CCPA CPRA Enforcement

Tracking CCPA CPRA Enforcement legal and regulatory developments.

2 entries in Tech Counsel Tracker

Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules

Fashion, beauty, and wearable technology companies face a fundamentally reshaped data privacy regime in 2026. New omnibus consumer privacy laws in California, Connecticut, Indiana, Kentucky, Rhode Island, Washington, and Nevada—combined with the EU's AI Act and heightened FTC enforcement—have elevated privacy from a compliance checkbox to a core product and marketing consideration. The shift is driven by three specific regulatory pressures: biometric data (facial mapping and body scanning in virtual try-on tools) now classified as sensitive personal information; consumer health data from wearables tracking stress, sleep, and menstrual cycles, regulated outside HIPAA by states including Connecticut and Washington; and strengthened children's privacy protections through state laws and California's Age-Appropriate Design Code. Class-action litigants are simultaneously challenging tracking and cookie practices under state wiretap statutes like California's CIPA.

LawSnap Briefing Updated May 9, 2026

State of play.

  • California's privacy enforcement apparatus has expanded on multiple fronts simultaneously. The CPPA is enforcing new risk assessment mandates, targeting fragmented opt-outs, and operationalizing the DROP platform for data brokers, while Gartner data documents $3.425 billion in U.S. state privacy fines during 2025 alone—exceeding the prior five-year combined total.
  • Federal courts are splitting on the scope of CCPA's private right of action. Rulings in Shah v. Capital One and the Therapymatch case extend §1798.150 liability to third-party tracking disclosures without a traditional data breach, departing sharply from the breach-only framework that governed prior years.
  • CIPA's application to website tracking technologies remains judicially unsettled, with over 4,000 lawsuits and arbitrations filed and the Variety Media case pending before the California Court of Appeal on whether cookies and pixels qualify as pen registers.
  • Standing doctrine is providing defendants a meaningful filter. The C.D. Cal. dismissed all eight counts against Paramount Skydance under the TransUnion concrete-injury standard, signaling that statutory-violation-only theories remain vulnerable at the pleading stage.
  • For counsel advising any business with California consumer or employee data, the practical baseline is a compounding multi-vector exposure: regulatory enforcement on opt-outs and risk assessments, expanding private litigation on tracking technologies, and a 20-state patchwork that eliminates most cure periods.

Where things stand.

  • The CCPA/CPRA regulatory framework has materially expanded as of January 1, 2026. New CPPA regulations impose mandatory risk assessments for sensitive data processing, cybersecurity audits, and automated decision-making disclosures; executive certifications under penalty of perjury are due beginning April 1, 2028 for assessments covering 2026 and 2027.
  • Employee data is now fully within CCPA scope. The employment exemption expired January 1, 2023; the CPPA has opened a new rulemaking on employment-specific notice and disclosure standards, following a 2023 AG enforcement sweep targeting large employers.
  • California's DELETE Act DROP platform is live and generating volume. Over 500 registered data brokers must process deletion requests every 45 days beginning August 1, 2026; 242,000 deletion requests were submitted since DROP launched in January 2026; mandatory audits begin January 1, 2028.
  • California enforcement is targeting opt-out fragmentation. The CPPA has taken enforcement action against businesses that honor opt-outs inconsistently across channels or business units, and new rules require businesses to demonstrate compliance rather than merely assert it.
  • The CCPA private right of action is expanding beyond data breach. District court rulings in Shah v. Capital One and Therapymatch permit §1798.150 claims based on unauthorized disclosure through tracking pixels and cookies to third parties, without requiring a traditional breach of unencrypted data.
  • CIPA tracking-technology litigation is a parallel and overlapping exposure. Over 4,000 lawsuits and arbitrations target website trackers; federal courts have split on whether CIPA's pen register framework applies to digital tracking; the Ninth Circuit has held CIPA targets third-party eavesdropping specifically, but appellate guidance on web technologies is unsettled.
  • Cookie banner technical failures are an independent enforcement and litigation trigger. Honda paid $632,500 to the CPPA for default-enabled tracking cookies; HelloFresh settled a class action for $7.5 million over dark patterns in its consent interface; CIPA allows statutory damages up to $5,000 per violation.
  • The state privacy patchwork now spans 20 active regimes. Indiana, Kentucky, and Rhode Island activated comprehensive consumer privacy laws on January 1, 2026; most states have eliminated cure periods; businesses operating across multiple states face compounding liability under divergent statutory regimes.
  • California's DFPI is enforcing the California Consumer Financial Protection Law through administrative adjudication. The agency secured its first affirmed administrative ruling under the CCFPL, requiring rescission, refunds, and a $150,000 penalty against an unlicensed debt collector; DFPI can impose penalties up to $2,500 per violation.

Latest developments.

Active questions and open splits.

  • Does CCPA §1798.150 reach tracking-pixel disclosures absent a traditional data breach? The Shah v. Capital One and Therapymatch rulings say yes; earlier precedent including Judge Carter's 2022 decisions said no. The split is unresolved at the appellate level and is the central litigation risk question for any business using third-party analytics.
  • Does CIPA's pen register framework apply to cookies, pixels, and web analytics? Federal courts have split; the Ninth Circuit has held CIPA targets third-party eavesdropping; the Variety Media case before the California Court of Appeal is the next dispositive opportunity for clarity.
  • What concrete injury suffices to survive TransUnion in a privacy claim? The Paramount Skydance dismissal reinforces that statutory violations and speculative future harm are insufficient, but the line between pleadable and non-pleadable injury remains contested across districts.
  • What will CPPA's employee data rulemaking require beyond the current notice-and-rights framework? The agency's questions signal interest in European-style specificity; the outcome will determine whether California employers face materially higher compliance obligations than the current CCPA baseline.
  • How will DROP audit standards be operationalized for data brokers? The CPPA has not yet defined auditor qualifications, acceptable audit tools, or match-rate improvement benchmarks; the framework being finalized now will govern compliance obligations beginning January 2028 for clients with any data broker exposure.
  • What does "fragmented opt-out" enforcement mean for multi-entity and multi-channel businesses? The CPPA's enforcement posture targets inconsistent opt-out honoring across business units, but the operational standard for what constitutes a unified opt-out mechanism is not yet defined by formal rule.
  • How will the 20-state patchwork interact with any federal preemption framework? Federal privacy legislation remains stalled; in its absence, compounding liability under divergent state regimes—with most cure periods eliminated—is the operative risk environment.

What to watch.

  • California Court of Appeal decision in Variety Media—the ruling will determine whether CIPA or the CCPA framework governs digital tracking disputes and will reshape the litigation posture of thousands of pending claims.
  • CPPA final rules on employee data notices—the May 20, 2026 comment deadline has passed; watch for the agency's next step and whether it moves toward European-style specificity.
  • DROP audit rulemaking finalization—the framework governing data broker compliance obligations beginning January 2028 is being shaped now; watch for CPPA guidance on auditor qualifications and match-rate standards.
  • August 1, 2026 DROP processing deadline—data brokers must begin processing deletion requests every 45 days; enforcement posture at that trigger date will signal how aggressively the CPPA pursues the $200-per-day penalty.
  • Appellate review of Shah v. Capital One and Therapymatch—if the tracking-pixel theory of CCPA §1798.150 liability reaches the Ninth Circuit, the outcome will either validate or constrain the new wave of non-breach CCPA class actions.
  • Executive certification deadline pressure—the April 2028 certification date for CCPA risk assessments is approaching faster than many compliance programs are moving; watch for CPPA enforcement advisories or guidance that accelerate the timeline.
