Key point: The California Privacy Protection Agency’s announcement places even more scrutiny on the compliance practices of data brokers.

On November 19, 2025, the California Privacy Protection Agency (now calling itself CalPrivacy) announced the creation of a Data Broker Enforcement Strike Force. The stated goal of the strike force is to review the data broker “industry for compliance with the data broker registration requirement in the Delete Act, as well as for compliance with the state’s comprehensive privacy law, the California Consumer Privacy Act.” Announcing the launch, Michael Macko, CalPrivacy’s head of enforcement, stated “For decades, strike forces have been a mainstay at U.S. Attorney offices and state Attorney General offices across the United States. We intend to bring the same level of intensity to our investigations into the data broker industry.”

The announcement is the latest in a series of actions taken by California lawmakers and regulators to control the data broker industry. California’s legislature first passed a data broker registration law in 2019 (AB 1202). As originally enacted, the law required data brokers to register with the California Attorney General’s office, pay a registration fee, and provide certain information to the office when registering.

In 2023, the California legislature amended the law through passage of the Delete Act (SB 362). The bill, which was co-authored by now-CalPrivacy Executive Director Tom Kemp, among other things:

  • Transferred oversight authority for the data broker registry to CalPrivacy;
  • Required data brokers to provide significantly more information to CalPrivacy when registering;
  • Charged CalPrivacy with creating a new Delete Request and Opt-out Platform (DROP) to allow California residents a one-stop-shop to request that all registered data brokers delete their personal information;
  • Required data brokers to, starting January 1, 2028, undergo third-party audits to ensure compliance; and
  • Increased penalties for noncompliance.

Earlier this month, CalPrivacy announced finalization of regulations further implementing the Delete Act and, in particular, the DROP. Starting in January, California residents will be able to submit delete requests through the DROP. On August 1, 2026, data brokers must access the DROP at least every 45 days to retrieve and process those deletion requests.

Adding to the complexity, in October, Governor Gavin Newsom signed SB 361 into law. As we previously reported, that bill requires data brokers to provide even more information when registering with CalPrivacy, including additional information as to their data collection and sale practices.

CalPrivacy’s announcement is not — by far — the first time it has focused enforcement efforts on data brokers. In its announcement, the agency identified more than a half dozen enforcement actions against data brokers to date. The announcement is a clear signal that registered data brokers — and entities that arguably should be registered as data brokers — should prepare themselves for even more regulatory scrutiny with not only their data broker registration and deletion compliance practices but also their CCPA compliance practices.