In December 2025, the California Privacy Protection Agency (CPPA) released Enforcement Advisory No. 2025-01, a targeted reminder outlining obligations under California’s Delete Act. The advisory introduces centralized deletion infrastructure, daily penalties, entity-level accountability, and UX-focused compliance checks that can fundamentally change how privacy compliance will be evaluated starting in 2026. This seems like a preview of how regulators are designing privacy enforcement to be faster, more automated, and easier to test. Let’s understand why this advisory deserves attention far beyond data brokers and what it signals for the broader privacy enforcement landscape.
This CPPA advisory is less about introducing new rules and more about revealing how enforcement is evolving. It shows regulators shifting from policy interpretation to system verification. It demonstrates how privacy enforcement will increasingly rely on infrastructure that makes failures obvious, repeatable, and difficult to explain away.
Mandatory annual registration
The CPPA’s Enforcement Advisory is a reminder that “data broker” status isn’t something you can hand-wave away with brand structure or corporate umbrellas. If an entity meets California’s definition of a data broker, it has to register each year, and that requirement applies separately to subsidiaries and related entities, not just the parent company.
DROP is the new “one-to-many” delete lane
The advisory lands right before California flips the switch on DROP (the Delete Request and Opt-Out Platform), which is designed to let consumers submit a single deletion request that reaches all registered data brokers. The key shift is scale: once DROP is live, consumer deletion becomes centralized and repeatable, and the operational burden moves from “respond to occasional inbound requests” to “be ready for standardized, platform-driven requests at volume.”
Entity-Level Accountability
One of the sharpest signals in the advisory is that companies can’t “solve” registration by pointing to a parent’s listing. The CPPA is explicitly warning against attempts to rely on affiliated registrations or corporate restructuring tricks to dodge visibility. That matters because it forces governance to match reality: if multiple entities operate multiple data products, they’ll be treated as multiple accountable actors. For privacy teams, this means entity mapping becomes a compliance deliverable.
Functional Trade Names and Websites
The advisory is also a crackdown on obscurity. Data brokers must list trade names (DBAs) and websites in their DROP/registration information and keep links accurate and working, because broken links, missing brand aliases, or incomplete web footprints effectively block consumers from exercising rights. The CPPA frames this as a pattern it’s already seeing in-market: brokers operating under multiple names and sites, or otherwise making it difficult for consumers to understand who is collecting data and how to opt out/delete. In other words, “findability” is now part of compliance.
Consumer rights pages must be clean, clear, and dark-pattern-free
Beyond listing links, the advisory emphasizes that the destination matters: businesses must provide a consumer-rights page that actually explains how to exercise privacy rights, and it must do so without dark patterns. This is important because it turns UX into an enforcement surface: if the page is confusing, manipulative, or designed to slow people down, it’s not just bad design; it’s a compliance risk. CPPA’s posture here mirrors the broader 2025–2026 enforcement vibe: rights must be usable, not merely “available in theory,” and regulators increasingly look for fast, visible proof that consumer choice is respected.
While the advisory is explicitly directed at data brokers, its implications reach far wider. Any organization that collects, aggregates, sells, licenses, enriches, or shares personal data at scale, especially through third parties, should view this as relevant. This includes ad-tech companies, analytics providers, mobile app ecosystems, data enrichment vendors, marketing platforms, and businesses whose partners qualify as data brokers, even if they do not use that label themselves.
Map entity structures
Businesses need a clean, up-to-date view of their corporate and operational structure, not just at the parent level but across subsidiaries, affiliates, and special-purpose entities. The CPPA advisory makes it clear that enforcement will look at what an entity actually does, not how it is branded or grouped on paper. Any entity that collects, sells, licenses, or shares personal data in ways that meet California’s data broker definition must be identified and assessed independently. This mapping exercise should connect legal entities to actual data flows, products, and revenue models, so nothing falls through organizational cracks.
Audit consumer-facing rights pages
Consumer rights pages are no longer a “set it and forget it” compliance artifact. Regulators expect these pages to work, load correctly, reflect current trade names and websites, and clearly explain how users can exercise their rights. Dark patterns, confusing layouts, buried links, misleading language, or friction-heavy flows are increasingly treated as compliance failures, not UX choices. Businesses should periodically test these pages the way a consumer or regulator would, ensuring that exercising a right is straightforward and honest.
Test deletion and opt-out workflows
With DROP and similar centralized mechanisms coming online, companies should stop thinking only in terms of individual inbound requests. Instead, they should simulate what happens when deletion or opt-out requests arrive in bulk, in standardized formats, and with clear regulatory expectations behind them. This means validating that requests can be received, authenticated, routed, executed, and confirmed end-to-end across internal systems and vendors without manual scrambling or breakdowns.
Review third-party relationships
Even if a business does not see itself as a “data broker,” vendors may be collecting, enriching, or sharing data in ways that create indirect exposure. Advertising partners, analytics providers, enrichment services, and SDKs can all pull an organization into scope. Businesses should review contracts, data uses, and actual technical behavior, not just disclosures, to understand whether vendor activities trigger registration, deletion, or opt-out obligations that flow back to the company.
Move beyond static documentation
The advisory signals that compliance is being evaluated as an ongoing condition, not a snapshot. Links break, websites change, entities spin up, and products evolve. Static documentation can quickly become outdated and misleading. Businesses should adopt processes or tooling that continuously check whether registrations are current, links remain functional, rights flows still work, and disclosures match reality—before regulators or plaintiffs do that checking for them.
Assume enforcement will scale
Perhaps the most important mindset shift is scale. Enforcement mechanisms like DROP are designed to operate at volume, and penalties accrue daily. A missed registration, a broken link, or a poorly designed rights page may seem minor in isolation, but when scaled across time, entities, and requests, these gaps become measurable, repeatable, and costly. Businesses should assume that small issues will not stay small and plan compliance programs accordingly.
The CPPA’s Delete Act advisory is not just a reminder for data brokers, but an early signal of how privacy enforcement is being rebuilt for 2026 and beyond. Centralized platforms like DROP, entity-level accountability, daily penalties, and UX-focused checks point to an enforcement model that is faster, more automated, and far less tolerant of ambiguity. For businesses, this advisory should be read as a blueprint, not just for California data brokers but for anyone operating in data-driven ecosystems where third parties, multiple entities, and complex UX flows are the norm. Those built around continuous visibility, operational testing, and system-level accountability will be the ones that hold up when enforcement shifts from theory to execution.