January 1, 2026
January 1, 2026By: Linda L. Goodman
If you’re a data broker operating in – or touching – California, this is not another routine regulatory update. It’s a warning shot.
The California Privacy Protection Agency (“CalPrivacy”) has formally announced the completion of the creation of a Data Broker Enforcement Strike Force within its Enforcement Division – a move that signals a dramatic escalation in how the state plans to police the data broker industry. This is not compliance by checklist anymore. This is compliance under investigation.
The Strike Force builds on CalPrivacy’s 2024 investigative sweep into data broker registration failures under the Delete Act, a sweep that has already produced a record-setting number of enforcement actions – with more still underway. Now, the Agency is adding personnel, resources, and enforcement authority specifically dedicated to rooting out violations by data brokers who failed to register, failed to disclose, or failed to comply with California’s broader privacy regime under the California Consumer Privacy Act (“CCPA”).
And CalPrivacy is being unusually candid about its intent.
“For decades, strike forces have been a mainstay at U.S. Attorney offices and state Attorney General offices across the United States. We intend to bring the same level of intensity to our investigations into the data broker industry,” said Michael Macko, CalPrivacy’s head of enforcement.
That level of intensity matters – because data brokers sit at the center of what CalPrivacy now openly describes as “industrial-scale” risks to consumers. According to Tom Kemp, the widespread availability of digital dossiers makes personal data easier to weaponize, easier to exploit, and harder to control – even when companies believe they are acting responsibly.
The message from California is clear: registration failures, opaque data practices, and passive compliance programs are no longer survivable strategies.
With the Delete Act’s centralized deletion mechanism – the Delete Request and Opt-Out Platform (“DROP”) – scheduled to go live at the end of January 2026, the clock is already ticking. And now, there is a dedicated Strike Force whose sole mission is to find out who didn’t prepare in time.
For data brokers, the question is no longer whether enforcement is coming — It’s whether your organization will be ready when it does. If not, you are now targeted, and time is short.
© 2026 CLIClaw.com
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.