The California Privacy Protection Agency is no longer in startup mode.
CalPrivacy Executive Director Tom Kemp confirmed in a February IAPP interview that the agency has more than 100 open investigations underway and has received approximately 10,000 consumer complaints since becoming operational. At the agency's February 27, 2026 board meeting, staff reported that the Delete Request and Opt-Out Platform (DROP), which launched January 1, 2026, had registered more than 242,000 California residents. The data broker registry has grown from 459 entities in mid-2025 to 575+ by late February.
These are not projections. This is the current state of California's privacy enforcement infrastructure.
For organizations running consent management programs, these numbers represent a fundamental shift in enforcement risk. Here is what they mean in practice and what your team should be doing about it.
The Enforcement Playbook Is Already Published
CalPrivacy's most recent enforcement action provides a clear template for what the agency prioritizes.
In March 2026, PlayOn Sports agreed to pay $1.1 million to resolve California Consumer Privacy Act violations. The action was the first CalPrivacy decision involving students and California schools (roughly 1,400 California schools use PlayOn's GoFan ticketing platform), but the violations themselves were universal. Three specific failures drove the fine:
Failure to provide a first-party opt-out mechanism. PlayOn directed consumers to opt out through the Network Advertising Initiative and Digital Advertising Alliance. CalPrivacy ruled that redirecting to industry self-regulatory tools does not satisfy the CCPA. Businesses must offer their own direct opt-out.
Failure to recognize Global Privacy Control (GPC) signals. PlayOn's platform did not detect or honor GPC, which California treats as a valid opt-out of sale. CalPrivacy has been explicit that GPC recognition is a baseline requirement.
Coercive consent design. Users could not access tickets they had paid for without first clicking “agree” to tracking. CalPrivacy treats this kind of forced consent as a violation regardless of audience.
The order also requires PlayOn to implement opt-in procedures for minors going forward, consistent with CCPA requirements for users under 16. Notably, the agency did not allege a specific failure to obtain affirmative opt-in consent as the basis of the fine. The lesson is that the violations were structural; the student angle made the enforcement notable, not narrower.
These are not one company's problems. They are systemic gaps that appear in consent management programs across industries.
DROP Changes the Enforcement Math
The Delete Request and Opt-Out Platform deserves special attention from compliance teams.
DROP creates a direct, automated channel between California consumers and their data deletion rights. With 242,000+ registered users and 575+ data brokers covered, the platform is operationalizing consumer privacy rights at a scale that manual processes cannot handle. Critical context: data brokers are not yet required to process DROP requests. That obligation begins August 1, 2026, with brokers required to retrieve requests every 45 days and complete determinations within 90 days.
Here is what this means for compliance operations:
Volume becomes the new variable. When deletion requests were submitted individually, most organizations could manage them through existing workflows. DROP aggregates and automates these requests, which means processing teams may face concentrated bursts of deletion demands that exceed current capacity.
Timeliness becomes measurable. Failure-to-delete penalties under the Delete Act are $200 per request, per day. When DROP is generating the requests, there is a clear timestamp on when the request was received and when (or if) it was fulfilled. CalPrivacy staff have publicly noted that non-compliance at scale could result in extensive financial exposure.
Data broker relationships are in scope. If your organization shares data with brokers registered on DROP, deletion requests will flow upstream to you. Understanding your data broker ecosystem and the contractual obligations around downstream deletion is no longer optional.
The State Enforcement Landscape Is Coordinating
CalPrivacy's trajectory does not exist in isolation.
In April 2026, several state-level developments reinforced the direction of travel:
Alabama became the 21st state with a comprehensive privacy law. Governor Kay Ivey signed HB 351 (the Alabama Personal Data Protection Act) on April 16. For organizations with national operations, the cost of treating smaller states as out-of-scope continues to rise.
Virginia restricted geolocation data sales. SB 338, signed April 13 and effective July 1, 2026, prohibits controllers from selling precise geolocation data, adding a new data-type-specific restriction that consent programs must account for.
Maryland passed legislation limiting data sales to immigration enforcement agencies. HB 711 (the Data Privacy Act) cleared the Maryland legislature on April 13, 2026 and is awaiting Governor Moore's signature. If signed, the law takes effect July 1, 2026, and represents an emerging pattern of purpose-specific data-sharing restrictions.
California's AB 1542 advanced through committee. The bill, which would categorically prohibit the sale or sharing of sensitive personal information, passed the Assembly Privacy and Consumer Protection Committee 9-5 on April 16 and signals continued legislative activity.
The compliance floor is rising simultaneously across multiple states. Organizations managing consent on a state-by-state basis are running an increasingly expensive and error-prone operation.
Meanwhile, at the Federal Level
The SECURE Data Act (HR 8413), introduced on April 22, 2026, is the first comprehensive federal privacy bill of the 119th Congress. Key provisions include consumer rights to access, correct, delete, and port data, plus treating the data of teens under 16 as sensitive data requiring parental opt-in consent. The bill is modeled on the Virginia and Kentucky state privacy frameworks.
The most significant provision for compliance teams: strong preemption of state privacy laws. If enacted, this could simplify the multi-state compliance burden. The bill is in early stages, faces a long legislative path, and has already drawn formal opposition from CalPrivacy on preemption grounds.
For now, the prudent approach is to continue building state-level compliance capabilities while monitoring federal developments. Organizations that wait for federal preemption before addressing state requirements are taking on measurable risk.
Three Steps for Your Next 90 Days
Based on what CalPrivacy's enforcement signals and the broader regulatory landscape tell us, here are three operational priorities for consent management programs.
1. Audit Your GPC Signal Handling and Opt-Out Mechanism
This is CalPrivacy's clearest enforcement priority. Test GPC recognition across every domain and subdomain your organization operates. Verify that your consent management platform detects the signal and applies the appropriate opt-out across all consent categories.
Equally important: confirm that you are providing a first-party opt-out mechanism, not redirecting consumers to third-party industry tools. The PlayOn order made clear that NAI and DAA links do not satisfy CCPA requirements on their own.
Common gaps we see: GPC handling is configured on the primary domain but not on subdomains, microsites, or acquired properties. Each unaddressed property is a potential finding.
2. Stress-Test Your Data Deletion Workflow
The DROP platform means deletion requests will arrive at volume, with timestamps, through an automated channel starting August 1, 2026. Run a load test on your current deletion workflow:
- Can your team process the maximum expected volume within the required timeframe?
- Where does the workflow break? At request intake, identity verification, cross-system deletion, or confirmation?
- Do your data processor agreements include deletion obligations that mirror your own?
The organizations that discover their capacity limits during an audit have time to fix them. The organizations that discover them during an enforcement inquiry do not.
3. Review Your Consent Taxonomy Against Current Marketing Technology
Every analytics tool, tracking pixel, or marketing integration added after your initial CMP implementation is a potential gap. Run a structured comparison between your consent categories and your actual tag inventory. Across our client base, the most common pattern is unclassified or miscategorized tags accumulating in the months after launch, often without any single team owning the audit.
That gap is what CalPrivacy looks for in a compliance review.
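The checks from steps 1 and 3 can be run together over captured page loads. The following is an added example, not code from any CMP vendor or from CalPrivacy: it flags properties where sale or advertising tags fired despite a `Sec-GPC: 1` request header, and tags that have no entry in the consent taxonomy. The host names, tag names, taxonomy, and the set of categories treated as opt-out categories are all constructed assumptions.

```javascript
// Categories a GPC opt-out must suppress (assumed taxonomy, not from the page).
const OPT_OUT_CATEGORIES = new Set(["sale", "sharing", "targeted_ads"]);

// Constructed CMP taxonomy: tag name -> consent category.
const TAXONOMY = {
  "session-cookie": "strictly_necessary",
  "site-analytics": "analytics",
  "ad-pixel": "targeted_ads",
  "broker-sync": "sale",
};

// Constructed capture: tags that fired on each property during a test page load.
const PAGE_LOADS = [
  { host: "www.example.com", requestHeaders: { "Sec-GPC": "1" }, firedTags: ["session-cookie", "site-analytics"] },
  { host: "shop.example.com", requestHeaders: { "sec-gpc": "1" }, firedTags: ["session-cookie", "ad-pixel", "broker-sync"] },
  { host: "promo.example.com", requestHeaders: { "Sec-GPC": "1" }, firedTags: ["session-cookie", "heatmap-v2"] },
  { host: "legacy.example.com", requestHeaders: {}, firedTags: ["ad-pixel"] },
];

// Sec-GPC is a request header whose only defined value is "1"; header names are case-insensitive.
function gpcAsserted(headers) {
  return Object.entries(headers).some(
    ([name, value]) => name.toLowerCase() === "sec-gpc" && String(value).trim() === "1"
  );
}

// Classify one page load: did any opt-out-category or unclassified tag fire under GPC?
function auditPageLoad(load, taxonomy) {
  if (!gpcAsserted(load.requestHeaders)) {
    // The capture never sent the signal, so it proves nothing about GPC handling.
    return { host: load.host, status: "not_tested", ignoredGpc: [], unclassified: [] };
  }
  const known = (tag) => Object.prototype.hasOwnProperty.call(taxonomy, tag);
  const ignoredGpc = load.firedTags.filter((t) => known(t) && OPT_OUT_CATEGORIES.has(taxonomy[t]));
  const unclassified = load.firedTags.filter((t) => !known(t));
  const status = ignoredGpc.length ? "gpc_ignored" : unclassified.length ? "unclassified" : "pass";
  return { host: load.host, status, ignoredGpc, unclassified };
}

// Return only the properties that need follow-up.
function auditProperties(loads, taxonomy) {
  return loads.map((load) => auditPageLoad(load, taxonomy)).filter((r) => r.status !== "pass");
}

console.log(JSON.stringify(auditProperties(PAGE_LOADS, TAXONOMY), null, 2));
```

In practice the `firedTags` lists would come from a headless-browser or proxy capture of each domain, subdomain and microsite, taken with the GPC signal enabled.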
The Operational Shift
CalPrivacy's enforcement posture is a signal to every organization with California consumer data: consent management is not a project with a completion date. It is an operational program that requires continuous governance, regular auditing, and the capacity to respond when enforcement inquiries arrive.
The organizations that treat consent management as infrastructure, with the same rigor they apply to security operations or financial controls, are the ones that will be prepared for what comes next.
The 100+ investigations are not a warning of what might happen. They are a description of what is already underway.

