California’s privacy enforcement has accelerated since the California Privacy Protection Agency (CPPA) became fully operational. The agency reported hundreds of investigations in progress during 2025, with the largest fine to date reaching $1.35 million.
How CCPA/CPRA Enforcement Works
The CPPA and California Attorney General share enforcement responsibilities. Civil penalties for 2025 range from $2,663 to $7,988 per violation, with higher penalties for violations involving minors under 16.
Each affected consumer can count as a separate violation, which means penalties can escalate quickly. The CPPA has stated it can investigate conduct dating back to the law’s operative date of January 1, 2020, even for regulations finalised later.
Notable Enforcement Actions
Tractor Supply Company (2025) – $1.35 Million
The CPPA’s largest fine to date was issued in October 2025. The agency found that Tractor Supply’s website included a “Do Not Sell My Personal Information” link, but submitting requests through this form did not actually stop the sale or sharing of personal information.
Additionally, Tractor Supply did not configure its website to recognize and honor opt-out preference signals such as Global Privacy Control until July 2024. Browser-based opt-out requests were ineffective before that date.
Source: CPPA Announcement
Sephora (2022) – $1.2 Million
The California Attorney General’s first major CCPA settlement came against cosmetics retailer Sephora. The investigation found the company failed to disclose that it sold personal information, did not honor Global Privacy Control signals, and failed to cure violations within the 30-day period required at the time.
This case established that sharing data with third parties for targeted advertising purposes constitutes a “sale” under California law, even without direct payment.
Source: California Attorney General press release, August 2022
DoorDash (2024) – $375,000
DoorDash paid a $375,000 civil penalty after an investigation concluded it participated in a marketing cooperative that shared customer data. The company failed to provide adequate notice about this data sharing and did not offer customers an opportunity to opt out.
Source: CPPA enforcement records
Honda (2025)
The CPPA issued a decision against Honda in March 2025. The enforcement division alleged that Honda violated the privacy rights of California residents by requiring excessive verification of personal information before consumers could exercise their privacy rights. The verification process was deemed overly burdensome.
Source: CPPA Board Decision
What These Cases Tell Us
Several patterns emerge from California’s enforcement actions:
Global Privacy Control matters. Multiple fines have involved businesses that ignored or failed to implement GPC support. The CPPA expects businesses to honor these browser-based opt-out signals.
Opt-out mechanisms must actually work. Having a “Do Not Sell” link is not enough. The mechanism behind it must genuinely stop data sales and sharing.
Data sharing for advertising counts as selling. The Sephora case confirmed that sharing personal information with third parties for targeted advertising is a “sale” under California law, even without monetary exchange.
Verification must be proportionate. The Honda case shows that verification processes cannot create barriers to consumers exercising their rights.
What This Means for Your Organization
Enforcement is accelerating. Businesses should audit their opt-out mechanisms to confirm they function correctly, implement Global Privacy Control support if they have not already, and review verification procedures for consumer requests.
The CPPA publishes enforcement decisions and guidance on its website. Monitoring these announcements can help you understand the agency’s priorities and adjust your compliance approach accordingly.
