Author: Michael Macko
Published: Mar 25, 2025
This month The CPPA Blog takes a look at our Enforcement Division’s investigation process. While this article is written for legal practitioners and includes legal terminology, we’ve included language to make it accessible to all readers.
The CPPA Enforcement Division frequently contacts businesses as part of our ongoing investigations. Investigations are about fact-finding and gathering evidence. We work closely with businesses to understand the facts and assess whether businesses have violated our law.
How we reach out
There are different levels of formality in how we might contact a business. The range of options include:
- A simple phone call or email.
- Forwarding a consumer complaint with a cover letter and asking the business to respond.
- Sending a tailored letter to address various issues, pose questions, or request documents.
- Requesting an informal interview with someone at the business familiar with the situation or how a product or service works.
- Issuing investigatory subpoenas for documents, interrogatories, or testimony.
Our initial request is usually just the start. We often have follow-up questions.
Tips on responding
Regardless of how we engage, we encourage collaboration, communication, and candor. We urge businesses to be forthcoming about the facts. Here are some things to keep in mind.
- Credibility and disclosure are key.
- We recognize that we don’t always start with the full set of facts — our goal is to be thorough and fair.
- Lack of responsiveness or poor communication are not productive for anyone.
We understand hearing from a regulator — and then disclosing information to a regulator — can bring anxiety. The best approach is to own the facts, build credibility, and work constructively with us.
What does the timeline look like?
Our goal is to move quickly to vigorously enforce the law. However, we balance our interest in speed with our interest in handling investigations thoroughly, properly, and consistently with our priorities.
Investigations are iterative and typically the longest part of a case lifecycle at enforcement agencies. It is very common for us to ask numerous follow-up questions. Our focus is to ensure that the evidence is solid and we’re not rushing to judgment.
What happens next?
Based on the facts, there are several possible outcomes of an investigation, such as determining:
- There hasn’t been a violation of our laws.
- An enforcement action is necessary to correct past violations and deter future ones.
- Another action is appropriate.
At any time along the way, we might discuss a settlement. It can make sense to explore voluntary resolution at an early stage. We’ll typically explore settlement before we start litigation, but every case is different, and we don’t proceed the same way every time.
The CPPA enforcement team plays a crucial role in ensuring Californians’ privacy rights are protected. You can find additional information for consumers and businesses on our website.