Privacy & Information Security Law Blog

On January 27, 2026, the Centre for Information Policy Leadership (“CIPL”) hosted a fireside chat with California Privacy Protection Agency (“CPPA”) General Counsel Phil Laird in honor of Data Privacy Day. The CPPA (also known as CalPrivacy), established in 2020 by a California voter initiative, is the only state-level data privacy enforcement agency in the country and the largest team in the U.S. dedicated solely to privacy enforcement.

CIPL’s Mark Smith spoke with Laird about a wide range of topics, ranging from the CPPA’s structure and enforcement priorities to upcoming rulemaking activities. Key takeaways from the discussion follow:

• Data Broker Registry and Delete Act. On January 1, 2026, the California Delete Act went into effect and transferred California's existing data broker registry administration to the CPPA (previously administered by the California Attorney General). Businesses that meets the definition of a data broker must register with the CPPA, which is required to maintain a publicly accessible data broker registry. The law also requires the CPPA to establish a one-stop shop for consumers to request that all data brokers delete their personal information. Pursuant to this mandate, the CPPA launched the Delete Request and Opt-out Platform mechanism. Laird emphasized that businesses should closely review the definition of data broker under applicable law to determine whether data broker registration requirements apply.

• Investigation and enforcement priorities. While Laird's role as the CPPA’s General Counsel does not encompass enforcement and investigation activities, he offered general comments about the CPPA’s 's enforcement priorities. CPPA investigations can arise from many circumstances, including consumer complaints or the personal experiences of CPPA staff. Additionally, the CPPA has expanded its technical capacity and hired several technical staff to support the enforcement division, including through investigations of publicly observable business practices. Laird also pointed to CPPA Deputy Director of Enforcement Michael Macko’s Enforcement Update presented to the CPPA’s September 2025 Board Meeting. Deputy Director Macko disclosed that the CPPA’s enforcement strategy is to establish precedent highlighting different elements of the California Consumer Privacy Act (“CCPA”) and across all industries rather than focusing on a single industry or an “eye-catching penalty.”

Businesses should pay attention to the CPPA’s Enforcement Advisories, as these signal some of the Enforcement Division’s priorities. According to Laird, Enforcement Advisories typically address widespread issues that the CPPA observes across industries.

While not all investigations will lead to enforcement actions, the CPPA encourages businesses to engage willingly and transparently, as this engagement will result in the best outcome for all parties involved.

• Upcoming rulemaking. Laird previewed several topics that the CPPA intends to solicit public comments for in 2026 under its rulemaking authority, including employee data, CCPA-mandated notices and disclosures, reducing friction in consumers’ ability to exercise their privacy rights, and opt-out preference signals.

The CPPA’s rulemaking authority is governed by the California Administrative Procedures Act (“APA”). Notably, the CPPA is strictly prohibited from issuing regulations or guidance that can be interpreted as an “underground regulation.” Any regulations or rules issued by the CPPA must follow APA procedures. Laird encouraged businesses to notify the CPPA of any gaps in the CCPA or related regulations, as this will help inform CPPA rulemaking priorities.

Businesses subject to the CCPA should sign up for CPPA emails and alerts through this link.

CIPL is a global privacy and data policy think and do tank that partners with industry leaders, regulatory authorities and policy makers to develop solutions and best practices for privacy and the responsible use of data. You can learn more about CIPL here.