At the end of February, the California Privacy Protection Agency (CalPrivacy) published its 2025 annual report outlining its achievements in strengthening Californian’s privacy rights, including finalizing the CCPA Regulations, launching its DROP opt-out system, and proactively enforcing the state’s privacy laws. Below are some key points that businesses should know.
Table of Contents
Increased enforcement powers
CalPrivacy has more resources with which to investigate complaints, conduct audits, publish guidance and enforcement authorities and enforce against businesses that violate California privacy laws. The agency’s employee count went from 40 to 54 last year, and it saw a $3 million increase in its budget to $15.8 million.
Additionally, it has added a Data Broker Enforcement Strike Force and established a new role, Chief Privacy Auditor, to lead a newly created Audits Division.
Significant settlements for non-compliance
With five significant enforcement actions in 2025 (others were brought by the Attorney General’s Office}, CalPrivacy established itself as a leader in privacy enforcement. Significant fines totaling as much as $1.4 million caught the attention of business leaders across the globe.
By proactively auditing, investigating, and publishing enforcement authorities, CalPrivacy has shown a strong commitment to holding businesses accountable to their privacy obligations and ensuring Californians can access their rights easily clearly.
The report shows clearly that businesses can expect more of this in 2026 and beyond.
Consumer engagement is up
Not long ago, American consumers were largely (blissfully?) unaware of the privacy risks when sharing personal information online. The California Consumer Privacy Act, its regulations, and the enforcement actions out of CalPrivacy and the California AG’s Office have significantly changed that.
Year over year, CalPrivacy has seen a 120% increase in consumer complaints. The launch of the Delete Request and Opt-out Platform (DROP) at the beginning of 2026 saw more than 200,000 registrations in its first two months. Californians are understanding their rights more than ever before and beginning to hold businesses accountable.
CalPrivacy has conducted outreach in the form of consumer education programs, teaching consumers about their privacy rights, helping seniors protect their personal information, and growing its social media presence. Its website serves as a tool for consumers and businesses alike to obtain information on the state’s laws and what they mean for both parties.
Collaboration between regulatory agencies
As a founder of the Consortium of Privacy Regulators, which includes attorneys general from Colorado, Connecticut, Delaware, Indiana, New Jersey, Oregon, Minnesota and New Hampshire, CalPrivacy has a strong network of support domestically. It conducted a joint privacy sweep in September 2025, and businesses can expect more collaboration on investigations and enforcement going forward.
It also strengthened international collaboration, partnering with Korea’s Personal Information Protection Commission, the UK Information Commissioner’s Office, and France’s CNIL. These partnerships facilitate the sharing of best practices and investigative methods, joint research initiatives. CalPrivacy is a member of the Asia Pacific Privacy Authorities, the Global Privacy Enforcement Network (GPEN), and has adequacy with the Dubai International Financial Center.
Collaboration and coordination across borders will mean more efficient and effective enforcement by aligning goals and strategies and acting as a force multiplier for all agencies involved.
2026 Plans
The report highlights some specific areas CalPrivacy will continue to focus on going forward, like expanding the Consortium of Privacy Regulators, providing more education for both consumers and businesses, and continuing to proactively enforce California privacy laws.
All indications are that CalPrivacy is ramping up its efforts and intends to build on the momentum it gained in 2025. Increased resources, collaboration and consumer awareness will accelerate these efforts.
What Does This Mean for Businesses?
Regulators publish these reports not only to show their accomplishments, but also to provide guidance to businesses on the focus of the agency, its goals for enforcement, and shed light on its actions toward achieving those goals. So, what does this 2025 CalPrivacy report tell us?
1. Businesses should be conducting a gap analysis to ensure privacy programs align with CCPA and the newly adopted regulations.
2. They should be reviewing the sources of their information to understand the downstream impact of programs like DROP that may impact the availability of personal information.
3. They should be testing the functionality of privacy tech and reviewing consent and choice mechanisms for clarity, symmetry and completeness.
4. And they should definitely be tuning their antennae to the information and actions coming out of CalPrivacy and the Consortium of Privacy Regulators.
Need Help Meeting the CCPA’s Evolving Requirements?
We’re here for you! With decades of privacy experience helping companies from Fortune 500s to startups, we can get your privacy program up to speed with new obligations from the CCPA Regulations and any other compliance hurdles coming your way! Contact us today to talk through your CCPA readiness and next steps.
California Consumer Privacy Act (CCPA) Compliance Guide
Inside our CCPA Compliance Guide you’ll find: essential details about scope and enforcement, definitions, consumer privacy rights and obligations of organizations and more!
