Tag: compliance

Categories
Compliance and AI

Compliance and AI: Harnessing AI and Innovation: A Deep Dive into Compliance and Disruption with Jag Lamba

What is the role of Artificial Intelligence in compliance? What about Machine Learning? Are you using ChatGPT? These are but three questions we will explore in this cutting-edge podcast series, Compliance and AI, hosted by Tom Fox, the award-winning Voice of Compliance. In this episode, Tom is joined by Jag Lamba for a discussion on the intersection of innovation and disruption.

Jag frames his thoughts on disruption through theories from Clayton Christensen and practical examples from ventures like Tesla. They explore how these concepts translate to the compliance world, particularly through the lens of artificial intelligence. Jag elaborates on the role of generative AI in streamlining third-party risk management, from data gathering to ongoing monitoring. He shares insights on embedding compliance into core business processes, reducing friction, and creating commercial value, highlighting success stories and future potential. They look into the use of RegTech for policy management and regulatory updates, emphasizing the importance of automation for modern compliance frameworks. The podcast showcases how AI can transform compliance from a costly necessity to a strategic asset that drives business efficiency and growth.

Key highlights:

  • Understanding Disruption and Innovation
  • Elon Musk’s Approach to Innovation
  • AI in Third Party Risk Management
  • The Value of AI in Compliance
  • RegTech for Automated Compliance
  • Embedding Compliance into Business Processes

Resources:

Jag Lamba on LinkedIn

Certa AI 

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Creativity and Compliance

Creativity and Compliance – Bringing Joy to Compliance: A Conversation with Virginia MacSuibhne

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the award-winning Compliance Podcast Network.

Ronnie’s company, Learnings, and Entertainment, utilizes the entertainment devices people use to consume information in their everyday, non-work lives and apply it to important topics around compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible. In this episode of Creativity and Compliance, Tom Fox and Ronnie Feldman are joined by Virginia MacSuibhne, former Chief Compliance Officer for Roche and Agilent Technologies.

Virginia shares her unique approach to making compliance accessible, engaging, and fun. Emphasizing the importance of a personal brand, she discusses her philosophy of authenticity and how it translates into creating clear, actionable, and enjoyable guidance. Her unconventional methods, including using infographics, breaking down complex policies, and injecting humor and personal interests, have significantly impacted employee engagement and compliance culture.

Virginia highlights the critical role of user experience (UX) in compliance, urging practitioners to rethink their policies and communication strategies. She shares anecdotes of her creative initiatives, such as wearing a unicorn costume to training sessions, integrating compliance messages into existing training programs, and making hotline experiences as user-friendly as possible. Her mantra, ‘What makes you weird makes you wonderful,’ encourages compliance professionals to bring their unique selves to their work to foster a more approachable and effective compliance environment.

Key highlights:

  • Virginia’s Philosophy on Compliance
  • Creating an Engaging Compliance Program
  • Simplifying Policies and Procedures
  • Innovative Training and Communication Techniques
  • Overcoming Pushback and Building a Business Case

Resources:

Virginia MacSuibhne on LinkedIn

Ronnie:

  • Learnings & Entertainments (Website)
  • Compliance Confessions – inspired by “Mean Tweets,” these 90-second commercials address misconceptions and excuses to promote speak-up culture and the E&C team as positive and helpful.
  • E&C Training Jams – a soulful singer banters with ethics & compliance, explaining policies, sharing examples, and debunking excuses. 
  • Tales from the Hotline – Real speak up-themed stories about workplace behavior gone wrong.
  • Workplace Tonight Show! – E&C meets SNL Weekend Update, explaining corporate risk topics and why employees should care.
  • 60-Second Communication & Awareness Shorts – A variety of short, customizable, music and multimedia, quick-hitter “commercials” promoting integrity, compliance, speaking up, and the E&C team as helpful advisors and coaches.
  • Custom Live & Digital Programing – Custom creative programming that balances the seriousness of the subject matter with a more engaging delivery. After all, you can’t bore people into learning.

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Creativity and Compliance was recently honored as one of the Top 35 Podcasts on Creativity by Feedspot.

Categories
Blog

Stepping Up and Stepping Forward: The Future of Compliance in an Age of AI and Deregulation

The world of compliance took a surprising turn this February with the Executive Order issued by the President suspending FCPA investigation and enforcement. This was followed in short order by the dismissal, after six years of prosecution, of the two ex-Cognizant Technology executives charged with paying or authorizing the payment of bribes in that case. It now appears that both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA units will be eviscerated and even shut down by the Administration. These significant legal rollbacks have ignited a series of conversations about the very essence and future of the compliance profession. As compliance professionals, many of us are left pondering, where exactly does compliance go from here?

I recently discussed this topic on the Compliance into the Weeds podcast with Matt Kelly, reflecting on his insights from a compliance event held in Boston he wrote about in a blog post in Radical Compliance. Matt highlighted a prevalent unease among compliance officers, underpinned by two primary concerns: the potential redundancy of compliance roles due to relaxed regulatory scrutiny and the impact of advancing technology, particularly AI, on compliance functions.

First, tackle the issue of regulatory rollback. The Trump administration has shown a clear inclination toward scaling back certain regulatory requirements, warranted or not. But there is a critical takeaway. It is not 2010, at the modern beginnings of compliance; it is 2025, and compliance is fundamentally different from what it was 15 years ago. Compliance practices and ethics programs have become deeply integrated into business operations, creating intrinsic value that transcends mere regulatory requirements. These practices have proven essential not only for managing regulatory risk but also for effectively managing broader business risks, operational efficiency, and corporate reputation.

Yet, despite the embedded nature of compliance in modern corporations, there’s a troubling scenario Matt outlined based on a keen observation from Kristy Grant-Hart. Could compliance functions gradually be absorbed by other departments? Could compliance tasks like hotline management drift toward HR, regulatory compliance fall into the hands of the legal department, and privacy compliance become the responsibility of IT security? Unfortunately, this scenario is not entirely implausible. Some short-sighted organizations might indeed take this fragmented route, viewing it as an opportunity to reduce headcount and costs.

Both Matt and I agree this is a dangerous and ultimately costly path. Fragmenting compliance capabilities across departments risks creating silos, precisely what compliance professionals have spent years fighting against. Silos impede effective communication and cloud transparency and hinder the swift, coordinated responses necessary to manage risk in today’s complex business environments. In short, this fragmentation threatens operational integrity, compliance effectiveness, and, ultimately, corporate profitability.

Instead of retrenching, compliance professionals must seize this uncertain moment as an opportunity. This is a time to demonstrate conclusively how compliance adds tangible business value beyond regulatory mandates. Hui Chen beautifully articulated this sentiment in her insightful blog post, urging compliance leaders to elevate their roles proactively. Chen recommends re-evaluating and broadening our compliance messaging, enhancing engagement with leadership, and demonstrating the clear business value compliance delivers to the organization.

Now, when we look at technology, particularly AI, there is palpable excitement and understandable anxiety within our compliance community. AI presents both extraordinary potential and a perceived threat. The crux of the concern is straightforward: could AI replace human compliance professionals?

AI undoubtedly enhances compliance capabilities significantly; it empowers us to manage larger, more complex data sets, swiftly identifies risks, automates repetitive compliance tasks, and enriches our analytical capabilities. But here’s the fundamental truth: AI requires a “human in the loop.” Human oversight, nuanced judgment, ethical considerations, and strategic thinking cannot, and should not, be outsourced entirely to algorithms.

Moreover, AI is not a threat but a tool that amplifies the effectiveness of compliance officers. Compliance professionals should proactively harness AI to enhance third-party risk management, improve whistleblower and speak-up programs, conduct more nuanced behavioral analytics, and streamline compliance training and communication. AI is here to augment, not eliminate, the vital role of the compliance officer.

Short-sighted individuals will always view AI as a cost-cutting opportunity. These individuals might attempt to unravel compliance functions, dispersing responsibilities across various departments supported by AI, thereby undermining the coherent strategic value a centralized compliance function provides.

Our response as compliance professionals should be unequivocal; robust compliance management and risk assessment capabilities are more critical now than ever. Compliance functions must remain centralized and strategic, leveraging technology to enhance rather than dilute their impact. We must clearly demonstrate to senior management how a strong, unified compliance function, bolstered by advanced technologies like AI, not only ensures regulatory compliance but actively strengthens operational resilience, business efficiency, and profitability.

In closing, Matt and I both agree these are indeed challenging and uncertain times for the compliance profession. However, they also represent a profound opportunity for growth and innovation and demonstrate the indispensable value compliance brings to businesses. Compliance professionals must rise to this challenge, proactively shaping the future rather than passively waiting for it to unfold.

As Matt aptly concluded, and I echo wholeheartedly, “I would bet on the durability of the ethics and compliance profession every day of the week.” I would only add that now is unquestionably the moment for compliance to step forward confidently, embracing innovation and clearly demonstrating its value as a strategic partner in business success.

Categories
Red Flags Rising

Red Flags Rising: S01 E04 – FRESH LOOKS: Export Controls Penalties

In Episode 4, Mike and Brent revisit another of their prior “Fresh Looks” posts on the NYU Law School’s Program on Corporate Compliance & Enforcement (“PCCE”) blog. This one concerns export control penalties and what to make of recent statements attributed to Commerce Secretary Howard Lutnick and Undersecretary Jeffrey Kessler. Mike and Brent discuss the context for the original November 14, 2023, post (00:30), how historical FCPA penalties compared to U.S. export controls penalties prior to the April 2023 Seagate resolution (01:26), what current official statements and enforcement trends mean for c-suites and boards (02:59), a recent Export Compliance Daily article regarding internal BIS discussions about enforcement priorities (04:57), how to prepare (07:23) for high probability-based enforcement (08:52), the role of the DOJ’s National Security Division (11:01), and conclude with Brent Carlson’s “Managing Up” segment (12:30).

Resources:

Brent LinkedIn

Mike LinkedIn

Mike & Brent’s “Fresh Looks” Series

Categories
Blog

Gerry Zack Reports on from the OECD

Gerry Zack recently attended the OECD 2025 Global Anti-Corruption and Integrity Forum Conference in Paris. I was able to catch up with Gerry about his reflections on the conference. The full interview is found on this episode of the FCPA Compliance Report. This event has long been a cornerstone in the global compliance calendar, and this year’s gathering confirmed what many in the compliance profession already suspected: the expectations for corporate compliance programs are not only rising, but they are expanding in scope, depth, and accountability.

Over several days of panel discussions, roundtables, hallway conversations, and formal presentations, Zack heard from government regulators, corporate leaders, NGO advocates, academics, and frontline compliance professionals. Each brought their perspectives, but the collective message was clear: compliance has matured. It’s no longer a reactive function that kicks into gear when things go wrong. It is a proactive, dynamic, and essential business function that must be embedded throughout the organization, from the boardroom to the back office. Here are Zack’s key takeaways from the conference.

1. Compliance Has Gone Global—And So Have the Regulators

The global nature of risk is not new. However, what is new is the increasing level of coordination and information-sharing among regulators. This year’s Forum showcased how cross-border enforcement is now the norm, not the exception.

Representatives from Brazil, Germany, South Africa, and Indonesia all spoke candidly about their partnerships with international bodies like the OECD Working Group on Bribery, the United Nations Office on Drugs and Crime (UNODC), and national law enforcement agencies including the U.S. Department of Justice and the UK Serious Fraud Office.

Couple this with the task force recently created by the UK, France, and Switzerland, and it creates an undeniable takeaway for the corporate world: Enforcement is no longer local. It is global, coordinated, and deeply interconnected.

This means that compliance teams must have scalable internal controls, third-party risk processes, and applicable investigation protocols across jurisdictions. A weak compliance program in a high-risk country is no longer just a local problem; it is a potential global liability.

2. The Definition of “Compliance Risk” Is Expanding Rapidly

You’re missing the bigger picture if your organization still structures your compliance risk assessment around bribery, fraud, and financial misconduct alone. One of the most notable shifts at this year’s conference was the broadening of the integrity lens.

Some of the key areas compliance professionals are being asked to tackle:

  • Human rights violations in supply chains;
  • Climate-related disclosure risks;
  • Workplace harassment and DEI failures;
  • Misinformation and data ethics risks; and
  • AI governance and algorithmic bias.

As one panelist from the European Commission aptly said, “Integrity today includes not just what’s illegal but what’s unethical, unsustainable, or irresponsible.”

This evolution presents a golden opportunity for compliance professionals to step into broader leadership roles, working cross-functionally with ESG teams, legal departments, HR, procurement, and IT. However, it also means that risk ownership needs to be clarified. If your risk universe is expanding, your governance model should evolve with it.

3. Real-Time Monitoring and Data-Driven Compliance Are the New Norm

Several sessions at the Forum focused on the power of data analytics and automation in transforming compliance programs. Gone are the days when manual, quarterly sample testing was enough. Today’s compliance function must be continuous, predictive, and digital. Here are some of the key advancements discussed:

  • AI-driven due diligence tools that adapt based on geopolitical risk signals;
  • Transaction monitoring platforms that flag anomalies in near real-time;
  • Natural language processing (NLP) is used to screen internal communications for misconduct indicators and
  • Dashboarding that visualizes cultural metrics, training gaps, and hotline responsiveness

One global bank compliance leader shared how their monitoring system identified an uptick in vendor payments in a particular region, triggering a review that uncovered a corruption scheme in its early stages.

The message was clear: if regulators are using data to investigate you, you should be using data to stay ahead of them.

Of course, technology is not a silver bullet; it requires investment, integration, and governance. But the future of compliance will be won by those who use data not just for reporting, but for anticipating risk and enabling the business to act decisively.

4. Culture is No Longer a “Soft” Metric—It’s a Leading Indicator

One of the most powerful sessions I attended focused on measuring and monitoring organizational culture. For years, compliance professionals have been saying, “Culture eats policy for breakfast.” Now, regulators are saying it, too, and they are acting on it.

Several enforcement agencies, including the U.S. DOJ and French AFA have signaled that they now interview employees at various levels during investigations to assess whether a company’s compliance program is truly operational or just a paper tiger. As a compliance professional, you need to move from showing what policies you have in place and procedures to implement them to whether your employees believe in them.

In practice, this means you should use such tools as

  • Pulse surveys should become a regular part of your compliance toolkit.
  • Behavioral metrics, such as speaking-up rates, bystander intervention, and trust in investigations, matter more than ever.
  • Leadership modeling and how your senior managers demonstrate (or fail to demonstrate) ethical conduct will be scrutinized.

In short, culture has become a measurable compliance risk factor. And you need to be able to show not just that you have a positive culture but that you’re tracking it, nurturing it, and improving it.

5. Community Is Compliance’s Secret Weapon

One of the most energizing aspects of the OECD Forum is not just the content; it is the people. Zack walked away from the conference, reminded that compliance professionals do not have to go it alone. Whether you are a seasoned CCO at a multinational or a solo compliance officer at a mid-market company, the challenges we face are surprisingly similar. The OECD Forum reminded me just how powerful our community can be when we share resources, ask hard questions, and commit to learning from each other.

If there is one thing we have all learned over our collective years in the compliance field, it is that the best compliance programs are not built in isolation. They are informed by the wisdom of others, through conferences, working groups, webinars, and yes, even podcasts.

Keep the Conversation Going

After the final session of the OECD Forum, an attendee asked a simple question: “How do we keep this conversation alive after we go back to our companies? ”

The answer is the same one I will leave you with: reach out. Keep the dialogue going. Ask questions. Share what is and perhaps what is not working for you. Stay engaged and connected.

Categories
Compliance Into the Weeds

Compliance into the Weeds: The Role of Compliance Going Forward

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly take a deep dive into the intricate future of corporate compliance amidst changes brought by the presidential executive order suspending FCPA investigation and enforcement.

Matt shares insights from a recent Compliance Week event in Boston, highlighting concerns among compliance professionals about the potential obsolescence of their roles. The discussion covers two primary scenarios: regulatory relaxation, making dedicated compliance roles redundant, and technological advancements, particularly AI, potentially replacing human compliance officers. However, both agree on the enduring importance of robust compliance functions integrated within corporate structures, emphasizing the strategic value of compliance in risk management and business operations.

They explore the dual excitement and anxiety surrounding AI’s role in compliance. Matt and Tom caution against shortsighted management decisions to decentralize compliance functions and highlight how AI can be harnessed to enhance rather than replace human oversight. They argue for proactive measures from compliance officers to demonstrate their value and leverage AI to improve compliance programs. As Matt eloquently puts it, this is a challenging yet opportune time for compliance professionals to up their game and secure their vital role in ensuring corporate integrity and efficiency.

Key highlights:

  • The Future of Compliance Post-Executive Order
  • The Role of Technology in Compliance
  • AI’s Impact on Compliance Officers
  • Strategic Imperatives for Compliance

Resources:

Matt in Radical Compliance

Tom in the FCPA Compliance and Ethics Blog

Hui Chen A Pause in FCPA Enforcement: Crisis or Opportunity

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Compliance into the Weeds was recently honored as one of a Top 25 Regulatory Compliance Podcast

Categories
Daily Compliance News

Daily Compliance News: April 2, 2025, The All WSJ Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News—all from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • What is the true cost of corruption-lost lives? (WSJ)
  • Agentic AI and ‘a moment of truth.’ (WSJ)
  • Head of EU Competition heads to US for Liberation Day. (WSJ)
  • The eyes of Dr. T. J. Eckleburg. (WSJ)
Categories
SBR - Authors' Podcast

Transforming Corporate Careers: From Business to Academia to Fiction with Dr. James Gregory

Welcome to the SBR-Authors Podcast! In this podcast series, host Tom Fox visits with authors in the compliance arena and beyond. Today, Tom is joined by Dr. James Gregory, an author, academician, and former corporate branding expert.

They look at Dr. Gregory’s fascinating career journey from a graphic designer in New York to a celebrated author, highlighting the evolution of his professional life and the development of his research on corporate branding, which led to the creation of the Core Brand Index. Dr. Gregory also shares insights into his transition from non-fiction to fiction writing, providing a glimpse into his writing process and his passion for various genres.

Key highlights include Dr. Gregory’s discovery of his love for research during his academic pursuits, the inspiration behind his first novel, ‘Zephyr War,’ and his upcoming projects, including a book inspired by childhood games. This episode is a must-listen for compliance professionals eager to explore the intersections of corporate compliance, branding, and the literary world.

Key highlights:

  • Dr. Gregory’s Professional Journey
  • The Evolution into Academia
  • Transition to Fiction Writing
  • Writing Process and Character Development
  • Exploring Multiple Genres

Resources:

James Gregory Website

James Gregory on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

Daily Compliance News: April 1, 2025 the Hurry Up Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance brings to you compliance related stories to start your day. Sit back, enjoy a cup of morning coffee and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership or general interest for the compliance professional.

  • How Deutsche hid problems from regulators. (WSJ)
  • Adams asks judge to hurry up and dismiss his case.  (NYT)
  • Apple hit with $192MM anti-trust fine in France. (Reuters)
  • End of American exceptionalism. (Bloomberg)
Categories
Blog

What’s Under Your Hood? The CCPA and Compliance

California’s privacy agency, the California Privacy Protection Agency (CCPA), targeted design features and contracting policies used by many companies in its inaugural enforcement strike under the state’s data privacy law. This demonstrates a “broad regulatory approach experts say promises to heat up as the agency continues to mature.” In an article in Law360, author Allison Grande looked at the recent enforcement action against American Honda Motors Company (Honda).

California’s recent privacy enforcement action against Honda has made headlines, and rightly so. This inaugural move by the California Privacy Protection Agency (CPPA) sends an unmistakable signal to corporate compliance professionals: it’s time to examine data privacy practices closely or risk significant consequences.

The CPPA’s allegations against Honda were not industry-specific; instead, the allegations highlighted universal challenges and concerns around data privacy practices and compliance that apply broadly across sectors. Why should compliance professionals sit up and pay close attention?

Firstly, consider consumer data requests. Honda faced scrutiny for requiring excessive information from consumers exercising their privacy rights, specifically when opting out or limiting data use. This nuanced point underscores a critical compliance lesson: not all privacy rights are equal, nor should they be managed uniformly. Compliance teams must tailor their mechanisms, perhaps even developing distinct web forms or processes, to differentiate between requests requiring identity verification and those not.

Grande quoted Gregory Leighton from Polsinelli PC, who said, “Once there’s an investigation open, the CPPA will clearly look at everything.” An open investigation invites regulators to scrutinize every aspect of your compliance program. Compliance teams need robust processes and airtight documentation to withstand such scrutiny.

Secondly, the issue of “symmetry in choice” came into sharp focus. Honda was flagged for making it more straightforward for users to activate advertising cookies than turning them off, a seemingly minor point with significant implications. It emphasizes that regulators now view user experience in data privacy tools through a strict compliance lens. A two-step process for disabling versus a one-step process for enabling cookies was enough to trigger regulatory criticism. Compliance officers should revisit user interfaces of consent management platforms and cookie notices, ensuring equal simplicity in opting both in and out.

Another critical compliance takeaway surrounds vendor management and contract documentation. Honda stumbled by not swiftly producing its contracts with third-party advertisers. This illustrates vividly that having contracts isn’t enough; immediate access and retrieval capability are equally crucial. Grande quoted Lily Li of Metaverse Law, who noted, “The Privacy Protection Agency was looking under the hood,” spotlighting the importance of being compliance-ready regarding documentation.

Beyond immediate lessons, this enforcement marks a new maturity stage for the CPPA. The agency’s stringent interpretations mean past assumptions about compliance, such as the adequacy of generic, broadly used privacy forms or common consent tools, are being upended. Compliance teams should anticipate increasingly rigorous scrutiny and proactive enforcement stances from regulators.

Lisa Sotto, chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP, summarized her thinking, indicating California’s regulator’s growing maturity and stringent interpretations. Similarly, Travis LeBlanc from Cooley LLP emphasizes that this enforcement action has broader implications for any company engaging digitally with consumers, highlighting the CPPA’s widening lens.

Adding to the urgency is the CPPA’s leadership transition. The incoming executive director, cybersecurity veteran Tom Kemp, signals a future of heightened enforcement activity. Kemp’s background and commitment to stringent enforcement strongly suggest a proactive regulatory stance.

Compliance professionals must recognize that federal pullback on data privacy regulation will likely spur increased state activity. California’s actions could be the vanguard for similar initiatives in other states. Manatt’s Brandon Reilly notes the completion of rulemaking and transition toward increased enforcement activities at the CPPA, predicting a significant uptick in regulatory actions.

In short, compliance teams must prioritize several key actions to remain ahead of this regulatory curve.

  • First, differentiated handling for various privacy rights requests is crucial. Compliance teams need precise frameworks and targeted methodologies to distinguish between requests that necessitate identity verification and those that do not, ensuring effective and compliant processes.
  • Second, ensuring symmetrical ease in privacy-related user choices demands careful evaluation of user interfaces and consent management tools. Regulators will increasingly expect businesses to offer equally simple options for consumers to turn data-sharing functions on or off, emphasizing intuitive design and fairness.
  • Third, rapid accessibility and comprehensive documentation of third-party contracts have become imperative. Compliance teams must establish contractual arrangements with vendors clearly defining data handling and protection standards and maintain them in an organized, readily accessible manner to respond swiftly to regulatory inquiries and investigations.

The CPPA’s Honda is not simply California-specific but a wake-up call nationwide. Compliance professionals must heed this signal and review and reinforce privacy programs proactively. As Leighton warns, the enforcement action is likely “just the tip of the iceberg.” Now is the time for compliance to look deeply and proactively under their data privacy hoods.