California Consumer Privacy Act (CCPA)

On September 30, 2025, the California Privacy Protection Agency (“Agency”) announced a decision and $1.35 million fine to resolve allegations that Tractor Supply Co. (“Tractor Supply”) violated the California Consumer Privacy Act (“CCPA”). The settlement comes after the Agency filed a petition to enforce an investigative subpoena against Tractor Supply. In addition to imposing the Agency’s largest fine to date, the settlement also marks the Agency’s first enforcement action related to job applicant personal data. Similar to the enforcement actions against American Honda Motor Co., Inc. and Todd Snyder, Inc., the Agency continues to focus on how businesses facilitate consumer rights under the CCPA.Continue Reading California Privacy Agency Fines Tractor Supply $1.35 Million Over CCPA Violations

The California Civil Rights Council and the California Privacy Protection Agency have recently passed regulations that impose requirements on employers who use “automated-decision systems” or “automated decisionmaking technology,” respectively, in employment decisions or certain HR processes. On the legislative side, the California Legislature passed SB 7, which would impose

Continue Reading Navigating California’s New and Emerging AI Employment Regulations

Earlier this month, the California Privacy Protection Agency (“CPPA”) filed a petition in Sacramento County Superior Court to enforce an investigative subpoena against Tractor Supply Company (“Tractor Supply”). Continue Reading California Privacy Protection Agency Asks Court To Enforce Its Subpoena Authority

On July 1, 2025, California Attorney General Bonta announced a $1.55 million settlement, pending court approval, related to allegations that Healthline.com, a website where consumers can read informational articles about medical and health topics, violated the California Consumer Privacy Act (“CCPA”) and the California Unfair Competition Law.Continue Reading California Attorney General Announces $1.55M CCPA Settlement with Healthline.com

On May 6, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $345,178 fine related to allegations that Todd Snyder, Inc. violated the California Consumer Privacy Act (“CCPA”) and requirements to change its business practices.Continue Reading Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations

On March 12, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $632,500 fine related to allegations that American Honda Motor Co., Inc. (“Honda”) violated the California Consumer Privacy Act (“CCPA”).Continue Reading Honda Settles CPPA Allegations Regarding California Consumer Privacy Act Violations

On April 2, the Enforcement Division of the California Privacy Protection Agency issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.”  The Advisory highlights certain provisions of and regulations promulgated under the California Consumer Privacy Act (“CCPA”) that “reflect the concept of data minimization” and provides two examples that illustrate how businesses may apply data minimization principles in certain scenarios.Continue Reading California Privacy Protection Agency Issues Enforcement Advisory on Data Minimization

On April 3, at the International Association of Privacy Professionals’ global privacy conference, California Privacy Protection Agency (“CPPA”) Executive Director Ashkan Soltani gave remarks on his agency’s priorities with respect to rulemaking and administrative enforcement of the California Consumer Privacy Act (“CCPA”).  Below we provide a few key takeaways:Continue Reading CPPA Executive Director Remarks on Policy and Enforcement Priorities

At its March 8, 2024 meeting, the Board of the California Privacy Protection Agency (“CPPA”) moved, by a 3-2 vote, to advance proposed regulations addressing automated decision-making technology (“ADMT”) and risk assessments for the processing of personal information.  Notably, the Board’s vote only allows staff to begin paperwork preliminary to a rulemaking; it did not actually initiate the formal rulemaking process.  At the meeting, the CPPA Staff clarified that the Board will need to re-review the draft rules for ADMT, privacy risk assessments, and cyber audits and vote again to initiate the rulemaking process.  The CPPA’s General Counsel Philip Laird said he expects the Board will vote to begin the formal rulemaking process for all three topics in July 2024, at the earliest.  Once formal rulemaking begins, the Board has one year to finalize the regulations, per California’s Administrative Procedure Act.Continue Reading California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments