CCPA Fines and Enforcement: The Cost of Non-Compliance

CCPA fines reach $2,663 to $7,988 per violation in 2026. See who enforces them, real settlements up to $12.75 million, and how to cut your risk.


by Riad Us Salehin • 4 July 2026


CCPA fines are the civil penalties California can impose on a business that violates the California Consumer Privacy Act. As of 2026, they run up to $2,663 per unintentional violation and $7,988 per intentional violation or one involving a minor's data. The California Attorney General and the California Privacy Protection Agency both enforce them.

How Much Are CCPA Fines?

CCPA civil penalties currently run up to $2,663 per unintentional violation and $7,988 per intentional violation. The higher figure also applies to a violation involving a consumer the business knew was under 16. Both amounts took effect January 1, 2025, replacing the law's original $2,500 and $7,500 caps.

The California Privacy Protection Agency (CPPA) recalibrates both amounts every odd-numbered January. It applies the change in California's Consumer Price Index over the prior two years, rounded to the nearest dollar. The current $2,663 and $7,988 figures reflect that first adjustment; the next review falls in January 2027.

Violation typeOriginal statutory maximumCurrent maximum (effective January 1, 2025)
Unintentional violation$2,500$2,663
Intentional violation$7,500$7,988
Violation involving a minor's data$7,500$7,988

Many CMP and compliance blogs still quote only the original $2,500 and $7,500 figures. The CPPA's own December 2024 announcement confirms the current, higher amounts apply now.

Penalties stack per violation and per affected consumer. Ignoring opt-out requests from 10,000 California residents at $2,663 each reaches $26.6 million, even at the lower unintentional rate. That stacking, not the per-violation figure, is what turns a single failure into a multimillion-dollar case.

What Counts as a CCPA Violation?

A CCPA violation is any failure to meet the law's consumer-rights, disclosure, or opt-out requirements. Before the penalties, it helps to know what the CCPA is and who it covers.

A violation becomes intentional when a business repeats the failure after a warning or a prior enforcement action. The statute never formally defines "intentional," so regulators read it from a business's pattern of conduct.

The most-cited violation triggers in real enforcement actions include:

  • Ignoring the Global Privacy Control (GPC) signal a visitor's browser sends
  • Providing no working "Do Not Sell or Share My Personal Information" link or opt-out mechanism
  • Selling or sharing personal information without notice or consent
  • Skipping the CCPA's required contract terms with vendors and service providers
  • Publishing no privacy policy, or one missing the required rights notice
  • Running a consent banner that collects a "reject" click but does not actually stop tracking

That last item is not theoretical. California's Attorney General has cited a banner that "did not actually disable tracking as promised" as part of a settlement. Functional opt-out gaps like that one recur across nearly every major CCPA case to date.

Who Enforces the CCPA?

Two bodies enforce the CCPA: the California Attorney General and the California Privacy Protection Agency (CPPA). For any violation other than a qualifying data breach, only these two can bring a legal action.

The CPRA created the CPPA in 2020 and began its enforcement authority in 2023. The agency started accepting consumer complaints on July 1, 2023, giving California two active enforcers instead of one.

The California Attorney General

The Attorney General's office brought the CCPA's first enforcement actions and remains the more active enforcer by volume. It has settled with Sephora, DoorDash, Healthline, Disney, and General Motors. Several of those settlements set a new "largest CCPA settlement" record at the time they were announced.

The California Privacy Protection Agency (CPPA)

The CPPA brings its own administrative enforcement actions through its Enforcement Division, separate from the Attorney General's civil cases. Its 2025 settlement with Tractor Supply, triggered by a single consumer complaint, was its first major public case. The CPPA also co-led the record General Motors settlement alongside the Attorney General.

The Private Right of Action: When Consumers Can Sue

Consumers can sue a business directly under the CCPA only for a data breach involving their unencrypted, unredacted personal information caused by inadequate security. Statutory damages run $100 to $750 per consumer per incident, or actual damages, whichever is greater.

The private right of action does not cover most CCPA violations. A business's failure to honor a Do Not Sell or deletion request cannot trigger a consumer lawsuit. Only a qualifying data breach can.

Three conditions must all be true. The breached data was sensitive personal information. The business failed to maintain reasonable security procedures, and that failure led to unauthorized access, theft, or disclosure.

Before suing, a consumer must send the business 30 days' written notice naming the specific CCPA provisions allegedly violated. If the business cures the issue within that window and confirms it in writing, the consumer generally cannot sue for statutory damages. This 30-day cure period still applies here, even though it no longer applies to Attorney General or CPPA enforcement.

Notable CCPA Enforcement Settlements

California's CCPA penalties have climbed sharply since the first settlement in 2022, with the largest now at $12.75 million.

CompanyPenaltyYearEnforcerWhat went wrong
Sephora$1.2 million2022CA Attorney GeneralDid not disclose the sale of personal information; ignored Global Privacy Control opt-outs
DoorDash$375,0002024CA Attorney GeneralSold personal information to a marketing cooperative without notice or an opt-out
Tilting Point Media$500,0002024CA Attorney GeneralCollected children's data in a mobile app without parental consent
Healthline$1.55 million2025CA Attorney GeneralShared health-related data with advertisers; consent banner did not actually disable tracking
Tractor Supply$1.35 million2025CPPANo opt-out mechanism; no privacy-rights notice; no required vendor contracts
Disney$2.75 million2026CA Attorney GeneralOpt-out and Global Privacy Control gaps that did not apply across all devices and services
General Motors$12.75 million2026CA Attorney General and CPPASold geolocation and driving-behavior data to data brokers without consent; largest CCPA fine to date

Every settlement after Sephora names the same recurring failure: an opt-out mechanism or Global Privacy Control signal that did not fully work. Disney's opt-out applied to one device but not another. Healthline's banner logged a rejection but kept tracking running anyway. That pattern, not novel legal theories, is what has driven CCPA penalties from $1.2 million in 2022 to $12.75 million in 2026.

The General Motors case also broke new ground. California regulators called it the state's first data-minimization enforcement action, and the first CCPA case joined by local district attorneys. Both signals point to broader, more aggressive enforcement ahead.

How CCPA Fines Differ From GDPR Fines

CCPA fines are small, per-violation amounts that stack across every affected consumer. GDPR fines work differently: a single administrative penalty capped at a much higher ceiling.

CCPAGDPR
Penalty basisPer violation, per consumerOne penalty per infringement
Maximum$7,988 per intentional violation, with no stated cap on total violations20 million euros or 4% of global annual turnover, whichever is higher
Who paysBusinesses meeting California's revenue or data-volume thresholdsAny organization processing EU residents' data
Who enforcesCA Attorney General and CPPANational data protection authorities (Ireland's DPC, France's CNIL, and others)

The per-violation figure looks small next to GDPR's headline numbers, but CCPA has no stated ceiling on how many violations can stack in one case. General Motors' $12.75 million settlement shows how quickly a single practice, applied across many consumers, closes that gap.

A site serving both audiences needs both frameworks covered. For the EU side, see the specific rules for cookie consent under the GDPR that apply before a tracker can load.

How to Reduce Your CCPA Penalty Risk

Every CCPA settlement to date traces back to a working opt-out mechanism that failed somewhere. Closing that specific gap removes the risk pattern regulators keep finding.

  • Publish a privacy policy that includes the rights notice the CCPA requires, for both consumers and California job applicants
  • Provide a Do Not Sell or Share My Personal Information link that actually stops the sale or sharing when clicked
  • Honor Global Privacy Control signals across every device and service a visitor uses, not just the one detected first
  • Scan your site for the cookies, scripts, and trackers actually running, since undocumented trackers are what caused several settlements
  • Keep consent and opt-out records as audit evidence in case the Attorney General or CPPA asks for proof
  • Put required privacy protections into every vendor and service-provider contract before sharing data with them

CCPA compliance is one piece of a wider map of US and international data privacy laws that businesses now track. A site serving EU visitors also needs the steps to make a website GDPR compliant.

How Consently Helps You Stay CCPA Compliant

Consently reduces CCPA risk with a built-in opt-out banner for US visitors and a consent log that documents every choice. Those are the two pieces every settlement above turned on.

Consently's banner shows California and other US visitors a CCPA-model opt-out banner with a working Do Not Sell or Share My Personal Information control. That control is built into the banner, not added as an afterthought. It directly targets the opt-out failure behind the Sephora, Healthline, and Disney settlements.

Every consent and opt-out choice is stored in a consent log you can export as audit evidence. That is the kind of record a CPPA or Attorney General inquiry asks for first. Consently's cookie scanner also finds the trackers actually running on your site, so nothing fires silently before a visitor has made a choice.

See how Consently handles CCPA opt-out or start a free trial to set up the banner and consent log yourself.

FAQs

How much is a CCPA fine?

A CCPA fine currently runs up to $2,663 per unintentional violation and $7,988 per intentional violation or one involving a minor's data. Both figures took effect January 1, 2025, and apply per violation and per affected consumer.

Is there still a 30-day cure period under the CCPA?

No, for Attorney General and CPPA enforcement, the CPRA removed the automatic 30-day cure period effective January 1, 2023. A 30-day cure window still applies to the separate consumer private right of action, where written notice is required before suing.

Can a small business be fined under the CCPA?

Yes, if the business meets the CCPA's applicability thresholds. Penalties apply per violation regardless of company size once a business is covered by the law.

What is the largest CCPA fine so far?

General Motors' $12.75 million settlement, announced in May 2026, is the largest CCPA fine to date. The Attorney General, the CPPA, and local district attorneys brought the case jointly over the sale of driving and location data.

Who can sue for a CCPA violation?

The California Attorney General and the CPPA can bring legal action for any CCPA violation. Individual consumers can sue only for a qualifying data breach under the private right of action.

How are CCPA fines calculated?

CCPA fines are calculated per violation, and each affected consumer's data can count as a separate violation. That stacking is why settlements reach into the millions even though the per-violation amount is a few thousand dollars.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.