Privacy compliance has entered a new phase, one defined not only by high-profile enforcement actions but by the growing expectation that organizations implement and maintain mature information governance programs capable of validating true, system-level technical compliance rather than merely projecting the appearance of it. A spate of recent California enforcement actions makes clear that companies must be prepared to validate how privacy controls function across systems, platforms, and data flows, making thoughtful, system-oriented self-assessment an increasingly important tool for aligning policy commitments with operational reality before regulators do it for them. SPB helps clients self-assess, identify gaps, and remediate issues under the cloak of privilege.
Enforcement and Litigation Trends Illustrate Heightened Attention to the Technical Complexity of Consumer Privacy
Across the globe, regulators are moving beyond evaluating policies and disclosures and are instead examining whether privacy controls function effectively across systems, platforms, and data flows. This shift is particularly evident in California, where the California Privacy Protection Agency (“CalPrivacy” or the “Agency”) is moving beyond issuing regulations and bringing cases to reinforce its own institutional architecture in a way that will better enable it to scrutinize how privacy systems actually operate.
The recent appointment of a California Chief Privacy Auditor, the creation of a formal Audits Division, and legislative changes that enable CalPrivacy to keep most of the civil penalties it collects to fund itself mark pivotal steps in that evolution. Further, recent actions make clear that effective oversight now turns on whether privacy controls function across data flows, platforms, and technologies, not simply whether policies look compliant on their face. This will require many companies to mature their privacy programs.
Regulatory scrutiny is not the only force shaping this shift. Courts are signaling that privacy obligations may extend beyond regulatory enforcement. In Shah v. MyFitnessPal, a federal court suggested that even though the CCPA expressly precludes a private right of action (except for narrow data security breach circumstances), its standards can shape consumers’ reasonable expectations of privacy and give rise to privacy tort claims, such as when opt-out mechanisms fail in practice. This highlights that technical gaps under state consumer privacy law may give rise not only to agency scrutiny but also to private litigation exposure. California courts have also been permissive of the application of wiretapping and other laws to the modern digital ecosystem, particularly regarding tracking technologies, in ways that are inconsistent with state privacy law schemes and require additional risk mitigation efforts.
These developments raise the stakes for companies and signal the end of the “window dressing” era of privacy compliance. They also illustrate the need to address consumer expectations and multiple laws that may be the basis for claims when those expectations are not met.
Institutionalizing Privacy Oversight: The Significance of CalPrivacy’s New Audits Division
In February, CalPrivacy appointed Sabrina Boyson Ross as its inaugural Chief Privacy Auditor and formally established a new Audits Division. Ross brings a career deeply rooted in privacy, technology, and regulatory governance. She most recently served as Privacy and AI Policy Director at Meta from 2020 to 2025, following prior leadership roles at Uber, including Global Head of Policy (Marketplace) and Legal Director, where she built and led privacy legal teams, managed regulatory investigations, and drove General Data Protection Regulation (“GDPR”) compliance efforts. She also served as Privacy Counsel at Apple. In her new role, Ross will apply her deep industry knowledge and experience to lead the Audits Division in developing audit procedures and conducting complex regulatory examinations to assess compliance with the California Consumer Privacy Act (“CCPA”).
The role of Chief Privacy Auditor is not optional—it is one of only two positions expressly mandated in the text of the CCPA, which provides that the Agency “shall … appoint a Chief Privacy Auditor to conduct audits of businesses to ensure compliance with this title pursuant to regulations adopted pursuant to paragraph (17) of subdivision (a) of Section 1798.185.” (Cal. Civ. Code § 1798.199.40(f)). Despite this statutory requirement, the appointment was not prioritized at the Agency’s inception. In July 2023, the Board considered how to structure the hiring process and whether the appointment needed to be made directly by the Board. It ultimately concluded that the authority to hire the Chief Privacy Auditor could be delegated to the Executive Director, and formally did so. Yet, despite that delegation, the appointment did not occur until now.
This sequence reflects a maturation phase in the Agency’s institutional development, and sets it apart from other states that lack such a function and have limited personnel tasked to consumer privacy. With core rulemaking and enforcement functions established, attention has now shifted toward building durable audit capacity to ensure that Californians’ privacy rights are operationalized in an effective and accessible manner. By institutionalizing compliance review alongside enforcement, CalPrivacy signals that privacy oversight must be proactive as well as reactive. The Audits Division is tasked with reviewing business practices, analyzing privacy and technology records, and identifying compliance gaps, work that may lead to enforcement referrals where appropriate. This expanded internal capacity is especially critical in an era of “system-deep” compliance, where failures often stem not merely from missing or incomplete disclosures, but from fragmented technical architecture, SDK integrations, cross-device identity graphs, or incomplete implementation of Global Privacy Control signals.
It is important to note that CalPrivacy has emphasized that the Audits and Enforcement Divisions serve complementary functions: the Audits Division reviews business practices and identifies compliance gaps, while the Enforcement Division investigates potential violations and pursues appropriate action. It has also clarified that the Audits Division will receive and review risk assessment summaries and compliance attestations, as well as cybersecurity audit results and attestations. It is purpose-built to do more than that, however, and can be expected to look under the hood to identify gaps that can be brought to the attention of the Enforcement Division.
Enforcement Signals: Opt-Out Must Actually Work, Be Implemented Properly, and Be Easy to Effect
The timing of the new Audits Division is significant. Recent enforcement actions, most notably the California Attorney General’s $2.75 million settlement with a leading media company (the largest CCPA settlement to date), underscore that regulators are shifting their focus away from formalistic compliance and toward whether opt-out rights are offered in the manner technically required and function comprehensively in practice. That matter marks a clear transition from “formal compliance” to what has been described as “architectural compliance.” The issue was not whether opt-out links existed, but whether those mechanisms fully effectuated consumer choice across services, devices, and embedded third-party technologies; the Attorney General concluded that the business had failed to properly implement consumers’ statutory opt-out rights across its properties and platforms.
The settlement imposed detailed operational requirements: opt-out must immediately halt the selling and sharing of personal information; for logged-in users, the choice must apply account-wide across all associated services; consumers cannot be required to opt out service-by-service or device-by-device; opt-out links must be clear, conspicuous, and free from confusing design; and businesses must notify downstream third parties and require them to honor and propagate opt-out requests. The underlying principle is straightforward: if advertising systems operate at an identity or account level, compliance systems must function at that same level.
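To make the account-level principle concrete, the following is an added illustration in Python; it is not code from the settlement, the article, or any vendor. It contrasts an opt-out store keyed by the device or cookie that submitted the request with one keyed at the account the identity graph resolves to, treats a Global Privacy Control signal as an opt-out in its own right, and records the notifications a business would send to downstream partners. The identity graph, partner names, and identifiers are constructed for the example and stand in for whatever an ad stack actually uses.

```python
from dataclasses import dataclass, field


@dataclass
class IdentityGraph:
    """Constructed stand-in for cross-device identity resolution.

    Maps a device or cookie identifier to the account id the ad stack would
    resolve it to; an unlinked identifier resolves to None.
    """
    links: dict = field(default_factory=dict)

    def link(self, identifier: str, account_id: str) -> None:
        self.links[identifier] = account_id

    def resolve(self, identifier: str):
        return self.links.get(identifier)


class DeviceKeyedOptOut:
    """The failure mode: the opt-out is stored only for the identifier that sent it."""

    def __init__(self):
        self.opted_out = set()

    def opt_out(self, identifier: str, graph: IdentityGraph) -> None:
        self.opted_out.add(identifier)

    def is_opted_out(self, identifier: str, graph: IdentityGraph) -> bool:
        return identifier in self.opted_out


class AccountKeyedOptOut:
    """Suppression keyed at the same level the identity graph resolves to."""

    def __init__(self, partners):
        self.accounts = set()        # logged-in users: suppress account-wide
        self.identifiers = set()     # anonymous traffic: suppress that identifier
        self.partners = list(partners)
        self.notifications = []      # (partner, subject) pairs sent downstream

    def opt_out(self, identifier: str, graph: IdentityGraph) -> None:
        account = graph.resolve(identifier)
        subject = account if account is not None else identifier
        (self.accounts if account is not None else self.identifiers).add(subject)
        # Propagate right away so downstream recipients stop selling/sharing too.
        for partner in self.partners:
            self.notifications.append((partner, subject))

    def is_opted_out(self, identifier: str, graph: IdentityGraph) -> bool:
        account = graph.resolve(identifier)
        if account is not None and account in self.accounts:
            return True
        return identifier in self.identifiers


def may_sell_or_share(registry, graph: IdentityGraph, identifier: str, gpc: bool = False) -> bool:
    """Gate for every sale/share decision; True means the ad call may proceed.

    A Global Privacy Control signal (gpc=True) is itself a valid opt-out: it is
    recorded through the registry (account-wide for a logged-in user) and the
    request is suppressed immediately.
    """
    if gpc:
        registry.opt_out(identifier, graph)
        return False
    return not registry.is_opted_out(identifier, graph)


def demo() -> dict:
    graph = IdentityGraph()
    graph.link("cookie-laptop", "acct-42")
    graph.link("idfa-phone", "acct-42")      # same logged-in user, second device

    naive = DeviceKeyedOptOut()
    naive.opt_out("cookie-laptop", graph)    # user opts out from the laptop only

    correct = AccountKeyedOptOut(partners=["ssp-a", "dmp-b"])
    correct.opt_out("cookie-laptop", graph)

    # A request carrying a GPC signal from a logged-in device on another account.
    graph.link("cookie-tablet", "acct-7")
    may_sell_or_share(correct, graph, "cookie-tablet", gpc=True)

    return {
        "device_keyed_phone_leaks": may_sell_or_share(naive, graph, "idfa-phone"),
        "account_keyed_phone_suppressed": not may_sell_or_share(correct, graph, "idfa-phone"),
        "gpc_applied_account_wide": "acct-7" in correct.accounts,
        "notifications": correct.notifications,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The device-keyed store is the pattern the settlement faults: the laptop opt-out never reaches the phone, so ad calls from the second device keep selling and sharing. The account-keyed store resolves every identifier through the same graph the ad system uses, so one request suppresses every linked device, and the partner notification list is the artifact an internal audit can check to confirm downstream propagation actually happened.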
Parallel commentary in an IAPP analysis reinforces this enforcement trajectory. Regulators are increasingly scrutinizing whether opt-out procedures are easy to use and effective in real-world environments—not merely technically available in theory. The settlement also illustrates a broader trend toward ongoing reporting obligations and multi-year compliance monitoring, signaling that enforcement no longer concludes with the payment of a fine, but frequently entails sustained regulatory oversight.
Two weeks after that California AG settlement was announced, CalPrivacy announced its own settlement involving cookies and opt-out failures, with agreed civil penalties of $1.1 million. Takeaways include: (1) ad industry self-regulatory opt-out programs are not the equivalent of opting out of sale and sharing under the CCPA and are no substitute for CCPA-mandated opt-outs; (2) CCPA opt-out notices and mechanisms must meet all of the detailed technical requirements of the statute and regulations; (3) website and mobile app publishers have an obligation to maintain the ongoing effectiveness of tracking technology categorization and opt-out mechanisms (the settlement calls for testing at least quarterly) and to have CCPA-compliant contracts in place with tracking vendors; (4) risk assessments are now required and will be examined in investigating and resolving matters; and (5) privacy policies and other notices, including cookie banners and consent management platforms, must be accurate and understandable by their intended audience (here, teens were a substantial portion of users). This was shortly followed by another CalPrivacy enforcement action against a large vehicle manufacturer that alleged not only a failure to timely and effectively honor opt-outs, but also that requiring consumers to confirm the email address used to make a request (requests from persons who did not confirm were not honored) was an impermissible step under the CCPA. That confirmation step is the standard intake process of a leading privacy management platform used by many businesses to process consumer rights requests, yet the Agency alleged that it made opt-out requests too difficult for California consumers, since under the CCPA opt-out requests cannot be conditioned on any form of verification absent a reasonable basis to suspect fraud. Other enforcement actions from last year also looked at burdensome consumer request processes, such as requiring more information than is necessary to make a request.
Private Litigation Risk: Shah v. MyFitnessPal
Regulatory scrutiny, however, is only part of the exposure landscape. In Shah v. MyFitnessPal, a federal court observed that the CCPA’s provisions may shape consumers’ reasonable expectations of privacy when users attempt to reject cookies but tracking continues. Despite criticism from academia, it appears that although the CCPA does not broadly create a private right of action for privacy violations, courts may treat its statutory standards as norm-setting when evaluating common law claims.
The implication is significant: if a business represents that consumers can opt out, but its systems fail to properly honor that choice in practice, exposure may arise not only from regulators but from private litigation as well. Add to that the growing threat of online tracking litigation under California’s Unfair Competition Law and Invasion of Privacy Act, and getting cookies and SDKs right should be a high priority for businesses. Using off-the-shelf banner notice and choice tools, which have been built on European tools that address obligations differing greatly from what applies in the US, is insufficient. The companies involved in all of the tracking enforcement actions to date used well-known cookie management vendors, but their implementation of those tools was found lacking. SPB helps clients review and remediate their online tracking practices, including use of notice banners and choice centers, to help avoid these growing enforcement and litigation risks.
Practical Lessons for Businesses
Enforcement trends, however, go beyond proper treatment of tracking technologies and application of opt-outs. Cases have also addressed the effectiveness of notice, the need to avoid dark patterns, timely and effective response to consumer privacy rights requests, and data minimization and purpose limitation principles. The enforcement trend, and the operational lessons emerging from it, make one point unmistakable: compliance must be engineered, tested, and continuously validated. Architecting for compliance rather than mere disclosure, ensuring account-level opt-out for logged-in users, immediately halting all selling and sharing upon request, designing clear and frictionless user interfaces, controlling downstream recipients, and monitoring opt-out functionality in live environments are no longer best practices; they are regulatory expectations.
The appointment of Sabrina Boyson Ross and the formation of a dedicated Audits Division reflect a maturing regulatory regime. CalPrivacy is not only enforcing violations—it is building the institutional capacity to examine how systems actually work. The message from recent enforcement is equally clear: opt-out rights must be comprehensive, frictionless, and technically effective across services, devices, and partners. In an environment where both regulators and courts are scrutinizing real-world functionality, architectural compliance is no longer optional—it is the baseline expectation.
For organizations, this means internal auditing can no longer be reactive or superficial. Companies should proactively evaluate how data flows across platforms, how opt-out signals propagate through systems and vendors, and whether account-level identity resolution is mirrored by account-level suppression. A practical starting point may be the development of structured internal questionnaires that probe technical implementation, vendor integrations, user interface design, and downstream data-sharing practices. Thoughtful, system-oriented self-assessment—before a regulator does it for you—may be the most effective way to align policy commitments with operational reality.