CCPA audits elevate enforcement responsibility

- California privacy regulators have moved from warning to rulemaking and fines: the California Privacy Protection Agency opened a new Data Broker Audits comment period on April 7, 2026, after 2025 enforcement cases.
- The clearest signal is in the numbers: Honda paid $632,500, Todd Snyder paid $345,178, Tractor Supply paid $1.35 million, and S&P Global was ordered to add compliance-auditing procedures.
- The backdrop is a tougher rulebook that took effect January 1, 2026, with risk-assessment duties now live and audit obligations advancing in rulemaking. (cppa.ca.gov 1) (cppa.ca.gov 2)

California’s privacy regulator is pushing companies toward something more concrete than a policy memo: auditable privacy controls. (cppa.ca.gov) The California Privacy Protection Agency, which enforces the California Consumer Privacy Act, opened a preliminary comment period on Data Broker Audits on April 7, 2026, with comments due by May 7. (cppa.ca.gov) That step follows a broader package of CCPA regulations adopted on July 24, 2025 and effective January 1, 2026, including rules on risk assessments, cybersecurity audits, and automated decisionmaking technology. (cppa.ca.gov 1) (cppa.ca.gov 2)

Some of those new duties are already live. The agency says businesses must conduct a risk assessment before starting activities such as selling or sharing personal information, processing sensitive personal information, or using certain automated tools. (cppa.ca.gov)

The audit piece is narrower but more explicit about accountability. In its rulemaking notice, the agency said a cybersecurity-audit certification would have to identify the 12-month audit period and be signed by a board member, governing-body member, or highest-ranking executive responsible for oversight. (cppa.ca.gov)

Enforcement has already started to reflect that posture. American Honda Motor Co. agreed in March 2025 to pay $632,500 and change its practices after the agency alleged it made Californians provide excessive information to exercise privacy rights and used an unequal consent design. (cppa.ca.gov) Todd Snyder, Inc. agreed in May 2025 to pay $345,178 and reconfigure its opt-out tools and employee training. The agency said the retailer had required consumers to submit a photo of themselves holding an identity document to make requests. (cppa.ca.gov 1) (cppa.ca.gov 2) Tractor Supply Company agreed in September 2025 to pay $1.35 million, the largest fine in the agency’s history, after an investigation that began with a consumer complaint from Placerville, California. (cppa.ca.gov)

Even a registration case carried an audit lesson. In January 2026, S&P Global, Inc. agreed to pay $62,600 for failing to register as a data broker and was ordered to adopt procedures for registration and compliance auditing to prevent another lapse. (cppa.ca.gov)

The pattern is that California is no longer treating privacy compliance as a one-time disclosure exercise. The agency’s current rules, proposed audit structures, and recent settlements all point to the same test: whether a company can show working controls, document them, and have senior leadership stand behind them. (cppa.ca.gov 1) (cppa.ca.gov 2)
