CalPrivacy’s 2025 annual report is a blueprint for 2026 enforcement: Compliance evidence, not empty policy promises

April 8, 2026
5 mins read
Joel Lim
Privacy Content Creator
CalPrivacy’s 2025 Annual Report is not just a recap of last year’s activity. It shows that California has largely finished a major phase of rulemaking and is now building the infrastructure to test whether privacy rights are actually honored in live digital environments.

In 2025, CalPrivacy made a noticeable shift toward implementation, accountability, and long-term enforcement. The infrastructure to make that possible is now in place or arriving: the final version of the CCPA (California Consumer Privacy Act) regulations, the Delete Request and Opt-out Platform (DROP), the Opt Me Out Act, multi-state GPC enforcement activity, and a new Audits Division coming in 2026.

California is making privacy rights easier to exercise and easier to test.

Key takeaways: 

  • What happened: On March 4th, 2026, CalPrivacy published its inaugural annual report to highlight major regulatory changes for 2026, including launching DROP, supporting the Opt Me Out Act, and expanding enforcement operations.
  • Why it matters: CalPrivacy issued its first three privacy fines in 2025 and explains in this report how it plans to ramp up future enforcement.
  • What needs to be reviewed: Businesses need to review whether GPC/OOPS are actually honored, whether opt-out flows suppress tracking, whether privacy notices match runtime behavior, and whether risk assessments are supported by current technical evidence.
  • How Privado AI can help: Request a free website audit. Privado AI helps privacy teams audit live websites and apps across consent states, build complete data maps without questionnaires, and fully automate privacy assessments.

Now, let’s get into what CalPrivacy has said in more detail, and the plan they’ve got for 2026 and beyond.

4 moves CalPrivacy made in 2025 that change 2026 data privacy enforcement

Here are the four updates concerning areas where you need to take action.

1. California finished its core rulemaking phase

In 2025, the CalPrivacy Board adopted updates to existing CCPA regulations, as well as a comprehensive set of rules governing automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance companies.

Let’s break down what that means:

  • Cybersecurity audits: Annual audits are mandatory for businesses that pose significant security risks. Businesses must submit initial certifications of completion to CalPrivacy by:
    1. April 1, 2028, if annual revenue exceeds $100 million
    2. April 1, 2029, if annual revenue is between $50 million and $100 million
    3. April 1, 2030, if annual revenue is under $50 million
  • Risk assessments: Required for “activities presenting significant risk to consumers’ privacy.” They must be done between January 1, 2026, and April 1, 2028, and must “include an attestation that the risk assessments were completed and the information is true and correct.”
  • ADMT: Consumers must be allowed to actively and easily opt out of ADMT “for [any activity involving] significant decisions (e.g., employment, housing, education, healthcare).” Compliance must start no later than January 1, 2027.
  • Insurance companies: Clarifies when insurance companies must comply with the CCPA, ensuring consistent application of privacy protections across sectors.

2. California made rights more scalable for consumers

There are hundreds of data brokers spread across the country and worldwide.

For consumers, key aspects of CCPA and CPRA (California Privacy Rights Act) have not always been easy to exercise, until now.

With the implementation of the Delete Request and Opt-out Platform (DROP), consumers can use this first-of-its-kind platform to have their data removed from 500+ registered data brokers.

Anyone can use it straight away. As CalPrivacy says:

  • DROP is safe, secure, and protects your privacy
  • Fast and easy to use
  • Free — we will never charge you to use DROP

DROP compliance: From August 1, 2026, data brokers must delete your data within 90 days.

3. Browser-level opt-out signals (OOPS) are now law

  • In October 2025, California’s Governor signed into law the California Opt Me Out Act (AB 566).
  • Every browser must offer a built-in opt-out preference signal (OOPS). That covers every browser with any users in California, which in practice means almost every browser in the world.
  • Browsers must comply with the new OOPS requirement beginning January 1, 2027.

4. Enforcement is more scalable

The CalPrivacy Enforcement Division has the “nation’s largest team of litigators and technologists dedicated solely to privacy enforcement.” It gained enforcement authority in 2023, and since then has worked with dozens of state Attorneys General and data protection authorities worldwide.

Since September 2025, CalPrivacy has initiated an investigative sweep across California, Colorado, Connecticut, and other states, focused on businesses that appeared not to honor Global Privacy Control (GPC).

One reason for this is that it is easier for consumers to make a CCPA complaint. CalPrivacy has received more than 10,000 complaints since its online portal launched in 2023, with about a 120% year-over-year increase.

For privacy leaders, this is the bigger signal: California is reducing friction for consumers and increasing testability for regulators.

How extensive the changes need to be depends on how close your organization is to operationalizing privacy rights in practice, and that depends on what a website audit is going to show.

What CalPrivacy is really saying: Consumer data protection rights must work at scale

Now that CalPrivacy has the rules and mechanisms in place, privacy rights can be exercised at greater scale. Consumers are no longer expected to manually chase privacy rights across hundreds of sites and apps.

California is reducing friction for consumers and increasing testability for regulators. Proving runtime accountability is now essential, and it must be achieved across every surface.

Privacy cannot remain a policy-only exercise. From now on, the core enforcement issue is operational: it comes down to whether organizations actually honor consumers’ privacy rights in practice.

What breaks when users try to opt out of data sharing on websites and apps

It is not always that a company is trying to break CCPA or any privacy requirement.

Often, the issue is that privacy teams do not have visibility into what changes after a release, what marketing tags are firing downstream, or whether a user’s choice is actually being honored across every journey.

That is why technical audits are becoming so important. Privacy leaders need current evidence of what their websites and apps do after a user rejects, opts out, or sends a browser-level preference signal.

Here are a few things that an audit can uncover, showing how closely your website(s) and app(s) align with disclosed privacy choices:

  • GPC or future browser-based opt-out signals are not honored.
  • Reject or opt-out states suppress some trackers but not downstream pixels, tags, or SDKs.
  • Advertising pixels share personal data before the CMP fires on websites and apps.
  • Privacy notices describe one thing, while actual recipients and data elements show another.
  • Risk assessments are completed as box-ticking exercises, but are not based on current, observable web/app behavior.
  • Consent enforcement and evidence collection are not aligned across websites, mobile apps, and other user-facing and backend applications.

Why consent management platforms require regular privacy auditing to ensure compliance

In short, most companies have purchased consent management platforms (CMPs) to address website privacy compliance, but CMPs are not designed to verify compliance or identify potential privacy violations.

CMPs are designed purely to set up consent banners and limit data flows based on consent. Since these tools lack privacy compliance checks, companies must regularly audit websites manually or risk a privacy violation. Manual audits are extremely time-consuming, imprecise, and do not scale, especially considering that most websites are updated weekly. As a result, many privacy teams are unaware that their CMP is not properly collecting or enforcing consent for data sharing on websites until it is too late and there is a threat of legal action.

What to audit now before California’s next wave of enforcement: Actionable checklist

Doing an audit that is aligned with CalPrivacy’s current enforcement priorities can help privacy teams identify gaps before regulators do.

Here is what you need to assess:

  1. Global Privacy Control (GPC) opt-outs: GPC is a web browser setting that users turn on to automatically opt out of data sharing for advertising purposes. CCPA requires that websites honor GPC signals by blocking third-party advertising cookies and network requests when GPC is turned on.
  2. Traditional opt-outs: After users opt out of the sale or sharing of their data via consent banners, forms, or other mechanisms, test whether:
    1. Third-party advertising cookies are still used.
    2. Personal data is still shared with advertising third parties via network requests.
    3. Opt-outs are not honored on the same device or across devices/environments: web, mobile app, connected TV, etc.
  3. Opt-out forms do not require users to provide personal data in order to opt out.
  4. Sensitive personal data, such as location or health data, is not shared without explicit consent.
  5. Personal data is not shared with third parties without a CCPA-compliant contract.
  6. Compare privacy disclosures against observed data sharing behavior.
  7. Review whether your risk assessments are supported by current technical evidence.
  8. Repeat the same tests in mobile apps.
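The GPC test in item 1 and the before/after comparison in item 2, as an added example that is not Privado AI's or CalPrivacy's code: two captured loads of the same page (one with no signal, one with GPC on) are compared offline to find advertising hosts and cookies that are still active under the opt-out. The record shape is a simplified HAR export, the captures are constructed, and AD_HOSTS is an assumed list standing in for the advertising/tracking host list an auditor would maintain.

```javascript
// Added example (not Privado AI's or CalPrivacy's code). Record shapes are simplified
// from a HAR export; all data below is constructed. AD_HOSTS stands in for the
// advertising/tracking host list an auditor would maintain.
const AD_HOSTS = new Set(["pixel.adnet.test", "tags.tracker.test"]); // constructed

const host = (url) => new URL(url).hostname;
const isThirdParty = (h, fp) => h !== fp && !h.endsWith("." + fp);

// Third-party advertising hosts contacted during one capture.
function adHosts(capture) {
  const seen = new Set();
  for (const r of capture.requests) {
    const h = host(r.url);
    if (isThirdParty(h, capture.firstParty) && AD_HOSTS.has(h)) seen.add(h);
  }
  return seen;
}

// The test is only meaningful if the browser actually sent "Sec-GPC: 1" to the site.
function gpcSent(capture) {
  return capture.requests.some(
    (r) => host(r.url) === capture.firstParty && r.headers["Sec-GPC"] === "1",
  );
}
// Ad hosts still contacted, or ad cookies still set, under GPC are findings;
// hosts that fired in the baseline but not under GPC were correctly suppressed.
function auditGpc(baseline, withGpc) {
  if (!gpcSent(withGpc)) return { valid: false, stillFiring: [], suppressed: [], adCookies: [] };
  const before = adHosts(baseline);
  const after = adHosts(withGpc);
  return {
    valid: true,
    stillFiring: [...after].sort(),
    suppressed: [...before].filter((h) => !after.has(h)).sort(),
    adCookies: withGpc.cookies.filter((c) => AD_HOSTS.has(c.domain.replace(/^\./, ""))).map((c) => c.name),
  };
}

// Constructed sample captures: the pixel is suppressed under GPC, the tag host is not.
const baseline = { firstParty: "shop.example", cookies: [], requests: [
  { url: "https://shop.example/", headers: {} },
  { url: "https://pixel.adnet.test/px?id=1", headers: {} },
  { url: "https://tags.tracker.test/t.js", headers: {} },
] };
const withGpc = { firstParty: "shop.example", cookies: [{ name: "tid", domain: ".tags.tracker.test" }], requests: [
  { url: "https://shop.example/", headers: { "Sec-GPC": "1" } },
  { url: "https://tags.tracker.test/t.js", headers: { "Sec-GPC": "1" } },
] };
console.log(auditGpc(baseline, withGpc));
```

The same comparison applies to a banner-based opt-out: replace the GPC capture with one taken after the user rejects, and swap `gpcSent` for a check that the CMP's stored choice is present.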

How Privado AI detects high-risk privacy violations and automates assessments

With Privado AI, you can benefit from the following:

  • Web Auditor and App Auditor: Continuously scan your websites and mobile apps to verify consent banners, cookies, pixels, SDKs, and data flows are compliant with each privacy law in each location worldwide, including CCPA, CIPA, VPPA, GDPR, PIPEDA, etc. 
  • Wren: By integrating with your existing tools and leveraging the latest AI agent technology, Wren can autonomously capture potential risks, conduct research, recommend action, and populate entire assessments based on your company’s policies and regulatory requirements.
  • Dynamic Data Maps: Build complete data maps and RoPAs without manual assessments. Scan all 1st & 3rd party software, documentation, & contracts to identify personal data elements, 3rd parties, flows, & purposes.

The privacy teams that win in 2026 will have proof

CalPrivacy’s annual report matters because California now has both stricter rules and better mechanisms to test whether privacy rights actually work.

Static documentation, like privacy policies, is becoming less defensible than runtime evidence. Because of this, privacy leaders need continuous visibility into what their websites and apps are actually doing.

Request a free website audit

Request a free website scan to immediately identify and remediate all privacy risks live on your website.
