CCPA Cpra Enforcement

Cybercriminals are systematically targeting registered investment advisers through credential theft, multifactor authentication fatigue attacks, and vendor breaches to steal client account numbers, Social Security numbers, and direct assets. Security professionals report these attacks are widespread across RIA networks.

California's privacy regulator opened a public comment period on April 7, 2026, to shape audit rules for data brokers under the Delete Act's centralized deletion platform. The California Privacy Protection Agency is seeking stakeholder input on how to verify that over 500 registered data brokers comply with consumer deletion requests submitted through DROP (Delete Request and Opt-Out Platform). The audits, mandatory starting January 1, 2028, and every three years thereafter, will assess auditor qualifications, evidence retention practices, audit tools, and whether brokers are improving match rates on deletion requests. Comments are due by May 7, 2026, at 5 p.m. PT via email to regulations@cppa.ca.gov or by mail.