Key players include state attorneys general (e.g., California AG, Texas AG), the rebranded CalPrivacy agency (formerly CPPA), and coalitions like the Consortium of Privacy Regulators (California, Colorado, Connecticut, etc.) conducting multistate sweeps on Global Privacy Control (GPC) non-compliance and sensitive data.[4][5][6] Enforcement targets companies like data brokers (via California's strike force), Healthline Media (settled for health data misuse), and others flagged for opt-outs, minors' data, and AI systems.[1][5][7] Businesses face fines up to $200 per violation daily from August 2026 in California.[1]
This patchwork stems from post-CCPA momentum since 2018, with states filling federal voids amid rising data breaches, AI risks, and consumer demands; 2025 saw GPC sweeps and settlements, setting up 2026 activations.[1][3][5] It's newsworthy now (April 2026) as laws just took effect, triggering immediate compliance deadlines (e.g., California's broker registrations by Jan 31), ramped enforcement, and business updates for sensitive data, minors, and ADMT amid no federal uniformity.[2][3][4][7]