy Control (GPC)<\/a> signal recognition, opt-out mechanism functionality, dark patterns in consent interfaces, and <a href=\"https:\/\/usercentrics.com\/us\/knowledge-hub\/beginners-guide-to-website-tracking\/\">consent banner behavior<\/a>.<\/p>\n\n\n\n<p>In September 2025, CalPrivacy and partner attorneys general in Connecticut and Colorado announced a joint investigative sweep targeting businesses failing to honor GPC signals. Every business on that list was identified through automated technical monitoring. No consumer complaints, no tips.<\/p>\n\n\n\n<p>For U.S. businesses, the practical implication is direct: a non-compliant consent setup on your website is not a private matter. It&#8217;s visible to regulators through automated tools that operate continuously.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-7-a-single-calprivacy-investigation-can-now-span-nine-states\">7. A Single CalPrivacy Investigation Can Now Span Nine States<\/h2>\n\n\n\n<p>In April 2025, nine state privacy regulators formalized their coordination through a memorandum of understanding establishing the <a href=\"https:\/\/cppa.ca.gov\/announcements\/2025\/20250416.html\" target=\"_blank\" rel=\"noreferrer noopener\">Consortium of Privacy Regulators<\/a>. 
The consortium includes CalPrivacy and California&#8217;s Attorney General, alongside regulators from Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon.<\/p>\n\n\n\n<p>The consortium&#8217;s structure has concrete implications for any business operating across multiple states:<\/p>\n\n\n\n<div class=\"uc-article-list-timeline uc-article-list-timeline--empty-header uc-article-list-timeline--no-image uc-ctx--base\" style=\"\">\n        <div class=\"uc-article-list-timeline__list\">\n                    <div class=\"uc-article-list-timeline__item\">\n                <div class=\"uc-article-list-timeline__item-graphics \">\n                    <div class=\"uc-article-list-timeline__item-bullet uc-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"uc-article-list-timeline__item-content\">\n                                        <div class=\"uc-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">A CalPrivacy investigation can expand to include eight other states without any additional triggering event.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"uc-article-list-timeline__item\">\n                <div class=\"uc-article-list-timeline__item-graphics \">\n                    <div class=\"uc-article-list-timeline__item-bullet uc-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 
12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"uc-article-list-timeline__item-content\">\n                                        <div class=\"uc-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Evidence developed in one state&#8217;s investigation is available to inform parallel or subsequent investigations by consortium members.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"uc-article-list-timeline__item\">\n                <div class=\"uc-article-list-timeline__item-graphics \">\n                    <div class=\"uc-article-list-timeline__item-bullet uc-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"uc-article-list-timeline__item-content\">\n                                        <div class=\"uc-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">Resolving a violation with CalPrivacy does not close the matter in other member states. 
The same conduct can be investigated and penalized independently.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"uc-article-list-timeline__item\">\n                <div class=\"uc-article-list-timeline__item-graphics \">\n                    <div class=\"uc-article-list-timeline__item-bullet uc-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"uc-article-list-timeline__item-content\">\n                                        <div class=\"uc-article-list-timeline__item-description\">\n                        <p><span style=\"font-weight: 400;\">The consortium&#8217;s shared priorities of GPC compliance, data broker registration, children&#8217;s data, and dark patterns create a unified enforcement agenda across nine jurisdictions.<\/span><\/p>\n                    <\/div>\n                <\/div>\n            <\/div>\n            <\/div>\n<\/div>\n\n\n\n<p>Legal observers have compared this dynamic to the multistate data breach enforcement coalitions of the 2010s, which produced landmark settlements and reshaped how businesses approached security investment. A comparable pattern is emerging in privacy law enforcement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-8-proposed-whistleblower-legislation-could-open-enforcement-from-inside-your-organization\">8. 
Proposed Whistleblower Legislation Could Open Enforcement from Inside Your Organization<\/h2>\n\n\n\n<p><a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=202520260AB2021\" target=\"_blank\" rel=\"noreferrer noopener\">AB 2021<\/a>, introduced in February 2026 by Assembly Member Pilar Schiavo, is modeled on the <a href=\"https:\/\/www.sec.gov\/enforcement-litigation\/whistleblower-program\" target=\"_blank\" rel=\"noreferrer noopener\">SEC whistleblower program<\/a>.&nbsp;<\/p>\n\n\n\n<p>If enacted, it would establish financial awards of 15 to 33 percent of collected fines or settlement proceeds for verified whistleblower reports, the ability to file anonymously through legal counsel, anti-retaliation protections for employees and contractors, and a standalone civil cause of action for anyone who faces retaliation for reporting.<\/p>\n\n\n\n<p>CalPrivacy&#8217;s existing enforcement tools, including automated scanning, consumer complaints, and audit authority, all operate from the outside. AB 2021 would add enforcement intelligence sourced from inside the organizations being regulated.&nbsp;<\/p>\n\n\n\n<p>Employees and contractors with direct knowledge of internal privacy decisions, system configurations, or quietly deprioritized compliance obligations would have a meaningful financial incentive to bring that information forward.<\/p>\n\n\n\n<p>The SEC program has generated some of the largest enforcement actions in the history of financial regulation\u2014not because regulators got better at detecting violations from the outside, but because insiders started bringing evidence directly to them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-9-self-remediating-before-calprivacy-calls-no-longer-protects-you\">9. 
Self-Remediating Before CalPrivacy Calls No Longer Protects You<\/h2>\n\n\n\n<p>For much of CalPrivacy&#8217;s short enforcement history, the implicit expectation was that businesses identifying and fixing their own compliance issues before agency contact would receive some credit for doing so. The March 2026 PlayOn Sports settlement ended that assumption.<\/p>\n\n\n\n<p>PlayOn had found and remediated its compliance failures in December 2024. This was months before CalPrivacy made contact. The agency imposed a USD 1.1 million penalty regardless, and its public statements made the intent explicit: the fine was calibrated to deter an entire industry, not to correct one company&#8217;s behavior.<\/p>\n\n\n\n<p>Several things follow from that shift:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-prior-remediation-is-no-longer-a-reliable-mitigant\">Prior remediation is no longer a reliable mitigant<\/h3>\n\n\n\n<p>Fixing violations before agency contact may still be the right operational decision, but it does not insulate a business from significant penalties, especially in cases involving minors, as in PlayOn Sports.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-penalty-sizes-reflect-deterrence-objectives-not-violation-cost\">Penalty sizes reflect deterrence objectives, not violation cost<\/h3>\n\n\n\n<p>Fines are set to produce industry-wide behavioral change, which means they will often exceed what the specific violation would seem to warrant.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-enforcement-targets-are-selected-for-their-signaling-value\">Enforcement targets are selected for their signaling value<\/h3>\n\n\n\n<p>PlayOn put youth sports and subscription media on notice; Tractor Supply addressed rural retail; Honda addressed automotive, and with <a href=\"https:\/\/oag.ca.gov\/news\/press-releases\/california-wont-let-it-go-attorney-general-bonta-announces-275-million\" target=\"_blank\" rel=\"noreferrer noopener\">Disney\u2019s settlement 
with the California Attorney General<\/a>, entertainment. Each action reached an entire industry through a single case.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-captive-audience-doctrine-is-portable\">The &#8220;captive audience&#8221; doctrine is portable<\/h3>\n\n\n\n<p>CalPrivacy&#8217;s enforcement position in PlayOn \u2014 that consumers who had no meaningful alternative deserved heightened protection \u2014 applies directly to subscription platforms, workplace tools, ticketing services, and any context where opting out is genuinely difficult.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-10-active-rulemaking-will-expand-obligations-through-2027-and-beyond\">10. Active Rulemaking Will Expand Obligations Through 2027 and Beyond<\/h2>\n\n\n\n<p>CalPrivacy has four confirmed rulemaking areas underway, each of which will add new obligations and create new grounds for enforcement.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-employee-and-contractor-data\">Employee and contractor data<\/h3>\n\n\n\n<p>CCPA protections for job applicants, employees, and contractors have often been treated as a lower-burden category. Upcoming rulemaking is expected to clarify and expand what businesses must do to protect employment-related personal information. This is an area where many businesses have limited documentation practices.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-privacy-policy-standards\">Privacy policy standards<\/h3>\n\n\n\n<p>Readability, accuracy, and disclosure completeness are all under review. 
A privacy policy that passed muster in 2024 may not satisfy what CalPrivacy finalizes for 2026 or 2027, and outdated privacy policies have already featured in enforcement actions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-opt-out-preference-signals\">Opt-out preference signals<\/h3>\n\n\n\n<p>CalPrivacy is moving to codify and expand the obligation to recognize and honor browser-level opt-out signals, including GPC. What is currently a compliance expectation enforced through investigations will become a formal, auditable regulatory requirement.<\/p>\n\n\n\n<p>A fourth rulemaking area has been confirmed but not yet publicly described. Its scope and timeline remain unknown. Each rulemaking package creates new legal obligations, new audit and examination standards, and new grounds for enforcement action.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-this-means-for-u-s-businesses\">What This Means for U.S. Businesses<\/h2>\n\n\n\n<p>For companies operating in California, the enforcement picture CalPrivacy has built isn&#8217;t abstract regulatory risk. 
It&#8217;s a concrete and growing set of mechanisms that affect businesses of all sizes operating across California and the consortium&#8217;s eight other member states.<\/p>\n\n\n\n<p>The table below summarizes how enforcement pressure is likely to evolve.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Timeframe<\/strong><\/th><th><strong>Key Drivers<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>2026<\/strong><\/td><td>&#8211; Backlog of investigations from 2020\u20132023 being resolved<br>&#8211; Audits Division operational and hiring<br>&#8211; DROP compliance deadline (August 1, 2026)<br>&#8211; 2026 regulations, including risk assessments, cybersecurity audits, and ADMT, are in force<br>&#8211; Automated detection sweeps ongoing<\/td><\/tr><tr><td><strong>2026\u20132027<\/strong><\/td><td>&#8211; DROP complaint volume increasing<br>&#8211; ADMT notice and opt-out requirements take effect January 1, 2027<br>&#8211; Consortium joint investigations expanding<br>&#8211; AB 2021 whistleblower legislation progressing<br>&#8211; New rulemaking packages being finalized<\/td><\/tr><tr><td><strong>2028 and beyond<\/strong><\/td><td>&#8211; First wave of executive-certified risk assessment attestations and cybersecurity audit certifications submitted<br>&#8211; Audits Division gains an economy-wide compliance map<br>&#8211; Annual submission and examination cycles begin<\/td><\/tr><tr><td><strong>Ongoing<\/strong><\/td><td>&#8211; DROP enrolment growing; automated scanning capacity expanding<br>&#8211; Multi-state enforcement becoming routine<br>&#8211; Penalty levels rising as the deterrence approach compounds<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The ten forces described here compound. Each new regulation creates new audit criteria. Each audit finding feeds the enforcement pipeline. 
Each new consortium member multiplies the jurisdictional reach of any single investigation.<\/p>\n\n\n\n<p>Businesses that treat CCPA obligations as a periodic checklist are already operating at a structural disadvantage, and that gap widens as the 2028 submission cycle approaches.<\/p>\n\n\n\n<p>Usercentrics is built for this environment. From automated consent collection and cross-environment consent governance to <a href=\"https:\/\/usercentrics.com\/us\/server-side-tracking-solution\/\">server-side data infrastructure<\/a>, Usercentrics helps businesses move from reactive risk management to an always-audit-ready posture\u2014with the documentation, consent logs, and signal integrity that regulators will ask to see.<\/p>\n\n\n<div id=\"uc-cta_69d4f6cf408d8\" class=\"uc-cta uc-cta--button uc-cta--size-full uc-cta--primary uc-ctx--blue\">\n    <div class=\"uc-cta__inner container\">\n        <div class=\"uc-cta__content\">\n                                        <div class=\"uc-cta__heading no-default-margin\">CalPrivacy doesn&#8217;t wait for you to be ready<\/div>\n                                        <div class=\"uc-cta__description\">\n                    <p><span style=\"font-weight: 400;\">With automated scanning, an active Audits Division, and over 100 open investigations, enforcement doesn&#8217;t require a complaint or a warning. 
Start your 14-day free trial with Usercentrics and close data privacy gaps.<\/span><\/p>\n                <\/div>\n                                                                    <\/div>\n                            <div class=\"uc-cta__section\">\n                                        <a id=\"82f65ed2-2825-4d9c-98dd-58b3d2e093ec\" class=\"uc-button uc-button-size-m uc-button-contained  no-default-link-decoration\" href=\"https:\/\/usercentrics.com\/free-trial\/\" target=\"\"><span>Start free trial<\/span><\/a>                                    <\/div>\n            <\/div>\n<\/div>\n    <script type=\"module\">\n        new Uc_Cta(document.getElementById(\"uc-cta_69d4f6cf408d8\"));\n    <\/script>\n","protected":false},"excerpt":{"rendered":"<p>CalPrivacy&#8217;s enforcement apparatus has expanded dramatically: a new Audits Division, automated website scanning, the nine-state Consortium of Privacy Regulators, and a deterrence-first penalty philosophy. For U.S. businesses, the risk is no longer theoretical as investigations can open without warning, and fixing a violation before agency contact doesn&#8217;t guarantee avoiding a fine. Learn about the 10 areas driving enforcement.<\/p>\n","protected":false},"featured_media":18269,"template":"","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"tags":[],"magazine_issue":[],"magazine_tag":[],"resource_tag":[],"class_list":["post-18267","knowledge","type-knowledge","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"<title>CPPA Enforcement: What U.S. Businesses Risk in 2026<\/title>\n<meta name=\"description\" content=\"CalPrivacy now uses automated detection, an Audits Division, and a nine-state coalition. 
Penalties don&#039;t require a complaint or prior notice.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CPPA Enforcement Is Escalating: The Legal and Financial Risks U.S. Businesses Face Now\" \/>\n<meta property=\"og:description\" content=\"CalPrivacy now uses automated detection, an Audits Division, and a nine-state coalition. Penalties don&#039;t require a complaint or prior notice.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/\" \/>\n<meta property=\"og:site_name\" content=\"Usercentrics - US\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/usercentrics\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-31T12:39:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2026\/03\/UC-SoMe-CPPA-enforcement-1000x630px.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@usercentrics\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/\",\"url\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/\",\"name\":\"CPPA Enforcement: What U.S. Businesses Risk in 2026\",\"isPartOf\":{\"@id\":\"https:\/\/usercentrics.com\/us\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2026\/03\/UC-Hero-CPPA-enforcement-1000x1000-1.jpg\",\"datePublished\":\"2026-03-27T14:20:28+00:00\",\"dateModified\":\"2026-03-31T12:39:15+00:00\",\"description\":\"CalPrivacy now uses automated detection, an Audits Division, and a nine-state coalition. 
Penalties don't require a complaint or prior notice.\",\"breadcrumb\":{\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/\"}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/#primaryimage\",\"url\":\"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2026\/03\/UC-Hero-CPPA-enforcement-1000x1000-1.jpg\",\"contentUrl\":\"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2026\/03\/UC-Hero-CPPA-enforcement-1000x1000-1.jpg\",\"width\":1000,\"height\":1000,\"copyrightNotice\":\"\u00a9 Copyright 2026 Usercentrics GmbH\",\"creator\":{\"@type\":\"Organization\",\"name\":\"Usercentrics GmbH\"},\"creditText\":\"Image: Usercentrics GmbH\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Resources\",\"item\":\"https:\/\/usercentrics.com\/us\/resources\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"CPPA Enforcement Is Escalating: The Legal and Financial Risks U.S. 
Businesses Face Now\",\"item\":\"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/usercentrics.com\/us\/#website\",\"url\":\"https:\/\/usercentrics.com\/us\/\",\"name\":\"Usercentrics - US\",\"description\":\"Consent Management Platform (CMP) Usercentrics\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/usercentrics.com\/us\/?s={search_term_string}\"}}],\"inLanguage\":\"en-US\"}]}<\/script>","yoast_head_json":{"title":"CPPA Enforcement: What U.S. Businesses Risk in 2026","description":"CalPrivacy now uses automated detection, an Audits Division, and a nine-state coalition. Penalties don't require a complaint or prior notice.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/","og_locale":"en_US","og_type":"article","og_title":"CPPA Enforcement Is Escalating: The Legal and Financial Risks U.S. Businesses Face Now","og_description":"CalPrivacy now uses automated detection, an Audits Division, and a nine-state coalition. Penalties don't require a complaint or prior notice.","og_url":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/","og_site_name":"Usercentrics - US","article_publisher":"https:\/\/www.facebook.com\/usercentrics","article_modified_time":"2026-03-31T12:39:15+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2026\/03\/UC-SoMe-CPPA-enforcement-1000x630px.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_site":"@usercentrics","twitter_misc":{"Est. 
reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/","url":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/","name":"CPPA Enforcement: What U.S. Businesses Risk in 2026","isPartOf":{"@id":"https:\/\/usercentrics.com\/us\/#website"},"primaryImageOfPage":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/#primaryimage"},"image":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/#primaryimage"},"thumbnailUrl":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2026\/03\/UC-Hero-CPPA-enforcement-1000x1000-1.jpg","datePublished":"2026-03-27T14:20:28+00:00","dateModified":"2026-03-31T12:39:15+00:00","description":"CalPrivacy now uses automated detection, an Audits Division, and a nine-state coalition. Penalties don't require a complaint or prior notice.","breadcrumb":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/"}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/#primaryimage","url":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2026\/03\/UC-Hero-CPPA-enforcement-1000x1000-1.jpg","contentUrl":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2026\/03\/UC-Hero-CPPA-enforcement-1000x1000-1.jpg","width":1000,"height":1000,"copyrightNotice":"\u00a9 Copyright 2026 Usercentrics GmbH","creator":{"@type":"Organization","name":"Usercentrics GmbH"},"creditText":"Image: Usercentrics 
GmbH"},{"@type":"BreadcrumbList","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Resources","item":"https:\/\/usercentrics.com\/us\/resources\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/usercentrics.com\/us\/knowledge-hub\/"},{"@type":"ListItem","position":3,"name":"CPPA Enforcement Is Escalating: The Legal and Financial Risks U.S. Businesses Face Now","item":"https:\/\/usercentrics.com\/us\/knowledge-hub\/cppa-enforcement-risk\/"}]},{"@type":"WebSite","@id":"https:\/\/usercentrics.com\/us\/#website","url":"https:\/\/usercentrics.com\/us\/","name":"Usercentrics - US","description":"Consent Management Platform (CMP) Usercentrics","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/usercentrics.com\/us\/?s={search_term_string}"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge\/18267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge"}],"about":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/types\/knowledge"}],"version-history":[{"count":0,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge\/18267\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/media\/18269"}],"wp:attachment":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/media?parent=18267"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/tags?post=18267"},{"taxonomy":"magazine_issue","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/magazine_issue?post=18267"},{"taxonomy":"magazine_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/magazine_tag?post=18267"},{"taxonomy":"resource_tag","embeddable":true,"hr
ef":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/resource_tag?post=18267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}