CCPA Lawyer

Learn How RICHT Can Help You Navigate The California Consumer Privacy Act (CCPA)

CCPA News

• CCPA Cybersecurity Audit Requirements: This article details new California regulations requiring businesses with significant revenue or data processing volume to conduct annual independent cybersecurity audits. These rules aim to ensure robust protections for consumer personal information across the state. OUR TAKEAWAY: Companies must immediately evaluate their processing thresholds and internal controls to ensure they meet the rigorous independent auditing standards mandated by the CPPA (CalPrivacy). Read More →
• Disney’s Record CCPA Settlement: The California Attorney General secured a $2.75 million settlement with Disney over allegations of failing to honor consumer opt-out requests across various streaming platforms and devices. This enforcement action highlights the state’s rigorous focus on unified, user-friendly privacy controls. OUR TAKEAWAY: Organizations must synchronize opt-out mechanisms across all digital silos to ensure compliance with the Attorney General’s expectation of a seamless, identity-based privacy experience. Read More →
• CCPA Bolsters Private Privacy Actions: The court held that CCPA standards shape reasonable privacy expectations, even without a direct private right of action. This allows plaintiffs to use statutory norms to strengthen common law invasion of privacy claims regarding unauthorized cookies. OUR TAKEAWAY: Companies must recognize that CCPA compliance now serves as a critical benchmark for common law liability, effectively creating a private litigation workaround through “norm-shaping” judicial interpretations. Read More →
• California Privacy Enforcement in 2026: A Discussion with CalPrivacy’s Tom Kemp: This article examines the anticipated shift toward aggressive enforcement under the California Delete Act, specifically detailing the 2026 implementation of the “DROP” mechanism for centralized consumer deletion requests. OUR TAKEAWAY: Organizations must audit their automated data deletion pipelines and ensure strict registration compliance for data brokers to avoid the high-volume, per-day penalties associated with the new centralized system. Read More →

• Now it’s personal: How the new CCPA regulations impose personal accountability on designated individuals: The California Consumer Privacy Act (CCPA) regulations introduce significant changes by requiring businesses to designate specific individuals accountable for privacy, AI, and cybersecurity practices, who must submit filings under penalty of perjury to the California Privacy Protection Agency. These designated executives must have sufficient knowledge and authority to provide accurate risk assessments and cybersecurity audit certifications. The regulations also outline rigorous requirements for review, approval, and sub-certifications to support the integrity of these submissions. Companies must carefully choose qualified individuals, update governance and insurance provisions, and allocate resources upfront to meet these new personal accountability standards, which will come into effect in phases beginning in 2026. Read More →

• California AG Secures $530,000 Settlement with Sling TV Over CCPA Violations:
  Attorney General Rob Bonta reached a $530,000 settlement with Sling TV after the DOJ’s investigation found the streaming service violated the California Consumer Privacy Act (CCPA). Sling TV made it confusing and difficult for users to opt out of the sale of personal data, misleading them with cookie settings and requiring unnecessary, burdensome steps. The company also failed to protect children’s privacy by lacking easy opt-out functionality in its apps and not offering proper parental controls or disclosures for kids’ data. Under the settlement, Sling TV must streamline opt-out methods, minimize data collection from children, add kid profile protections, and clarify parental privacy tools. This marks the first enforcement action targeting streaming services from the DOJ’s CCPA sweep and reflects California’s ongoing intensive privacy enforcement.
  Read More →
• California Continues Privacy Enforcement Streak with Order Against Tractor Supply Company
  On September 30, 2025, the California Privacy Protection Agency (CPPA) fined Tractor Supply Company $1.35 million for multiple violations of the California Consumer Privacy Act (CCPA), including failure to provide timely and updated consumer and job applicant privacy notices, inadequate opt-out mechanisms for sale/sharing of personal information via tracking technologies, and deficient contracts with service providers and third parties. The CPPA imposed extensive remedial actions requiring quarterly digital property scans, improved opt-out preference signal recognition, enhanced privacy notice compliance, employee training, and annual compliance certifications through 2029. This enforcement underscores the CPPA’s focus on privacy notices, data subject rights, HR data, cookie consent systems, and contractual compliance, signaling increased scrutiny ahead of new CCPA regulations taking effect in 2026.
  Read More →
• Key CCPA Regulation Changes Effective January 1, 2026
  California’s revised CCPA rules require businesses to confirm and display when opt-out requests—including Global Privacy Control signals—are honored, enforce active opt-in for cookie consent without consent inferred from closing banners, and ensure opt-in and opt-out processes are equally easy. Consumers can request personal data collected since January 1, 2022. Privacy policies must specify categories of personal data shared with service providers, and mobile apps must include privacy policy links in settings. New rules mandate timely opt-out notices for connected devices like IoT, AR, and VR. Automated decision-making, privacy risk assessments, and cybersecurity audit requirements phase in from 2026 to 2028, requiring increased transparency, governance, and reporting.
  Read More →
• CPPA Finalizes ADMT and Risk Assessment Rules: The California Privacy Protection Agency Board finalized rules requiring businesses to assess privacy risks from data processing involving personal data sales, sensitive info, or automated decision-making technology (ADMT). Consumers can opt out of ADMT only when it replaces human decision-making. The rules await approval from the Office of Administrative Law. Read More →
• CCPA Compliance Reminder: Annual Update Requirement for Online Privacy Policies: For businesses subject to the California Consumer Privacy Act (CCPA), a compliance step often overlooked is the requirement to annually update the businesses online privacy policy. Read More
• Healthline Media to Pay Record California Privacy Penalty: Healthline Media LLC will pay $1.55 million in penalties for privacy violations under a pending settlement with California Attorney General Rob Bonta. The settlement announced Tuesday is the largest for violations under the California Consumer Privacy Act. The website publisher didn’t allow consumers to opt out of targeted advertising, and it shared data without the proper protections in place, according to Bonta’s office. Read More→
• District Court Rulings Could Signal Expansion of California Consumer Privacy Right of Action: In two recent rulings, judges in the U.S. Northern District of California have allowed proposed class actions under the California Consumer Privacy Act (CCPA) to proceed without an allegation of a data breach, departing from past precedent. The CCPA contains a limited private right of action that allows individuals to bring suit if personal data about them is exposed via “unauthorized access, exfiltration, theft, or disclosure” due to a business’s failure to implement “reasonable security measures.” Read More→