CCPA Cpra Enforcement

California's privacy regulator opened a public comment period on April 7, 2026, to shape audit rules for data brokers under the Delete Act's centralized deletion platform. The California Privacy Protection Agency is seeking stakeholder input on how to verify that over 500 registered data brokers comply with consumer deletion requests submitted through DROP (Delete Request and Opt-Out Platform). The audits, mandatory starting January 1, 2028, and every three years thereafter, will assess auditor qualifications, evidence retention practices, audit tools, and whether brokers are improving match rates on deletion requests. Comments are due by May 7, 2026, at 5 p.m. PT via email to regulations@cppa.ca.gov or by mail.

Cybercriminals are systematically targeting registered investment advisers through credential theft, multifactor authentication fatigue attacks, and vendor breaches to steal client account numbers, Social Security numbers, and direct assets. Security professionals report these attacks are widespread across RIA networks.

U.S. District Court rulings in Shah v. Capital One Financial Corp. and a Therapymatch case have denied motions to dismiss CCPA claims, significantly broadening the private right of action under California Civil Code §1798.150. The courts interpreted the statute to cover unauthorized disclosure of personal information through website tracking tools—cookies, pixels, and similar technologies—to third parties including Google, Facebook, and Microsoft. Critically, the rulings do not require a traditional data breach to trigger liability.