CPPA Has Hundreds of Open Investigations and Most Targets Don't Know
The California Privacy Protection Agency’s head enforcer heralded “a new era of privacy enforcement,” in an update during the CPPA Board’s Friday meeting. The agency has “hundreds” of investigations open, and in most cases the targeted businesses don’t know about them yet, said Michael Macko, deputy director of enforcement. “We haven't surfaced yet."
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Macko described the number of CPPA enforcement actions made public so far as the tip of the iceberg. His division, which he said is the largest enforcement team dedicated to privacy in the nation, has seen a growing number -- and rate -- of consumer complaints, he told the board. “We're receiving about 150 complaints ... every single week,” said Macko. “That number has been increasing over time."
The agency received 8,265 complaints total from July 6, 2023, to Sept. 8, 2025. Macko presented a chart showing that the number of complaints steadily increased over time, with a spike from January to February 2025. Macko said he hasn’t “seen this volume of privacy complaints at any other agency,” which “shows that Californians care deeply about privacy," and more so "with each passing year.”
"We spoke about the influx of consumers who are submitting complaints to us about potential violations,” and “we also have a historic need … to develop precedent under our law,” said Macko. “When you put these two together, it really does add up to a new era of privacy enforcement, and new era of state enforcement, in particular, and … it's pretty historic."
While a consumer complaint is one action that can lead to a case, CPPA enforcers include in-house technologists who are "doing research and analysis proactively,” said Macko, adding that the team also monitors press reports and listens to other regulators. In addition, Macko predicted that cooperation with other states will increase. The enforcement head noted that a consumer protection investigation can take years before the agency brings an action.
“No notes,” said CPPA Board Chair Jennifer Urban, responding to the enforcement update.
The CPPA recently announced a multistate enforcement sweep of Global Privacy Control non-compliance (see 2509090045). Speaking about that effort earlier in the meeting, CPPA Executive Director Tom Kemp said, "We believe our enforcement actions in this area will further enable privacy at scale for consumers.”
Additionally, in his executive-director update, Kemp said the agency is working with the California Department of Finance to develop a FY 2026-27 budget to provide more resources to the agency. Also, Kemp said the CPPA’s development of the Delete Request and Opt-Out Platform (DROP) is “progressing very well” and the agency expects to open a beta test of the accessible data-deletion mechanism in October, with data brokers participating.
The CPPA Board voted 5-0 to approve regulations to adopt proposed DROP rules at the meeting. The board directed staff to send the rules to the California Office of Administrative Law (OAL) for final approval. Staff decided not to make further changes to the proposed rules following a round of comments that concluded Aug. 18 (see 2509230036).
Stakeholders shouldn’t interpret the draft rules as "developer docs," said Liz Allen, a CPPA attorney. "This instead merely states the rules that data brokers must follow when utilizing the system in compliance with their statutory obligations under the Delete Act.” She added that those who raised issues in comments might find, when DROP launches next year, "that at least some of their stated concerns are mitigated, if not resolved by the system's technical features and implementation.”
Also, the board voted 5-0 to approve a staff recommendation to reduce the data broker registration fee to $6,000 for the 2026 registration period, from $6,600 in 2025. The fee was $400 prior to the establishment of DROP. Also, the CPPA Board agreed to adjust a DROP access fee for data brokers to $6,000 for the month of January and prorate each following month by $500.
Meanwhile, CPPA General Counsel Phil Laird said the CPPA plans a business education initiative about recently finalized rules on automated decision-making technology, cybersecurity audits and other subjects. The rules received OAL approval earlier this week and take effect Jan. 1 (see 2509230036).
Laird said the education effort will include resources on the website to help navigate the regulations. "We are truly committed to supporting businesses and achieving compliance so that the promise of these enhanced privacy protections can be fully realized by Californians,” said Laird.
CPPA Board members celebrated the long-in-development rules becoming final. “We have a reasonable set of regulations right now that are workable,” said Alastair Mactaggart, who was vocal on the board in raising concerns throughout the proceeding. On Friday, Mactaggart said that it's still "a work in progress" and just "the end of the beginning."
Urban applauded the new regs, while adding, "This isn't the end of the story." The chair asked covered entities to work with the agency on implementing the rules and "help us update them as we need to.”
Brandie Nonnecke, another board member, supported the agency’s planned engagement with stakeholders. “We must collaborate with you for this to be fit for purpose.”
Friday was the first board meeting for new member Jill Hamer (see 2508270063). She replaced Jeffrey Worthe as one of two board appointees for Gov. Gavin Newsom (D). Hamer said she is “very excited to participate in the very important work that this agency performs for the state.”