CCPA Penalties and Fines: What Happens If You Don't Comply

CCPA violation penalties explained: fines per violation, enforcement actions, private right of action for data breaches, and real enforcement examples.

Last updated: 2026-02-07

The CCPA has teeth. Real ones.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) and its amendments under the CPRA, as of the date of publication.

Unlike some privacy regulations that look tough on paper but rarely result in consequences, the CCPA has multiple enforcement mechanisms -- and California has been using them. Between the Attorney General's office, the California Privacy Protection Agency (CPPA), and the private right of action for data breaches, non-compliant businesses face financial penalties that can escalate quickly.

This guide covers what the penalties actually are, who enforces them, how enforcement has played out in practice, and what you can do to avoid being on the wrong end of an enforcement action.

For a complete understanding of what the law requires, see our Complete Guide to CCPA Compliance.

The Penalty Structure

The CCPA has two separate penalty tracks: government enforcement (fines imposed by the state) and private lawsuits (filed by individual consumers). They work differently and cover different violations.

Government Enforcement Penalties

The California Attorney General and the California Privacy Protection Agency (CPPA) can bring enforcement actions against businesses that violate the CCPA (Cal. Civ. Code § 1798.155). The penalty structure is:

Unintentional violations: Up to $2,500 per violation

Intentional violations, and any violation involving the personal information of consumers the business has actual knowledge are under 16: Up to $7,500 per violation

The statute provides for these amounts to be adjusted for inflation in odd-numbered years, so the current CPPA figures are somewhat higher than the base amounts quoted here.

These sound manageable until you think about what "per violation" means. Each individual consumer whose rights are violated represents a separate violation. If your privacy policy fails to include required disclosures and you have 50,000 California customers, that's potentially 50,000 violations.

Let's do the math on some scenarios:

Scenario                             | Violation Type | Consumers Affected | Potential Fine
Missing privacy policy disclosures   | Unintentional  | 10,000             | Up to $25,000,000
Failing to process deletion requests | Intentional    | 500                | Up to $3,750,000
Ignoring opt-out requests            | Intentional    | 5,000              | Up to $37,500,000
Selling minors' data without consent | Intentional    | 1,000              | Up to $7,500,000

These are theoretical maximums, and actual fines have generally been lower. But the per-violation structure means that even modest enforcement actions can produce significant penalties.

CPRA's Enhanced Penalties for Minors

CPRA amended § 1798.155 so that any violation involving the personal information of consumers the business has actual knowledge are under 16 years of age carries the higher penalty, up to $7,500 per violation, whether or not the violation was intentional. In other words, for minors' data the "unintentional" tier does not exist: the intentional-violation amount is the baseline.

The CPPA has signaled that enforcement involving children's privacy is a priority, so businesses that collect data from younger demographics should pay special attention.

Private Right of Action (Data Breaches)

This is the enforcement mechanism that keeps privacy attorneys employed and security teams awake at night.

Under Cal. Civ. Code § 1798.150, individual California consumers can sue businesses directly -- without waiting for the AG or CPPA to act -- if their "nonencrypted and nonredacted personal information" is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's "violation of the duty to implement and maintain reasonable security procedures and practices" appropriate to the nature of the information.

In plain English: if you get breached because you didn't take reasonable security precautions, consumers can sue you.

Damages per consumer per incident:

  • Statutory damages: $100 to $750 per consumer per incident (Cal. Civ. Code § 1798.150(a)(1)(A); no need to prove actual harm)
  • Actual damages: The consumer recovers the greater of statutory damages or actual damages, so if actual damages exceed $750 per consumer, those apply instead
  • Injunctive relief: A court can order you to change your practices

The statutory damages provision is what makes this so potent. In a class action lawsuit involving 100,000 affected consumers, the damages range is:

  • Minimum: $10,000,000 (100,000 x $100)
  • Maximum: $75,000,000 (100,000 x $750)

And the consumers don't need to prove they were actually harmed by the breach. Showing that their unencrypted, unredacted data was exposed as a result of your failure to implement reasonable security is enough to put statutory damages in play.

The 30-Day Cure Period

Before suing for statutory damages, the consumer (or their attorney) must send a written notice to the business identifying the specific provisions they believe were violated (Cal. Civ. Code § 1798.150(b)). The business then has 30 days to cure the violation and provide an express written statement that the violation has been cured and that no further violations will occur.

If the business actually cures within 30 days and provides that statement, the consumer cannot proceed with an individual or class-wide claim for statutory damages. The notice requirement does not apply to claims for actual pecuniary damages.

However, there are important limitations to this cure period:

  • It applies only to the private right of action (data breach lawsuits), not to AG/CPPA enforcement
  • CPRA added language making clear that implementing and maintaining reasonable security after a breach does not "cure" that breach -- the exposure already happened, so for most breach claims the cure period offers little protection
  • CPRA eliminated the mandatory 30-day notice-and-cure period that the AG previously had to offer before bringing an enforcement action (former § 1798.155(b)); the CPPA may take a business's good-faith cure into account when setting penalties, but it is not required to give a business the chance to cure first

Practical note: the trend is toward removing cure periods, not adding them. The private-action notice period in § 1798.150(b) is written into the statute itself, so watch for legislative amendments and check the current text before relying on it.

Who Enforces the CCPA?

The California Attorney General

The AG's office was the original (and, until the CPPA's enforcement authority took effect in July 2023, the sole) enforcement authority for the CCPA. The AG can:

  • Investigate potential violations
  • Send inquiry letters to businesses
  • Bring civil enforcement actions in court
  • Seek injunctive relief
  • Seek civil penalties of up to $2,500 or $7,500 per violation

The AG has been active in enforcement since the CCPA took effect. Their approach has generally been to start with inquiry letters -- giving businesses a chance to come into compliance -- before escalating to formal enforcement actions.

The California Privacy Protection Agency (CPPA)

Created by CPRA, the CPPA is a dedicated privacy enforcement agency -- the first of its kind in the United States. Its authority to enforce the CCPA took effect on July 1, 2023, and it has been ramping up enforcement activity since.

The CPPA can:

  • Conduct investigations and audits
  • Issue subpoenas
  • Bring administrative enforcement actions (without going to court)
  • Impose fines and penalties
  • Issue regulations and guidance
  • Refer matters to the AG for prosecution

The CPPA has its own administrative law process, which is generally faster than going through the courts. This makes it a more agile enforcement body than the AG's office for routine violations.

The CPPA's stated enforcement priorities include:

  • Businesses that collect or process large volumes of personal information
  • Violations involving sensitive personal information
  • Violations involving children's and minors' data
  • Businesses that have failed to implement basic compliance measures
  • Data broker registration violations

Private Plaintiffs

Individual consumers (usually through class action attorneys) can bring lawsuits for data breaches caused by inadequate security (Cal. Civ. Code § 1798.150). This is the only area where private citizens can sue directly under the CCPA -- they cannot bring private lawsuits for other types of violations (like failing to honor deletion requests).

The private right of action has produced significant settlements and continues to be an active area of litigation.

Real Enforcement Examples

Understanding how enforcement has actually played out gives you a much better sense of what the regulators care about.

Sephora ($1.2 Million Settlement, 2022)

The California AG's first major public CCPA enforcement action was against Sephora, the cosmetics retailer. The AG alleged that Sephora:

  • Failed to disclose that it was selling consumers' personal information
  • Failed to process opt-out requests submitted via Global Privacy Control (GPC) signals
  • Did not provide a "Do Not Sell My Personal Information" link
  • Failed to cure the violations within 30 days after being notified

Sephora settled for $1.2 million and agreed to comply with GPC signals, update its privacy disclosures, and implement compliance measures.

Key takeaway: Ignoring GPC signals is a violation. If your website doesn't honor GPC, fix it.

DoorDash ($375,000 Fine, 2024)

In February 2024 the California AG announced its second public CCPA settlement, this time with DoorDash, for participating in a marketing cooperative: DoorDash shared customers' personal information with the cooperative in exchange for access to other members' customer data. The AG treated that exchange as a "sale" of personal information, and alleged that DoorDash provided no notice that it was selling data and no opportunity to opt out (the complaint also cited a violation of California's Online Privacy Protection Act). Note that this was an AG action, not a CPPA action; the CPPA's own enforcement decisions came later.

Key takeaway: Sharing data with marketing cooperatives or advertising networks requires proper notice and opt-out rights.

Data Broker Enforcement (Ongoing)

California's data broker registration law, originally administered by the AG, was amended by the Delete Act (SB 362, 2023) to move registration to the CPPA and to set a specific penalty for failure to register: $200 per day for each day a data broker fails to register, plus unpaid fees and the agency's costs. The CPPA has been actively pursuing unregistered data brokers, and the penalties add up quickly. A data broker that fails to register for a full year faces $73,000 in per-day penalties alone.

Key takeaway: If you buy or sell consumer data as a primary business function, you may be classified as a data broker with additional registration requirements.

Class Action Data Breach Settlements

On the private litigation side, numerous companies have faced class action lawsuits under the CCPA's private right of action following data breaches:

  • T-Mobile (2021 data breach): Settled the consolidated class litigation in 2022 for $350 million, with CCPA claims among those asserted
  • Zoom (2020 data-sharing and security allegations): Settled a class action in 2021 for $85 million that included CCPA-related claims about its data sharing practices
  • Various smaller companies have settled for amounts ranging from low six figures to tens of millions

Key takeaway: Data breach class actions under the CCPA are real, they result in substantial settlements, and they can affect businesses of all sizes.

What Triggers Enforcement?

Understanding what draws regulatory attention helps you prioritize your compliance efforts.

Consumer Complaints

Both the AG and CPPA accept consumer complaints. A high volume of complaints about a specific business is a common trigger for investigation. If consumers are complaining that you're not responding to their requests, not honoring opt-outs, or not providing required disclosures, you're putting a target on your back.

Data Breaches

A data breach, especially one that becomes public, is a common trigger for both government enforcement and private litigation. If the breach occurred because of inadequate security measures, expect both a CPPA investigation and class action lawsuits.

Sweep Investigations

The AG's office has conducted "sweep" investigations targeting entire industries or specific compliance issues. For example, the AG sent inquiry letters to numerous businesses about their GPC compliance, which led to the Sephora enforcement action and others.

Whistleblowers and Competitors

Former employees, business partners, and competitors can all bring violations to the attention of regulators. Disgruntled employees who know your data practices are non-compliant are a particularly common source of complaints.

Public Reporting and Media Attention

Investigative journalism and public interest organizations regularly publish reports about data practices. If your company's privacy practices become the subject of negative media coverage, regulatory attention often follows.

How to Minimize Your Risk

You can't eliminate enforcement risk entirely, but you can reduce it dramatically with reasonable compliance efforts. Here's what matters most:

Priority 1: Implement Reasonable Security

The private right of action for data breaches is the highest-risk penalty mechanism because it doesn't require a government investigation -- anyone can sue. Implementing reasonable security is your most important risk-reduction measure.

At minimum:

  • Encrypt personal information at rest and in transit -- and protect the keys. The private right of action reaches only "nonencrypted and nonredacted" personal information, so data that is actually encrypted when exposed (not merely encrypted on disk while the attacker holds the keys or an authenticated session) falls outside the statutory-damages claim
  • Use strong access controls and multi-factor authentication
  • Keep all software patched and updated
  • Conduct regular security assessments
  • Have a documented incident response plan
  • Train employees on security basics

The California AG's 2016 California Data Breach Report stated that the CIS Critical Security Controls define a minimum level of information security, and that failing to implement the applicable controls constitutes a lack of reasonable security. Implementing at least the basic CIS Controls, and being able to show that you did, is therefore the most defensible starting point if your security is ever challenged.

Priority 2: Honor Consumer Requests

Failing to respond to consumer requests is a straightforward violation that's easy for regulators to identify and prove. Build a real DSAR process with documented procedures, response templates, and deadline tracking.

For a complete DSAR process guide, see CCPA DSAR Process: A Guide for California Compliance.

Priority 3: Get Your Privacy Policy Right

An incomplete or inaccurate privacy policy is low-hanging fruit for enforcement. Make sure yours includes all required CCPA disclosures, is updated annually, and accurately reflects your actual data practices.

Priority 4: Honor Opt-Out Signals

After Sephora, it's clear that GPC compliance is an enforcement priority. If your website uses tracking technologies, implement GPC signal detection and honor those signals as opt-out requests.

See our CCPA Cookie Compliance guide for practical implementation details.
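The Sephora action and Priority 4 above both turn on the same mechanical question: does your site recognize the Global Privacy Control signal and treat it as an opt-out of sale/sharing? The following is an added example, not code from the original article or from any company named on this page. It shows the server-side check for the `Sec-GPC` request header (the GPC specification defines it with the single value "1"), the browser-side check of `navigator.globalPrivacyControl`, the `/.well-known/gpc.json` resource a site can publish to declare GPC support, and the decision logic that suppresses sale/sharing tags when the signal is present. The header map shape follows Node's `http` module, the tag names and the `storedPreference` values are hypothetical, and the handling of a stored opt-in that conflicts with the signal (honor the signal, flag the conflict so the consumer can be told and offered a fresh choice) reflects my reading of the CPPA's opt-out preference signal regulations (Cal. Code Regs. tit. 11, § 7025); confirm that against the current text.

```javascript
// Added example: honoring Global Privacy Control (GPC) as a CCPA opt-out.
// Not code from the original article. Header map is Node-style; the tag
// names below and the storedPreference values are hypothetical.

// Sale/sharing tags that must not load for an opted-out consumer (hypothetical names).
const SELL_SHARE_TAGS = ["adnetwork-pixel", "marketing-coop-sync", "retargeting"];

// Server side: the GPC spec defines the request header `Sec-GPC` with the single
// value "1". Any other value, or absence of the header, means no signal was sent.
// Header names are matched case-insensitively in case the map was not normalized.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return typeof value === "string" && value.trim() === "1";
    }
  }
  return false;
}

// Browser side: the spec exposes the same signal as navigator.globalPrivacyControl.
// The navigator object is passed in so the check can be exercised outside a browser.
function hasGpcSignalClient(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Decide whether sale/sharing tags may fire for this request.
// GPC is treated as a valid request to opt out of sale/sharing for this browser.
// A stored "opt-in" that conflicts with the signal does not override it: the
// signal wins by default and the conflict is flagged so the UI can inform the
// consumer and offer a fresh, explicit choice.
function decideTracking(headers, storedPreference) {
  const gpc = hasGpcSignal(headers);
  const optedOut = gpc || storedPreference === "opt-out";
  return {
    gpcSignal: gpc,
    allowSellShare: !optedOut,
    tagsToLoad: optedOut ? [] : [...SELL_SHARE_TAGS],
    // Persist the opt-out so later requests without the header stay opted out.
    recordOptOut: gpc && storedPreference !== "opt-out",
    conflict: gpc && storedPreference === "opt-in",
  };
}

// Body for /.well-known/gpc.json, the resource a site publishes to state that
// it honors GPC. lastUpdate is an ISO date string.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (not real traffic), covering the signal present,
// the signal conflicting with a stored opt-in, a non-"1" value, a stored
// opt-out without the header, and no preference at all.
const SAMPLE_REQUESTS = [
  { headers: { "sec-gpc": "1", host: "shop.example" }, storedPreference: "none" },
  { headers: { "sec-gpc": "1", host: "shop.example" }, storedPreference: "opt-in" },
  { headers: { "sec-gpc": "0", host: "shop.example" }, storedPreference: "none" },
  { headers: { host: "shop.example" }, storedPreference: "opt-out" },
  { headers: { host: "shop.example" }, storedPreference: "none" },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((r) => decideTracking(r.headers, r.storedPreference));
}

for (const decision of runSamples()) {
  console.log(JSON.stringify(decision));
}
```

Wire `decideTracking` into the request path before any tag-management snippet is rendered, and audit the result: an opted-out page should make no network calls to the domains behind `SELL_SHARE_TAGS`. Publishing `/.well-known/gpc.json` is a public statement that you honor the signal, so only ship it once the suppression actually works.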

Priority 5: Document Everything

If you're ever investigated, your documentation is your defense. Keep records of:

  • Your compliance program and policies
  • DSAR requests received and how you handled them
  • Employee training records
  • Vendor agreements with CCPA provisions
  • Security assessments and improvements
  • Privacy policy updates and rationale

The businesses that get the worst enforcement outcomes are the ones that can't demonstrate they tried. Regulators distinguish between businesses that made good-faith compliance efforts (and maybe got some details wrong) and businesses that simply ignored the law.

What to Do If You Receive an Enforcement Inquiry

If the AG's office or the CPPA contacts you:

  1. Don't panic, but don't ignore it. These inquiries are serious, but they're often the beginning of a conversation, not the end of one.
  2. Get legal counsel immediately. This is not the time for DIY compliance. You need a privacy attorney.
  3. Gather your documentation. Pull together your privacy policy, DSAR records, compliance documentation, and vendor agreements.
  4. Respond within the stated deadline. Inquiry letters typically give you 30 days to respond. Don't miss this deadline.
  5. Be cooperative and honest. Regulators look more favorably on businesses that engage constructively. Stonewalling or being evasive makes things worse.
  6. Remediate identified issues promptly. If the inquiry identifies specific compliance gaps, fix them. Fast. Demonstrating a willingness to cure violations can significantly reduce penalties.

The Cost of Non-Compliance vs. Compliance

Let's be blunt about the economics:

Cost of basic CCPA compliance for a mid-sized business:

  • Data mapping: 20-40 hours of internal time
  • Privacy policy update: $2,000-$5,000 (with legal review)
  • DSAR process setup: 10-20 hours of internal time + software costs
  • Employee training: 2-4 hours per relevant employee
  • Ongoing maintenance: 5-10 hours per month

Total first-year cost: Roughly $10,000-$50,000, depending on business size and complexity.

Cost of a single enforcement action or class action lawsuit:

  • Legal defense: $100,000+ (often much more)
  • Settlement or fine: $100,000 to millions
  • Remediation costs: $50,000-$500,000
  • Reputational damage: Incalculable

The math isn't close. Compliance is dramatically cheaper than non-compliance, even in the most optimistic non-compliance scenario.

The Bottom Line

CCPA penalties are real, enforcement is active, and the trend is toward more enforcement, not less. The CPPA is still ramping up its capabilities, the AG's office continues to pursue high-profile actions, and the class action bar is aggressively pursuing data breach cases.

The good news: compliance isn't that hard. If you handle consumer data responsibly, respond to requests on time, keep your privacy policy accurate, and implement reasonable security, you've addressed the vast majority of your enforcement risk.

The businesses that get into trouble are the ones that ignore the law, not the ones that try and get a few details wrong. Regulators have consistently shown more interest in enforcing against willful non-compliance than in punishing good-faith mistakes.

Make the effort. It's worth it.

References

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.


Protect your business with a solid DSAR compliance process. Our DSAR Compliance Guide gives you a practical, step-by-step framework for handling consumer requests correctly and on time -- the single most important thing you can do to reduce your enforcement risk under the CCPA.