Alston & Bird Privacy, Cyber & Data Strategy Blog

May Flowers Bring Fresh Insight from CalPrivacy

By and

Increased scrutiny of data brokers, rapid scaling of enforcement operations and active opposition to federal privacy preemption are in bloom in the Golden State.

On May 1, 2026, the California Privacy Protection Agency (the “Agency”) Board (the “Board”) held a public meeting to review and discuss enforcement activities, legislative developments, and international data transfer issues.

Key Takeaways

The Board emphasized the following priorities:

  • Data broker scrutiny is intensifying through a dedicated strike force and heightened focus on DELETE Act compliance.
  • Enforcement is scaling with increased complaints, a diversified portfolio across industries, and impact-driven case selection.
  • Federal preemption proposals present material risk to California privacy protections, prompting coordinated multi-state opposition.
  • The Board will continue tracking California privacy and artificial intelligence (“AI”) legislation that may expand Agency responsibilities.
  • A California-specific EU adequacy determination is not being pursued; the Board is monitoring the existing EU and US adequacy framework.

Clients should expect increased regulatory engagement, evolving technical requirements around opt-out and deletion mechanisms, and tighter response timelines from the Agency.

Enforcement Priorities

The Agency confirmed that enforcement operations are expanding in both volume and sophistication. Rather than concentrating on any single industry or large technology platforms, the Agency has adopted an intentionally broad enforcement approach.

  • Complaint Volume: Since July 2023, the Agency has received over 12,500 consumer complaints, representing approximately 125 percent year-over-year growth.
  • Core Focus Areas: Enforcement priorities center on failures to implement statutory privacy rights, including access, deletion, limitation, and opt-out compliance.
  • Sector Diversification: The Agency has diversified enforcement across automotive, youth services, retail, and data broker sectors to address systemic compliance issues.
  • Data Broker Priority: Data brokers remain a central enforcement priority. The Agency has established a dedicated enforcement strike force and intensified efforts to pursue non-registered entities.
  • Case Selection: The enforcement division prioritizes cases based on systemic impact and scalability. The Agency relies on embedded technical experts and is exploring AI-enabled tools for complaint triage.
  • DELETE Act Integration: Future enforcement will progressively integrate DELETE Act obligations, particularly global deletion requirements, which the Agency anticipates will be resource intensive.

Legislative Tracking

The Board discussed developments at federal, multi-state, and California levels, with emphasis on preemption risk and privacy standards strategy.

  • Federal Posture: The Agency opposes broad federal preemption. It has formally opposed the Secure Data Act and related bills that would displace stronger California protections, including opt-out mechanisms, data minimization requirements, and state enforcement authority.
  • Multi-State Engagement: The Agency is monitoring privacy legislation in more than a dozen states and providing technical assistance to jurisdictions considering DELETE Act-style regimes.
  • California Legislative Tracking: The Board reviewed a structured framework for monitoring California legislation. Pending bills are categorized as sponsored legislation, priority bills requiring formal positions, or watch-list bills. The Board authorized positions on specific bills amending the state privacy statute and DELETE Act and directed staff to monitor broader privacy and AI proposals.

Calprivacy is moving ahead with strong momentum this spring. Companies should also expect other states to ramp up privacy and AI initiatives quickly, especially with respect to data brokers, as California is actively working with other states to pass legislation and share enforcement tactics. California has also increased marketing directly to consumers, both as a way to encourage participation in initiatives like DROP (Delete Request and Opt Out Platform) and to encourage awareness among consumers of their rights under the CCPA.

For more information, Alston & Bird’s Privacy, Cybersecurity, and Data Strategy Team has extensive experience advising clients on CCPA compliance and state privacy investigations. Please contact us and sign up for alerts at AlstonPrivacy.com.

LinkedIn
Avatar photo

About Cynthia Cole

Cynthia is a former CEO and general counsel who helps clients confidently navigate AI, data, and technology with practical, globally informed strategies.

[Read Bio]

headshot of John Lesko

About John Lesko

John Lesko is an associate in Alston & Bird’s Technology & Privacy Group. He is able to effectively leverage his experience as a data scientist and engineer in multiple industries to assist clients with their technology, data privacy, and intellectual property transaction matters.

[Read Bio]

Share to...
BufferCopyFlipboardHacker NewsLineLinkedInMessengerMixPinterestPocketPrintRedditSMSTelegramTumblrVKWhatsAppXingYummly