
Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.
Thank you!
Please check your email to view the guide.

CalPrivacy’s 2025 Annual Report is not just a recap of last year’s activity. It shows that California has largely finished a major phase of rulemaking and is now building the infrastructure to test whether privacy rights are actually honored in live digital environments.
In 2025, CalPrivacy made a noticeable shift toward implementation, accountability, and long-term enforcement. Now, we are seeing the infrastructure to make all of that possible, including the final version of CCPA (California Privacy Protection Act) regulations, Delete Request and Opt-out Platform (DROP), the Opt Me Out Act, multi-state GPC enforcement activity, and a new Audits Division coming in 2026.
California is making privacy rights easier to exercise and easier to test.
Now, let’s get into what CalPrivacy has said in more detail, and the plan they’ve got for 2026 and beyond.
Here are the four updates concerning areas where you need to take action.
In 2025, the CalPrivacy Board adopted updates to existing CCPA regulations, as well as a comprehensive set of rules governing automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance companies.
Let’s break down what that means:
There are hundreds of data brokers spread across the country and worldwide.
For consumers, key aspects of CCPA and CPRA (California Privacy Rights Act) have not always been easy to exercise, until now.
With the implementation of the Delete Request and Opt-out Platform (DROP), consumers can use this first-of-its-kind platform to have their data removed from 500+ registered data brokers.
Anyone can use it straight away. As CalPrivacy says:
DROP compliance: From August 1, 2026, data brokers must delete your data within 90 days.
The CalPrivacy Enforcement Division has the “nation’s largest team of litigators and technologists dedicated solely to privacy enforcement.” It gained enforcement authority in 2023, and since then has worked with dozens of state Attorneys General and data protection authorities worldwide.
Since September 2025, CalPrivacy has initiated an investigative sweep across California, Colorado, Connecticut, and other states, focused on businesses that appeared not to honor global privacy control (GPC).
One reason for this is that it is easier for consumers to make a CCPA complaint. CalPrivacy has received more than 10,000 complaints since its online portal launched in 2023, with about a 120% year-over-year increase.
For privacy leaders, this is the bigger signal: California is reducing friction for consumers and increasing testability for regulators.
How extensive the changes need to be depends on how close your organization is to operationalizing privacy rights in practice, and that depends on what a website audit is going to show.
Now that CalPrivacy has the rules and mechanisms in place, privacy rights can be exercised at greater scale. Consumers are no longer expected to manually chase privacy rights across hundreds of sites and apps.
California is reducing friction for consumers and increasing testability for regulators. Proving runtime accountability is now essential, and it must be achieved across every surface.
Privacy cannot remain a policy-only exercise.From now on, the core enforcement issue is operational. It comes down to whether organizations actually honor consumers' privacy rights in practice.
It is not always that a company is trying to break CCPA or any privacy requirement.
Often, the issue is that privacy teams do not have visibility into what changes after a release, what marketing tags are firing downstream, or whether a user’s choice is actually being honored across every journey.
That is why technical audits are becoming so important. Privacy leaders need current evidence of what their websites and apps, do after a user rejects, opts out, or sends a browser-level preference signal.
Here are a few things that an audit can uncover, showing how closely your website(s) and app(s) align with disclosed privacy choices:
In short, most companies have purchased consent management platforms (CMPs) to address website privacy compliance, but CMPs are not designed to verify compliance or identify potential privacy violations.
CMPs are designed purely to set up consent banners and limit data flows based on consent. Since these tools lack privacy compliance checks, companies must regularly manually audit websites or risk a privacy violation. Manual audits are extremely time consuming, imprecise, and do not scale, especially considering most websites get updated weekly. As a result, many privacy teams are unaware that their CMP is not properly collecting or enforcing consent for data sharing on websites until it is too late, and there is threat of legal action.
Doing an audit that is aligned with CalPrivacy’s current enforcement priorities can help privacy teams identify gaps before regulators do.
Here is what you need to assess:
With Privado AI, you can benefit from the following:
CalPrivacy’s annual report matters because California now has both stricter rules and better mechanisms to test whether privacy rights actually work.
Static documentation, like privacy policies, is becoming less defensible than runtime evidence. Because of this, privacy leaders need continuous visibility into what their websites and apps are actually doing.
Request a free website scan to immediately identify and remediate all privacy risks live on your website.