CALIFORNIA PRIVACY PROTECTION AGENCY
The California Privacy Protection Agency (CPPA), or “CalPrivacy” as it is publicly known, is the first dedicated privacy regulatory agency in the United States. Established by the California Privacy Rights Act (CPRA), which was approved by voters in November 2020 (Proposition 24), the California Privacy Protection Agency is an independent body with a mission to protect consumer privacy rights and ensure businesses operating in California are well-informed of their obligations under state law.
Legal advice can help businesses, local jurisdictions and other entities ensure compliance with California’s privacy laws and help residents protect their rights.
Origins and Mandate
The California Privacy Protection Agency was created to amend and strengthen the landmark California Consumer Privacy Act of 2018 (CCPA). Before the Agency’s creation, the CCPA was enforced solely by the California Attorney General’s office. With the passage of the CPRA, California voters established an expert, five-member board with “full administrative power, authority, and jurisdiction” to implement and enforce both the CCPA and CPRA, including investigative and rulemaking powers.
Key responsibilities of the California Privacy Protection Agency include:
Promoting public awareness of consumer privacy rights and business responsibilities.
Issuing detailed regulations on a range of topics, including automated decision-making technologies (ADMT), data security, and risk assessments.
Vigorously enforcing the law against businesses that violate consumers’ privacy rights.
Maintaining the California data broker registry and, with the recent California Delete Act, building a one-stop shop data deletion mechanism for consumers.
Key Enforcement Actions and Priorities
The California Privacy Protection Agency has quickly established a reputation as an active and assertive regulator, setting the pace for state-level privacy enforcement across the nation. Recent enforcement actions and advisories highlight its priorities:
Significant Fines: In September 2025, the California Privacy Protection Agency announced a fine of $1.35 million against Tractor Supply Company for California Consumer Privacy Act violations related to broken opt-out mechanisms for third-party tracking technologies used for advertising purposes. Also in 2025, it announced a $632,500 fine against American Honda Motor Co. and a $345,178 fine against national clothing retailer Todd Snyder, Inc., for business practices violating the California Consumer Privacy Act. The Agency has also brought enforcement actions against businesses for failing to register as a data broker, such as ROR Partners LLC, a Nevada-based marketing firm that paid $56,600 in fines and past due fees.
Technical Compliance: Enforcement actions emphasize that simply having a privacy policy or an opt-out link is not enough. Businesses must ensure that technical implementations effectively honor consumer privacy requests across all platforms, including mobile apps and third-party data sharing.
“Dark Patterns” Advisory: The California Privacy Protection Agency’s Enforcement Division has issued guidance warning businesses against using “dark patterns,” which are user interfaces designed to subvert or impair consumer privacy choices.
Employee and Job Applicant Data: California’s law is unique among state consumer privacy laws in that it applies in the human resources context. The California Privacy Protection Agency’s actions have made it clear that job applicant and employee data is covered and enforceable.
Looking Ahead: New Regulations and National Impact
The California Privacy Protection Agency continues to shape the future of digital privacy. In July 2025, the Agency’s board unanimously voted to adopt a substantial package of proposed regulations covering areas such as cybersecurity audits and the use of automated decision-making technology. These regulations are expected to have a significant impact on national privacy expectations due to California’s market size and influence.
Contact us by phone or email to learn more about how we can help.
