Since 2020, the California Consumer Privacy Act (CCPA) has acted as a watchdog for Californian privacy and data security. CCPA gives state residents rights to control their data, limits data sharing activities, tightens data security requirements, and prescribes financial penalties for non-compliance.

This article explains how CCPA defines violations and how regulators and courts enforce the regulations. We will explore the size of potential fines, discuss some real-world examples, and offer tips to prevent CCPA violations.

What constitutes a CCPA violation?

The California Consumer Privacy Act safeguards the privacy of California residents, similar to privacy laws like the EU's GDPR. Under the CCPA, companies must:

  • Take "reasonable security measures" to protect personal information.
  • Inform customers about data collection and request consent before gathering data.
  • Enable access to consumer data held about individuals. Companies must explain why data collection is necessary, detail the type of data collected, and list any third parties with access to that data.
  • Allow data removal after user requests (unless there is a legitimate business or legal reason to retain information).
  • Stop sharing customer data with third parties following a customer request. Companies must gain consent to transfer data to other companies and enable data portability between similar organizations.
  • Allow consumers to opt out of automated decision-making systems.
  • Not discriminate against customers for any reason and ensure consistent data processing.

CCPA violations occur when companies active in the State of California do not meet the above requirements or if they breach consumer rights specified by the CCPA.

It's important to note that CCPA does not affect all California companies. Covered organizations must have revenues exceeding $25 million, handle personal information from 50,000 California households, or earn over half of their revenues from selling personal data.

Consumers can enforce their CCPA rights by bringing lawsuits against companies that meet those conditions. Section 1798.155 of the privacy laws provides a private right of action. California residents can file lawsuits and claim damages based on CCPA penalties.

At this point, companies may have an opportunity to remedy privacy failures. Defendants have 30 days to change their systems or policies to avoid similar violations in the future. In severe cases, however, consumers can enforce the private right of action immediately; the 30-day window does not apply.

If companies fail to rectify violations, the case proceeds to court. Courts determine whether companies have committed CCPA violations. When making this decision, the court considers:

  • Severity. What consequences has the violation had for individual privacy and safety? Severe breaches, such as those exposing private tax or health data, incur higher fines than relatively trivial failures.
  • Duration. For example, the court may issue more severe fines for a long-term data breach.
  • Number of violations. Companies can expect higher CCPA penalties if violations affect large communities of residents.
  • Responsibility. Was the violation accidental or deliberate? Courts consider whether companies willfully put data at risk or harmed customers. Failure to implement security controls usually represents an intentional violation, leading to higher penalties.
  • The defendant's means. Courts generally issue higher CCPA fines to larger, wealthier organizations. Civil penalties may take liabilities into account to avoid business failure.

Civil cases are not the only CCPA enforcement mechanism. The Office of the State Attorney General also launches investigations for CCPA violations. This applies even in the absence of consumer complaints. If the AG decides to act, companies have a 30-day window to make changes in all cases.

What are the penalties for CCPA violations?

Violating the California Consumer Privacy Act can be extremely expensive. For companies operating in the state, ensuring consumer privacy and securing private data should be top priorities.

Under the CCPA, enforcement actions by the California Attorney General result in financial penalties. The size of CCPA fines varies depending on the nature and extent of the violation:

  • Unintentional violations result in CCPA penalties of $2,500 per violation. This penalty also applies to every violation that companies fail to address within the 30-day mitigation window.
  • Intentional violations incur higher CCPA fines. In that case, courts can fine companies $7,500 per violation.

There are no upper limits for CCPA penalties. Compliance fines rise with the number of affected individuals, potentially leading to multi-million dollar costs.

The cost of CCPA non-compliance

CCPA non-compliance damages corporate finances in several ways. The cost of violations extends beyond basic fines, and companies must understand the consequences of poor data security or privacy safeguards. CCPA costs take the following forms:

  • Injunctions: The Office of the State Attorney General can issue injunctions to companies. Injunctions force violators to stop collecting or using data in ways that contravene CCPA. In extreme cases, regulators can halt business operations entirely.
  • Intentional violation penalties: Penalties for intentional violations can reach $7,500 per breach. This applies to each individual affected by the violation. If companies handle the data of thousands of California residents, fines can rapidly rise. Cure periods apply for intentional violations, enabling organizations to avoid the most severe CCPA penalties.
  • Unintentional violation penalties: Fines for unintentional violations are $2,500 per breach. The 30-day cure period applies, although, as with intentional violations, companies are liable for additional fines if they fail to mitigate regulatory breaches.
  • Costs from civil lawsuits: Civil penalties can exceed penalties administered by state regulators. The CCPA empowers courts to issue fines between $100 and $750 per violation. However, courts can also demand damages related to the violation's impact. Generally, companies have a 30-day window to redress CCPA violations. If they fail to take action, they must pay civil penalties.
  • Reputational damage: CCPA breaches signal to customers that companies do not take privacy seriously. As a result, consumers may feel their data is not secure. They may well move their business to competitors with stronger reputations for protecting consumer rights.

CCPA fines issued to companies: Real-life examples

CCPA penalties are issued regularly; they are far more than a legal threat meant to encourage stronger privacy and data breach security. The case studies below illustrate how extensive CCPA fines can be.

Sephora: Selling personal information without consent

In 2022, the California Attorney General announced a $1.2 million fine for cosmetics giant Sephora. According to the ruling, Sephora had breached CCPA by tracking website visitors and sharing information with third parties without user consent.

Sephora did not offer customers an opt-out in the company's privacy policy. The firm also ignored Global Privacy Control (GPC) signals, the browser-level signal that users send to opt out of data sharing.

DoorDash: sharing personal data to help marketing partners

In 2024, regulators announced a $375,000 CCPA fine for food delivery service DoorDash. In this case, investigators found that DoorDash consistently shared user data with marketing partners without informing customers. Partners then used this data to target advertising, a breach of CCPA privacy laws.

Hanna Andersson: the first civil action under CCPA

The first private right of action under CCPA reached court in 2020 when consumers sued clothing retailer Hanna Andersson. This case was brought after hackers breached Hanna Andersson's eCommerce platform, stealing over 200,000 customer records.

Damages did not approach the maximum allowed under CCPA, but the court did require a relief fund of $400,000 ($2 per affected individual). Total damages seemed low at the time, but courts considered the effects of COVID and the firm's financial position when determining damages.

Hanna Andersson also had to take corrective action, adding further costs, while the case had a lasting impact on its business reputation.

Honda: fined for breaching the privacy of motorists

In 2025, Japanese car maker Honda was fined $632,500 for a bundle of CCPA compliance violations regarding customer privacy. According to regulators in the Office of the California Attorney General, Honda failed to make opting out of data sharing easy enough and requested excessive personal information.

Honda also failed to supply contact details for advertising partners when asked, raising the ire of state officials. Overall, this case shows how aggressive regulators can be. Penalties apply even for seemingly minor privacy violations.

How can businesses avoid CCPA fines?

Companies active in California should take a strict approach to CCPA compliance. If they don't, regulatory penalties and reputational damage are likely at some point. Here are some tips to help you comply with the California Consumer Privacy Act and avoid harmful outcomes.

  • Understand your data environment: Start by auditing your data collection, usage, and storage practices. What information do you collect, and why? Do you have a robust business justification for gathering personal data? Do you share data with other companies? If so, you'll need to make that clear to California customers.
  • Create a clear, compliant privacy policy: Privacy policies explain how you comply with the CCPA and provide customers with the knowledge needed to opt out of data sharing. Present the policy to new customers and make your privacy policy accessible to all website visitors. Revisit the text regularly to ensure continuing compliance.
  • Implement systems to safeguard consumer privacy: Customers must have the right to opt out of data sharing if they wish (opt-ins are not explicitly required under CCPA). The consent form should include a "Do Not Sell My Personal Information" option, which applies to all third-party data-sharing agreements.
  • Cut data breach risks with security controls: Data breaches due to inadequate cybersecurity controls can lead to severe CCPA fines. Encrypt consumer data and use network segmentation to separate sensitive data from network assets. Use authentication and Zero Trust access controls to limit who can access personal information. This significantly cuts the risk of accidental and deliberate data exposure.
  • Allow customers to exercise their CCPA rights: Under CCPA regulations, companies must enable consumers to access, move, and delete personal information. Create and test processes to fulfill consumer requests, and audit response times regularly to ensure prompt compliance. Remember: CCPA rules give you 45 days to fulfill requests. Failure to do so may constitute an intentional violation.
  • Create incident response playbooks: CCPA regulations provide time to mitigate privacy or security violations without the threat of penalties. A smooth incident response plan lets you take advantage of this cure period and avoid further compliance action. Assign roles in incident response teams and workshop incidents to ensure every stakeholder is fully prepared.
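The Sephora case above turned on ignored Global Privacy Control signals, and the "Do Not Sell My Personal Information" tip describes the opt-out that must reach every third-party sharing arrangement. The following Node.js request handler is an added example, not code from the article or from any of the companies it discusses, showing one way to honour both signals before any partner tag is emitted. It relies on the real `Sec-GPC: 1` request header defined by the GPC specification; the `ccpa_do_not_sell` cookie, the partner list and the audit record format are assumptions chosen for the example.

```javascript
// Added example: honouring GPC and a "Do Not Sell" opt-out server-side.
// Assumptions (not from the article): a "ccpa_do_not_sell" cookie set by
// the site's own opt-out form, and a constructed list of third-party
// marketing tags that would otherwise be embedded in every page.

// Constructed sample of partner tags; names and URLs are placeholders.
const THIRD_PARTY_TAGS = [
  { partner: "example-ad-network", src: "https://ads.example/pixel.js" },
  { partner: "example-analytics", src: "https://stats.example/tag.js" },
];

// Minimal Cookie-header parser so the example runs without a framework.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Decide whether this visitor has opted out of the sale or sharing of
// personal information. Either signal is sufficient on its own: a visitor
// who sends GPC is never asked to repeat the opt-out through a form.
// Node lower-cases header names, hence "sec-gpc".
function resolveSaleOptOut(headers, cookieHeader) {
  const gpc = String(headers["sec-gpc"] || "").trim() === "1";
  const cookies = parseCookies(cookieHeader);
  const cookieOptOut = cookies["ccpa_do_not_sell"] === "1";
  return {
    optedOut: gpc || cookieOptOut,
    source: gpc ? "gpc" : cookieOptOut ? "cookie" : "none",
  };
}

// Choose which partner script tags to include. When the visitor has opted
// out, no partner tags are emitted at all, so no data leaves the site.
function selectTags(decision) {
  if (decision.optedOut) return [];
  return THIRD_PARTY_TAGS.map((t) => `<script src="${t.src}"></script>`);
}

// Record how each request's opt-out status was decided, so the handling
// of every signal can be shown later rather than reconstructed.
function auditRecord(decision, path) {
  return {
    ts: new Date().toISOString(),
    path,
    optedOut: decision.optedOut,
    source: decision.source,
  };
}

// Request handler in the shape of Node's http module (req.headers,
// req.url, res.setHeader, res.end). Nothing here starts a server.
function handleRequest(req, res) {
  const decision = resolveSaleOptOut(req.headers, req.headers.cookie);
  const tags = selectTags(decision);
  console.log(JSON.stringify(auditRecord(decision, req.url)));
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  const status = decision.optedOut
    ? `honoured (${decision.source})`
    : "not set";
  res.end(`<!doctype html><html><body>\n<p>Opt-out status: ${status}</p>\n${tags.join("\n")}\n</body></html>`);
  return { optedOut: decision.optedOut, tagCount: tags.length };
}

// Stand-alone demonstration with a constructed request carrying GPC.
function demo() {
  const req = { url: "/products", headers: { "sec-gpc": "1", cookie: "session=abc" } };
  const res = { setHeader() {}, end(body) { console.log(body); } };
  return handleRequest(req, res);
}
```

The client-side counterpart is `navigator.globalPrivacyControl`, which scripts can read to make the same decision in the browser; keeping the decision on the server, as above, means the partner tags are never sent to an opted-out visitor in the first place. The same `resolveSaleOptOut` result should also gate any server-to-server transfer to the listed partners, not just the HTML tags.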

Regulators worldwide are becoming stricter about protecting personal data and ensuring customer privacy. California is no exception. The CCPA allows responsible data collection. However, it also specifies severe penalties for irresponsible behavior. Follow the tips above to secure personal information and minimize CCPA compliance risks.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consult a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.