The CPPA and UK ICO Sign Declaration of Cooperation to Enhance Privacy Protections


Enforcement is ramping up, and this goes back to an agreement signed in April of this year between the California Privacy Protection Agency (CPPA) and the UK Information Commissioner’s Office (ICO): a Declaration of Cooperation. While non-binding, it formalizes a framework for collaboration (joint research, best-practice sharing, and staff exchanges) that signals tighter alignment on investigations and remedies across jurisdictions. This is a notable development for companies operating in both California and the UK, which must harmonize their privacy programs across overlapping legal expectations.

In other words, California and the United Kingdom are teaming up to come after businesses that target consumers in either location, and it is only a matter of time until the world has a global agreement to come after any business that does not respect data subjects’ rights in their jurisdiction.

The pact builds on the CPPA’s growing network of international ties, including agreements with France’s CNIL (June 2024) and South Korea’s PIPC (January 2025), further cementing California’s role on the global privacy stage as the GDPR of America.

Why This Matters to Global Brands

  • More predictable oversight across borders: Closer regulator-to-regulator ties reduce friction and clarify expectations for investigations, audits, and remediation plans.
  • Faster knowledge transfer on emerging risks: Joint research channels help authorities respond consistently to issues like adtech, connected vehicles, and AI governance.
  • Higher bar for accountability: Coordinated enforcement norms make fragmented compliance (by brand, region, or system) more risky.

Enforcement Context You Can’t Ignore

California’s privacy regime has matured from guidance to action. Recent CPPA cases include a $632,500 stipulated fine against American Honda Motor Co. alongside mandated UX improvements, training, and contracting controls, as well as six-figure penalties in retail and data broker matters.

The UK ICO continues to wield its well-known upper limits—up to £17.5 million or 4% of worldwide turnover for UK GDPR infringements—and, following reforms, the UK’s PECR direct-marketing/cookies regime now aligns those maximums as well.

CPPA vs. UK ICO: Fines, Thresholds, and Real-World Signals

Headline Penalty Frameworks

Regulator: CPPA (California)
Statutory Maximums: Up to $2,663 per violation (unintentional); up to $7,988 per violation (intentional / under-16 data), CPI-adjusted.
Illustrative Enforcement:
  • Honda — $632,500 and remedial obligations (2025).
  • Todd Snyder — $345,178 fine (2025).
  • Multiple data-broker cases, e.g., Accurate Append ($55,400).
  • Note: Prior to CPPA actions, the CA Attorney General settled with Sephora for $1.2M (2022).

Regulator: UK ICO
Statutory Maximums: Up to £17.5M or 4% of global turnover (whichever is higher) under UK GDPR; PECR now aligned to the same maximums post-reform.
Illustrative Enforcement:
  • British Airways and Marriott fines (GDPR-era) illustrate multi-million-pound exposure.

Sources for penalty thresholds: CPPA monetary thresholds and CPI adjustments; ICO penalties guidance; PECR reforms.

CPPA Coming After Every Business After Starting Big

[Chart: CPPA — Honda ($632k); CPPA — Todd Snyder ($345k); ICO — major GDPR fines (e.g., BA/Marriott, multi-million)]

Context: ICO can reach multi-million-pound penalties tied to turnover; CPPA currently trends toward six-figure fines plus prescriptive remedies and injunctive obligations.

What the Declaration Changes for Your Program (and What It Doesn’t)

  • It does increase the likelihood of consistent expectations across investigations in California and the UK (e.g., records of processing, UX fairness, third-party contracts, data minimization).
  • It does not replace statutory duties: you must still meet UK GDPR and CCPA/CPRA requirements independently, and maintain jurisdiction-specific notices, DPIAs, risk assessments, and cookie governance.

Operational Playbook: How Global Brands Should Respond

  1. Harden DSAR intake with brand-specific portals: Eliminate “Contact Us” sprawl by routing requests through standardized privacy webforms with identity verification, SLAs, and audit logs.
  2. Map systems & owners per brand: Keep a living inventory of systems holding personal data and named owners to avoid missed steps during regulatory timelines.
  3. Automate routing, escalations, and deadlines: Use workflow automation to assign subtasks, trigger reminders, and escalate stalled items—especially across time zones and business units.
  4. Lock in UX and cookie compliance: CPPA’s Honda order underscores the importance of intuitive choice architecture and robust vendor contracts; ICO continues to scrutinize consent and transparency.
  5. Document everything: Maintain evidence of identity checks, timelines, decisions, and communications to support investigations or complaints.

How Captain Compliance Helps Multi-Brands With DSARs at Enterprise Scale

  • Brand-specific DSAR portals with centralized oversight to standardize intake, verification, and SLA-driven fulfillment across regions.
  • Automated workflows for routing, approvals, clock-stops, and escalations, with complete audit trails for regulators.
  • System & owner discovery to build accountability into each DSAR subtask—no data source left behind.
  • Training & playbooks so your team can operate independently, or engage us for managed services.

Outcome: Clients see up to 40% faster DSAR completion, fewer manual touches, and stronger readiness for cross-border scrutiny.

FAQ: Fast Answers for Busy Privacy Teams

Is the CPPA–ICO declaration legally binding?

No. It’s a cooperation framework that facilitates research, staff exchanges, and knowledge-sharing. It can still materially influence how aligned investigations and expectations become.

Are CPPA fines “small” compared to ICO fines?

CPPA penalties are per-violation (CPI-adjusted) and often coupled with detailed injunctive relief (UX fixes, training, and contract controls). ICO’s upper limits can be far higher due to the turnover-based cap. Both regimes are increasingly prescriptive in the remedies they impose. Healthline was just fined $1.55 million, and even the largest organizations in the world have a threshold of tolerance. For example, Amazon says it is not concerned about anything under $1 million but takes anything over that seriously. Privacy is one of those matters.

What about cookies and direct marketing in the UK?

Post-reform, PECR’s maximum fines now align with UK GDPR, increasing cookie and marketing exposure for UK-facing brands.

Next Steps: Make Cross-Border Compliance a Competitive Advantage

  • Run a DSAR maturity assessment (systems, owners, SLAs, escalations).
  • Refactor consent and cookie experiences to reduce “dark pattern” risk.
  • Close third-party contracting gaps for adtech and analytics.
  • Operationalize documentation: logs, evidence, and playbooks.

We can help. Captain Compliance standardizes multi-brand privacy operations with automation that scales globally, without ballooning headcount. Book a demo below with a data privacy expert from our team and learn how to protect against the growing influence of regulators who are teaming up across the globe.
