Two years ago, CCPA compliance meant adding a Do Not Sell link, implementing a consent management platform, and hoping the Attorney General’s office wouldn’t come knocking. Now it means getting audited whenever the California Privacy Protection Agency or the AG decides to turn the microscope on you. And when they do, they expect years of logs, data maps, and technical decisions to line up.
Regulators today are reading your website and consent flows like users, not just your privacy policy like lawyers. The AG’s enforcement sweep against Sephora and other established retailers showed exactly that. Investigators tested whether Global Privacy Control signals were honored in real-time, whether third-party trackers still fired after opt-out, and whether the privacy notice actually matched observed data flows.
If you’re still assessing whether your website operations put you under CCPA’s scope, our applicability guide breaks down how each threshold is calculated and where websites change the math.
The common denominator in all of these? While the legal teams declared that they don’t sell personal information, the engineering and marketing stacks worked with adtech partners via cookies and pixels. That might not be “selling” in the everyday sense. But under CCPA and CPRA, it’s exactly that.
In this guide, we walk through what happens when a notice of inquiry arrives, what categories of evidence regulators actually request, and how to build a compliance program that generates audit-ready proof.
How California Privacy Enforcement works
From an enforcement perspective, California privacy law now has two fronts: the Attorney General’s Office and the California Privacy Protection Agency.
Both can investigate, demand documents, and impose penalties. But the CPPA is a bit different by design. It was created under the CPRA, vested with full administrative power to enforce the CCPA as an administrative regulator.
Due to the overlap between these two bodies, the statute builds in de-confliction rules. The CPPA must pause if the Attorney General pursues civil litigation. Similarly, the Attorney General is barred from filing a civil case once the CPPA has issued a final decision on the same facts.
For a business, that means you’re dealing with either a regulatory-style administrative process or civil litigation. But never both at the same time.
So, how do they really differ?
The AG investigates and files civil actions seeking civil penalties and injunctive relief. For businesses, fines range from $2,500 per violation up to $7,500 per intentional violation or violation involving minors under 16.
The CPPA operates more like a European data protection authority with continuous supervision, advisories, sectoral sweeps, and administrative orders. It can conduct investigations, issue subpoenas, and hold hearings under California’s Administrative Procedure Act once it finds probable cause that the law has been violated.
How do businesses learn about the scrutiny?
Sweeps usually begin not with a subpoena but with an inquiry letter from the enforcement division asking detailed questions about practices and demanding supporting documentation within a stated deadline, typically around 30 days.
That deadline is set in the letter itself, not fixed by statute. However, there are a few things to note here. Before 2023, the AG sent a notice of alleged noncompliance. Businesses then had 30 days to cure under the California Civil Code.
But since January 1, 2023, the CCPA no longer requires notice or an opportunity to cure before an enforcement action is filed. That safety net is no longer guaranteed.
Categories of evidence that regulators request
When the AG or CPPA sends an inquiry letter, it typically asks for proof across multiple categories that your privacy program is working as intended: logs of consumer requests and how you responded, evidence that your opt-out mechanisms actually stopped data transmission, how GPC was honored, and more.
Typically, you get 30 days from the notice to draft a response. And if you look at past actions, enforcement summaries, and settlements, the evidence that gets requested falls into these buckets.
Privacy notices come first because they’re public and easy to test
The gap between what you claim and what actually happens in the backend is the first thing they see. For example, in the Sephora case, the AG quoted the company’s privacy notice stating it did not sell personal information, all while their website transmitted behavioral data to third-party advertising and analytics partners via cookies and pixels.
To verify your privacy practices, they look at your current privacy policy and notices at collection, historical versions that may date back multiple years, evidence of an update cadence with approval flows, and even screenshots of how notices are actually presented in different channels like web, app, in-store, or HR portals.
How do they evaluate it?
Looking at the regulations, the privacy policy must provide a comprehensive description of the business’s online and offline information practices and inform consumers of their rights and how to exercise them.
So while evaluating, they look at three factors.
First is completeness. Regulators want to know whether all the required categories, sources, purposes, and sale or sharing disclosures are present. If they are, they then ask whether rights and request methods are clearly described.
Then they gauge accuracy. Does the notice line up with observed practices, especially around adtech, loyalty programs, and data sharing? If that also passes, they look at the freshness of the information.
In the AG’s earlier enforcement summaries, non-compliant privacy policies were the most frequently alleged violation, appearing in 14 of 27 cases.
The regulators’ view? They want to see not just the current privacy notice, but how it evolved and whether that evolution kept pace with your actual data practices.
A data inventory is just as expected
The CCPA doesn’t directly mandate a data inventory, but its obligations presuppose one.
And when they do inquire about it, they typically want to know what kind of PI and sensitive PI you process.
They want to see if you can point out the sources of the information, a business justification for each category, the exact retention practices for those segments, and how data flows through your vendor ecosystem.
Put simply, the underlying intent is to use your inventory to verify whether or not you collect and retain more than what is reasonably necessary and proportionate to disclosed purposes.
So they scrutinize retention records and compare your list of vendors and data sharing partners against what they see in technical testing of cookies, SDKs, and pixels.
Consumer rights request records are fundamental
As per the regulations, businesses are required to maintain records of consumer requests and their responses to them for at least 24 months.
Those records must include the date of request, nature of request, manner in which it was made, date of response, nature of response, and basis for denial if applicable.
Larger businesses handling information on 10 million or more consumers annually must also publish annual metrics summarizing request volumes and response times.
The regulatory intent here is to gauge whether consumer requests get ignored, missed, or mishandled. That’s why, in most cases, these logs are the first thing organizations should be ready to produce.
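The record fields and annual metrics described above, as an added example that is not part of the original post. The field names, the sample records and the export shape are constructed for illustration; the 24-month retention and the publication of request volumes and response times come from the text, and the 45-day statutory response window is the CCPA deadline (extendable once with notice to the consumer).

```javascript
// Added example (not from the original post): a minimal consumer-request log that
// carries the record fields the regulations require and derives the figures an inquiry
// letter asks for. Field names, sample records and the export shape are constructed.

const RETENTION_MONTHS = 24;        // minimum record retention stated in the text
const RESPONSE_DEADLINE_DAYS = 45;  // CCPA statutory response window, extendable once with notice

// Every record must carry: date of request, nature of request, manner in which it was
// made, date of response, nature of response (and a basis for denial, checked below).
const REQUIRED_FIELDS = ['requestDate', 'requestType', 'channel', 'responseDate', 'responseType'];

// Constructed sample export from a case-management system.
const SAMPLE_REQUESTS = [
  { id: 'REQ-001', requestDate: '2024-03-02', requestType: 'delete',  channel: 'web-form',
    responseDate: '2024-03-20', responseType: 'fulfilled' },
  { id: 'REQ-002', requestDate: '2024-04-11', requestType: 'know',    channel: 'email',
    responseDate: '2024-06-05', responseType: 'fulfilled',
    extensionReason: 'multi-system lookup; consumer notified on day 30' },
  { id: 'REQ-003', requestDate: '2024-05-19', requestType: 'delete',  channel: 'phone',
    responseDate: '2024-05-30', responseType: 'denied' },           // no denialBasis recorded
  { id: 'REQ-004', requestDate: '2024-07-01', requestType: 'opt-out', channel: 'web-form',
    responseDate: '2024-07-03', responseType: 'fulfilled' },
];

const MS_PER_DAY = 24 * 60 * 60 * 1000;
function daysBetween(startIso, endIso) {
  return Math.round((Date.parse(endIso) - Date.parse(startIso)) / MS_PER_DAY);
}

// Lists the defects that would make a record indefensible when produced to a regulator.
function validateRecord(rec) {
  const problems = REQUIRED_FIELDS.filter((f) => !rec[f]).map((f) => `missing ${f}`);
  if (rec.responseType === 'denied' && !rec.denialBasis) problems.push('denied without denialBasis');
  if (rec.requestDate && rec.responseDate &&
      daysBetween(rec.requestDate, rec.responseDate) > RESPONSE_DEADLINE_DAYS && !rec.extensionReason) {
    problems.push(`response after ${RESPONSE_DEADLINE_DAYS} days without extensionReason`);
  }
  return problems;
}

// Annual metrics of the kind large businesses must publish: volumes by request type,
// denials, and mean days to respond. Only requests received in `year` are counted.
function annualMetrics(records, year) {
  const inYear = records.filter((r) => r.requestDate.startsWith(`${year}-`));
  const received = {};
  let denied = 0;
  let totalDays = 0;
  for (const r of inYear) {
    received[r.requestType] = (received[r.requestType] || 0) + 1;
    if (r.responseType === 'denied') denied += 1;
    totalDays += daysBetween(r.requestDate, r.responseDate);
  }
  const meanDaysToRespond = inYear.length ? totalDays / inYear.length : 0;
  return { year, total: inYear.length, received, denied, meanDaysToRespond };
}

// True when a record is still inside the 24-month statutory minimum as of `asOfIso`.
// Records older than that are outside the minimum only; the text recommends keeping
// key compliance artifacts for five years regardless.
function withinRetention(rec, asOfIso) {
  const asOf = new Date(asOfIso);
  const floor = Date.UTC(asOf.getUTCFullYear(), asOf.getUTCMonth() - RETENTION_MONTHS, asOf.getUTCDate());
  return Date.parse(rec.requestDate) >= floor;
}

// Usage: what a privacy-ops reviewer would run before the log is handed over.
const defects = SAMPLE_REQUESTS.map((r) => [r.id, validateRecord(r)]).filter(([, p]) => p.length);
console.log('records with defects:', JSON.stringify(defects));
console.log('2024 metrics:', JSON.stringify(annualMetrics(SAMPLE_REQUESTS, 2024)));
```

The validator is deliberately strict about denials and late responses: a denial with no recorded basis, or a response past the deadline with no extension reason, is exactly the kind of record a regulator reads as a request that was mishandled.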
Consent mechanisms and opt-out processes are directly tied to your CCPA compliance
Regulators test whether GPC signals are honored, whether opt-out links work, and whether dark patterns manipulate choices. Evidence here is increasingly technical. Not just policy quotes about honoring GPC, but proof that when a browser sends the GPC header, your site actually suppresses trackers that constitute a sale or sharing.
Vendor agreements become crucial technical evidence
Service provider contracts must include CCPA-required restrictions. Regulators repeatedly fault businesses for sending personal information to analytics or advertising partners without compliant agreements, forcing those relationships into the “sale” category and triggering opt-out obligations.
During investigations, that turns into requests for sample contracts, lists of vendors receiving PI, due diligence reports, and sometimes testing results showing whether vendors actually limit use as promised.
Evidence of control performance to prove reasonable security
California law requires businesses to implement and maintain reasonable security procedures appropriate to the nature of the information. And to assess that, regulators mostly look at risk assessments, vulnerability management records, incident response plans, and certifications like ISO 27001.
Training records round out the picture
CCPA requires that all individuals responsible for handling consumer inquiries about privacy practices or compliance be informed of CCPA requirements and how to direct consumers to exercise their rights.
In investigations, that translates into requests for training policies, slide decks or e-learning modules, attendance logs, and sometimes testing or assessment results. Regulators are looking for both coverage and substance. They want to know who is trained and whether the curriculum actually covers rights, timelines, and procedures.
Website-specific evidence requirements: what do auditors ask for?
Your website is the prime real estate for both compliance and violations. A tag fired before the user could input consent? That’s a violation. A third-party analytics script shared PI with sub-processors downstream that weren’t in your vendor contract? Again, a violation.
The issue is that your website is a highly dynamic environment. Marketing deploys tracking tags to measure campaign performance. Product ships new features that pull in recommendation engines and personalization tools. Engineering integrates fraud detection SDKs and payment processors. And customer success adds chat widgets and support tools.
Every script and third-party integration introduces potential for data collection. Auditors look for those failure points.
Inventory of tracking technologies to prove your oversight
Regulators expect a comprehensive list of all third-party scripts and SDKs that collect or receive personal information, categorized by function.
That includes analytics, advertising, session replay, heatmaps, A/B testing tools, and even mobile SDKs collecting device identifiers or location.
Beyond completeness, auditors check whether inventories are current rather than a point-in-time snapshot from an annual audit.
In a recent enforcement action, Todd Snyder, a men’s apparel company, was found at fault by the CPPA because its opt-out tool remained misconfigured for forty days. Point-in-time audits leave room for drift between reviews.
Regulators would most likely treat that as a governance failure.
Your privacy notice should be grounded in truth
For each significant tag, third-party script, feature, or SDK, regulators expect you to document what data it collects, to which vendor it’s sent, for what purpose, and under what legal relationship.
They then crosswalk your privacy notice disclosures against observed cookies and pixels.
Opt-out and consent enforcement should show up in logs
Regulators always check if the GPC signals and opt-out consent inputs are being honored by stopping data transmission. The most common issue is tags loading on a page before a user can consent to data collection, or ignoring the GPC signals.
Most marketing pixels and analytics scripts load on page render, transmit data to third parties, and only then check whether the user opted out. By that point, the data has already left the browser.
So regulators demand data flow and traffic logs from before and after the consent input to gauge whether consent was actually honored. You need test logs, network traces showing calls cease after opt-out, and tag manager rules proving tags don’t fire when opt-out flags are present.
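The trace review described above, as an added example that is not part of the original post: it takes a captured list of outbound requests from a test session and reports which third-party hosts were contacted before the visitor could act and which were still contacted after the opt-out. The trace entries, the host lists and the opt-out timestamp are constructed; in practice they would come from a HAR export or browser developer tools.

```javascript
// Added example (not part of the original post): checks a captured network trace to
// verify that third-party calls stop after the visitor opts out. Trace entries, host
// lists and the opt-out timestamp are constructed; a real run would take them from a
// HAR export or browser developer tools during a test session.

// Constructed trace: one entry per outbound request observed in a test session.
const SAMPLE_TRACE = [
  { time: '2024-09-10T12:00:00.100Z', url: 'https://www.example-shop.test/' },
  { time: '2024-09-10T12:00:00.350Z', url: 'https://cdn.example-shop.test/app.js' },
  { time: '2024-09-10T12:00:00.600Z', url: 'https://pixel.adnetwork.test/collect?id=123' },        // fires on render
  { time: '2024-09-10T12:00:00.800Z', url: 'https://analytics.vendor.test/g/collect?v=2' },        // fires on render
  { time: '2024-09-10T12:00:04.000Z', url: 'https://www.example-shop.test/api/consent' },          // opt-out recorded
  { time: '2024-09-10T12:00:06.200Z', url: 'https://www.example-shop.test/api/cart' },
  { time: '2024-09-10T12:00:07.500Z', url: 'https://pixel.adnetwork.test/collect?id=123&ev=view' }, // still firing
  { time: '2024-09-10T12:00:09.000Z', url: 'https://fraud.sp-vendor.test/score' },                 // service provider
];

const FIRST_PARTY_HOSTS = ['www.example-shop.test', 'cdn.example-shop.test'];
// Vendors under a compliant service-provider contract: their calls are not a sale or share.
const SERVICE_PROVIDER_HOSTS = ['fraud.sp-vendor.test'];
const OPT_OUT_AT = '2024-09-10T12:00:04.000Z';

function classifyHost(host, firstParty, serviceProviders) {
  if (firstParty.includes(host)) return 'first-party';
  if (serviceProviders.includes(host)) return 'service-provider';
  return 'third-party'; // anything else is a potential sale/share destination
}

// Splits third-party destinations into those contacted before the opt-out (evidence that
// tags fire on render, before the visitor can act) and those still contacted afterwards
// (evidence that the opt-out did not stop transmission).
function analyzeTrace(trace, optOutAt, firstParty, serviceProviders) {
  const cutoff = Date.parse(optOutAt);
  const before = new Set();
  const after = new Set();
  for (const entry of trace) {
    const host = new URL(entry.url).hostname;
    if (classifyHost(host, firstParty, serviceProviders) !== 'third-party') continue;
    if (Date.parse(entry.time) < cutoff) before.add(host); else after.add(host);
  }
  return {
    thirdPartyBeforeOptOut: [...before].sort(),
    thirdPartyAfterOptOut: [...after].sort(),
    optOutHonored: after.size === 0,
  };
}

// Usage: the finding a reviewer would record for this session.
const finding = analyzeTrace(SAMPLE_TRACE, OPT_OUT_AT, FIRST_PARTY_HOSTS, SERVICE_PROVIDER_HOSTS);
console.log(JSON.stringify(finding, null, 2));
```

Run against this session, the check reports the advertising pixel as still firing after the opt-out, which is the finding a regulator would make from the same trace. The service-provider host is excluded only because it sits on the contractually vetted list, which is why that list has to match the vendor agreements the previous section describes.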
Third-party data sharing should be documented
Regulators expect lists of partners receiving data via client-side and server-side integrations, contracts showing service provider or contractor status, and technical evidence of actual sharing. Client-side flows are visible in browser developer tools. Server-side flows require log exports or architecture diagrams.
| Evidence Category | What Regulators Request | How to Demonstrate |
| --- | --- | --- |
| Privacy Notices | Current and archived notices showing evolution over time, with proof that disclosures match actual data practices | Time-stamped version history. Map the language of notice to documented data flows and tracking technologies |
| Data Inventory | Categories of PI and sensitive PI collected, sources, purposes, retention periods, systems, and vendors | Structured inventory mapping data types to collection points, processing activities, and legal bases |
| Consumer Request Handling | 24-month records of requests with dates, nature, channel, response, and denial basis. | Request logs with timestamps, verification steps, response documentation, and outcome tracking |
| Tracking Technology Inventory | Comprehensive list of cookies, pixels, SDKs, and scripts that collect or receive PI | Current, dynamic inventory categorized by function (analytics, advertising, session replay) covering web and app contexts |
| Opt-Out Enforcement | Evidence that GPC signals and opt-out mechanisms actually stop data transmission | Test logs, network traces showing calls cease after opt-out, tag manager rules proving tags don’t fire when opt-out flags are present |
| Consent Mechanisms | Proof that consent controls actual data flows, not just UI toggles | Mapping from UI elements to configuration changes. Monitoring confirming settings persist after site updates |
| Vendor Management | Service provider and contractor agreements with CCPA-required restrictions, or a list of partners receiving PI. | Contracts with specific limitations, due diligence records, assessments, and data sharing documentation |
| Third-Party Data Sharing | Technical evidence of what data flows to which partners via client-side and server-side integrations | Network traces, log exports, and architecture diagrams showing actual data transmission |
| Security Measures | Reasonable security practices appropriate to the nature of the information | Risk assessments, vulnerability management records, incident response plans, monitoring logs, and audit results |
| Training Records | Evidence that individuals handling consumer inquiries are informed of CCPA requirements | Training policies, curriculum covering rights and procedures, attendance logs, and assessment results |
Building an evidence-ready compliance program
When the notice arrives, you typically get a small response window to present evidence of compliance. So you need a compliant program already in place and running like clockwork, so you can produce coherent, defensible evidence without a panicked all-hands scramble. Here’s what works:
Step 1: Dynamic documentation, not static binders
Operationally, living documentation means keeping your data inventory and system documentation in sync with product launches, tracking stack changes, and vendor updates.
That requires a clear owner, typically the Privacy Ops team, with defined triggers for updates, so that new tag requests, vendor intake, and significant code releases all trigger inventory and notice reviews.
However, point-in-time reconciliation cycles often fail because the runtime environment drifts between audits as vendors update, tags rotate, or third-party scripts change behaviour. That calls for continuous monitoring: a tool that discovers new scripts automatically, documents them, and watches them for drift.
Step 2: Automate evidence collection
When you run your compliance programs manually, evidence lives fragmented in drives, email threads, and Slack messages. Every audit becomes a scramble, pulling away your team’s bandwidth from tasks that matter.
Manual evidence reconciliation becomes indefensible when regulators ask for all access requests from the last 24 months or all third-party trackers active between specific dates.
That’s where automated tools like AlphaPrivacy AI plug the gaps. They automatically discover tags, pixels, and SDKs and map them to data categories. Then they capture logs, centralizing consumer rights requests, consent and opt-out events, and versions of tag manager rules.
Even the periodic comparison of privacy notice disclosures against observed data categories is performed and documented automatically, in a verifiable and auditable trail.
Step 3: Enforce consent in real time
Policy statements like “we honor your choices” are unsubstantiated without technical backing. You need mechanisms that give users real control, honoring their choices in real time.
To do that, tags should stay dormant by default until consent is captured, GPC signals should be detected and honored before any non-essential scripts fire, and users should be given a fair chance to opt out before data leaves the browser.
Visitors from other jurisdictions see different consent flows based on their applicable laws, which vary significantly across U.S. states in scope, thresholds, and opt-in versus opt-out requirements.
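The gate described in this step, and the GPC point made earlier (proof that when a browser sends the GPC signal the site actually suppresses trackers that constitute a sale or share), as an added example that is not the post's or any vendor's code. It assumes a constructed tag catalogue in which each tag is flagged as essential or not and as a sale/share flow or not, a hypothetical storage key `privacy-choice` for the banner decision, and a `navigator`/storage pair injected as arguments so the logic also runs outside a browser. `navigator.globalPrivacyControl` is the browser property through which GPC is exposed; the vendor hosts are constructed.

```javascript
// Added example (not the post's or any vendor's code): a consent gate for a tag loader.
// Non-essential tags are dormant by default; a Global Privacy Control signal is treated
// as an opt-out of sale/sharing before any such tag fires. The tag catalogue, vendor
// hosts and the storage key are constructed for this example.

// Constructed tag catalogue. `saleOrShare` marks tags whose data flow counts as a sale or
// share under CCPA/CPRA (advertising pixels, vendors without a service-provider contract).
// Essential tags (fraud, payments) load regardless of choice.
const TAG_CATALOGUE = [
  { id: 'fraud-detection', essential: true,  saleOrShare: false, src: 'https://fraud.sp-vendor.test/sdk.js' },
  { id: 'web-analytics',   essential: false, saleOrShare: false, src: 'https://analytics.sp-vendor.test/a.js' },
  { id: 'ad-pixel',        essential: false, saleOrShare: true,  src: 'https://pixel.adnetwork.test/p.js' },
  { id: 'session-replay',  essential: false, saleOrShare: true,  src: 'https://replay.vendor.test/r.js' },
];

const CHOICE_KEY = 'privacy-choice'; // hypothetical storage key holding 'accepted' | 'opted-out'

// Reads the two inputs the gate depends on. `nav` and `storage` are injected so the logic
// can be unit-tested; in a page, pass `navigator` and `window.localStorage`.
function readSignals(nav, storage) {
  const gpc = Boolean(nav && nav.globalPrivacyControl === true); // navigator.globalPrivacyControl
  const stored = storage ? storage.getItem(CHOICE_KEY) : null;
  const choice = stored === 'accepted' || stored === 'opted-out' ? stored : 'none';
  return { gpc, choice };
}

// Decides which tags may fire. The plan is returned (not just acted on) so the decision
// can be logged as evidence next to the network trace.
function planTagLoads(signals, catalogue) {
  // GPC is a valid opt-out request for sale/sharing: it counts as a recorded choice when
  // none exists and overrides an earlier "accepted" click for sale/share tags.
  const effectiveChoice = signals.gpc ? 'opted-out' : signals.choice;
  const fire = [];
  const blocked = [];
  for (const tag of catalogue) {
    if (tag.essential) { fire.push(tag.id); continue; }
    if (tag.saleOrShare && effectiveChoice === 'opted-out') {
      blocked.push({ id: tag.id, reason: signals.gpc ? 'gpc-signal' : 'opt-out-recorded' });
      continue;
    }
    if (effectiveChoice === 'none') {            // dormant by default until a choice exists
      blocked.push({ id: tag.id, reason: 'awaiting-choice' });
      continue;
    }
    fire.push(tag.id);
  }
  return { effectiveChoice, fire, blocked };
}

// Browser glue: script elements are created only here, so nothing in `blocked` ever
// reaches the network. Safe to call without a document; it then just returns the plan.
function applyPlan(plan, catalogue, doc) {
  if (!doc || typeof doc.createElement !== 'function') return plan;
  for (const tag of catalogue) {
    if (!plan.fire.includes(tag.id)) continue;
    const s = doc.createElement('script');
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return plan;
}

// Usage in a page would be:
//   applyPlan(planTagLoads(readSignals(navigator, window.localStorage), TAG_CATALOGUE), TAG_CATALOGUE, document);
const demo = planTagLoads({ gpc: true, choice: 'none' }, TAG_CATALOGUE);
console.log(JSON.stringify(demo, null, 2));
```

One design choice worth stating: GPC here blocks only tags flagged as a sale or share, because that is what the signal legally expresses, so a vendor operating under a service-provider contract may still load. A stricter program can treat GPC as a full opt-out by flagging every non-essential tag as `saleOrShare`. Either way, the returned plan, not the UI toggle, is the artifact that proves what was and was not allowed to fire.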
Step 4: Track consumer requests with timelines and outcomes
An evidence-ready consumer rights system should document the intake date and channel, identity verification steps, scope of request, and actions taken across systems to honor the request. It should also document responses, including any extensions and the justification behind them.
Case-management workflows can be pulled as evidence. Time-stamped tickets, SLAs, and responses all form a defensible evidence package.
Step 5: Preserve historical compliance records with time stamps
Under CPRA, your cybersecurity audit report isn’t just a compliance artifact. It’s a legal document that can be pulled into regulatory investigations and litigation.
While regulations explicitly require 24 months of consumer request records, enforcement practice suggests thinking longer-term. CPPA’s statute of limitations for administrative actions is five years.
For example, in a recent enforcement action on DoorDash, the AG’s office asked for records dating all the way back to January 2020, which was the first month CCPA took effect.
Keep key artifacts like privacy policy versions, system diagrams, tag inventories, vendor lists, and risk assessment summaries for at least five years in exportable, human-readable formats. Time stamps are crucial, as they help regulators trace a proper trail and verify versions.
How AlphaPrivacy AI generates audit-ready evidence
Evidence isn’t about marketing claims or glossy policies. It’s about traceability, consistency, and the ability to validate statements against independent facts.
Manual approaches don’t deliver that. Privacy notices drift out of sync with tracking stacks. Consent management platforms log user clicks but can’t prove tags stopped firing. Vendor inventories go stale between audits. And historical records get scattered across email threads and spreadsheets.
AlphaPrivacy AI closes those gaps by generating the evidence regulators expect.
It enforces consent in real-time with continuous monitoring
AlphaPrivacy AI continuously monitors all data collection across your website with AI-powered tracking detection. It discovers cookies, pixels, and scripts as they’re deployed, maps them to vendors and data categories, and maintains a living inventory that stays current as your stack evolves.
So when a user opts out or withholds consent, the platform enforces that preference in real time, blocking non-essential tags from firing and stopping data transmission before it leaves the browser.
It automatically adapts to geography and regional laws
The platform automatically adapts to privacy requirements across jurisdictions. California visitors see GPC enforcement and CCPA-compliant opt-out mechanisms. Visitors from other states and regions, like Europe and the UK, see consent flows tailored to their applicable laws without manual configuration.
Then it compiles everything into an audit-ready evidence package
The platform automatically collects evidence showing what data flows to which third parties, consent enforcement records proving opt-out preferences stop data transmission, and historical compliance records demonstrating continuous alignment rather than point-in-time snapshots.
So when a regulator asks what tracking technologies were active during a specific period, you can produce an answer immediately.
The Bottom Line
The gap between privacy notices and the mechanisms that back them is where enforcement happens. To close it, organizations need to continuously document and monitor their systems to prove compliance throughout the year. That way, you stay compliant at all times, not just at a point in time every six months.
And that’s how you respond with reliability and definitive evidence when an inquiry letter asks you to produce years of records.
Schedule a demo today to assess your current evidence readiness and explore how AlphaPrivacy AI generates the audit-ready documentation California regulators expect.