Privacy & Cybersecurity Law Blog

The California Privacy Protection Agency (“CalPrivacy”) expects to conduct California Consumer Privacy Act (“CCPA”) compliance audits in 2026 as it builds out its newly created Audits Division, according to Law360’s recent interview with CalPrivacy’s Executive Director, Tom Kemp.

The Audits Division will monitor whether businesses, service providers, and contractors are complying with the CCPA and related laws (e.g., the Delete Act) through both announced and unannounced audits. Findings from audits may be referred to the agency’s Enforcement Division, which has already issued major fines against companies, including Honda, Ford, and Tractor Supply Company, for alleged violations of the CCPA.

As part of its proactive privacy awareness and enforcement efforts, CalPrivacy is also promoting the use of its new data broker Delete Request and Opt‑Out Platform (“DROP”). DROP allows Californians to submit a single data deletion request that must be honored by all registered data brokers.  Executive Director Kemp also indicated that CalPrivacy would in the coming months solicit public comment on a variety of topics for potential agency rulemaking, including “opt-out preference signals, reducing friction in the processes consumers use to exercise their data rights, handling employee data, streamlining privacy notices and how to conduct audits surrounding data brokers' data deletion obligations.”

Read Law360’s recent interview with CalPrivacy’s Executive Director, Tom Kemp.