CPPA

On January 8, 2026, the California Privacy Protection Agency (“CalPrivacy”) announced an enforcement action against Rickenbacher Data LLC (d/b/a “Datamasters”), an information reseller, for failing to register as a data broker under the California Delete Act.  Datamasters agreed to pay a $45,000 administrative fine, among other remedial measures.  In November, CalPrivacy launched a Data Broker Enforcement Strike Force within its enforcement division to investigate violations of the law in the data broker industry, which builds upon a 2024 investigative sweep into data broker compliance.

Continue Reading CalPrivacy Announces $45,000 Fine Against Data Broker for Delete Act Violations

Last week, the Global Privacy Enforcement Network (“GPEN”)—a global network of over 30 national data protection authorities—announced the launch of its annual privacy sweep. The purpose of the sweep is to examine how websites and mobile applications commonly used by children handle minors’ personal information. Members of GPEN include regulators who have long prioritized protections for children and teens, such as the Federal Trade Commission (“FTC”), the California Attorney General, the California Privacy Protection Agency, the UK Information Commissioner’s Office, the French Commission Nationale de l’Informatique et des Libertés (“CNIL”), and the Irish Data Protection Commission.

Continue Reading Global Privacy Regulators Launch Enforcement Sweep Focused on Children’s Data Protection

Earlier this month, the California Privacy Protection Agency (“CPPA”) filed a petition in Sacramento County Superior Court to enforce an investigative subpoena against Tractor Supply Company (“Tractor Supply”). 

Continue Reading California Privacy Protection Agency Asks Court To Enforce Its Subpoena Authority

On May 6, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $345,178 fine related to allegations that Todd Snyder, Inc. violated the California Consumer Privacy Act (“CCPA”) and requirements to change its business practices.

Continue Reading Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations

On March 12, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $632,500 fine related to allegations that American Honda Motor Co., Inc. (“Honda”) violated the California Consumer Privacy Act (“CCPA”).

Continue Reading Honda Settles CPPA Allegations Regarding California Consumer Privacy Act Violations

On April 2, the Enforcement Division of the California Privacy Protection Agency issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.”  The Advisory highlights certain provisions of and regulations promulgated under the California Consumer Privacy Act (“CCPA”) that “reflect the concept of data minimization” and provides two examples that illustrate how businesses may apply data minimization principles in certain scenarios.

Continue Reading California Privacy Protection Agency Issues Enforcement Advisory on Data Minimization

At its March 8, 2024 meeting, the Board of the California Privacy Protection Agency (“CPPA”) moved, by a 3-2 vote, to advance proposed regulations addressing automated decision-making technology (“ADMT”) and risk assessments for the processing of personal information.  Notably, the Board’s vote only allows staff to begin paperwork preliminary to a rulemaking; it did not actually initiate the formal rulemaking process.  At the meeting, the CPPA Staff clarified that the Board will need to re-review the draft rules for ADMT, privacy risk assessments, and cyber audits and vote again to initiate the rulemaking process.  The CPPA’s General Counsel Philip Laird said he expects the Board will vote to begin the formal rulemaking process for all three topics in July 2024, at the earliest.  Once formal rulemaking begins, the Board has one year to finalize the regulations, per California’s Administrative Procedure Act.

Continue Reading California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments

On February 9, the Third Appellate District of California vacated a trial court’s decision that held that enforcement of the California Privacy Protection Agency’s (“CPPA”) regulations could not commence until one year after the finalized date of the regulations.  As we previously explained, the Superior Court’s order prevented the

Continue Reading California Appeals Court Vacates Enforcement Delay of CPPA Regulations

At its December 8 board meeting, the California Privacy Protection Agency (“CPPA”) voted to advance a legislative proposal that would require vendors of web browsers to include a feature that would allow consumers to exercise data subject rights through opt-out preference signals.  Regulations promulgated under the California Consumer Privacy Act

Continue Reading California Privacy Protection Agency Votes to Advance Legislation Requiring Certain Browsers to Support Opt-Out Preference Signals

Ahead of its December 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft risk assessment regulations.  The CPPA has yet to initiate the formal rulemaking process and has stated that it expects to begin formal rulemaking next year, at which time it will also consider draft regulations covering “automated decisionmaking technology” (ADMT), cybersecurity audits, and revisions to existing regulations.  Accordingly, the draft risk assessment regulations are subject to change.  Below are the key takeaways:

Continue Reading CPPA Releases Draft Risk Assessment Regulations