6 October 2025

"A New Era Of Privacy Enforcement": CPPA Signals Intensified Oversight While Advancing New Regulations

Perkins Coie LLP


Janis Claire Kestenbaum’s articles from Perkins Coie LLP are most popular:
  • within Privacy topic(s)
  • with Finance and Tax Executives
  • in United States

150 consumer complaints per week. A consortium of privacy regulators. "Hundreds of open investigations."

These were some of the highlights from the California Consumer Privacy Protection Agency (CPPA) Board meeting on September 26, 2025. In addition to these enforcement updates, the Board advanced regulatory initiatives and introduced new concepts for future rulemaking. The meeting was the first for Board member Jill Hamer, who replaced Jeffrey Worthe.

Below, we summarize key updates from the meeting regarding increased enforcement and new regulatory requirements on the horizon.

CCPA Regulations Approved

At the outset, the CPPA announced that the California Office of Administrative Law (OAL) had approved the regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT).

The regulations will be effective as of January 1, 2026, with the following compliance dates:

Cybersecurity Audits

Businesses required to complete cybersecurity audits must submit certifications to the CPPA by:

  • April 1, 2028, if the business makes over $100 million;
  • April 1, 2029, if the business makes between $50 million and $100 million; or
  • April 1, 2030, if the business makes less than $50 million.

Risk Assessments

Businesses subject to risk assessment requirements must begin compliance by January 1, 2026. By April 1, 2028, they must submit to the CPPA:

  • An attestation that required risk assessments were completed, and
  • A summary of their risk assessment information.

ADMT

Businesses that use ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027.

CPPA Announces Dramatically Ramped-Up Enforcement in the Works

In an update on the agency's enforcement activities, Michael Macko, the CPPA's Deputy Director of Enforcement, characterized the agency as entering "a new era of privacy enforcement." Mr. Macko touted the expansion of the agency's enforcement division, which he described as the largest in the United States dedicated solely to privacy, with a mixture of former federal and state criminal prosecutors, in-house counsel from major technology companies, attorneys from law firms, former FTC staff, and Ph.D.s in computer science. Mr. Macko explained that the division is handling a rapidly growing workload, which has ballooned from 150 consumer complaints per month to over 150 per week.

Mr. Macko emphasized that more enforcement is coming, noting that the CPPA is now pursuing "hundreds of open investigations," and that in "most of these investigations, the businesses do not know about us. We haven't surfaced yet in most of them." Mr. Macko explained that the targets are a mixture of larger and smaller businesses, and suggested that there will be more joint enforcement actions with other states (like the recent joint investigative sweep focused on global privacy controls) in the coming months.

DROP Regulations and Data Broker Updates

The Board also considered the proposed Data Rights and Opt-Out Platform (DROP) regulations to implement the California Delete Act. These regulations would establish a centralized, accessible deletion mechanism—the "DROP platform"—to allow consumers to request from registered data brokers the deletion of all non-exempt personal information associated with them. The Board unanimously approved the proposed regulations without any changes following the close of the comment period on August 18, 2025. The package now heads to the OAL for review, with a public demonstration of the DROP platform scheduled for the CPPA's November meeting. In addition, the Board voted unanimously to lower the data broker registration fee from $6,600 to $6,000 for the 2026 registration period.

On the Horizon: New Areas for Potential Rulemaking

Looking ahead, the CPPA Board discussed potential areas for future rulemaking, including a proposal from Board Member Mactaggart for a "partial" deletion right that would allow consumers to remove portions of their data and require businesses to include a clear explanation of the impact. In response to public concerns about "4th-party" verification systems collecting sensitive data under the fraud exception without registering as data brokers, the Board requested legal analysis on the issue. Both topics may generate discussion in future meetings.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
