Since 2022, California regulators have fined 13 companies a combined total of over $23 million for CCPA violations. Sephora's $1.2 million settlement started it; General Motors' $12.75 million penalty is the record so far. The California Attorney General and the California Privacy Protection Agency bring these cases, with fines reaching $7,988 per intentional violation. Below: 13 real, named settlements from 2022 through 2026 and the specific lesson each one teaches.
What CCPA Enforcement Actually Punishes (Read This First)
Regulators keep fining the same five failures. They are: a broken or fake opt-out, ignoring the Global Privacy Control signal, and making opt-out harder than opt-in. The other two are over-verifying people who opt out, and treating ad-tracker sharing as "not a sale". Nearly every case below fails at least one.
A Broken or Fake Opt-Out
A "Do Not Sell or Share" mechanism that does not function is the single most common violation. The signal it is missing: a link that opens only cookie settings, or a webform that silently fails. It can also be an opt-out that skips some devices or properties.
Ignoring the Global Privacy Control Signal
The Global Privacy Control (GPC) is a browser-level signal that tells a website to stop selling or sharing personal information automatically. The signal it is missing: the browser sends a GPC opt-out and the site keeps selling or sharing data anyway.
Making Opting Out Harder Than Opting In
The CCPA requires symmetrical choice: accepting and opting out must take comparable effort. The signal it is missing: accepting cookies takes one click, while opting out takes two or more, or requires navigating a separate menu.
Over-Verifying People Who Just Want to Opt Out
Businesses cannot demand more information than necessary to process an opt-out request, and identity verification is generally prohibited for opt-outs specifically. The signal it is missing: the site demands a government ID, a photo, or eight form fields just to stop a data sale.
Treating Ad-Tracker Sharing as "Not a Sale"
Installing third-party advertising or analytics trackers while telling a visitor "we do not sell data" is itself a CCPA violation. The signal it is missing: a privacy policy that denies selling data while ad-tech scripts run in the background.
Every case below fails at least one of these five, and most fail several.
Who Enforces the CCPA (and Why the Cure Period Is Gone)
Two regulators enforce the CCPA: the California Attorney General and the California Privacy Protection Agency (CPPA). The Attorney General brought every early case, from Sephora in 2022 through Disney in 2026. The CPPA brought its first action against American Honda in March 2025. The automatic 30-day right to cure no longer exists. A violation can result in a fine immediately, though regulators retain discretion to offer a chance to fix the problem first.
Enforcement is often complaint-driven. A single consumer complaint to the Attorney General or the CPPA can open an investigation that ends in a settlement.
| Regulator | Brought its first action | Notable trait |
|---|---|---|
| California Attorney General | Sephora, August 2022 | Handles the largest volume of cases; also the private-right-of-action referral point for data breach lawsuits |
| California Privacy Protection Agency (CPPA) | American Honda, March 2025 | Created by CPRA; issues its own administrative orders and rulemaking |
The statutory base is $2,500 to $7,500 per violation, adjusted for inflation to $2,663 to $7,988 effective January 1, 2025. The higher figure applies to intentional violations, and to violations involving a consumer the business knew was under 16. The California Consumer Privacy Act itself does not let individual consumers sue over most violations; a private lawsuit is available only after a data breach. Consumers pursue website tracking separately, through California's CIPA wiretapping suits.
The Opt-Out and "Do Not Sell" Cases
The most common CCPA violation across every case on this page is a missing, broken, or fake opt-out.
Sephora, $1.2 Million (2022): The First CCPA Settlement
Sephora, $1.2 million, August 2022: installing ad trackers is a "sale," even if you never call it one. Sephora let third-party companies install tracking software that monitored device type, browsing behavior, and location. It then failed to disclose that this counted as selling personal information, and failed to process opt-out requests sent through the Global Privacy Control. A real "Do Not Sell or Share" mechanism that also honored GPC would have prevented this. So would a privacy policy that admitted tracker-based sharing was a sale.
DoorDash, $375,000 (2024): A Marketing Co-Op Counts as a Sale
DoorDash, $375,000, February 2024: a marketing data exchange is a sale even without a cash transaction. DoorDash participated in a marketing co-op that shared customer personal information with other businesses and data brokers, without giving notice or an opt-out opportunity. Treating the co-op as a sale from day one, with notice at collection and a working opt-out, would have prevented this settlement.
Disney, $2.75 Million (2026): An Opt-Out That Did Not Follow the User
The Walt Disney Company, $2.75 million, February 2026: an opt-out button is not finished when it exists; it has to work everywhere. Disney's streaming services failed to fully apply opt-out requests across every property and device. A consumer who opted out on one service or device could still have data sold through another. An opt-out architecture that propagates the choice across every owned property and device type would have prevented this settlement.
The Dark-Pattern and Over-Verification Cases
California fines the opt-out experience itself, not only the underlying data sale.
American Honda, $632,500 (2025): The First CPPA Action
American Honda Motor Co., $632,500, March 2025: the CPPA's first-ever enforcement action, and it targeted the click count. Honda's cookie tool let visitors accept cookies in one click but required at least two clicks to opt out, violating the CCPA's symmetrical-choice rule. The site also demanded eight data fields for every consumer request, including opt-outs. Only two data points were needed to identify a consumer, and verification is prohibited for opt-out requests specifically. Honda could not produce its contracts with advertising-technology partners when the CPPA asked, and the Order cited 153 alleged violations. One-click opt-out matching one-click accept, zero verification on opt-out-of-sale requests, and signed, producible ad-tech vendor contracts would have prevented this settlement.
Todd Snyder, $345,178 (2025): A Broken Banner and a Photo of Your ID
Todd Snyder, Inc., $345,178, May 2025: a consent management platform you deploy but never test can become the violation. For 40 days in late 2023, clicking Todd Snyder's "Cookie Preference Center" link opened a banner that immediately disappeared. This made it impossible to submit an opt-out request. The retailer also required consumers to submit government identification to opt out, and ignored the Global Privacy Control signal entirely. This is the most relatable case for a small site owner: the retailer used a third-party consent tool and never checked that it still worked. Testing the consent banner end-to-end after every deployment, and never asking for a photo or ID to honor an opt-out, would have prevented this settlement.
Sling TV and Dish, $530,000 (2025): A Confusing Opt-Out
Sling TV L.L.C. and Dish Media Sales L.L.C., $530,000, October 2025: having an opt-out is not a defense if it is confusing to use. Sling TV directed consumers seeking to opt out toward cookie settings alone. It also required redundant webform fields already on file, and offered no opt-out inside its living-room device apps. The settlement also cited inadequate children's privacy protections. A plainly labeled, low-friction opt-out available on every device, plus neutral age handling, would have prevented this settlement.
The Tracking, Sensitive-Data, and Data-Sale Cases
These cases move from the banner itself to the data flowing behind it.
Healthline, $1.55 Million (2025): A Banner That Did Not Block
Healthline Media, $1.55 million, July 2025: a consent banner that looks compliant but does not stop the trackers is worse than no banner at all. Healthline's banner did not disable tracking as promised. The company also shared article titles that revealed a reader's likely medical diagnosis with advertisers. It lacked required privacy terms in its contracts with third parties, too. This was the largest AG fine before General Motors. A banner whose "reject" button actually blocks the tags, and treating health-inference data as sensitive, would have prevented this settlement.
General Motors, $12.75 Million (2026): The Largest CCPA Settlement
General Motors, $12.75 million, May 2026: the largest CCPA settlement to date, and the first to lead on data minimization. GM sold names, contact information, geolocation, and driving-behavior data to data brokers LexisNexis and Verisk. The data covered hundreds of thousands of OnStar subscribers, from 2020 to 2024, without adequate consent. GM's own privacy policy stated it did not sell driving or location data. GM also retained the data long after it was needed for OnStar, then sold the retained data anyway. A consent banner alone could not have prevented this case, since the violation happened in GM's backend data-broker relationships, not on a website. Not selling data you told users you would not sell would have prevented this settlement. So would deleting data you no longer need, and getting fresh consent before repurposing it.
The Children's Data Cases
Minors are a separate, higher-risk class under the CCPA. Businesses cannot sell or share the data of a consumer under 13 without verifiable parental consent. Consumers aged 13 to 15 must affirmatively opt in before their data is sold or shared.
Tilting Point, $500,000 (2024): Selling Kids' Data by Misconfiguration
Tilting Point Media LLC, $500,000, June 2024: a misconfigured advertising SDK can silently sell children's data. The mobile game SpongeBob: Krusty Cook-Off collected and shared data belonging to children under 13 without parental consent, using age screens that were not neutral. Neutral age gates and auditing every third-party SDK's data behavior before shipping would have prevented this settlement.
Jam City, $1.4 Million (2025): No Opt-Out and Teen Data
Jam City, Inc., $1.4 million, November 2025: teens are a distinct, protected class. Twenty-one of Jam City's mobile games sold or shared the personal information of consumers aged 13 to 16 without the required affirmative opt-in. The games also failed to provide any way to opt out of the sale of personal information. An opt-out for adults and an opt-in gate specifically for minors 13 to 15 would have prevented this settlement.
The Newest 2026 Actions to Watch
2026 has already produced the largest CCPA settlement ever, General Motors at $12.75 million, alongside a widening sweep of connected-car and mid-size platform actions. Ford Motor Company paid $375,703 in March 2026 after the CPPA found it added unnecessary friction, including an email-verification step, to its opt-out process. PlayOn Sports, a youth sports media platform, paid $1.1 million the same month. Its violation: directing users to third-party industry opt-out tools instead of providing its own, and failing to recognize opt-out preference signals. This is not a California-only pattern either; regulators abroad levy far heavier penalties, as the biggest GDPR fines in the EU show. Also worth watching: Tractor Supply Company paid $1.35 million in September 2025. It was the first CPPA action to cite inadequate privacy notices and job-applicant privacy rights, alongside opt-out failures. The pace of enforcement is accelerating, not slowing down.
The table below places all 13 cases side by side.
| Company | Fine | Date | Enforcer | Headline lesson |
|---|---|---|---|---|
| Sephora | $1,200,000 | Aug 2022 | CA Attorney General | Ad trackers are a "sale" |
| DoorDash | $375,000 | Feb 2024 | CA Attorney General | Marketing co-ops are a "sale" |
| Tilting Point | $500,000 | Jun 2024 | CA Attorney General + LA City Attorney | Misconfigured SDKs sell kids' data |
| American Honda | $632,500 | Mar 2025 | CPPA | Opt-out clicks must match accept clicks |
| Todd Snyder | $345,178 | May 2025 | CPPA | An untested banner can be the violation |
| Healthline | $1,550,000 | Jul 2025 | CA Attorney General | A banner must actually block trackers |
| Tractor Supply | $1,350,000 | Sep 2025 | CPPA | Privacy notices and job-applicant rights count too |
| Sling TV / Dish | $530,000 | Oct 2025 | CA Attorney General | A confusing opt-out is not a defense |
| Jam City | $1,400,000 | Nov 2025 | CA Attorney General | Teens need opt-in, not just opt-out |
| Disney | $2,750,000 | Feb 2026 | CA Attorney General | An opt-out must follow the user everywhere |
| PlayOn Sports | $1,100,000 | Mar 2026 | CPPA | Build your own opt-out, do not outsource it |
| Ford | $375,703 | Mar 2026 | CPPA | Friction itself is the violation |
| General Motors | $12,750,000 | May 2026 | CA Attorney General | The largest fine, and the first data-minimization case |
The Mistakes That Trigger an Enforcement Notice
Before regulators fine a company outright, they often send a notice of alleged noncompliance. The California Attorney General publishes anonymized examples of exactly what earned one.
- A clothing retailer whose "Do Not Sell" link opened only cookie management, not a real sales opt-out, and had to separate the two.
- A data broker with no "Do Not Sell" link at all, which added one to its homepage.
- A data broker that demanded a government ID, a utility bill, and account creation just to process an opt-out, and dropped the verification.
- An ad-tech firm with confusing, non-functional opt-out links, which hired a UX designer to fix the flow.
- An ad-tech provider whose service-provider contracts lacked required CCPA terms, which added CCPA addendums.
- A fitness chain whose opt-out toggles used confusing double negatives, which simplified the language.
- A media conglomerate that required a separate opt-out per website, which streamlined the process to one opt-out across the portfolio.
What These Enforcement Cases Mean for Your Website
These 13 cases sit inside a wider wave of website tracking lawsuits. Three actions cut the risk shown across them:
- Put up a real, one-click opt-out and honor the Global Privacy Control signal automatically.
- Make sure your consent banner actually blocks trackers, and test it again after every change you make to the site. Confirm first whether your site legally needs a cookie policy and an opt-out at all.
- Never sell or share what your privacy policy says you do not, and never over-collect information to verify a simple opt-out request.
Consently handles the website-consent layer these cases turn on. It ships a CCPA-ready opt-out banner with a "Do Not Sell or Share My Personal Information" link. It shows the correct region-based model to California visitors automatically, and uses symmetrical accept and reject buttons. It also blocks trackers before consent and keeps an exportable consent log as your audit record. Honoring the Global Privacy Control signal is a separate obligation your business must still meet by other means. A banner alone cannot undo a backend data sale like the GM or DoorDash cases. Try Consently free to put a compliant opt-out banner on your site.
FAQs
How is the CCPA enforced?
The California Attorney General and the California Privacy Protection Agency bring administrative enforcement actions against businesses. Consumers have a private right of action only after a data breach, not for most other CCPA violations.
What was the first CCPA enforcement action?
Sephora was the Attorney General's first public CCPA settlement, at $1.2 million in August 2022. American Honda was the CPPA's first enforcement action, at $632,500 in March 2025.
What is the largest CCPA fine so far?
General Motors holds the record at $12.75 million, announced in May 2026. Before that settlement, Healthline's $1.55 million fine from July 2025 was the largest.
Can a small business be fined under the CCPA?
Yes, if the business meets a CCPA coverage threshold. The thresholds include gross annual revenue over $26.625 million. They also include buying, selling, or sharing personal information for 100,000 or more consumers or households. See the full compliance requirements for exact numbers and who must comply.
Is there still a 30-day cure period under the CCPA?
No. The CPRA eliminated the automatic 30-day right to cure. The CPPA and the Attorney General may still offer a chance to cure a violation, but only at their own discretion.
What is the most common CCPA violation regulators cite?
A missing, broken, or fake opt-out, most often paired with a failure to honor the Global Privacy Control signal. Nearly every case on this page includes one or both.
How do I make sure my website avoids a CCPA enforcement action?
Put up a working opt-out and honor the Global Privacy Control signal. Confirm your consent banner actually blocks trackers, keep signed vendor contracts on file, and follow a complete compliance checklist. See how to comply with the CCPA step by step for the full process.

