Privacy in Practice
California Is Watching: Unpacking Enforcement Trends with Daniel Goldberg
March 17, 2026
California continues to set the pace for U.S. privacy enforcement, and 2025 is proving to be a pivotal year. In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan sit down with Daniel Goldberg, Partner and Chair of the Data Strategy, Privacy, and Security Group at Frankfurt Kurnit Klein & Selz and 2025 California Privacy Lawyer of the Year, to unpack what’s really happening behind the scenes of CCPA enforcement. Drawing on his direct experience defending companies facing California privacy enforcement actions, Daniel shares firsthand insights from public and non-public investigations, including trends emerging from actions involving companies like Sephora, DoorDash, and Jam City. The conversation explores what regulators actually prioritize, why misconfigured opt-outs and vendor oversight remain the most common pitfalls, and how the new Delete Act and data broker rules could dramatically shift compliance obligations.






Episode Highlights:

California’s privacy regime has moved from abstract compliance talk to sustained, precedent-setting enforcement. What began as slow, symbolic action after the CCPA’s 2020 rollout has evolved into a coordinated enforcement landscape led by both the California Attorney General and the California Privacy Protection Agency (CPPA). Public cases such as Sephora, DoorDash, Tilting Point Media, and Jam City represent only part of the picture. Across actions, regulators are signaling consistent priorities, including clear notice, lawful targeted advertising practices, functional opt-outs, and compliant vendor contracts.

Regulatory enforcement can begin the same way customers experience your brand: someone identifies a potential issue while browsing your website, reading about your company, or attempting to exercise their privacy rights. Consumer-facing companies are naturally more visible to regulators, since regulators are consumers too, but the biggest trigger is still complaints, especially when an organization advertises privacy rights and then fails to honor those rights due to misconfiguration, slow response, or a broken process. Many cases aren’t about willful neglect. Often, they stem from gaps between what a company thinks the law requires and what regulators expect in practice. And while companies often study post-investigation website changes for guidance, those changes do not represent a regulator’s endorsement, nor should they be used as a compliance template. The practical move is to think like a regulator.

While the GDPR is rooted in human rights, most U.S. state privacy laws are grounded in consumer protection. That philosophical divide shapes everything from compliance strategy to enforcement risk. U.S. laws tend to focus on notice, opt-outs, unfair or deceptive practices, and contractual safeguards. GDPR, by contrast, is structured around broader accountability and rights-based principles. As enforcement expands and legal challenges grow, companies need more than a checklist. An effective privacy strategy requires practical judgment about real-world risk.

Regulators expect companies to honor opt-out signals across all platforms where a user can be reasonably identified. Companies are expected to effectuate an opt-out across connected systems when data links exist or when a user is identifiable within the ecosystem. If systems genuinely don’t connect and it’s not reasonable to link them, the obligation may be narrower. But companies cannot use fragmentation or technical silos as a workaround or excuse for not honoring opt-outs.

When an AI vendor uses client data to train its own models, it may no longer qualify as a “service provider” under the CCPA. Danie Strachan draws a direct parallel to the GDPR controller and processor distinction, while Daniel and Kellie discuss why deidentification is the only defensible safe harbor for companies navigating this gray area. 




Privacy in Practice is handcrafted by our friends over at: fame.so.

Connect with us at podcast@verasafe.com

This podcast is brought to you by VeraSafe.