Created by the CPRA in 2020 and operational since 2023, the CPPA is the first dedicated privacy enforcement agency in the United States. Prior to its formation, the California Attorney General was the sole enforcement authority for the CCPA.
The agency has broad regulatory authority: it can adopt regulations, investigate potential CCPA/CPRA violations, and impose administrative fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Violations involving minors' data are treated as intentional.
The CPPA has signaled an active enforcement posture, initiating investigations into data broker practices, mobile applications, and consent management implementation. Unlike the FTC, which primarily enforces privacy through deception-based theories, the CPPA enforces substantive privacy rights, making it a meaningful compliance threat even for organizations with clear and honest privacy policies.