On November 19, the California Privacy Protection Agency (CPPA) announced the creation of a “Data Broker Enforcement Strike Force” within its Enforcement Division to investigate privacy violations by the data broker industry. The announcement stated that the strike force will focus on enforcing the data broker registration requirements under the Delete Act and the compliance requirements with the California Consumer Privacy Act (CCPA), as well as supporting the rollout of the new Delete Request and Opt-out Platform (DROP) that will allow consumers to request deletion of their personal information from multiple data brokers with a single action, beginning in 2026 (covered by InfoBytes here).

The strike force builds on a 2024 investigative sweep into data broker compliance (covered by InfoBytes here), which the agency noted remains ongoing. According to the CPPA, the strike force will provide additional resources for investigations and enable the agency to pursue further enforcement actions against data brokers that fail to comply with obligations under the CCPA and Delete Act. The CPPA’s executive director emphasized the strike force is intended to contend with the “unique risks” posed by data brokers’ “industrial-scale collection and sale of our personal information” and stated the agency must act to reduce such risks and foster transparency.