CCPA Cpra Enforcement

California's privacy regulator opened a public comment period on April 7, 2026, to shape audit rules for data brokers under the Delete Act's centralized deletion platform. The California Privacy Protection Agency is seeking stakeholder input on how to verify that over 500 registered data brokers comply with consumer deletion requests submitted through DROP (Delete Request and Opt-Out Platform). The audits, mandatory starting January 1, 2028, and every three years thereafter, will assess auditor qualifications, evidence retention practices, audit tools, and whether brokers are improving match rates on deletion requests. Comments are due by May 7, 2026, at 5 p.m. PT via email to regulations@cppa.ca.gov or by mail.

Cybercriminals are systematically targeting registered investment advisers through credential theft, multifactor authentication fatigue attacks, and vendor breaches to steal client account numbers, Social Security numbers, and direct assets. Security professionals report these attacks are widespread across RIA networks.

U.S. District Court rulings in Shah v. Capital One Financial Corp. and a Therapymatch case have denied motions to dismiss CCPA claims, significantly broadening the private right of action under California Civil Code §1798.150. The courts interpreted the statute to cover unauthorized disclosure of personal information through website tracking tools—cookies, pixels, and similar technologies—to third parties including Google, Facebook, and Microsoft. Critically, the rulings do not require a traditional data breach to trigger liability.

In March 2026, multiple U.S. federal and state courts issued decisions in privacy litigation cases involving data tracking, wiretapping claims under the Electronic Communications Privacy Act (ECPA), consent via website design and policies, and negligence allegations, producing five key takeaways summarized in a Troutman Pepper Locke report.[1][5]

The California Privacy Protection Agency finalized updates to the state's consumer privacy regulations on July 24, 2025, imposing mandatory risk assessments for companies processing sensitive personal data. The new requirements, effective January 1, 2026, apply to businesses meeting CCPA thresholds—including those with $25 million in annual revenue or handling data on 100,000 or more consumers. Companies must document assessments before processing health or financial information, selling or sharing personal data, deploying automated decision-making technology for significant decisions like lending or hiring, or training AI models with personal data.