The California Privacy Protection Agency (CalPrivacy) has appointed Sabrina Boyson Ross as its first Chief Auditor, establishing a dedicated Audits Division to bolster oversight and ensure robust compliance with state privacy laws.
The California Privacy Protection Agency (CalPrivacy) is on a tear to ramp up enforcement. This month they announced the selection of Sabrina Boyson Ross as Chief Auditor, marking a key milestone in strengthening proactive monitoring of businesses under the California Consumer Privacy Act (CCPA) and related regulations. Ross, who brings unparalleled expertise from senior roles in the tech sector and private practice, will head the newly created Audits Division focused on conducting rigorous examinations of privacy practices.
“I am thrilled to join CalPrivacy during this pivotal era for consumer protection,” said Ross. “Effective auditing complements enforcement by identifying compliance gaps early, promoting fair and transparent practices that safeguard Californians’ privacy rights and prevent potential harms.”
Ross’s career spans designing and leading privacy programs, data protection initiatives, and algorithmic governance efforts. Most recently, she served as Director of Public Policy at Meta, guiding cross-functional teams on product, legal, and policy matters. Prior positions included senior privacy and policy leadership at Uber, Apple, and Nauto, with her roots in private practice as a Privacy and Data Security Attorney. She earned her Juris Doctor from UC Berkeley School of Law and a Bachelor of Arts in literature from Grinnell College.
In her new role, Ross will oversee the Audits Division’s development of compliance audit protocols and execution of in-depth regulatory reviews. The division analyzes business records and practices to assess adherence to the CCPA, working in tandem with the Enforcement Division—where audit findings can inform investigations and referrals when violations are identified, akin to practices at federal and state regulatory bodies.
“Sabrina Ross combines exceptional legal acumen, hands-on operational insight, and a sophisticated grasp of advanced technology ecosystems,” said Tom Kemp, CalPrivacy’s Executive Director. “Her leadership will enhance our ability to monitor and promote compliance across industries, supporting Californians in an evolving digital landscape.”
This appointment aligns with CalPrivacy’s broader initiatives to advance privacy protections amid heightened responsibilities. On January 1, 2026, updated CCPA regulations took effect, introducing obligations such as enhanced risk assessments for high-risk processing, mandatory cybersecurity audits (phased in based on business size), and requirements around automated decision-making technology (ADMT)—with notices and opt-outs starting in 2027. These changes build on the CCPA framework to address emerging risks in data handling and security.
The agency has also ramped up enforcement, including recent actions against data brokers for Delete Act violations. In early January 2026, CalPrivacy imposed fines and restrictions on entities like Rickenbacher Data LLC (d/b/a Datamasters) for unregistered operations and selling sensitive health-related lists, and S&P Global for registration failures—demonstrating active oversight through its Data Broker Enforcement Strike Force.
A cornerstone of these efforts is the Delete Request and Opt-Out Platform (DROP), launched January 1, 2026, under the Delete Act. DROP empowers Californians to submit a single request to opt out of data sales and delete personal information from over 500 registered data brokers, with thousands signing up daily and the system already proving a “game changer” for consumer control, as noted by Executive Director Kemp.
CalPrivacy continues to expand its team and tools to meet these demands, ensuring enforcement, education, and auditing work together to deliver meaningful privacy safeguards for residents.
Other team members at CalPrivacy include Tom Kemp who serves as the Executive Director of the California Privacy Protection Agency (CalPrivacy), a position he assumed in April 2025. A Silicon Valley veteran, Kemp is a seasoned entrepreneur, cybersecurity expert, author, and longtime privacy advocate. He co-founded and led Centrify (now part of Delinea), a prominent cybersecurity firm specializing in identity and access management. Kemp played a pivotal role in supporting landmark privacy legislation, including the California Privacy Rights Act (Proposition 24), the Delete Act (SB 362), and the California AI Transparency Act. He holds a Bachelor of Science in computer science and history from the University of Michigan and authored the book Containing Big Tech: How to Protect our Civil Rights, Economy, and Democracy. Under his leadership, CalPrivacy has prioritized making privacy rights more accessible and enforceable for Californians while advancing proactive compliance tools amid evolving digital risks.
For more information on CalPrivacy initiatives, visit privacy.ca.gov.
