California Privacy Protection Agency: Year in Review and Compliance Guide
What Recent CPPA Orders Tell Us About Compliance Priorities
Executive Summary
The California Privacy Protection Agency (CPPA) has emerged as an aggressive enforcer of the California Consumer Privacy Act (CCPA) and the Delete Act. Analysis of recent enforcement actions reveals that the agency is targeting businesses of all sizes—from major retailers like Tractor Supply ($1.35M fine) to smaller data brokers like Background Alert (forced 3-year cessation of operations). The message is clear: technical compliance failures, even those appearing minor, can result in significant penalties.
Recent Enforcement Actions at a Glance
| Company | Violation Type | Penalty | Date |
|---|---|---|---|
| Tractor Supply Co. | Opt-out failures, Privacy policy, Contracts | $1,350,000 | Sept 2025 |
| American Honda | Opt-out verification, Cookie asymmetry | $632,500 | Mar 2025 |
| Todd Snyder, Inc. | Opt-out dysfunction, Over-verification | $345,178 | May 2025 |
| ROR Partners, LLC | Data broker registration failure | $50,000 | Nov 2025 |
| Background Alert, Inc. | Data broker registration failure | 3-year ban + $50K conditional | Feb 2025 |
What the CPPA Is Targeting
1. Opt-Out Mechanisms That Don't Actually Work
The single biggest enforcement theme is opt-out mechanisms that fail to function as advertised. The CPPA is scrutinizing:
- "Do Not Sell" links that don't stop tracking technologies: Tractor Supply's webform purported to honor opt-outs but had no effect on third-party trackers.
- Cookie banners with broken backends: Todd Snyder's cookie preference center disappeared instantly, preventing consumer action.
- Global Privacy Control (GPC) non-compliance: Both Tractor Supply and Honda failed to honor opt-out preference signals.
- Asymmetric cookie consent: Honda required two clicks to opt out but only one click to "Allow All"—a specific regulatory violation.
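The three failure modes above (opt-outs that do not reach the trackers, GPC signals that are ignored, and a "Reject All" that costs more clicks than "Accept All") can all be avoided in a small amount of front-end logic. The following is an added example written for this guide, not code from the CPPA orders or from any of the companies named; it assumes the browser's `navigator.globalPrivacyControl` property and the `Sec-GPC: 1` request header as the GPC signal, and `store`, `nav`, the tracker objects and the vendor hooks are illustrative parameters so the module runs outside a browser.

```javascript
// Added example: a minimal consent gate that treats the Global Privacy
// Control signal as an opt-out, keeps "Accept All" and "Reject All"
// symmetric (one action each), forwards the opt-out to vendor hooks, and
// only runs tracker loaders when the consumer has not opted out.
//
// Assumptions: `navigator.globalPrivacyControl` (browser API) and the
// `Sec-GPC: 1` request header carry the GPC signal; `store` is any object
// with get/set (localStorage in a browser, the Map-backed shim below in tests).

const OPT_OUT_KEY = "ccpa_sale_sharing_opt_out";

// Read the GPC signal from a navigator-like object (browser side).
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Read the GPC signal from request headers (server side). Header names are
// case-insensitive; the value "1" means the user has opted out.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Effective opt-out state: a stored explicit opt-out OR a live GPC signal.
// A stored "accept" never overrides GPC, because the signal is a current,
// per-request preference of the consumer.
function isOptedOut(store, nav) {
  return store.get(OPT_OUT_KEY) === "1" || gpcFromNavigator(nav);
}

// Symmetric one-click actions. rejectAll also forwards the opt-out to every
// registered vendor hook so downstream recipients stop selling/sharing.
function acceptAll(store) {
  store.set(OPT_OUT_KEY, "0");
}
function rejectAll(store, vendorHooks = []) {
  store.set(OPT_OUT_KEY, "1");
  for (const hook of vendorHooks) hook("opt-out");
}

// Gate: each tracker is a {name, load} pair; load() runs only when the
// consumer is not opted out. Returns the names actually loaded so an audit
// can compare the result with the opt-out state.
function loadTrackers(trackers, store, nav) {
  if (isOptedOut(store, nav)) return [];
  const loaded = [];
  for (const t of trackers) {
    t.load();
    loaded.push(t.name);
  }
  return loaded;
}

// Tiny Map-backed store shim so the example runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => m.set(k, String(v)),
  };
}
```

The important design choice is that the gate decides at load time, not after the fact: a tracker that has already fired cannot be un-fired by flipping a database flag, which is exactly the gap the Tractor Supply order describes.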
2. Over-Collection of Information for Privacy Requests
The CPPA distinguishes between requests requiring verification (access, deletion, correction) and those that don't (opt-out of sale/sharing, limit sensitive data use). Honda and Todd Snyder both required government ID and extensive personal information for all requests—including opt-outs that legally cannot require verification. This over-collection deterred consumers from exercising rights and resulted in per-consumer fines.
3. Deficient Contracts with Ad Tech Vendors
Businesses cannot simply deploy tracking pixels and wash their hands. The CPPA is requiring that contracts with service providers and third parties contain specific CCPA-mandated provisions:
- Explicit prohibition on service providers selling/sharing collected data
- Limited and specified purposes for data use
- Compliance certification requirements
- Right to audit and remediate unauthorized use
- Obligation to forward and honor consumer opt-out requests
Honda could not even produce contracts with its advertising technology vendors—a significant aggravating factor.
4. Data Broker Registration Under the Delete Act
The Delete Act requires data brokers to register with the CPPA by January 31 each year. The CPPA is casting a wide net, including:
- Marketing agencies: ROR Partners, a fitness marketing agency, was found to be a data broker because it maintains data on 262 million consumers and creates inferences for targeted advertising.
- People search sites: Background Alert was ordered to cease operations for 3 years. The CPPA specifically noted that inferences (like identifying "possible" associates or family members) constitute personal information subject to the law.
5. Inadequate Privacy Policies
Tractor Supply's privacy policy was posted in 2018, updated in 2021, and not touched again until the investigation. The CPPA requires annual updates and comprehensive disclosures about categories of data collected, sources, purposes, and third-party recipients. Job applicants must also receive specific CCPA notices.
Actionable Compliance Checklist
- Audit your opt-out mechanisms. Test whether clicking "Do Not Sell" actually stops all tracking technologies, pixels, and cookies. Many organizations find their opt-out only updates a database flag without affecting ad tech.
- Implement Global Privacy Control (GPC). California regulations require honoring this browser-based opt-out signal. Test your site with GPC-enabled browsers.
- Ensure symmetry in cookie consent. If users can accept all cookies in one click, they must be able to reject all in one click. "Reject All" buttons should be as prominent as "Accept All."
- Differentiate verification requirements. Opt-out and limit requests cannot require identity verification. Create separate, streamlined processes for these requests.
- Review and update all vendor contracts. Ensure contracts with ad tech providers, analytics platforms, and any entity receiving personal information contain all CCPA-required terms. Document your contract review process.
- Conduct quarterly tracking technology audits. Tractor Supply was ordered to scan its digital properties quarterly for tracking technologies and maintain an inventory.
- Update your privacy policy annually. Include all required disclosures about data categories, sources, purposes, and recipients. Don't forget employee and job applicant notices.
- Assess data broker registration. If you collect consumer data from sources other than the consumer and share it with third parties—even bundled with services—you may be a data broker. The threshold is 100,000+ consumers.
- Train personnel handling privacy requests. Multiple enforcement actions required training certification. Document your training program.
- Engage UX designers for privacy interfaces. Honda was specifically ordered to consult UX professionals to evaluate its privacy request methods. Consider A/B testing to ensure forms are easy to use.
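The first and sixth checklist items (testing whether "Do Not Sell" actually stops tracking, and keeping a quarterly tracker inventory) come down to one measurement: which third-party hosts a page still contacts after the consumer opts out. The following is an added example written for this guide, not the CPPA's or any company's tooling; it takes two lists of request URLs (the kind exported from browser developer tools or a HAR file), and the site name, the tracker host list and the captured URLs are all constructed placeholders.

```javascript
// Added example: audit an opt-out by comparing the third-party requests a
// page makes before and after the consumer opts out, reporting any tracker
// host that keeps firing and any third party missing from the inventory.
//
// Assumptions: the first-party site is example.com; TRACKER_HOSTS is an
// illustrative placeholder inventory; the captures below are constructed.

const FIRST_PARTY = "example.com";

// Known tracker hosts (placeholder inventory; maintain your own from the
// quarterly scans the Tractor Supply order requires).
const TRACKER_HOSTS = new Set([
  "ads.tracker-one.example",
  "px.tracker-two.example",
  "cdn.analytics-three.example",
]);

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// A request is first-party if its host is the site itself or a subdomain.
function isFirstParty(host) {
  return host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY);
}

// Set of third-party hosts observed in one capture phase.
function thirdPartyHosts(urls) {
  const hosts = new Set();
  for (const u of urls) {
    const h = hostOf(u);
    if (!isFirstParty(h)) hosts.add(h);
  }
  return hosts;
}

// Compare the two phases. Inventory hosts still present after opt-out are
// compliance findings; third parties not in the inventory are classification
// gaps that the quarterly scan should resolve.
function auditOptOut(beforeUrls, afterUrls) {
  const before = thirdPartyHosts(beforeUrls);
  const after = thirdPartyHosts(afterUrls);
  const stillFiring = [...after].filter((h) => TRACKER_HOSTS.has(h)).sort();
  const stopped = [...before]
    .filter((h) => TRACKER_HOSTS.has(h) && !after.has(h))
    .sort();
  const unclassified = [...new Set([...before, ...after])]
    .filter((h) => !TRACKER_HOSTS.has(h))
    .sort();
  return { stillFiring, stopped, unclassified, compliant: stillFiring.length === 0 };
}

// Constructed sample captures (not real traffic).
const BEFORE_OPT_OUT = [
  "https://www.example.com/",
  "https://static.example.com/app.js",
  "https://ads.tracker-one.example/pixel?id=123",
  "https://px.tracker-two.example/collect",
  "https://cdn.analytics-three.example/a.js",
];
const AFTER_OPT_OUT = [
  "https://www.example.com/",
  "https://static.example.com/app.js",
  "https://px.tracker-two.example/collect", // still fires: a finding
  "https://fonts.some-cdn.example/font.woff2", // not in inventory: classify
];

const report = auditOptOut(BEFORE_OPT_OUT, AFTER_OPT_OUT);
console.log(JSON.stringify(report, null, 2));
```

Run the capture in a clean browser profile, once with no preference and once after clicking "Do Not Sell" (and a third time with a GPC-enabled browser, per checklist item two); a non-empty `stillFiring` list is the condition the CPPA penalised, and a growing `unclassified` list is the signal that the inventory needs its quarterly refresh.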
The Bottom Line
The CPPA is not just checking boxes—it is testing whether privacy mechanisms actually function. Consumer complaints trigger investigations, and the agency has demonstrated it will pursue both large corporations and small operators. The enforcement posture suggests that companies cannot rely on the appearance of compliance; the technical implementation must match the promise. Remediation before an investigation matters: companies that fixed issues cooperatively (like Tractor Supply) received recognition, but still faced substantial penalties. The safest approach is proactive compliance with regular testing and documentation.