
California Privacy Protection Agency publishes first annual report

Published Date: Mar 19 2025

On February 26, 2025, the California Privacy Protection Agency (CPPA) published its first annual report for 2024 (Report). The Report highlights that the CPPA recovered more than USD 170,000 in administrative fines through data broker non-compliance settlements, conducted two enforcement sweeps, supported five privacy bills that were signed into law from 2023 through 2024, received 3,797 consumer complaints since July 2023, and sponsored its first bill on opt-out preference signals.

Highlights of the Report are set out below.

The CPPA’s Enforcement Division focuses its enforcement on non-compliance relating to privacy notices / policies, implementation of consumer requests, the right to delete, selling or sharing personal information without a proper notice or opt-out mechanism, dark patterns or deceptive designs, and violations that affect vulnerable communities and groups. Throughout 2024, the Enforcement Division continued its investigative sweep focusing on the connected vehicle ecosystem (vehicles that are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras). Additionally, the Enforcement Division issued two enforcement advisories, including "Applying Data Minimization to Consumer Requests" and "Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice".

In July 2023, the Consumer Complaints Unit launched a consumer complaint portal. The CPPA has reported a robust public response after launching this portal. The Consumer Claims Unit reviews every complaint and uses complaints to inform enforcement priorities, identify targets and spot trends. The consumer complaints have focused on the right to opt out of sale or sharing; the collection, use, storage and sharing of personal information; and the right to delete personal information.

In late 2024, the CPPA’s Legal Division began the formal rulemaking process for an omnibus regulatory package that addresses critical privacy issues, including cybersecurity audits, risk assessments, automated decision-making technology and regulatory requirements for insurance companies.

The CPPA also provided input on the Delete Act, the landmark 2023 law that helps consumers exercise their deletion rights with data brokers. The law transfers responsibility for the Data Broker Registry to the CPPA and mandates the creation of the DROP system (a delete request and opt-out platform) by January 1, 2026. Additionally, in 2024, the CPPA sponsored its first bill, which would have required internet browsers and mobile operating systems to provide consumers with easy access to opt-out preference signals. Although this bill was ultimately vetoed, it has laid the groundwork for future advancements in this area.
