Privacy enforcement heats up
- Regulators and commentators flagged rising GDPR scrutiny and California CCPA enforcement actions after recent breaches.
- California fines can reach $7,500 per violation under CCPA enforcement guidance.
- The conversation emphasizes compliance gaps like deletion rights and reporting obligations after data exposures.
Privacy regulators are pressing harder on deletion rights and breach duties, with California and Europe both turning compliance gaps into enforcement targets. (edpb.europa.eu, cppa.ca.gov)

In California, the California Privacy Protection Agency said in March 2025 that the California Consumer Privacy Act allows administrative fines of up to $2,500 per violation and $7,500 per intentional violation, with those amounts adjusted upward for inflation starting January 1, 2025. (cppa.ca.gov, cppa.ca.gov)

The agency has already used that authority. Honda settled with the CPPA in March 2025 for $632,500 over alleged privacy-rights failures, and the agency said in January 2026 that it had brought more than 10 actions against unregistered data brokers. (cppa.ca.gov, cppa.ca.gov)

In Europe, the European Data Protection Board adopted a report on February 18, 2026 after a year-long coordinated action on the General Data Protection Regulation’s right to erasure, also called the right to be forgotten. The board said regulators examined how organizations handle one of the most-used privacy rights and one that generates frequent complaints. (edpb.europa.eu, edpb.europa.eu)

That review found recurring problems: some organizations made erasure requests hard to submit, interpreted exceptions too broadly, or lacked internal procedures to erase data completely and on time. The board said those gaps can block people from getting data deleted even when the law gives them that right. (edpb.europa.eu, edpb.europa.eu)

California’s rules are moving in the same direction on deletion. Under the Delete Act, consumers can submit one request through the state’s Delete Request and Opt-out Platform, and starting August 1, 2026, registered data brokers must check that system at least every 45 days and process matching deletion requests unless an exemption applies. (cppa.ca.gov, cppa.ca.gov)

The state has also shortened the runway for companies that get privacy rules wrong. The California Department of Justice says the CCPA no longer requires notice of violation or an opportunity to cure before an enforcement action as of January 1, 2023. (oag.ca.gov)

Enforcement is not limited to headline privacy statutes after a breach. California Attorney General settlements listed on April 24, 2026 include a $3.25 million resolution with Illuminate Education over allegations tied to a 2021 student-data breach and a $7.616 million civil-penalty settlement with Wells Fargo in a separate privacy case. (oag.ca.gov)

Businesses covered by the CCPA still have to do the basics: respond to requests to know, delete, correct, and opt out, and give consumers notices that explain what data they collect and how they use it. The California attorney general’s office says those duties apply to many companies, including data brokers. (oag.ca.gov)

The through line in both jurisdictions is simple: privacy enforcement is moving from policy language to operational tests, and regulators are checking whether companies can actually delete data, document decisions, and meet deadlines when something goes wrong. (edpb.europa.eu, cppa.ca.gov, oag.ca.gov)