The Cost of Ignoring California Privacy Law
California privacy law carries heavy financial consequences for websites that ignore user rights. Regulators actively monitor digital properties for compliance failures, and they do not hesitate to issue public fines.
The CCPA empowers state authorities to penalise businesses that unlawfully collect, sell, or share personal data. Following updates from the California Privacy Rights Act (CPRA), the enforcement landscape has grown more aggressive. Companies can no longer rely on a mandatory 30-day cure period to fix mistakes after getting caught. If your website fails to honour an opt-out request or drops tracking scripts without notice, you face immediate liability.
Penalties scale quickly because fines apply on a per-violation basis. A single non-compliant tracking script loaded for a thousand California visitors constitutes a thousand separate violations.
Recent enforcement actions prove that regulators are looking closely at website tracking technologies. The focus has shifted from mere privacy policy wording to actual technical compliance, meaning your website must respect user choices exactly as legally required.
Understanding these risks helps you protect your business from costly investigations and reputational damage.
Understanding the 2025 CPI Adjustments to CCPA Fines
California law mandates periodic updates to privacy penalty thresholds to account for inflation. Under Civil Code Section 1798.199.95(d), the California Privacy Protection Agency (CPPA) adjusts these figures every odd-numbered year based on the Consumer Price Index (CPI).
Effective January 2025, the financial risk for non-compliance increased significantly. The threshold for a business to fall under CCPA jurisdiction based on gross annual revenue rose from $25,000,000 to $26,625,000. Administrative fines and statutory damages also saw proportional increases.
The revised penalty structure breaks down into three distinct categories.
| Violation Type | Pre-2025 Penalty Maximum | 2025 CPI-Adjusted Maximum |
|---|---|---|
| Standard Administrative Violation | $2,500 per violation | $2,663 per violation |
| Intentional Violation or Minors' Data | $7,500 per violation | $7,988 per violation |
| Statutory Damages (Data Breach) | $100 to $750 per consumer | $107 to $799 per consumer |
Regulators calculate administrative fines based on the nature of the offence. A genuine oversight might trigger the lower standard tier, but deliberately hiding opt-out mechanisms or ignoring privacy signals pushes the penalty into the intentional category. Any violation involving the data of consumers known to be under 16 years old automatically triggers the higher $7,988 maximum, regardless of intent.
The Two Pillars of Enforcement: The CPPA and the Attorney General
California relies on a dual-enforcement mechanism to police digital privacy. Initially, the California Attorney General (AG) held sole responsibility for investigating complaints and issuing fines. The landscape shifted when voters approved the CPRA, which established the California Privacy Protection Agency.
The CPPA operates as the first dedicated privacy regulator in the United States. This agency possesses full administrative power to investigate websites, audit data practices, and levy fines directly. The Attorney General retains civil enforcement authority and often handles high-profile cases involving widespread consumer harm.
These two bodies coordinate their efforts to maximise compliance pressure. The AG frequently conducts automated sweeps of websites and mobile applications to identify missing privacy links or broken opt-out flows.
You cannot predict which entity might audit your website. Both regulators expect strict adherence to the law, and both have demonstrated a willingness to penalise companies that fail to implement compliant cookie banners and data sharing controls.
Private Right of Action: The Hidden Cost of Data Breaches
Administrative fines only represent one aspect of your financial exposure. The CCPA includes a limited private right of action, allowing individual consumers to sue businesses directly following specific types of security incidents.
This right activates if unencrypted and unredacted personal information is exposed due to a business failing to maintain reasonable security procedures. While this does not apply to simple cookie consent failures, it becomes highly relevant if the data you collect via web trackers is subsequently breached.
Statutory damages for these breaches now range from $107 to $799 per consumer, per incident. You do not need to prove actual financial harm to claim these damages.
Class action lawsuits multiply these figures rapidly. A breach exposing the records of 50,000 California residents could result in statutory damages approaching $40 million, entirely separate from any regulatory fines the Attorney General might impose.
Real-World CCPA Enforcement Examples
Public enforcement actions provide a clear roadmap of what regulators actively target. Reviewing these cases reveals a consistent focus on hidden data sales and technical failures in consent mechanisms.
The Sephora Settlement (August 2022)
The California AG announced a $1.2 million settlement with cosmetics retailer Sephora, marking the first public CCPA enforcement action. The state alleged that Sephora failed to disclose that it was selling personal information and failed to process opt-out requests sent via user-enabled Global Privacy Control (GPC) signals.
Under California law, making consumer data available to third parties for advertising or analytics constitutes a "sale" even if no money changes hands. Sephora allowed third-party tracking networks to monitor customer behaviour but did not provide the required "Do Not Sell My Personal Information" link. Furthermore, the company's website completely ignored browser-level GPC signals, which legally function as valid opt-out requests.
This case established that technical compliance is mandatory. A privacy policy alone cannot shield a business if the underlying website code continues to share data against user wishes.
The DoorDash Settlement (February 2024)
Delivery platform DoorDash agreed to a $375,000 settlement over allegations of unlawful data sharing. The AG found that DoorDash participated in a marketing cooperative, exchanging customer names, addresses, and transaction histories for advertising opportunities.
DoorDash failed to notify consumers about this arrangement and provided no mechanism to opt out. The company attempted to argue that participating in a cooperative did not equal selling data, but the AG firmly rejected this interpretation. Any exchange of personal information for a commercial benefit falls under the CCPA definition of a sale.
The state also noted that DoorDash could not cure the violation because the data had already been disseminated to downstream data brokers, proving that retroactive fixes are rarely sufficient once data leaves your control.
The Healthline Settlement (July 2024)
In one of the largest penalties to date, Healthline agreed to pay $1.55 million to resolve claims it violated the CCPA. The health information website allowed third-party trackers to collect data about user search queries and reading habits without adequate disclosure.
The AG determined this practice essentially shared sensitive health indicators with advertising networks. Healthline lacked proper opt-out controls, and its privacy disclosures did not accurately reflect the depth of data sharing occurring behind the scenes.
This settlement highlights the severe risks associated with mismanaging analytics cookies and advertising pixels, especially when sensitive personal characteristics are involved.
Common Technical Failures That Trigger Investigations
Regulators do not rely on manual browsing to catch violators. They deploy automated scripts that scan thousands of domains to detect non-compliant behaviour.
Your site will likely be flagged in a regulatory sweep if it exhibits any of these technical failures:
- Ignoring Global Privacy Control (GPC): The AG considers GPC a legally binding opt-out request. If a visitor arrives with GPC enabled and your site still fires marketing pixels, you are in violation.
- Missing Opt-Out Links: Websites that "sell" or "share" data for cross-context behavioural advertising must display a clear "Do Not Sell or Share My Personal Information" link in the footer.
- Dark Patterns: Designing a consent management platform interface that makes opting out significantly more difficult than opting in violates CPRA regulations.
- Faulty Categorisation: Classifying third-party advertising tags as "strictly necessary" cookies to bypass opt-out requirements is a frequent target for enforcement.
You must ensure your data collection practices align exactly with the technical controls presented to the user. A button that says "Reject All" must actually block the scripts from executing.
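The GPC and "Reject All" points above come down to one control: which tags are allowed to execute, given the browser signal and the visitor's stored choice. The following is an added example written for this article; it is not code from the original page or from Kukie.io, and every name in it (the category list, the tag inventory, `resolveConsent`, `tagsToLoad`, `loadAllowedTags`) is hypothetical. It reads the signal from the real `Sec-GPC: 1` request header on the server or `navigator.globalPrivacyControl` in the browser, treats it as an opt-out of the sale/share categories, and only ever appends script elements for tags the decision allows, so a rejected tag never runs.

```javascript
// Added example, not code from the original article or from Kukie.io.
// A minimal consent gate: a Global Privacy Control (GPC) signal is processed as a
// valid opt-out of the sale/share categories, and only tags in allowed categories
// are loaded. All names and the tag inventory are hypothetical/constructed.

const CATEGORIES = ['necessary', 'analytics', 'advertising'];

// Constructed tag inventory. Advertising and analytics tags are classified
// honestly; labelling them "necessary" to dodge opt-outs is the mis-categorisation
// regulators look for.
const TAG_INVENTORY = [
  { id: 'session-cookie', category: 'necessary', src: null },
  { id: 'analytics-pixel', category: 'analytics', src: 'https://example.invalid/analytics.js' },
  { id: 'ad-retargeting', category: 'advertising', src: 'https://example.invalid/ads.js' },
];

// Server side: the GPC opt-out arrives as the request header "Sec-GPC: 1".
// Header names are matched case-insensitively; any value other than "1" is not a signal.
function gpcFromHeader(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(headers[name]).trim() === '1';
    }
  }
  return false;
}

// Browser side: the same signal is exposed as navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which categories may run.
//   storedChoice: 'accept_all' | 'reject_all' | { allowed: [...] } | undefined (no choice yet)
//   gpc: boolean
// With no stored choice, nothing beyond "necessary" runs until the visitor decides.
// GPC is processed as an opt-out, so it removes the sale/share categories even when
// the visitor previously clicked "Accept All".
function resolveConsent({ gpc = false, storedChoice } = {}) {
  const allowed = new Set(['necessary']);
  if (storedChoice === 'accept_all') {
    allowed.add('analytics');
    allowed.add('advertising');
  } else if (storedChoice && Array.isArray(storedChoice.allowed)) {
    for (const c of storedChoice.allowed) {
      if (CATEGORIES.includes(c)) allowed.add(c);
    }
  }
  // 'reject_all' and undefined fall through with only 'necessary'.
  if (gpc) {
    allowed.delete('analytics');
    allowed.delete('advertising');
  }
  return allowed;
}

// Return the ids of tags permitted under the decision, in inventory order.
function tagsToLoad(inventory, allowed) {
  return inventory.filter((t) => allowed.has(t.category)).map((t) => t.id);
}

// Browser only: append <script> elements for allowed tags. Blocked tags are never
// added to the DOM, so "Reject All" prevents execution instead of just hiding a banner.
function loadAllowedTags(inventory, allowed, doc) {
  const loaded = [];
  for (const tag of inventory) {
    if (!allowed.has(tag.category) || !tag.src) continue;
    const el = doc.createElement('script');
    el.src = tag.src;
    el.async = true;
    doc.head.appendChild(el);
    loaded.push(tag.id);
  }
  return loaded;
}

// Stand-alone demo (no DOM needed): a visitor who clicked "Accept All" but whose
// browser sends GPC should still get only the necessary tag.
if (typeof document === 'undefined') {
  const decision = resolveConsent({
    gpc: gpcFromHeader({ 'Sec-GPC': '1' }),
    storedChoice: 'accept_all',
  });
  console.log('tags to load:', tagsToLoad(TAG_INVENTORY, decision)); // ['session-cookie']
}
```

The design choice worth noting is that the decision is computed before any tag is touched and the blocked tags are simply never inserted; a consent banner that loads everything and then tries to "disable" tags afterwards has already fired the pixel by the time the visitor's choice is applied, which is exactly the failure the Sephora case turned on.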
Frequently Asked Questions
What is the maximum fine for a CCPA violation?
Following the 2025 CPI adjustments, the maximum administrative fine is $2,663 for a standard violation and $7,988 for an intentional violation or any violation involving the data of minors under 16.
Does the CCPA 30-day right to cure still exist?
No. The CPRA amendments sunsetted the mandatory 30-day cure period for administrative enforcement. Regulators now have discretion to issue fines immediately upon discovering a violation.
Can individuals sue a company for CCPA violations?
Individuals can only sue under the CCPA's private right of action if their non-encrypted, non-redacted personal information is exposed in a data breach caused by a lack of reasonable security measures. They cannot sue over cookie banner issues.
Who enforces the CCPA in California?
Enforcement is shared between the California Attorney General, who handles civil litigation and large-scale sweeps, and the California Privacy Protection Agency (CPPA), which conducts administrative investigations and audits.
Are website cookies considered a sale of data under CCPA?
Yes. If you allow third-party cookies to collect visitor data for advertising or analytics purposes, California law generally defines this exchange as a "sale" or "sharing" of personal information, requiring an opt-out mechanism.
Take Control of Your Cookie Compliance
If you operate a website that receives traffic from California, relying on guesswork for your tracking setup is a massive financial risk. Kukie.io automatically scans your site, categorises your cookies, and ensures your consent mechanisms respect browser signals like GPC.