
CCPA Penalties and Fines: What Businesses Need to Know


The California Privacy Protection Agency (CPPA) has introduced a revised CCPA fine structure effective in 2025, adjusting penalty amounts for inflation and clarifying how enforcement actions are assessed. The update creates tiered categories for negligent, intentional, and minor-related violations, offering greater transparency and proportionality in how businesses are fined. This article explores the new fine amounts, real-world cases, and enforcement priorities for 2025–2026, along with practical steps companies can take to reduce exposure and strengthen privacy operations under California’s evolving data protection framework.

The California Consumer Privacy Act (CCPA) is California’s primary data privacy law, granting residents rights over how their personal information is collected, used, and shared by businesses. On December 17, 2024, the California Privacy Protection Agency (CPPA) released an enforcement update that reshapes how penalties are assessed under this law. Beginning January 1, 2025, the agency will adjust the CCPA penalties and fine amounts every two years to reflect inflation, bringing clarity and consistency to how violations are handled.

This article looks at how CCPA fines, penalties, and enforcement actions now work, what counts as a CCPA violation, and what businesses can do to manage their obligations under the law. For a broader look at how these penalties fit into your overall obligations, see our CCPA compliance guide 2026.


Why the CCPA fine system changed in 2025: Updated penalty structure explained

Before 2025, the CCPA set maximum penalty caps, $2,500 for general violations and $7,500 for intentional or child-related violations, but it did not specify how those amounts should be applied or adjusted over time. This often left regulators with broad discretion and businesses uncertain about their potential exposure.

The CPPA’s 2024 update changes that by introducing a transparent, tiered system linked to inflation through the Consumer Price Index (CPI). This structure means CCPA fines per violation now automatically adjust every two years to retain their deterrent value and better reflect the scale of violations.

In addition to adjusting the dollar amounts, the CPPA’s enforcement guidance now defines how each CCPA penalty should be calculated, taking into account intent, cooperation, the number of affected consumers, and whether corrective action was taken quickly.

The new framework aims to:

  • Replace ambiguity with predictable fine ranges for similar violations.
  • Emphasize fairness by considering both business behavior and harm caused.
  • Motivate organizations to act proactively and document compliance efforts.

For example, consider a digital marketing company that collects and sells consumer data without providing a clear opt-out link or properly disclosing third-party data sharing. Under the pre-2024 system, the business might have faced a general fine of up to $2,500 per violation or $7,500 if the conduct was intentional or involved minors. After the 2024 CPPA update, those same actions could now lead to adjusted fines of up to $2,663 per unintentional violation and $7,988 per intentional one, with the possibility of additional damages of $107–$799 per affected consumer.

This example highlights how the new enforcement approach increases predictability while maintaining proportional consequences, ensuring that penalties scale with both intent and consumer impact.


CCPA fines and penalties 2025: Updated amounts and tiers explained

Under Cal. Civ. Code § 1798.155 and § 1798.199.90, the following fine amounts have applied since January 1, 2025, adjusted by the CPPA for inflation.

| Type of violation | Maximum fine (2025) | Details |
| --- | --- | --- |
| Negligent or unintentional violation | $2,663 per violation | Each incident affecting one consumer may count separately. |
| Intentional violation | $7,988 per violation | Covers reckless or knowing conduct that disregards CCPA duties. |
| Violation involving minors (<16 years) | $7,988 per violation | Applies when data of minors is sold or shared without consent. |
| Individual consumer damages | $107 – $799 per consumer per incident or actual damages | Consumers may seek compensation through civil action. |

These figures represent the CCPA maximum fine levels as of 2025. The CPPA will review these thresholds again in 2027 to reflect future CPI changes.


CCPA penalty tiers: How California calculates fines under the new enforcement model

Regulators don't just pull a number out of a hat. They now use a six-tier scoring system to decide how much to fine you. If you can prove you had a compliance program in place (Tier 1 or 2), your fine stays low. If they find you ignored the rules on purpose (Tier 5 or 6), the penalties max out immediately.

| Tier | Description | Base penalty |
| --- | --- | --- |
| 1 | Minor violations with low harm and high cooperation | $2,500 |
| 2 | Low harm with no prior violations, some negligence | $7,500 |
| 3 | Moderate harm, standard negligence | $15,000 |
| 4 | High harm, repeated violations, or recklessness | $22,500 |
| 5 | High harm with wilful misconduct | $30,000 |
| 6 | Severe, repeated violations with clear intent to deceive or cause harm | $50,000 |

Mitigating factors, such as documented staff training, transparent cooperation, and timely consumer notification, may reduce exposure within these tiers.


What qualifies as a CCPA violation: Common examples and real-world scenarios

Common violations include:

  • Collecting or sharing personal data without disclosing the business purpose.
  • Failing to honor verified consumer requests to access or delete data within 45 days.
  • Omitting the required Do Not Sell or Share My Personal Information link.
  • Using sensitive personal information (such as precise location or identification numbers) for undisclosed purposes.
  • Continuing to process data after a consumer has opted out.

Example of a CCPA violation:
A retail website tracks visitors for advertising without providing an opt-out link. Each user session where data is sold or shared could be fined as an individual CCPA violation.


CCPA enforcement actions and settlements: Key court cases and outcomes

California’s privacy law is enforced through a shared model, allowing both the California Attorney General and the California Privacy Protection Agency (CPPA) to pursue investigations and impose penalties. This dual enforcement approach ensures that businesses remain accountable under both administrative and legal oversight.

Key CCPA enforcement actions and outcomes

  • Sephora (2022) - paid $1.2 million in civil penalties and agreed to injunctive terms after the Attorney General found the company failed to disclose that it sold personal information, did not honor Global Privacy Control signals, and did not cure within the required period. The judgment required updated privacy disclosures, honoring GPC signals, service-provider contract corrections, and periodic reporting.
  • DoorDash (2024) - paid a $375,000 civil penalty and accepted permanent injunctive terms after an investigation concluded it participated in a marketing cooperative that shared customer data without adequate notice or an opportunity to opt out. The settlement required updated privacy notices, contract reviews with marketing vendors, and annual reports on sale or sharing practices.
  • People v. Sling TV (2025) - resulted in a stipulated judgment and permanent injunction focused on accurate disclosures and honoring opt-out rights for cross-context behavioral advertising. The order required enhanced privacy notices, clarity around data related to minors, and compliance certifications to the Attorney General; the judgment does not list a public monetary figure.

Enforcement priorities signaled for 2025

  • Misleading consent interfaces and other dark pattern practices.
  • Retention beyond disclosed business purposes and insufficient purpose limitation.
  • Children and teens’ data, advertising transparency, and opt-out signals.

[Figure: CCPA From Violation to Enforcement]


CCPA penalties and enforcement in 2026: What businesses should expect

As California’s privacy framework continues to evolve, 2026 marks a period of practical implementation for businesses adapting to the revised CCPA regulations. Here's what companies can expect regarding CCPA fine structures, penalties for non-compliance with CCPA, and regulatory milestones as they move from policy preparation to hands-on application.

Penalty amounts

  • The California Privacy Protection Agency (CPPA) adjusts monetary thresholds in odd-numbered years based on CPI, as stated in California Civil Code § 1798.100 et seq. Given the December 17, 2024 notice, the 2025 amounts are expected to remain in place through 2026, with the next update scheduled for 2027. Current levels: $2,663 per violation and $7,988 per intentional or minors-related violation; consumer damages $107–$799 per incident.

Regulations effective January 1, 2026

  • The CPPA announced on September 23, 2025 that the Office of Administrative Law (OAL) approved a package of new and revised regulations, effective January 1, 2026. Key public-facing items include: confirming honored opt-out requests (including GPC), symmetry in consent and opt-out steps, clearer cookie banner requirements, expanded privacy policy disclosures (including categories disclosed to service providers and contractors), and a required privacy policy link in mobile app settings.
  • Additional timing applies for some areas. Risk assessment duties begin January 1, 2026 with attestations due starting in 2028. Automated decisionmaking technology obligations take effect January 1, 2027. Cybersecurity audit schedules are phased based on revenue, with certifications beginning in 2028.

Enforcement focus areas in 2026

  • Adoption of the 2026 regulation changes on websites and apps, including honoring opt-out preference signals and avoiding non-symmetrical consent designs.
  • Privacy policy placement and content updates, including app settings links and service provider disclosures.
  • Ongoing attention to youth privacy and advertising transparency.

Practical takeaway

  • For planning, treat 2026 as the year to operationalize the revised rules while keeping the 2025 CCPA maximum fine amounts in mind. Public-facing updates, consent flows, and signal handling are likely to be central in reviews and investigations.

6 Steps to prepare your organization for CCPA enforcement in 2026

[Figure: Six steps to reduce your CCPA risk]


How to report a CCPA violation to the CPPA

Consumers and organizations may file complaints through the CPPA online portal, which allows the public to report CCPA violation cases directly to the California Privacy Protection Agency. Complaints can relate to issues such as missing opt-out options, inaccurate privacy disclosures, or improper handling of consumer requests.

Once submitted, the CPPA may review the complaint, determine whether it indicates a pattern of non-compliance, and, if necessary, coordinate with the California Attorney General’s Office for further investigation. The agency’s published guidance clarifies that it focuses on patterns of misconduct and may use collected reports to inform future enforcement priorities.


What are the penalties for violating the CCPA?

The CCPA authorizes the CPPA and Attorney General to issue civil and administrative fines for non-compliance. Businesses may face CCPA violation fines ranging from $2,663 per unintentional violation to $7,988 per intentional or child-related violation. In addition, consumers affected by data breaches may seek damages between $107 and $799 per incident or actual damages, whichever is higher. The amount of each CCPA penalty depends on the nature, intent, and scope of the violation.


How businesses can reduce the risk of CCPA penalties and fines

  1. Map data flows – identify what categories of personal information are collected and shared.
  2. Update privacy notices – state business purposes and retention periods clearly.
  3. Establish consumer request workflows – log each access, deletion, or opt-out request.
  4. Review vendor contracts – confirm that third parties meet service-provider obligations.
  5. Train employees – educate staff on timelines, consumer rights, and reporting processes.
  6. Document remediation efforts – records showing good-faith actions may reduce penalties.

To implement these steps systematically and ensure you don't miss any requirements, use our step-by-step CCPA Compliance Checklist.


How Clym helps businesses manage CCPA penalties and privacy obligations

Navigating California’s privacy rules requires reliable tools that simplify consent management, consumer rights handling, and documentation. Clym offers a unified platform that helps organizations address the operational side of privacy management with solutions built to support CCPA and similar frameworks.

Clym’s integrated approach helps businesses simplify the complex regulatory landscape while maintaining transparency and respecting consumer rights.

FAQs about CCPA penalties

The CCPA establishes two main categories of fines: $2,663 for negligent or unintentional violations and $7,988 for intentional violations or those involving minors. Each violation is counted per affected consumer, meaning large-scale data incidents can lead to significant total penalties. These amounts reflect the CPPA’s December 2024 inflation adjustment and will remain valid until the next CPI-based review in 2027.

Consumers may claim $107 – $799 per incident or actual damages, whichever is higher, under the CCPA’s private right of action. This provision applies to certain data breaches involving unencrypted or unredacted personal information. The law also allows courts to consider the nature and severity of the breach when assessing damages, providing flexibility in how consumer harm is compensated.

The California Privacy Protection Agency (CPPA) and the Attorney General share enforcement authority. The Attorney General continues to bring civil actions in state court, while the CPPA leads administrative enforcement, audits, and rulemaking. This shared framework allows for both preventive oversight and formal enforcement when violations are found.

Violations may include failing to display a “Do Not Sell or Share My Personal Information” link, ignoring verified deletion requests, collecting sensitive personal data without disclosure, or sharing user data with third parties without consent. For instance, the Attorney General’s case against Sephora showed that failing to honor Global Privacy Control signals could qualify as a CCPA violation.

Clym cannot guarantee immunity from enforcement, but it provides features that help organizations manage data privacy and documentation effectively. Through its centralized dashboard, consent logs, and data request workflows, businesses can demonstrate their ongoing efforts to maintain compliance readiness.

The California Privacy Protection Agency (CPPA) is required by law to adjust penalty amounts every two years based on the Consumer Price Index (CPI). The next scheduled review is in 2027, meaning the 2025 fine levels remain in effect through 2026. These periodic updates help maintain fairness and deterrence by reflecting economic changes.

Consumers have several key rights, including the right to know what personal information is collected, the right to delete that information, the right to opt out of its sale or sharing, and the right to correct inaccurate data. They also have the right to access a copy of their personal data and to request that businesses disclose their data-sharing practices.

Under the CCPA, businesses generally have 45 days to respond to a verified consumer request. This period may be extended by an additional 45 days when reasonably necessary, provided the consumer is informed of the extension and its justification. Proper request-handling documentation helps demonstrate good-faith compliance efforts.

Yes. The law applies to businesses meeting specific thresholds, such as annual revenue over $25 million, buying or selling data of 100,000 or more consumers, or deriving 50% or more of revenue from selling or sharing personal data. Smaller entities outside these thresholds are generally not covered but may still face enforcement under other consumer protection statutes.

Companies can reduce risk by maintaining clear privacy notices, updating consent interfaces to reflect current requirements, and tracking all consumer requests for access or deletion.

Using tools such as Clym’s Consent Management Platform and Data Subject Request Management can simplify these processes and improve transparency.

Alex Margau

Content Manager

Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.
