CalPrivacy Strike Force Aims to Increase Intensity of Data Broker Enforcement

The strike force will reside inside CalPrivacy’s Enforcement Division and "provide additional resources to combat potential violations and will empower the Agency to pursue additional investigations," the agency said.

"CalPrivacy legal staff from other divisions will be assisting the enforcement team with the strike force," a CalPrivacy spokesperson said in an email to Privacy Daily.

Creating a strike force builds on the agency's 2024 investigative sweep into data broker compliance (see 2410300007). CalPrivacy has been cracking down on data broker registration in enforcement actions this year (see 2507290054 and 2501290050).

“For decades, strike forces have been a mainstay at U.S. Attorney offices and state Attorney General offices across the United States," said Michael Macko, CalPrivacy’s head of enforcement, in a release. “We intend to bring the same level of intensity to our investigations into the data broker industry.”

“Data brokers pose unique risks to Californians through the industrial-scale collection and sale of our personal information,” said Tom Kemp, CalPrivacy’s executive director.

“The widespread availability of digital dossiers makes it easier for our personal information to be weaponized against us, and even well-meaning data brokers can be victims of data breaches that leave all of us vulnerable,” so CalPrivacy must “reduce these risks, bring transparency, and hold data brokers accountable to their obligations under the CCPA and Delete Act,” he added.

The 2023 Delete Act authorized CalPrivacy to craft registration rules for data brokers (see 2407080021). The law also required the agency to build a mechanism for consumers and data brokers to delete data. Called the Deletion Request and Opt-Out Platform or DROP system, it goes into effect in 2026 (see 2510310032).