CPPA's 2025 Enforcement Blitz: What Compliance Teams Must Know
California's privacy regulator has shifted into enforcement overdrive with hundreds of active investigations, record-breaking fines, and expanded regulatory authority. Here's what security and compliance professionals need to understand about the new enforcement landscape.
Part of our ongoing coverage of global privacy law enforcement and digital privacy challenges at ComplianceHub.wiki.
The California Privacy Protection Agency (CPPA), now operating under the public-facing brand "CalPrivacy," has emerged as the most aggressive privacy enforcement authority in the United States. Between launching a dedicated Data Broker Enforcement Strike Force, imposing millions in fines, and revealing hundreds of undisclosed investigations, the agency's 2025 enforcement activity represents a fundamental shift in how California privacy law will be implemented.
The Numbers Behind the Enforcement Surge
At the CPPA Board meeting on September 26, 2025, Deputy Director of Enforcement Michael Macko revealed striking statistics that should concern every organization handling California consumer data:
- Hundreds of open investigations currently underway, most undisclosed to target companies
- 150 consumer complaints per week being received by the agency
- 8,265 total complaints filed between July 2023 and September 2025
- Over $3 million in fines imposed across major enforcement actions in 2025 alone
Macko characterized this as entering "a new era of privacy enforcement," supported by what he described as the nation's largest enforcement division dedicated solely to privacy. The team comprises former federal and state criminal prosecutors, in-house counsel from major technology companies, FTC alumni, and Ph.D.s in computer science.
Perhaps most concerning for businesses: many investigation targets remain unaware they're under scrutiny. As one analysis noted, "The agency sometimes does not institute an enforcement action until years after it opens an investigation."
Major 2025 Enforcement Actions
Tractor Supply Company: $1.35 Million Record Fine
The nation's largest rural lifestyle retailer received the highest CPPA penalty to date in September 2025, marking a significant escalation in enforcement severity.
Key violations identified:
- Failed to provide effective opt-out mechanisms for selling/sharing personal information
- Inadequate privacy notices for consumers and job applicants
- Missing contractual safeguards with service providers, contractors, and third parties
- Non-functional Global Privacy Control (GPC) implementation
The investigation, initiated after a single consumer complaint in early 2024, examined conduct from January 2023 through July 2024. Critically, Tractor Supply acknowledged the CPPA's authority to investigate violations dating back to January 1, 2020—the CCPA's operative date—even though specific regulations were finalized later.
Compliance implications:
- Opt-out links must actually prevent data sharing across all tracking technologies
- Browser-based signals like GPC require frictionless, automatic processing
- Job applicant data receives full CCPA protections (no employment exemption)
- Third-party contracts need comprehensive CCPA-required provisions
Todd Snyder: $345,178 for Technical Failures
In May 2025, the national clothing retailer settled allegations highlighting the dangers of outsourcing privacy compliance without proper oversight.
Critical failures:
- Privacy portal misconfigured for 40 days, blocking all opt-out requests
- Cookie consent banner appeared then immediately disappeared, preventing user interaction
- Required government ID verification for simple opt-out requests (prohibited under CCPA)
- Collected sensitive personal information unnecessarily for privacy requests
The CPPA emphasized that businesses cannot defer responsibility to third-party privacy management tools. As Michael Macko stated: "Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them."
Todd Snyder would have discovered the malfunctioning portal through basic website monitoring, but instead relied blindly on vendor tools without validation.
Compliance takeaways:
- Regular testing and validation of consent management systems is mandatory
- Opt-out requests cannot require identity verification
- Data collection for privacy requests must be minimal and necessary
- Third-party tool failures remain the implementing business's liability
ROR Partners: $56,600 Data Broker Strike Force Action
In December 2025, the CPPA's newly formed Data Broker Enforcement Strike Force targeted this Nevada-based marketing firm serving fitness and wellness brands.
Violation details:
- Collected "billions of data points" on 262+ million Americans
- Created detailed consumer profiles and custom audience segments
- Sold targeted advertising lists based on behavioral inferences
- Operated throughout 2024 without data broker registration
The CPPA decisively rejected arguments that bundling personal information sales within broader marketing services exempts companies from data broker requirements: "A sale is a sale. A business cannot bypass the CCPA's and the Delete Act's requirements by selling personal information as part of a larger suite of products and services it offers."
Expanded enforcement scope: Marketing and advertising firms are now squarely within regulatory crosshairs if they:
- Sell or license audience segments, profiles, or behavioral predictions
- Create consumer inferences and profiles (now explicitly classified as personal information)
- Handle significant volumes of consumer data without direct relationships
Michael Macko's warning was unambiguous: "We will scrutinize any business that walks and talks like a data broker to make sure it's registered, and we will continue to examine businesses that create inferences about consumers to profile them."
The Data Broker Enforcement Strike Force
Announced November 19, 2025, this dedicated unit represents the CPPA's most focused enforcement initiative. As Executive Director Tom Kemp explained: "For decades, strike forces have been a mainstay at U.S. Attorney offices and state Attorney General offices across the United States. We intend to bring the same level of intensity to our investigations into the data broker industry."
Current enforcement priorities:
- Unregistered data brokers operating in California
- Trade name and website disclosure compliance
- Parent/subsidiary registration requirements (each entity must register separately)
- Preparation for the January 1, 2026 Delete Request and Opt-Out Platform (DROP) launch
The Strike Force has already brought enforcement actions against multiple unregistered brokers beyond ROR Partners, including Accurate Append ($55,400 fine) and National Public Data ($46,000). Penalties for failing to register: $200 per day of non-compliance, plus unpaid registration fees and the costs of the investigation.
DROP Platform: The Game-Changing Mechanism
Beginning January 1, 2026, California consumers gain access to the Delete Request and Opt-Out Platform—a centralized system allowing single-request deletion across all registered data brokers.
Key features:
- One-stop deletion mechanism for all registered broker data
- Funded by data broker registration fees ($6,000 in 2026, down from $6,600 in 2025)
- Mandatory January 31 annual registration deadline for qualifying businesses
- Consumer-friendly interface to exercise privacy rights at scale
Organizations meeting data broker definitions must:
- Register individually (parent company registration doesn't cover subsidiaries)
- Update trade names and website links in registry
- Maintain operational consumer rights pages
- Prepare systems to process DROP deletion requests
Multi-State Coordination and Expanded Authority
The CPPA isn't operating in isolation. Recent developments demonstrate increasing interstate enforcement cooperation, reflecting broader global trends in privacy regulation:
September 2025 GPC Sweep: California, Colorado, and Connecticut jointly investigated businesses refusing to honor Global Privacy Control opt-out signals. This coordinated approach enables efficient identification of multi-state violators.
Bipartisan Consortium of Privacy Regulators: Launched to facilitate collaboration across state lines, with Minnesota and New Hampshire joining in October 2025. Michael Macko predicted "an increasing level of coordination with other states" in upcoming enforcement actions.
International partnerships: The CPPA maintains cooperative agreements with data protection authorities in South Korea, France, and the United Kingdom for information sharing and investigation coordination.
Updated Penalty Structure for 2025
Effective January 1, 2025, the CPPA adjusted all monetary thresholds based on California's Consumer Price Index:
New fine amounts:
- Standard violations: $2,686 per violation (previously $2,500)
- Intentional violations: $8,058 per violation (previously $7,500)
- Violations involving minors: $8,058 per violation
These adjustments occur every two years, with the next scheduled for 2027. The compounding effect becomes significant in cases involving systematic violations across thousands of consumers.
New Regulatory Requirements Taking Effect
Beyond enforcement actions, the CPPA finalized major regulatory updates approved by California's Office of Administrative Law in September 2025:
Cybersecurity Audit Requirements (Effective January 1, 2026)
Businesses meeting revenue thresholds must conduct annual cybersecurity audits and submit certifications:
- $100M+ revenue: First certification due April 1, 2028
- $50-100M revenue: First certification due April 1, 2029
Risk Assessment Mandates (Effective January 1, 2026)
Covered businesses must conduct detailed risk assessments for processing activities beginning in 2026, with summary submissions to the CPPA by April 1, 2028 for 2026-2027 activities.
Automated Decision-Making Technology (ADMT) Rules (Effective January 1, 2027)
Businesses using ADMT for significant decisions about consumers—including employment, compensation, independent contracting—must comply with new transparency and opt-out requirements.
What Compliance Teams Should Do Now
Immediate Actions (Q1 2026)
1. Audit Data Broker Status
Evaluate whether your organization meets data broker definitions:
- Do you collect personal information from consumers lacking direct relationships?
- Do you sell, license, or transfer this data to third parties?
- Does your revenue exceed $25M, or do you handle 100K+ consumers, or derive 50%+ revenue from data sales?
If yes to all three, register by January 31, 2026.
2. Test All Privacy Infrastructure
- Verify opt-out mechanisms actually prevent tracking/sharing
- Confirm GPC and similar signals process automatically
- Validate cookie consent tools function correctly
- Document testing protocols and results
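The two checks this list and the Tractor Supply implications above both call for, honoring GPC automatically and confirming that opted-out sessions fire no sale/share tags, as an added illustration that is not code from the article or from any company it discusses. It assumes the browser sends the standard `Sec-GPC: 1` request header and that each page view is logged as a dict with its request headers, the site's stored opt-out flag and the third-party tags that actually fired (all sample values are constructed).

```python
"""Self-check for a CCPA opt-out pipeline: GPC must be honoured with no
banner click or identity check, and no sale/share tag may fire once a
consumer has opted out. Sample traffic below is constructed."""


def gpc_signaled(headers: dict[str, str]) -> bool:
    """True when the request carries Sec-GPC: 1 (header names are case-insensitive)."""
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    return normalized.get("sec-gpc") == "1"


def must_suppress_sale(headers: dict[str, str], stored_opt_out: bool) -> bool:
    """The GPC signal alone is sufficient (frictionless, automatic processing);
    a stored opt-out is honoured even when the signal is absent."""
    return stored_opt_out or gpc_signaled(headers)


def find_violations(page_views: list[dict]) -> list[dict]:
    """Return every page view where sale/share tags fired although the
    consumer had opted out, via GPC or via the site's own opt-out link."""
    violations = []
    for view in page_views:
        if must_suppress_sale(view["headers"], view["stored_opt_out"]) and view["tags_fired"]:
            violations.append({"id": view["id"], "leaked_tags": sorted(view["tags_fired"])})
    return violations


# Constructed sample page views; tag names are placeholders.
SAMPLE_VIEWS = [
    {"id": "v1", "headers": {"Sec-GPC": "1"}, "stored_opt_out": False, "tags_fired": ["ad-pixel"]},
    {"id": "v2", "headers": {"sec-gpc": "1"}, "stored_opt_out": False, "tags_fired": []},
    {"id": "v3", "headers": {}, "stored_opt_out": True, "tags_fired": ["retargeting", "ad-pixel"]},
    {"id": "v4", "headers": {}, "stored_opt_out": False, "tags_fired": ["ad-pixel"]},
    {"id": "v5", "headers": {"Sec-GPC": "0"}, "stored_opt_out": False, "tags_fired": ["ad-pixel"]},
]

if __name__ == "__main__":
    # Only v1 (GPC ignored) and v3 (stored opt-out ignored) are violations.
    for v in find_violations(SAMPLE_VIEWS):
        print(f"{v['id']}: sale/share tags fired after opt-out: {', '.join(v['leaked_tags'])}")
```

Run the check over real tag-manager or proxy logs on a schedule so that a misconfiguration like the 40-day portal outage described above surfaces in days, not after a consumer complaint.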
3. Review Third-Party Contracts
Ensure all service provider, contractor, and third-party agreements contain required CCPA provisions (see our guide on third-party risk management frameworks for best practices):
- Data use limitations
- Confidentiality requirements
- Sub-processor restrictions
- Security obligations
- California consumer rights acknowledgments
4. Assess Verification Procedures
- Eliminate identity verification requirements for opt-out requests
- Minimize data collection for all privacy requests
- Never require government IDs for opt-outs
- Match against existing data rather than collecting new information
Medium-Term Priorities (2026)
1. Prepare for DROP Integration
If operating as a registered data broker:
- Develop systems to receive and process DROP deletion requests
- Establish internal workflows for cross-database deletion
- Train staff on DROP compliance requirements
- Test deletion verification processes
2. Implement Enhanced Monitoring
- Schedule regular privacy portal functionality checks
- Monitor third-party tool performance continuously
- Establish automated alerting for privacy mechanism failures
- Create escalation procedures for identified issues
3. Employment Context Compliance
- Update job applicant privacy notices
- Ensure CCPA rights disclosures reach all candidates
- Review employee data handling for ADMT compliance
- Coordinate with HR on algorithmic decision-making requirements
4. Document Risk Assessments
For covered businesses, establish comprehensive documentation of:
- Processing activity inventories
- Risk identification methodologies
- Mitigation measures implemented
- Ongoing monitoring procedures
Strategic Considerations (2026-2027)
1. Assume Investigation Risk
With hundreds of undisclosed investigations ongoing and complaints arriving at 150+ per week, assume your organization could face scrutiny:
- Maintain detailed compliance documentation
- Preserve evidence of good-faith efforts
- Document vendor oversight activities
- Create audit trails for all privacy-related decisions
2. Monitor Enforcement Trends
The CPPA publishes enforcement actions and advisories at cppa.ca.gov/announcements. Track patterns to anticipate future priorities:
- Consumer complaint themes
- Multi-state coordination targets
- Industry-specific sweeps
- Technical implementation focus areas
3. Prepare for ADMT Requirements
If using algorithmic decision-making for employment, lending, housing, or other significant consumer impacts:
- Inventory all ADMT systems by mid-2026
- Assess compliance gaps against 2027 requirements
- Budget for necessary technical implementations
- Train relevant staff on new obligations
4. Build Interstate Compliance Programs
Given increasing multi-state coordination, ensure privacy programs address:
- Colorado risk assessment requirements (materially different from California)
- Connecticut GPC enforcement priorities
- Other state comprehensive privacy law obligations
- Harmonization opportunities and unavoidable conflicts
The Broader Enforcement Philosophy
Several themes emerge from the CPPA's 2025 enforcement blitz that signal its regulatory approach:
Technical Implementation Matters Deeply
Simply having privacy policies, opt-out links, or consent management platforms provides no protection. The CPPA scrutinizes actual functionality, user experience, and effectiveness. Businesses must actively monitor, test, and validate all privacy mechanisms.
Vendor Reliance Is Not a Defense
As both Todd Snyder and Tractor Supply learned, outsourcing privacy operations to third-party tools doesn't transfer liability. Organizations remain fully responsible for vendor performance and must conduct ongoing oversight.
Retroactive Authority Is Real
The CPPA's position that it can investigate violations back to January 1, 2020 significantly expands potential liability windows. Organizations cannot assume historical practices are beyond reach simply because regulations were finalized later.
Consumer Inferences Receive Protection
The ROR Partners case establishes that behavioral predictions, audience segments, and consumer profiles constitute protected personal information. Marketing technology built on data inference now faces data broker obligations.
Employment Data Gets Full Protection
Unlike some state privacy laws, California provides no employment exemption. Job applicants and employees possess full CCPA rights, creating compliance obligations in HR contexts many organizations have overlooked. This intersects with growing concerns about algorithmic decision-making and workplace surveillance in modern employment practices.
Looking Ahead
Michael Macko's characterization of "a new era of privacy enforcement" appears well-founded. The CPPA has demonstrated:
- Willingness to impose seven-figure penalties
- Sophisticated technical understanding of privacy mechanisms
- Expanding interpretations of regulated activities
- Multi-state coordination capabilities
- Long-term investigation timelines
For compliance teams, the message is clear: California privacy enforcement has transitioned from theoretical risk to operational reality. Organizations handling California consumer data face:
- Increasing complaint volumes driving investigations
- Hundreds of undisclosed current investigations
- Multi-year investigation timelines before public disclosure
- Record-breaking fines for systematic violations
- Expanding definitions of regulated activities
- Enhanced scrutiny of vendor relationships
- Interstate enforcement coordination
The January 31, 2026 data broker registration deadline and January 1, 2026 DROP launch represent enforcement chokepoints. Organizations uncertain about compliance status should prioritize immediate assessment—the CPPA has made clear it expects businesses to self-evaluate and register before "they hear from us."
With 150 weekly complaints, sophisticated enforcement staff, and explicit warnings about scrutinizing "any business that walks and talks like a data broker," the enforcement trajectory points clearly upward. Compliance teams should treat 2026 as the year to operationalize enhanced privacy controls, not the year to begin planning them.
Additional Resources
For more insights on privacy compliance and data protection:
- Global Data Privacy Strategies - Understanding international privacy frameworks beyond CCPA
- Digital Privacy Challenges in 2026 - The evolving landscape of privacy threats
- Third-Party Risk Management - Best practices for vendor oversight
- Compliance Guardian AI Tool - AI-powered compliance assistance
Visit ComplianceHub.wiki for comprehensive coverage of privacy laws, information security frameworks, and regulatory guidance tailored for CISOs, CCOs, and DPOs.
About the Author: This analysis synthesizes CPPA enforcement actions, board meeting disclosures, and regulatory guidance current through December 2025. For updates on California privacy enforcement, visit the official CPPA announcements page at cppa.ca.gov/announcements or the consumer-focused privacy.ca.gov portal.