
CCPA Penalties and Fines: Enforcement Consequences Explained

Understanding CCPA penalties helps businesses prioritize compliance investments and assess risk. California has both regulatory enforcement and private litigation pathways, each with significant financial exposure.

Key Takeaways

| Point | Summary |
|---|---|
| Regulatory fines | Up to $2,663 per violation; $7,988 for intentional violations or minors' data |
| Private action damages | $107-$799 per consumer per data breach incident |
| No violation cap | Penalties accumulate per consumer, per violation |
| Enforcement bodies | California AG and California Privacy Protection Agency |
| Largest settlement | Disney at $2.75 million (2025) |

Quick Answer: CCPA violations can result in regulatory fines of $2,663-$7,988 per violation with no cap, plus private lawsuits for data breaches with statutory damages of $107-$799 per consumer. Major settlements have reached $2.75 million, and class actions can create exposure in the tens of millions.

Penalty Structure Overview

Regulatory Penalties (AG and CPPA)

| Violation Type | Maximum Penalty (2025) |
|---|---|
| Unintentional violation | $2,663 per violation |
| Intentional violation | $7,988 per violation |
| Violation involving a minor's data | $7,988 per violation |
| No cure after 30 days | Full penalty applies |

Private Right of Action (Data Breaches Only)

| Damage Type | Amount (2025) |
|---|---|
| Statutory minimum | $107 per consumer per incident |
| Statutory maximum | $799 per consumer per incident |
| Actual damages | Available if greater |
| Injunctive relief | Available |

Penalty Adjustments

Penalties are adjusted every two years based on the Consumer Price Index:

| Year | Standard | Intentional/Minor |
|---|---|---|
| 2020 (original) | $2,500 | $7,500 |
| 2025 (current) | $2,663 | $7,988 |
| 2027 | TBD (CPI adjustment) | TBD |

How Violations Accumulate

Per-Consumer Calculation

Each affected consumer represents a separate violation:

| Scenario | Potential Penalty Range |
|---|---|
| 10,000 consumers affected | $26,630,000 - $79,880,000 |
| 100,000 consumers affected | $266,300,000 - $798,800,000 |
| 500,000 consumers affected | $1,331,500,000 - $3,994,000,000 |

Per-Violation Calculation

Each CCPA provision violated counts separately:

| Example Violations | Count |
|---|---|
| No privacy policy disclosure | 1 violation per consumer |
| Plus missing opt-out link | 2 violations per consumer |
| Plus failure to honor GPC | 3 violations per consumer |

Enforcement Authorities

California Attorney General

| Authority | Details |
|---|---|
| Jurisdiction | Civil enforcement of CCPA |
| Actions | Civil lawsuits, settlements |
| Penalties | Civil penalties per violation |
| Focus areas | Consumer opt-out, disclosures, data practices |

California Privacy Protection Agency (CPPA)

| Authority | Details |
|---|---|
| Jurisdiction | Administrative enforcement |
| Actions | Administrative fines, orders |
| Penalties | Administrative penalties per violation |
| Focus areas | Regulations compliance, systematic violations |

Overlapping Authority

| Aspect | Details |
|---|---|
| Coordination | AG and CPPA coordinate enforcement |
| Separate actions | Either can bring actions independently |
| Not duplicative | Generally do not both pursue the same matter |

Notable Enforcement Actions

Major Settlements and Fines

| Company | Year | Amount | Issues |
|---|---|---|---|
| Disney | 2025 | $2,750,000 | Opt-out non-compliance |
| Healthline Media | 2024 | $1,550,000 | Tracking, advertising, opt-out |
| Jam City | 2024 | $1,400,000 | No opt-out in apps, children's data |
| Tractor Supply | 2025 | $1,350,000 | Investigation compliance |
| Honda | 2025 | $632,500 | Opt-out complexity, excessive data requests |
| Sling TV | 2024 | $530,000 | Confusing opt-out, children's data |
| DoorDash | 2024 | $375,000 | Data sharing without notice/opt-out |

Common Violation Patterns

| Violation Type | Frequency |
|---|---|
| Opt-out mechanism failures | Very common |
| GPC non-compliance | Increasing focus |
| Inadequate disclosures | Common |
| Children's data issues | High penalty priority |
| Data sharing without contracts | Common |

Private Litigation

Requirements for Private Action

| Element | Required |
|---|---|
| Data breach | Yes, must be a breach |
| Non-encrypted data | Yes, unless the key was also breached |
| Security failure | Yes, violation of the reasonable security duty |
| Pre-suit notice | Yes, 30-day notice required |

Class Action Exposure

| Factor | Impact |
|---|---|
| Large user base | Higher potential damages |
| Sensitive data | More likely litigation |
| Clear security failure | Stronger plaintiff case |
| No encryption | No safe harbor |

Settlement Trends

| Settlement Range | Typical Scenario |
|---|---|
| Under $1 million | Smaller breaches, quick settlements |
| $1-10 million | Mid-size breaches, negotiated resolution |
| $10+ million | Large breaches, prolonged litigation |

Mitigating Penalty Risk

Compliance Program Elements

| Element | Risk Reduction |
|---|---|
| Privacy policy compliance | Reduces disclosure violations |
| Opt-out mechanisms | Reduces opt-out violations |
| GPC compliance | Reduces opt-out violations |
| Security measures | Reduces private action risk |
| Staff training | Reduces the likelihood of an intentional-violation finding |

Demonstrating Good Faith

| Factor | Effect on Penalties |
|---|---|
| Voluntary compliance | May reduce penalties |
| Prompt remediation | Favorable consideration |
| Cooperation | May reduce penalties |
| Prior history | Clean history favorable |
| Self-reporting | May reduce penalties |

30-Day Cure Period (Regulatory)

| Aspect | Details |
|---|---|
| Availability | Only for regulatory violations |
| Timing | 30 days from AG notice |
| Scope | Must cure and commit to no recurrence |
| Effect | May avoid civil action if cured |
| Limitation | Not applicable to data breaches |

Insurance Considerations

Cyber Insurance Coverage

| Coverage Type | Typical CCPA Application |
|---|---|
| Regulatory defense | AG and CPPA investigations |
| Regulatory fines | May be limited or excluded |
| Privacy liability | Private lawsuits |
| Breach response | Notification, remediation costs |

Policy Limitations

| Limitation | Consideration |
|---|---|
| Intentional acts exclusion | May not cover knowing violations |
| Prior acts | Coverage may be limited |
| Consent requirements | Insurer approval required for settlements |
| Sublimits | Regulatory fines often sublimited |

Enforcement Trends

Increasing Activity

| Indicator | Trend |
|---|---|
| Number of enforcement actions | Increasing |
| Settlement amounts | Increasing |
| Focus on GPC | Growing priority |
| Proactive sweeps | AG and CPPA conducting sweeps |
| Industry targeting | Ad tech, retail, mobile apps |

2025-2026 Priorities

| Focus Area | Details |
|---|---|
| GPC compliance | Multi-state sweep underway |
| Automated decision-making | New regulations taking effect |
| Advertising technology | Continued scrutiny |
| Data minimization | Increasing emphasis |
| Cybersecurity | New audit requirements |

Avoiding Common Violations

Opt-Out Compliance

For detailed implementation guidance, see CCPA opt-out requirements.

| Requirement | How to Comply |
|---|---|
| Visible link | On the homepage, not buried |
| Functional mechanism | Actually stops sale/sharing |
| GPC honoring | Detect and respect signals |
| No dark patterns | Easy, symmetric process |

Disclosure Compliance

| Requirement | How to Comply |
|---|---|
| Complete categories | List all collected PI categories |
| Accurate purposes | Match disclosed purposes to actual use |
| Updated annually | Review and refresh |
| Accessible format | Plain language, findable |

Security Compliance

For detailed security guidance, see CCPA data security requirements.

| Requirement | How to Comply |
|---|---|
| Reasonable measures | Implement CIS Controls v8 or equivalent |
| Encryption | Encrypt PI at rest and in transit |
| Key management | Secure key storage |
| Documentation | Evidence of a security program |

How Bastion Helps

Understanding and mitigating penalty risk requires comprehensive compliance programs.

| Challenge | How We Help |
|---|---|
| Risk assessment | Identify areas of highest penalty exposure |
| Compliance gaps | Find and fix violations before enforcement |
| Opt-out implementation | Compliant mechanisms including GPC |
| Security program | Reasonable security measures |
| Documentation | Evidence collection for defense |
| Monitoring | Ongoing compliance verification |
