CCPA Penalties and Fines in 2026: How Much Is a CCPA Violation?

These figures represent the CCPA maximum fine levels as of 2025. The CPPA will review these thresholds again in 2027 to reflect future CPI changes. Under the CCPA, each affected consumer may count as a separate violation. Because CCPA fines are calculated per violation, total exposure depends on the number of impacted individuals, not just the type of misconduct.

How much are CCPA fines per violation?

The CCPA authorizes the CPPA and Attorney General to issue civil and administrative fines for non-compliance. In 2026, the maximum CCPA fine per violation is $2,663 for unintentional violations and $7,988 for intentional or minor-related violations. These amounts represent administrative CCPA penalties imposed by regulators. Because violations may be counted per consumer, CCPA fines can increase rapidly in high-volume data environments. In addition, consumers affected by data breaches may seek damages between $107 and $799 per incident or actual damages, whichever is higher. The amount of each CCPA penalty depends on the nature, intent, and scope of the violation.

How regulators calculate CCPA penalties

Regulators evaluate several factors when determining the final amount of CCPA penalties in an enforcement action. While the statute sets maximum fine amounts per violation, the final CCPA fine often reflects how the violation occurred and how the business responded.

Authorities such as the California Privacy Protection Agency (CPPA) and the California Attorney General typically consider:

• Number of affected consumers: Because CCPA fines are calculated per violation, large datasets or high‑traffic platforms can significantly increase total exposure.
• Intent or negligence: Intentional violations typically result in higher CCPA penalties than accidental or promptly corrected issues.
• Duration of the violation: Ongoing failures to provide opt‑out mechanisms or honor consumer requests may increase enforcement risk.
• Remediation efforts: Businesses that quickly correct issues and cooperate during investigations may see reduced penalties.
• Impact on consumers: Regulators may evaluate whether the violation caused harm or exposed sensitive personal information.

For example, if a company ignores opt‑out requests from 10,000 consumers, regulators could theoretically assess CCPA fines for each affected individual. Even at the lower penalty tier, per‑violation fines can accumulate quickly in large‑scale data operations.

CCPA penalty tiers: How California calculates fines under the enforcement model

The CPPA applies structured penalty tiers that consider intent, harm, repetition, and cooperation.

These enforcement tiers illustrate how regulators assess CCPA penalties beyond the base fine amount. While the statute sets maximum CCPA fines, the final penalty depends on intent, repetition, harm, and cooperation during investigation.

Mitigating factors, such as documented staff training, transparent cooperation, and timely consumer notification, may reduce exposure within these tiers.

What qualifies as a CCPA violation: Common examples and scenarios

Common violations include:

• Collecting or sharing personal data without proper notice at collection.
• Failing to honor verified consumer requests within 45 days. For operational guidance, see our article on CCPA DSR workflows and request handling.
• Omitting the required “Do Not Sell or Share My Personal Information” link.
• Using sensitive personal information for undisclosed purposes. To understand the scope of regulated data, review what counts as personal information under CCPA.
• Continuing to process data after a consumer has opted out.

Example of a CCPA violation:
A retail website tracks visitors for advertising without providing an opt-out link. Each user session where data is sold or shared could count as an individual CCPA violation fine.

Each of these scenarios may trigger administrative CCPA penalties if regulators determine that the business failed to meet statutory obligations. Many enforcement actions originate from mishandled consumer requests, which is why companies often implement structured workflows. In large-scale digital operations, repeated failures can result in substantial CCPA fines.

CCPA enforcement actions and settlements: Key court cases and outcomes

California’s privacy law is enforced through a shared model, allowing both the California Attorney General and the California Privacy Protection Agency (CPPA) to pursue investigations and impose penalties. This dual enforcement approach ensures that businesses remain accountable under both administrative and legal oversight.
Key CCPA enforcement actions and outcomes

• Sephora (2022) - paid $1.2 million in civil penalties and agreed to injunctive terms after the Attorney General found the company failed to disclose that it sold personal information, did not honor Global Privacy Control signals, and did not cure within the required period. The judgment required updated privacy disclosures, honoring GPC signals, service-provider contract corrections, and periodic reporting.
• DoorDash (2024) - paid a $375,000 civil penalty and accepted permanent injunctive terms after an investigation concluded it participated in a marketing cooperative that shared customer data without adequate notice or an opportunity to opt out. The settlement required updated privacy notices, contract reviews with marketing vendors, and annual reports on sale or sharing practices.
• People v. Sling TV (2025) - resulted in a stipulated judgment and permanent injunction focused on accurate disclosures and honoring opt-out rights for cross-context behavioral advertising. The order required enhanced privacy notices, clarity around data related to minors, and compliance certifications to the Attorney General; resulted in a $530,000 settlement and permanent injunction requiring clearer privacy disclosures and improved opt-out handling for advertising data practices.

Enforcement priorities signaled for 2025

• Misleading consent interfaces and other dark pattern practices.
• Retention beyond disclosed business purposes and insufficient purpose limitation.
• Children and teens’ data, advertising transparency, and opt-out signals.

CCPA investigation process

CCPA enforcement investigations: common violation scenarios

California’s privacy law is enforced through a shared model, allowing both the California Attorney General and the California Privacy Protection Agency (CPPA) to pursue investigations and impose penalties.

CCPA enforcement penalties may be issued by either the California Attorney General or the CPPA. Both authorities have the power to investigate violations, conduct audits, and impose administrative CCPA fines.

Recent public enforcement actions have emphasized:

• Failure to disclose selling or sharing practices
• Failure to honor Global Privacy Control signals
• Inadequate opt-out mechanisms
• Weak service-provider agreements

Regulators increasingly examine backend data practices, not only website disclosures.

Recent enforcement examples and potential penalty exposure

These enforcement examples illustrate how operational failures can translate into administrative CCPA fines when regulators determine that statutory obligations were not followed.

CCPA fines vs statutory damages: understanding the difference

Businesses often confuse regulatory CCPA fines with consumer statutory damages. The two operate differently and may apply simultaneously depending on the incident.

Understanding this distinction helps organizations evaluate their potential exposure under different enforcement scenarios.

Statutory damages and private right of action

Under §1798.150, consumers may bring civil actions when certain data breaches occur due to failure to implement reasonable security measures. Statutory damages range from $107 to $799 per consumer per incident, or actual damages if higher.

These statutory damages are separate from administrative CCPA penalties. In certain cases, businesses may face both regulatory CCPA fines and private civil claims if a qualifying data breach occurs.

CCPA penalties and enforcement in 2026: What businesses should expect

As California’s privacy framework continues to evolve, 2026 reflects a period of operational enforcement.

While the per-violation CCPA fine amounts remain stable through 2026, enforcement attention continues to expand into consent design, data retention, opt-out symmetry, and transparency obligations. Businesses evaluating CCPA penalties exposure should review both statutory fine levels and operational risk factors using a structured CCPA compliance guide for businesses.

Areas of focus include:

• Honoring opt-out preference signals (including GPC)
• Symmetry between consent and opt-out mechanisms
• Clearer cookie banner disclosures
• Expanded privacy policy transparency
• Youth and teen data protections

Penalty amounts

• The California Privacy Protection Agency (CPPA) adjusts monetary thresholds in odd-numbered years based on CPI, as stated in California Civil Code § 1798.100 et seq.. Given the December 17, 2024 notice, the 2025 amounts are expected to remain in place through 2026, with the next update scheduled for 2027. Current levels: $2,663 per violation and $7,988 per intentional or minors-related violation; consumer damages $107–$799 per incident.

Regulations effective January 1, 2026

• The CPPA announced on September 23, 2025 that the Office of Administrative Law (OAL) approved a package of new and revised regulations, effective January 1, 2026. Key public-facing items include: confirming honored opt-out requests (including GPC), symmetry in consent and opt-out steps, clearer cookie banner requirements, expanded privacy policy disclosures (including categories disclosed to service providers and contractors), and a required privacy policy link in mobile app settings.
• Additional timing applies for some areas. Risk assessment duties begin January 1, 2026 with attestations due starting in 2028. Automated decision making technology obligations take effect January 1, 2027. Cybersecurity audit schedules are phased based on revenue, with certifications beginning in 2028.

Enforcement focus areas in 2026

• Adoption of the 2026 regulation changes on websites and apps, including honoring opt-out preference signals and avoiding non-symmetrical consent designs.
• Privacy policy placement and content updates, including app settings links and service provider disclosures.
• Ongoing attention to youth privacy and advertising transparency.

Practical takeaway

• For planning, treat 2026 as the year to operationalize the revised rules while keeping the 2025 CCPA maximum fine amounts in mind. Public-facing updates, consent flows, and signal handling are likely to be central in reviews and investigations.

6 steps to prepare your organization for CCPA enforcement in 2026

These steps help demonstrate good-faith efforts if regulators evaluate CCPA enforcement penalties.

How to report a CCPA violation to the CPPA

Consumers and organizations may file complaints through the CPPA online portal, which allows the public to report CCPA violation cases directly to the California Privacy Protection Agency. Complaints can relate to issues such as missing opt-out options, inaccurate privacy disclosures, or improper handling of consumer requests.
Once submitted, the CPPA may review the complaint, determine whether it indicates a pattern of non-compliance, and, if necessary, coordinate with the California Attorney General’s Office for further investigation. The agency’s published guidance clarifies that it focuses on patterns of misconduct and may use collected reports to inform future enforcement priorities.

How businesses can reduce the risk of CCPA penalties and fines

1. Map data flows: identify what categories of personal information are collected and shared.
2. Update privacy notices: state business purposes and retention periods clearly.
3. Establish consumer request workflows: log each access, deletion, or opt-out request.
4. Review vendor contracts: confirm that third parties meet service-provider obligations.
5. Train employees: educate staff on timelines, consumer rights, and reporting processes.
6. Document remediation efforts: records showing good-faith actions may reduce penalties.

To implement these steps systematically and avoid missing any requirements, use our step-by-step CCPA Compliance Checklist.

How Clym helps businesses manage CCPA penalties and privacy obligations

Navigating California’s privacy rules requires reliable tools that simplify consent management, consumer rights handling, and documentation. Clym offers a unified platform that helps organizations address the operational side of privacy management with solutions built to support CCPA and similar frameworks.

• Manage and record consent preferences automatically through Clym’s Consent Management Platform, which adapts to regional requirements and user preferences.
• Handle consumer data requests directly through Clym’s Data Subject Request Management feature, enabling quick responses to access, deletion, or opt-out submissions.
• Display and maintain up-to-date privacy disclosures using Clym’s Privacy and Cookie Policy Management tools.
• Monitor compliance activity and visitor interactions within a centralized Control Center dashboard for streamlined recordkeeping.

Clym’s integrated approach helps businesses simplify the complex regulatory landscape while maintaining transparency and respecting consumer rights.