California’s privacy regime entered a new phase of maturity in January 2026, and the appointment of Nicole Ozer to the governing board of the California Privacy Protection Agency is emblematic of that shift. Selected by the Assembly Speaker’s Office, Ozer’s appointment reflects an intentional recalibration of the agency’s leadership at a time when California privacy law is no longer experimental or aspirational, but operational, enforceable, and increasingly consequential for businesses nationwide. She joins other greats like Tom Kemp in the CalPrivacy mission to protect California consumers and ramp up enforcement for privacy violators who are not using software like the one provided by Captain Compliance to respect and protect CA resident consent choices.
The CPPA is no longer simply writing rules or issuing guidance. It is actively enforcing the California Consumer Privacy Act and its expanded successor framework with meaningful penalties, public settlements, and compliance mandates that now rival those seen in mature global regimes such as the GDPR. Against that backdrop, Ozer’s background in civil liberties, surveillance oversight, and technology governance positions her as a board member likely to influence not just how the law is interpreted, but how aggressively it is enforced.
A Strategic Appointment at an Enforcement Inflection Point
Nicole Ozer brings to the CPPA board a career defined by scrutiny of how powerful institutions collect, use, and monetize personal data. Her work has consistently focused on the real-world consequences of surveillance, opaque data practices, and algorithmic decision-making, particularly for vulnerable populations. That experience aligns closely with the CPPA’s current priorities as the agency pivots from regulatory build-out to sustained enforcement.
The Assembly Speaker’s appointment authority is designed to inject legislative perspective and public accountability into the agency’s governance. In choosing Ozer, the Speaker’s Office signaled an emphasis on consumer rights, procedural fairness, and restraint on data misuse at a moment when California businesses are confronting higher expectations and fewer enforcement safe harbors.
This is not a symbolic appointment. The CPPA board directly shapes enforcement priorities, approves major settlements, oversees rulemaking, and sets the tone for how strictly the agency interprets statutory ambiguities. Ozer’s arrival coincides with a period in which the CPPA is asserting itself as a primary privacy regulator rather than a secondary rule-writer operating in the shadow of the Attorney General.
The CPPA Board and the Architecture of Privacy Power
The CPPA’s five-member board reflects California’s intentionally fragmented appointment structure. Members are appointed by the Governor, the Attorney General, the Senate, and the Assembly, creating a governance body that is neither purely executive nor purely legislative. This structure was designed to insulate privacy enforcement from short-term political swings while ensuring broad institutional accountability.
Under the leadership of its chair, the board has increasingly emphasized enforcement consistency, proportional penalties, and demonstrable consumer harm. The board has also pushed agency staff to prioritize cases involving systemic violations rather than isolated technical errors, a trend that has become evident in recent enforcement actions.
Ozer joins a board that is no longer debating whether to enforce aggressively, but how to do so in a way that survives judicial scrutiny and sets durable precedents. Her background suggests a focus on enforcement grounded in constitutional principles, transparency, and procedural rigor rather than headline-driven penalties alone.
Enforcement Is No Longer Theoretical: Jam City and Tractor Supply
The CPPA’s evolution is best understood through its enforcement record. Two cases in particular — Jam City and Tractor Supply Company — illustrate how the agency is translating statutory authority into real consequences.
The Jam City enforcement action centered on the collection and use of personal information from minors through mobile gaming platforms. The CPPA found that Jam City failed to implement appropriate age-based safeguards, did not adequately limit the collection of sensitive personal information, and failed to honor heightened protections required when data relates to children. The resulting penalty and mandated compliance changes sent a clear signal that child-directed services are a top enforcement priority, and that reliance on self-reported age gates without meaningful verification will not suffice.
The Tractor Supply Company action addressed a different but equally important enforcement theme: friction and manipulation in consumer rights requests. The CPPA determined that Tractor Supply imposed unnecessary hurdles on consumers attempting to opt out of the sale or sharing of personal information. These included inconsistent interfaces, delayed processing, and design choices that discouraged completion of requests. The agency treated these practices not as technical oversights but as substantive violations of the CCPA’s prohibition on dark patterns.
Together, these cases demonstrate that the CPPA is focused less on abstract compliance checklists and more on consumer experience. The question is no longer whether a right exists on paper, but whether a reasonable consumer can actually exercise it without confusion, delay, or coercion.
The CCPA as of January 1, 2026: A Higher Bar for Businesses
As of January 1, 2026, the CCPA framework in effect is materially different from the version many businesses initially implemented in earlier years. The law now reflects a fully operational regulatory ecosystem with expanded obligations and fewer ambiguities.
Key changes now fully in force include enhanced requirements around sensitive personal information, formalized risk assessments for high-risk processing activities, and clearer standards for consent, particularly where data is used for profiling, targeted advertising, or automated decision-making. Businesses must now document not only what data they collect, but why, how long it is retained, and whether less intrusive alternatives were considered.
Cybersecurity obligations have also matured. For larger businesses and those processing significant volumes of sensitive data, regular audits and documented security assessments are no longer optional best practices but expected components of compliance. Failure to implement reasonable safeguards is increasingly treated as a standalone violation, even absent a breach.
Importantly, enforcement discretion has narrowed. The early “cure period” culture that characterized initial CCPA enforcement has largely disappeared. The CPPA now expects proactive compliance and has shown little tolerance for organizations that wait for regulatory contact before addressing known deficiencies.
A Broader Regulatory Agenda: Data Brokers and Algorithmic Accountability
Beyond traditional consumer privacy rights, the CPPA’s mandate now extends into areas that were once considered peripheral. Data broker regulation has become a central focus, with mandatory registration, deletion obligations, and centralized consumer request mechanisms reshaping how personal data is bought and sold in California.
Algorithmic accountability is another frontier. While enforcement timelines for automated decision-making technologies extend beyond 2026, the regulatory expectations are already clear. Businesses deploying algorithms that materially affect consumers must be prepared to explain those systems, assess their risks, and provide meaningful opt-out or appeal mechanisms.
These developments place the CPPA squarely at the intersection of privacy, artificial intelligence, and consumer protection. Board members like Ozer, whose careers span these domains, are likely to play an outsized role in shaping how aggressively the agency pursues this agenda.
What Ozer’s Appointment Signals Going Forward
Nicole Ozer’s appointment should be read as a signal, not a formality. It reflects California’s intent to anchor privacy enforcement in civil rights principles while maintaining regulatory credibility. Businesses should not expect enforcement to soften; rather, they should expect it to become more coherent, more predictable, and more difficult to dismiss as bureaucratic overreach.
Under the current board, enforcement actions are increasingly framed as governance failures rather than isolated technical mistakes. That framing has significant implications for executive accountability, board oversight, and enterprise risk management.
As California continues to set the pace for U.S. privacy regulation, the CPPA’s leadership choices matter far beyond state borders. Ozer’s presence on the board reinforces the message that privacy in California is no longer a compliance exercise to be delegated and forgotten. It is a core governance issue, backed by a regulator that now has both the authority and the institutional confidence to enforce it.
