On November 18, the California Privacy Protection Agency (CPPA) announced the creation of a Data Broker Enforcement Strike Force within its Enforcement Division to investigate alleged violations of the California Consumer Privacy Act and the Delete Act’s data broker registration requirements. The Agency stated that the new unit will expand its review of the data broker industry and support implementation of the Delete Request and Opt-Out Platform, which will allow consumers to submit a single deletion request to all registered data brokers beginning in January 2026.
The announcement builds on CalPrivacy’s 2024 investigative sweep into data broker compliance, which the Agency reports has resulted in a significant number of ongoing enforcement actions. The Strike Force will provide additional resources to expand those efforts and increase oversight of registration and compliance obligations under the Delete Act and the CCPA.
Putting It Into Practice: California continues to lead the way in state-level privacy enforcement and supervision (previously discussed here and here), and the launch of the Strike Force marks another expansion of its oversight footprint. Other states are likely to explore similar enforcement models, making it important for organizations operating across jurisdictions to monitor new developments and update compliance programs accordingly.
