California Privacy Enforcement: What Every Business Needs to Know Now

The Big Picture

California's privacy regulator, CalPrivacy (formerly the California Privacy Protection Agency), is actively enforcing the California Consumer Privacy Act, as amended (CCPA), against businesses of all sizes and industries.

In 2025 and 2026 alone, it settled cases against a major automaker (Honda, $632,500), a rural lifestyle retailer (Tractor Supply, $1,350,000), a clothing brand (Todd Snyder, $345,178), and a sports technology company (PlayOn Sports, $1,100,000). Fines aside, the settlements imposed additional duties, including years of monitoring and reporting to CalPrivacy, employee training, simplified processes for exercising privacy rights, changes in contracting processes, requirements to consult with user experience (UX) designers and conduct risk assessments, and officer-signed compliance certifications.

CalPrivacy brought more than a half-dozen actions against unregistered data brokers, including a $45,000 settlement with Rickenbacher Data LLC, d/b/a Datamasters, a Texas-based reseller, for failing to register as a data broker in violation of California’s Delete Act. The settlement prohibits the company from selling Californians’ personal information, which consisted of (1) the names, addresses, phone numbers, and email addresses of millions of people with Alzheimer’s disease, drug addiction, bladder incontinence, and other health conditions and (2) their age and perceived race, political views, grocery store purchases, banking activity, and health-related purchases. CalPrivacy also fined S&P Global, Inc., a New York-based provider of data and technology, $62,600 for failing to register as a data broker due to an administrative error and required the company to develop new procedures for registration and for auditing its compliance activities.

CalPrivacy is growing fast, with 54 employees, a $15.8M budget, a new Data Broker Enforcement Strike Force, and a new Audits Division launching in 2026. It has also built a multi-state enforcement coalition that now spans the Attorneys General of nine states (California, Colorado, Connecticut, Delaware, Indiana, New Hampshire, New Jersey, Minnesota, and Oregon), plus international partnerships with regulators in the UK, France, and Korea.

The bottom line: CCPA enforcement is no longer theoretical. It is active, sophisticated, and expanding.

The Top 10 Issues That Got Companies in Trouble and What To Do Now

1. Opt-Out Mechanisms That Don't Actually Work

The single most common violation is technology that doesn’t work as described. Companies relied on out-of-the-box links and webforms that looked compliant but were disconnected from the tracking technologies actually sharing consumer data. Consumers’ browsers transmitted opt-out requests, but nothing changed behind the scenes.

What to do: Verify that your opt-out mechanism is technically connected to tracking technologies on your site and app. Test it. Document it. Audit it quarterly.

2. Not Honoring Global Privacy Control (GPC)

The GPC is a browser signal that automatically tells websites "do not sell or share my data." Companies either ignored it entirely or failed to configure their systems to recognize it — and were charged accordingly. A September 2025 multi-state enforcement sweep (California, Colorado, Connecticut) targeted this issue specifically.

What to do: Confirm your website recognizes and honors GPC signals including for logged-in or known users and not just anonymous visitors. Display a confirmation message of whether the consumer’s opt-out request was processed as a valid request. The confirmation message can read “Opt-Out Request Honored.”

For more information, see The Essential CA Privacy Update Series and globalprivacycontrol.org.
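The two failure modes above (an opt-out that is not wired to the tags that actually share data, and a GPC signal that is received but never acted on) can be checked in code. The following is an added example written for this summary; it is not code from the article or from any of the companies or regulators named. The `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property are the signals defined by the Global Privacy Control specification; the tracker inventory, the stored-preference shape and the tracker ids are constructed for illustration, and the "Opt-Out Request Honored" confirmation text is the one suggested in the section above.

```javascript
// Added example, not from the article. Resolves a consumer's "Do Not Sell or
// Share" status from the signals a site actually receives, gates tracking tags
// on that decision, and audits that every selling/sharing tag really obeys it.

// Constructed inventory of tracking technologies on a hypothetical site.
// `shouldLoad` is the gating logic each tag was deployed with. Every tag that
// sells or shares personal information must be listed here, or the opt-out
// decision never reaches it (the "disconnected" failure described above).
const TRACKER_INVENTORY = [
  { id: "analytics", sellsOrShares: false, shouldLoad: () => true },
  { id: "ad-pixel", sellsOrShares: true, shouldLoad: (d) => !d.optedOut },
  // Constructed misconfiguration: this pixel ignores the decision entirely.
  { id: "retargeting", sellsOrShares: true, shouldLoad: () => true },
];

// Decide whether the request is opted out of sale/sharing.
//   headers    - lowercase HTTP request headers (server side), optional
//   nav        - navigator-like object (client side), optional
//   storedPref - preference previously recorded for this user/device, if any
//   userId     - the logged-in user, if any; GPC applies to them too
function resolveOptOut({ headers = {}, nav, storedPref = null, userId = null }) {
  const gpcHeader = String(headers["sec-gpc"] ?? "").trim() === "1";
  const gpcNav = nav?.globalPrivacyControl === true;
  if (gpcHeader || gpcNav) {
    // The signal is an opt-out for whoever is behind the browser, logged in
    // or anonymous; no identity verification is required to process it.
    return { optedOut: true, source: "gpc", userId, confirmation: "Opt-Out Request Honored" };
  }
  if (storedPref?.optedOut) {
    return { optedOut: true, source: "stored", userId, confirmation: "Opt-Out Request Honored" };
  }
  return { optedOut: false, source: "none", userId, confirmation: null };
}

// Ids of the trackers that would load under the given decision, using each
// tag's own deployed gating logic (this is what a page actually does).
function permittedTrackers(decision, inventory = TRACKER_INVENTORY) {
  return inventory.filter((t) => t.shouldLoad(decision)).map((t) => t.id);
}

// The "test it, document it" step: simulate an opted-out visitor and report
// every selling/sharing tag that still loads. An empty list means the opt-out
// is wired all the way through to the tags.
function auditOptOutWiring(inventory = TRACKER_INVENTORY) {
  const optedOutVisitor = resolveOptOut({ headers: { "sec-gpc": "1" } });
  const loaded = new Set(permittedTrackers(optedOutVisitor, inventory));
  return inventory
    .filter((t) => t.sellsOrShares && loaded.has(t.id))
    .map((t) => `tracker "${t.id}" still loads after opt-out`);
}

// Content for the /.well-known/gpc.json resource by which a site declares that
// it honors GPC (field names per the GPC specification; the date is constructed).
function gpcWellKnown(lastUpdate = "2026-01-01") {
  return { gpc: true, lastUpdate };
}

module.exports = { TRACKER_INVENTORY, resolveOptOut, permittedTrackers, auditOptOutWiring, gpcWellKnown };
```

Running `auditOptOutWiring()` against the constructed inventory reports the `retargeting` pixel, which is the kind of finding a quarterly audit should surface and fix before a regulator does; the `resolveOptOut` decision is the same whether a `userId` is present or not, which is the point about honoring GPC for logged-in users.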

3. Choices That Are Rigged in Favor of "Accept"

CalPrivacy has been explicit: it is a dark pattern if it’s easy for consumers to "Accept All" in one click, but forces consumers through multiple steps to “Reject”. This includes banners that offer only "Accept All" and "More Information" with no direct "Reject" or “Non-essential Cookies Only” option. Companies must properly configure their enterprise compliance platform or be found in violation.

What to do: Properly configure and test your compliance solutions periodically. Don’t use pre-checked boxes and avoid double negatives. If using toggle buttons, add text to explain how the toggles work. Make consumer choices equally prominent or equivalent and do not make it hard to exercise consumer rights.

4. Requiring Too Much Information to Exercise Privacy Rights

Companies cannot require consumers to verify their identity before processing a "Do Not Sell or Share" opt-out or a request to limit. The CCPA treats opt-out requests differently from access, deletion or correction requests. Todd Snyder required consumers to upload a selfie holding a government-issued ID just to submit a "Do Not Sell" request. Honda required eight mandatory data fields for every request type, with no distinction between the types of request. Tractor Supply failed to provide an effective opt-out mechanism, including honoring GPC. See: Applying Data Minimization to Consumer Requests, Enforcement Advisory No. 2024-01.

What to do: Your privacy request forms must distinguish between request types. Opt-out and limit requests should require only the minimum information needed to process them and should not require government ID and other information unless strictly necessary.

5. Deficient or Outdated Privacy Policies

A privacy policy that has not been updated in years, that claims the company does not "sell" data when it does, or that fails to describe consumer rights in any meaningful way is itself an independently charged violation. PlayOn's policy had not been updated since 2022 and falsely stated it did not sell personal information. The Tractor Supply investigation resulted from a consumer complaint in California; the company violated the CCPA by failing to maintain a privacy policy that notified consumers and job applicants of their privacy rights and how to exercise them.

What to do: Update your privacy policy annually. Ensure it accurately reflects whether you sell or share personal information (tracking pixels and ad tech almost certainly mean you do) and that it fully describes all consumer rights and how to exercise them. Scan your digital properties to inventory tracking technologies.

6. Missing or Deficient Vendor Contracts

Every company that sells or shares consumer personal information with a service provider or third party must have a written contract containing specific required terms. Honda could not produce contracts. Tractor Supply's contracts were missing multiple required provisions including clauses requiring vendors to honor opt-out requests forwarded to them.

What to do: Audit vendor relationships involving consumer personal information especially when sharing with ad tech companies. Ensure written agreements are in place and contain all required CCPA contractual terms (some are in the regulations).

7. No Notice to Job Applicants

The Tractor Supply settlement was the first to focus on the failure to provide job applicant notices. Businesses must provide job applicants with a notice at collection and privacy policy explaining their CCPA privacy rights. Many businesses focus their compliance efforts on customer-facing disclosures and overlook this requirement entirely.

What to do: Review your job application process, including online portals and background check intake forms, to ensure a compliant CCPA notice is provided at the point of collection; train your personnel to recognize and respond to privacy requests; make sure not to delete personal records that are required to be retained under federal law; and remove third-party trackers from pages where consumers are entering personal information.

8. Failing to Oversee and Configure Third-Party Compliance Tools

Companies deferred to their third-party privacy management tools without knowing the tools' limitations or validating their operation. CalPrivacy expects companies to monitor their vendor tools.

What to do: Do not assume that deploying a consent management platform means you are compliant. Actively monitor and validate that your privacy tools are functioning correctly, including links and email addresses. Train your employees to recognize and respond to consumer requests. Conduct periodic testing and document your monitoring activities.

9. Making It More Difficult for Authorized Agents to Exercise a Consumer’s Rights

Companies should not make it harder for authorized agents to exercise a consumer’s privacy rights, including by requesting unnecessary information or requiring additional steps.

What to do: Ensure that unnecessary steps are removed—especially from requests where there are limited opportunities for fraud or security risks such as opt-outs and requests to limit. Do not require powers of attorney or other processes that cost consumers time or money.

10. Pointing Consumers to Industry Opt-Out Tools Instead of Providing Your Own

PlayOn's privacy policy directed consumers to opt out through NAI and DAA industry self-regulatory tools rather than providing a direct opt-out mechanism on its own website. CalPrivacy found this insufficient.

What to do: Do not treat NAI/DAA opt-out tools as satisfying your CCPA obligation.

Bonus: Failing to Register as a Data Broker

If your business collects and sells personal information about people you do not have a direct relationship with, you are likely a "data broker" under California law and must register annually with CalPrivacy. In 2025, CalPrivacy brought more than a half-dozen enforcement actions against unregistered data brokers, and one company shut down entirely rather than comply. A dedicated Data Broker Enforcement Strike Force is now operational.

What to do: Assess whether your business or any subsidiary or affiliate meets the definition of "data broker." If so, register with CalPrivacy by the annual January deadline.

What the Enforcement Trend Tells Us

CalPrivacy's enforcement is focused on one central idea: privacy rights must actually work, not just appear to work. It is not compliant to maintain an opt-out link that does nothing or fails to honor GPC, a cookie banner that only says "Agree," a privacy policy that claims you don't sell or share data when you do, an opt-out request form that requires a government ID, or anything else that systematically prevents or discourages consumers from exercising their privacy rights under the CCPA.

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE. This summary does not constitute legal advice.

Lael Bellamy
CCPA, Privacy Law