California
The first US state to enact comprehensive consumer data protection legislation
Overview
California has an extensive privacy law framework that spans a constitutional guarantee of privacy, a comprehensive consumer data protection statute, a dedicated privacy enforcement agency, electronic communications protections that exceed federal law, a first-in-the-nation data broker deletion platform, and a web of sector-specific protections covering everything from genetic data to license plate readers.
California’s early adoption of privacy protections traces back to 1972, when voters amended the state constitution through a ballot initiative to add “privacy” as an inalienable right. Article I, Section 1 of the California Constitution now reads: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”[1] This was the first express constitutional right to privacy enacted by any state in the nation. Critically, California’s constitutional privacy right applies to both government and private actors, a distinction that sets it apart from the federal Fourth Amendment, which constrains only government conduct.[2]
Since 1972, California has enacted numerous statutory protections building on this constitutional foundation. The state has frequently been the first to enact privacy protections later considered by other states: from the first data breach notification law in 2003, to the first comprehensive consumer privacy act (CCPA) in 2018, to the first dedicated state privacy enforcement agency (CPPA) in 2020, to the first centralized data broker deletion platform (DROP) in 2026.
This page catalogs every major California privacy and surveillance law currently in effect, along with recent enforcement actions, pending litigation, and the agencies responsible for implementation. Given California’s population of nearly 39 million and its outsized role in the technology economy (home to Silicon Valley, the headquarters of Apple, Google, Meta, and countless other technology companies), the state’s privacy laws have a regulatory impact that extends far beyond its borders. Many companies choose to apply California’s standards nationally rather than maintain separate compliance regimes for different states.
CCPA / CPRA – The California Consumer Privacy Act
Enactment and Timeline
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and became effective on January 1, 2020. It was the first comprehensive consumer privacy law enacted by any U.S. state.[3] The CCPA was subsequently amended and strengthened by the California Privacy Rights Act (CPRA), which passed as a ballot initiative (Proposition 24) on November 3, 2020, with its amendments taking effect on January 1, 2023.[4] The CPRA did not replace the CCPA but rather amended it in place; the law is still formally codified as the CCPA at California Civil Code Section 1798.100 et seq.
Who It Applies To
The CCPA applies to for-profit businesses that do business in California, collect California residents’ personal information, and determine the purposes or means of processing that data, and satisfy at least one of the following thresholds:
- Annual gross revenue exceeding $26.625 million (adjusted for inflation as of January 1, 2025; originally $25 million)[5]
- Annually buy, sell, or share the personal information of 100,000 or more California consumers or households
- Derive 50% or more of annual revenue from selling or sharing California consumers’ personal information
The CCPA’s reach is extraterritorial: it applies to any qualifying business that collects personal information from California residents, regardless of where the business is physically located. (Most other state comprehensive privacy laws take the same approach; California’s distinctive features lie elsewhere, as discussed below.)
Key Exemptions
The CCPA exempts certain categories of data and entities, including:
- Medical information governed by the Confidentiality of Medical Information Act (CMIA) and the federal HIPAA
- Personal information collected under the federal Gramm-Leach-Bliley Act (GLBA) by financial institutions
- Personal information collected under the Fair Credit Reporting Act (FCRA)
- Clinical trial data and de-identified or aggregate consumer information
- Government agencies and nonprofits (a notable gap that some states like Oregon and Delaware have closed)
Importantly, the HIPAA, GLBA, and FCRA exemptions apply at the data level, not the entity level, so a financial institution is still subject to the CCPA for any personal information it collects that is not covered by GLBA. The exclusion of government agencies and nonprofits, by contrast, is an entity-level exclusion: they fall outside the statute’s definition of a “business” altogether.
Sensitive Personal Information
The CPRA introduced a distinct category of sensitive personal information subject to heightened protections. This category includes:
- Social Security, driver’s license, state identification card, and passport numbers
- Account log-in credentials (username plus password, security questions, or answers)
- Financial account numbers combined with access or security codes
- Precise geolocation data
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Contents of mail, email, and text messages (unless the business is the intended recipient)
- Genetic data and biometric information processed for identification purposes
- Health information and information about sex life or sexual orientation
Consumers have the right to limit the use and disclosure of sensitive personal information to what is necessary to perform the services or provide the goods reasonably expected by an average consumer. Businesses must display a “Limit the Use of My Sensitive Personal Information” link alongside the opt-out link.[3]
Consumer Rights
The CCPA/CPRA grants California residents an extensive set of consumer data rights:
- Right to Know: Consumers can request that a business disclose what personal information it has collected, the categories of sources, the business purposes for collecting it, and the categories of third parties with which it has been shared.[3]
- Right to Delete: Consumers can request deletion of their personal information, subject to certain exceptions.
- Right to Correct: Added by the CPRA, consumers can request that a business correct inaccurate personal information.
- Right to Opt Out of Sale or Sharing: Consumers can direct a business to stop selling or sharing their personal information for cross-context behavioral advertising. Businesses must provide a “Do Not Sell or Share My Personal Information” link on their website.
- Right to Limit Use of Sensitive Personal Information: Added by the CPRA, consumers can restrict a business’s use and disclosure of sensitive personal information (including Social Security numbers, financial account numbers, precise geolocation, racial or ethnic origin, religious beliefs, and biometric data) to what is necessary for the expected purposes.
- Right to Data Portability: Consumers can obtain their personal information in a structured, commonly used, machine-readable format.
- Right to Non-Discrimination: Businesses cannot discriminate against consumers who exercise their CCPA rights by charging different prices, providing different quality of service, or denying goods or services.
- Right to Opt Out of Automated Decision-Making: Added by CPPA regulations effective January 1, 2026, consumers have rights related to automated decision-making technology (ADMT), including pre-use notices and the ability to opt out of significant decisions made by algorithms (the regulations phase in the compliance deadlines for these requirements over the following years).[6]
Business Obligations
The CCPA/CPRA imposes substantial obligations on covered businesses:
- Data minimization: The CPRA added the requirement that businesses collect, use, retain, and share personal information only as “reasonably necessary and proportionate” to the disclosed purposes.
- Purpose limitation: Personal information cannot be used for purposes incompatible with those disclosed at the time of collection.
- Storage limitation: Businesses must not retain personal information for longer than reasonably necessary for the disclosed purpose.
- Contractual requirements: Service providers and contractors must agree by contract to specific data handling obligations.
- Universal opt-out recognition: Businesses must honor Global Privacy Control (GPC) and similar universal opt-out preference signals.
- Privacy policy requirements: Businesses must maintain comprehensive privacy policies updated at least once every 12 months.
- Cybersecurity audits: Regulations effective January 1, 2026, require businesses whose processing presents significant risk to consumers’ privacy to conduct annual cybersecurity audits, with the first audit deadlines phased in by business size.[6]
- Risk assessments: Businesses whose processing presents significant risk to consumers’ privacy, including use of automated decision-making technology for significant decisions, must complete risk assessments and submit summary information about them to the CPPA.[6]
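The universal opt-out obligation above is the one item in this list that is implemented in code rather than in policy documents. The Global Privacy Control signal arrives as the HTTP request header Sec-GPC with the value 1, and the CPPA regulations require a business to process that signal as a valid opt-out of sale/sharing, to apply it to the consumer’s known profile when the consumer is logged in, and to honor it even when it conflicts with a business-specific setting that permits selling (the business may notify the consumer of the conflict but may not ignore the signal). The following server-side logic is an added example written for this page, not code from any regulator or vendor; the ccpa_optout cookie name, the in-memory opt-out store, and the tag inventory are hypothetical.

```python
# Added example (not from the page or any regulator): server-side handling of the
# Global Privacy Control (GPC) opt-out preference signal under the CCPA regulations.
# The request is modelled as a dict of headers and a dict of cookies. The cookie name
# "ccpa_optout", OPT_OUT_STORE and the TAGS inventory are hypothetical.
from dataclasses import dataclass
from typing import Optional

GPC_HEADER = "sec-gpc"          # header name from the GPC spec, compared case-insensitively
OPT_OUT_COOKIE = "ccpa_optout"  # hypothetical first-party cookie set by the "Do Not Sell or Share" link

# Hypothetical persisted per-consumer settings keyed by a known identifier (e.g. account id).
# Values: "opt_out" or "sell_ok" (a business-specific setting the consumer chose earlier).
OPT_OUT_STORE: dict = {}


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool   # True: sale/sharing must be suppressed for this request
    source: str       # "gpc", "cookie", "stored", or "none"
    conflict: bool    # GPC received while the stored business-specific setting said "sell_ok"


def gpc_signal_present(headers: dict) -> bool:
    """True only when Sec-GPC is present with the exact value '1' (the spec defines no other 'on' value)."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: dict, cookies: dict, consumer_id: Optional[str] = None) -> OptOutDecision:
    """Decide whether selling/sharing must be suppressed for this request.

    Precedence follows the regulations' treatment of opt-out preference signals: a GPC
    signal is itself a valid opt-out request, is persisted to the consumer's profile when
    the consumer is known, and overrides a conflicting "sell_ok" setting (the conflict is
    surfaced so the business can notify the consumer, but the signal is still processed).
    """
    stored = OPT_OUT_STORE.get(consumer_id) if consumer_id else None
    if gpc_signal_present(headers):
        if consumer_id:
            OPT_OUT_STORE[consumer_id] = "opt_out"  # apply to the known profile, not just this session
        return OptOutDecision(True, "gpc", conflict=(stored == "sell_ok"))
    if cookies.get(OPT_OUT_COOKIE) == "1":
        return OptOutDecision(True, "cookie", False)
    if stored == "opt_out":
        return OptOutDecision(True, "stored", False)
    return OptOutDecision(False, "none", False)


# Hypothetical tag inventory: which scripts "share" personal information for cross-context
# behavioral advertising (must be suppressed after opt-out) and which stay first-party.
TAGS = {
    "adnetwork_pixel": {"shares_pi": True},
    "retargeting_sdk": {"shares_pi": True},
    "first_party_analytics": {"shares_pi": False},
}


def tags_to_load(decision: OptOutDecision) -> list:
    """Return the sorted tag names that may be injected into the page for this request."""
    return sorted(name for name, meta in TAGS.items()
                  if not (decision.opted_out and meta["shares_pi"]))
```

The decision is computed on every request rather than cached in a session, because the browser sends Sec-GPC on each request and a consumer can switch the setting on at any time; the only state worth persisting is the opt-out itself, attached to a known profile. Tag suppression happens server-side, before any third-party script is emitted, since a client-side check that runs after the pixel has fired is not an opt-out at all.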
Enforcement
The CPRA created the California Privacy Protection Agency (CPPA), the first dedicated state privacy enforcement agency in the United States. The five-member board began operations in 2021 and has concurrent enforcement authority with the California Attorney General.[4]
Administrative penalties (CPPA): As of 2025, penalties are adjusted for inflation: up to $2,663 per violation for unintentional violations and up to $7,988 per intentional violation or violations involving minors’ data.[5]
Civil penalties (AG): The Attorney General can seek civil penalties in court under the same per-violation structure, and has secured settlements reaching into the millions of dollars.
Private Right of Action for Data Breaches
The CCPA includes a limited private right of action under Section 1798.150 – the only provision in the CCPA that allows individual consumers to sue. It applies when a consumer’s nonencrypted and nonredacted personal information is subject to unauthorized access, exfiltration, theft, or disclosure as a result of a business’s failure to implement and maintain reasonable security procedures and practices.[7]
Consumers can recover statutory damages of not less than $100 and not greater than $750 per consumer per incident (adjusted for inflation: $107–$799 as of 2025), or actual damages, whichever is greater.[5] Before filing suit, a consumer must provide 30 days’ written notice to the business; if the business cures the violation within that window, the statutory damages claim is barred.[7] The CPRA narrowed this cure provision: implementing and maintaining reasonable security procedures after a breach does not by itself constitute a cure with respect to that breach, so the cure notice is of little practical use once data has already been exfiltrated. This private right of action has generated substantial class action litigation, particularly following large-scale data breaches. Courts consider factors including the nature and seriousness of the misconduct, the number of violations, the persistence and willfulness of the conduct, and the defendant’s financial condition when determining the amount of statutory damages within the permissible range.[7]
How California Compares
The CCPA/CPRA differs from the other 19 state comprehensive privacy laws in several critical respects:
- Dedicated enforcement agency: California is the only state with the CPPA, a purpose-built privacy enforcement body. All other states rely on their Attorney General.
- Private right of action: Apart from a narrow provision in Florida’s law concerning children, California is the only state whose comprehensive privacy law allows consumers to sue directly for privacy violations, even though the CCPA’s private right of action is limited to data breaches.
- Enumerated rights: California enumerates more individual consumer data rights than any other state, including the right to limit use of sensitive data and (as of 2026) rights related to automated decision-making.
- Ballot initiative status: Because the CPRA was enacted by voters through a ballot initiative, the legislature can only strengthen its protections, not weaken them.
- Most detailed regulations: The CPPA has promulgated the most detailed implementing regulations of any state, running hundreds of pages and covering topics from universal opt-out mechanisms to cybersecurity audits.
CalECPA – California Electronic Communications Privacy Act
The California Electronic Communications Privacy Act (CalECPA), codified at Penal Code Section 1546 et seq., took effect on January 1, 2016. Co-authored by Senators Mark Leno and Joel Anderson, CalECPA was the product of a broad coalition including the ACLU, EFF, major technology companies, and law enforcement groups.[8]
Core Warrant Requirement
CalECPA establishes a bright-line rule: no California government entity may compel the production of or access to electronic communication information or electronic device information without a search warrant, the individual’s consent, or a qualifying emergency.[9] This addresses a gap left by the federal Electronic Communications Privacy Act (ECPA), which still permits law enforcement to access certain electronic communications with a mere subpoena or court order based on a standard below probable cause.
What CalECPA Protects
- Electronic communication information: The content of electronic messages, as well as associated metadata, location data, and IP addresses, essentially any information about an electronic communication or the use of an electronic communication service.[8]
- Electronic device information: All information stored on a device (phones, laptops, tablets) as well as information generated through the use of the device.
Warrant Specificity and Safeguards
CalECPA warrants must describe with particularity the information to be seized, specifying time periods covered and targeted individuals or accounts. Any information obtained that is unrelated to the warrant’s objective must be sealed and cannot be reviewed, used, or disclosed without a separate court order.[9]
Notice Requirements
Uniquely, CalECPA requires that targets of a warrant be provided with notice of the government’s request, even in emergency situations. Delayed notice is permitted only with a court order and must be served within a defined period.[8]
Emergency Exceptions
Law enforcement may access electronic communications without a warrant only when there is a good-faith belief that an emergency exists involving danger of death or serious bodily injury. Even in emergencies, the government must apply to a court for a warrant or other approval of the emergency access within three court days after obtaining the information.[9]
CalECPA Significance
CalECPA is frequently cited by privacy advocates, including the EFF and ACLU, as a model for state-level electronic privacy legislation. The federal ECPA, enacted in 1986, contains an outdated provision (the “180-day rule”) that treats emails stored on a server for more than 180 days as abandoned – allowing government access with only a subpoena rather than a warrant. CalECPA eliminates this loophole entirely for California government entities, requiring a full warrant regardless of how long the communications have been stored. It also extends protections to location data, metadata, and device information that the federal ECPA does not adequately address. Several other states have modeled their electronic privacy laws on CalECPA’s framework.[8]
DELETE Act and DROP Platform
The DELETE Act (SB 362)
The Delete Act (Senate Bill 362, Chapter 709, Statutes of 2023), signed by Governor Newsom on October 10, 2023, requires every data broker registered in California to participate in a centralized deletion mechanism.[10] The law builds on California’s existing data broker registration statute (Civil Code Section 1798.99.80 et seq.), which has required data brokers to register with the California Attorney General (now the CPPA) since 2019.
The DROP Platform
The Delete Act directed the CPPA to build the Delete Request and Opt-out Platform (DROP), a first-in-the-nation system that allows California residents to submit a single deletion request that is transmitted to all registered data brokers simultaneously.[11]
Timeline:
- January 1, 2026: The DROP platform launched, and California consumers can now submit deletion requests through the system.[12]
- August 1, 2026: Data brokers must begin accessing the DROP at least every 45 days to retrieve and process consumer deletion requests.
- Processing deadline: Once a broker retrieves a deletion request, it has 45 days to process the deletion and report back to the CPPA.
Enforcement and Penalties
Data brokers who fail to register face penalties of $200 per day. Beginning August 1, 2026, data brokers who fail to act on DROP deletion requests may face penalties of $200 per request per day.[10] In January 2026, the CPPA announced its Data Broker Strike Force, a dedicated enforcement unit targeting non-compliant data brokers and indicating increased enforcement of the Delete Act.[13]
Opt-Out Functionality
On January 20, 2026, Governor Newsom announced that the DROP platform had been expanded to allow consumers to not only delete their data but also block the future sale of their personal information by all registered data brokers, a first-of-its-kind opt-out tool.[14]
California Age-Appropriate Design Code Act (CAADCA)
The California Age-Appropriate Design Code Act (CAADCA), Assembly Bill 2273, was signed into law on September 15, 2022, and was intended to take effect on July 1, 2024. Modeled after the United Kingdom’s Age Appropriate Design Code, it was the first U.S. state age-appropriate design code.[15]
Key Provisions
The CAADCA would require online services “likely to be accessed by children” (under 18) to:
- Configure default privacy settings to high privacy for children
- Complete Data Protection Impact Assessments (DPIAs) evaluating whether algorithms, data collection, or design features could harm children
- Use age-appropriate language in privacy disclosures
- Prohibit profiling of children by default
- Restrict features that encourage children to provide more data than necessary
Litigation: NetChoice v. Bonta
Before the CAADCA could take effect, the tech industry trade group NetChoice (whose members include Google, Meta, Amazon, and TikTok) sued to block it. In September 2023, the Northern District of California issued a preliminary injunction halting enforcement on First Amendment grounds.[16]
On August 16, 2024, the Ninth Circuit issued a partial ruling: it held that the CAADCA’s DPIA requirement likely violates the First Amendment by compelling speech and potentially “commandeering private companies to act as roving censors,” but remanded the case to the district court to evaluate the constitutionality of the remaining provisions individually.[17]
On remand, the Northern District of California again granted NetChoice’s request for a preliminary injunction on March 13, 2025. California filed another appeal on April 11, 2025, and the case remains pending before the Ninth Circuit as of February 2026.[16]
Current Status
The CAADCA is not currently enforceable. It has been enjoined since September 2023 and faces an uncertain future, though Governor Newsom and Attorney General Bonta have vowed to continue defending the law. The case has become a bellwether for the viability of children’s online safety legislation nationwide.
Other Sector-Specific Privacy Laws
Shine the Light (Civil Code Section 1798.83)
Enacted in 2003 and effective January 1, 2005, Shine the Light was one of the first state laws in the nation to address the practice of sharing customers’ personal information for marketing purposes. It requires businesses to disclose, upon request from a California resident, what personal information has been shared with third parties for direct marketing and the identities of those third parties. Alternatively, businesses can offer customers the ability to opt out of such sharing.[18] While largely superseded by the CCPA’s broader rights, Shine the Light remains in effect and has seen renewed litigation activity.
Song-Beverly Credit Card Act (Civil Code Section 1747 et seq.)
Originally enacted in 1971, the Song-Beverly Credit Card Act prohibits retailers from requesting or recording personally identifiable information (PII) as a condition of accepting credit card payment. The California Supreme Court held in Pineda v. Williams-Sonoma Stores, Inc. (2011) that ZIP codes qualify as PII under the Act. Violations carry statutory penalties, and the law has generated a new wave of privacy litigation as plaintiffs’ attorneys have used it to challenge online tracking pixels and other digital collection tools that gather PII during credit card transactions.[19]
Genetic Information Privacy Act (GIPA)
Effective January 1, 2022, the Genetic Information Privacy Act (Civil Code Section 56.18 et seq.) regulates direct-to-consumer genetic testing companies, requiring express consent for collection, use, and disclosure of genetic data. Companies must implement reasonable security procedures, provide consumers with access to their genetic data, and honor deletion requests for genetic data and accounts.[20]
CalGINA – Genetic Non-Discrimination
The California Genetic Information Non-Discrimination Act (CalGINA) extends genetic non-discrimination protections beyond the federal GINA’s scope of employment and health insurance. CalGINA adds “genetic information” to California’s protected classes, prohibiting genetic discrimination in housing, emergency services, education, mortgage lending, and elections.[20]
Biometric Information Protections
While California does not have a standalone biometric privacy statute comparable to Illinois’s BIPA, the CCPA defines biometric information broadly (including fingerprints, face prints, retina and iris scans, voice recordings, and DNA) and treats the processing of biometric information for the purpose of uniquely identifying a consumer as sensitive personal information. That classification grants consumers the right to limit processing and triggers heightened business obligations under the CCPA/CPRA framework.[3]
Student Online Personal Information Protection Act (SOPIPA)
Enacted in 2014, SOPIPA prohibits operators of websites, online services, and apps designed for K–12 school purposes from selling students’ information, using it for behavioral advertising, or building profiles of students for non-educational purposes.
California Financial Information Privacy Act (SB 1)
California’s version of financial privacy regulation goes beyond the federal Gramm-Leach-Bliley Act by requiring opt-in consent (rather than opt-out) before financial institutions can share consumers’ nonpublic personal information with non-affiliated third parties.
Confidentiality of Medical Information Act (CMIA)
The CMIA (Civil Code Section 56 et seq.) has protected the confidentiality of medical information in California since 1981 – predating the federal HIPAA by nearly two decades. It restricts health care providers, health plans, and their contractors from disclosing medical information without patient authorization, and provides a private right of action with damages of $1,000 per violation plus actual damages and attorney’s fees. The CMIA applies to entities that may not be covered by HIPAA, including employers who receive medical information.
Reader Privacy Act (SB 602)
Enacted in 2011, the Reader Privacy Act (Civil Code Section 1798.90) protects the privacy of book purchases, library records, and digital reading activity. It requires a court order, warrant, or written consent before any government entity or private party can compel a provider of a “book service” (including e-book platforms and digital library services) to disclose a user’s reading records. California was the first state to extend traditional library privacy protections to digital reading platforms.
California Consumer Credit Reporting Agencies Act
California’s credit reporting law (Civil Code Section 1785.1 et seq.) provides protections that in several areas exceed the federal Fair Credit Reporting Act, including a security freeze right (enacted before the federal version), additional restrictions on who can access credit reports, and enhanced dispute resolution procedures.
Surveillance and Law Enforcement
Two-Party Consent State – Penal Code 632
California is one of approximately eleven two-party (all-party) consent states for the recording of confidential communications. Penal Code Section 632 makes it a crime to intentionally record or eavesdrop on a confidential communication without the consent of all parties to the conversation using any electronic amplifying or recording device.[21]
Penalties:
- First offense: a wobbler (can be charged as either a misdemeanor or felony), with a fine up to $2,500 per violation and/or imprisonment of up to one year in county jail for a misdemeanor, or 16 months, two, or three years in state prison for a felony.[21]
- Subsequent offenses: fine up to $10,000 per violation and/or imprisonment.
- Civil liability: Under Penal Code 637.2, victims can sue for the greater of $5,000 per violation or three times the amount of actual damages, and may seek injunctive relief; no proof of actual damages is required to bring the action.
Related statutes include Penal Code 631 (wiretapping of telephone or telegraph communications), Penal Code 632.5 (cellular radio telephone communications), Penal Code 632.6 (cordless telephone communications), Penal Code 632.7 (communications involving cellular or cordless telephones), and Penal Code 636 (eavesdropping on law enforcement communications).
CalECPA Warrant Requirements
As detailed above, CalECPA (Penal Code Section 1546 et seq.) requires a warrant based on probable cause before any California government entity can access electronic communications or device data, closing loopholes in the federal ECPA that allow warrantless access to communications older than 180 days.[8]
Facial Recognition Restrictions
California enacted a three-year moratorium (AB 1215, effective 2020–2023) prohibiting law enforcement from using facial recognition technology or other biometric surveillance systems in connection with police body-worn cameras.[22] After the moratorium expired in January 2023, subsequent legislation (AB 1814) was introduced to prohibit the use of facial recognition technology as the sole basis for probable cause for an arrest, search, or warrant affidavit. At the local level, San Francisco (2019), Oakland, and Berkeley have enacted outright bans on government use of facial recognition technology, while other jurisdictions including Santa Clara County and San Diego require government body approval before law enforcement can procure or deploy the technology.[22]
Automatic License Plate Reader (ALPR) Regulations
Senate Bill 34 (Statutes of 2015), codified at Civil Code Section 1798.90.5 et seq., established California as one of the first states to comprehensively regulate ALPR systems used by law enforcement. Key requirements include:[23]
- Public agencies may not sell, share, or transfer ALPR data except to other public agencies
- ALPR operators must maintain reasonable security and implement a publicly available usage and privacy policy
- System operators must maintain ALPR data only for authorized purposes and define retention policies
- Violations carry minimum liquidated damages of $2,500 per violation plus potential punitive damages
Drone Privacy (Civil Code Section 1708.8)
California’s “anti-paparazzi” statute, Civil Code Section 1708.8, was originally enacted in the 1990s and amended in 2015 (AB 856) to address drone-based surveillance. The law creates civil liability for physical invasion of privacy when a person knowingly enters onto land or into the airspace above land without permission to capture images or recordings of private activity. Penalties include civil fines of $5,000 to $50,000, treble damages, and disgorgement of commercial proceeds. The law applies to anyone – not just paparazzi – and covers both direct physical trespass and the use of drones or other devices to capture images from airspace above private property.[24]
Local Surveillance Oversight Ordinances
Several California cities have enacted local ordinances requiring transparency and oversight of law enforcement surveillance technology:
- San Francisco: The 2019 Stop Secret Surveillance Ordinance bans city agencies from using facial recognition and requires Board of Supervisors approval before acquiring any new surveillance technology, along with annual reporting on existing technology use.[22]
- Oakland: The Privacy Advisory Commission oversees surveillance technology acquisitions and requires impact reports.
- Berkeley: Enacted a surveillance oversight ordinance modeled on San Francisco’s, including a facial recognition ban.
- Santa Clara County: Requires county agencies to submit surveillance technology proposals for public review and Board of Supervisors approval.
These local measures have been cited as examples by other cities considering surveillance oversight ordinances.
Data Breach Notification
California was the first state in the nation to enact a data breach notification law when it passed SB 1386 in 2002 (effective July 1, 2003). The law, codified at Civil Code Section 1798.82 et seq., has been amended multiple times and remains among the more detailed breach notification statutes in the country.[25]
Trigger
Notification is required when unencrypted personal information is acquired, or reasonably believed to have been acquired, by an unauthorized person. Encrypted personal information is also in scope if the encryption key or security credential was acquired as well and could render the data readable, so encryption only removes a breach from the notification regime when the key stayed out of the attacker’s hands. Personal information includes name combined with Social Security number, driver’s license number, financial account numbers, medical information, health insurance information, or biometric data, as well as a username or email address combined with a password or security question and answer that would permit access to an online account.[25]
Timeline (Amended 2025)
Senate Bill 446, signed in 2025 and effective January 1, 2026, replaced the previous “most expedient time possible” standard with a hard 30-calendar-day deadline from discovery of the breach. Delayed notification is permitted only to accommodate law enforcement needs or to determine the scope of the breach and restore system integrity.[26]
AG Notification
For breaches affecting more than 500 California residents, the entity must notify the California Attorney General within 15 calendar days of notifying affected residents.[26]
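The trigger, the 30-day clock from discovery, and the 500-resident AG threshold combine into a decision procedure that incident-response teams usually encode in a playbook. The following triage helper is an added example written for this page, not code from any statute or agency; the incident record format and the sample values are constructed, the deadlines are the ones quoted on this page, and the encryption-key rule follows the statute’s treatment of encrypted data. It is a planning aid, not legal advice.

```python
# Added example (not from the page, the statute, or any agency): incident-response triage
# that applies California's breach-notification trigger and the deadlines quoted on this page.
# The Incident record, the element names and the sample incidents are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Data elements that, combined with a name, trigger notification under Civil Code 1798.82.
ENUMERATED_ELEMENTS = {
    "ssn", "drivers_license", "financial_account", "medical_info",
    "health_insurance_info", "biometric_data",
}
NOTIFY_RESIDENTS_WITHIN = timedelta(days=30)  # SB 446 deadline from discovery (as stated on this page)
NOTIFY_AG_WITHIN = timedelta(days=15)         # after resident notice, when > AG_THRESHOLD residents
AG_THRESHOLD = 500


@dataclass
class Incident:
    discovered: date
    elements: Set[str]          # data elements present in the exposed records
    ca_residents: int           # affected California residents
    encrypted: bool = False     # was the personal information encrypted in the exposed data?
    key_acquired: bool = False  # was the encryption key or security credential also taken?
    law_enforcement_hold: bool = False  # notice delayed at law enforcement's request


def notification_triggered(inc: Incident) -> bool:
    """Apply the statutory trigger to the incident record."""
    # Encrypted data is out of scope only while the key or credential stayed out of reach.
    if inc.encrypted and not inc.key_acquired:
        return False
    # Prong 1: name plus at least one enumerated element.
    if "name" in inc.elements and inc.elements & ENUMERATED_ELEMENTS:
        return True
    # Prong 2: online account credentials (username/email plus password or security Q&A).
    if {"username", "email"} & inc.elements and {"password", "security_qa"} & inc.elements:
        return True
    return False


def triage(inc: Incident, residents_notified_on: Optional[date] = None) -> dict:
    """Return which notices are owed and by when (None deadline = held at law enforcement's request)."""
    if not notification_triggered(inc):
        return {"notify_residents": False, "notify_ag": False}
    result = {
        "notify_residents": True,
        "resident_deadline": None if inc.law_enforcement_hold else inc.discovered + NOTIFY_RESIDENTS_WITHIN,
        "notify_ag": inc.ca_residents > AG_THRESHOLD,
    }
    if result["notify_ag"] and residents_notified_on is not None:
        result["ag_deadline"] = residents_notified_on + NOTIFY_AG_WITHIN
    return result


if __name__ == "__main__":
    # Constructed sample: a database dump of names and SSNs discovered on 1 Feb 2026.
    sample = Incident(discovered=date(2026, 2, 1), elements={"name", "ssn"}, ca_residents=1200)
    print(triage(sample, residents_notified_on=date(2026, 2, 20)))
```

The encryption check is deliberately the first test: the most common triage error is treating “the disk was encrypted” as dispositive when the attacker held valid credentials or the key material (a stolen laptop with the volume key cached is a different case from a stolen laptop with the key in a hardware token the attacker never had). The second prong is worth keeping visible because a credential-stuffing exposure of email/password pairs with no name attached still triggers the statute.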
Content Requirements
Notifications must be clearly titled “Notice of Data Breach,” set in 10-point font or larger, written in plain language, and organized under specific headings including: what happened, what information was involved, what the business is doing, what the consumer can do, and contact information.[25]
Interaction with CCPA Private Right of Action
The CCPA’s private right of action under Section 1798.150 provides an additional layer of consumer remedies for data breaches caused by a business’s failure to maintain reasonable security. While the breach notification statute addresses notice obligations, the CCPA addresses liability for damages resulting from inadequate security that contributed to the breach.[7]
Enforcement
The California Attorney General maintains a public database of data breach notifications received from entities reporting breaches affecting more than 500 California residents. This database serves as both a transparency mechanism and a deterrent, as companies know their breaches will become part of the public record. Failure to comply with notification requirements can result in civil penalties and injunctive relief sought by the AG, in addition to potential CCPA liability.[25]
Recent Developments (2025–2026)
CPPA Rulemaking
On July 24, 2025, the CPPA Board adopted final regulations that went into effect January 1, 2026, adding three major new requirements to the CCPA framework:[6]
- Mandatory cybersecurity audits for businesses whose data processing presents significant risk to consumer privacy
- Risk assessments for ADMT, requiring businesses to evaluate the risks and benefits of using algorithms for significant decisions about consumers
- Consumer rights related to ADMT, including pre-use notices, the right to opt out of algorithmic profiling, and the right to access meaningful information about the logic and likely outcomes of automated decisions
CPPA Enforcement Actions
The CPPA has significantly increased enforcement activity through 2025 and into 2026:
- Tractor Supply Company (September 2025): The CPPA’s largest penalty to date, a $1.35 million settlement for failing to provide effective opt-out mechanisms, failing to notify consumers of privacy rights, and disclosing personal information without required contractual protections.[27]
- American Honda Motor Co. (2025): Required to pay a $632,500 fine for CCPA violations.
- Todd Snyder, Inc. (May 2025): Ordered to pay $345,178 and overhaul its privacy practices.[28]
- Data broker enforcement: The CPPA has settled with at least five data brokers for failing to register under the Delete Act, including Rickenbacher Data LLC (d/b/a Datamasters, $45,000) and S&P Global ($62,600).[29]
Attorney General Enforcement
Attorney General Rob Bonta’s office has pursued its own parallel enforcement track:
- Walt Disney Company (2025): A $2.75 million penalty, the largest CCPA settlement by the AG to date, for noncompliance with opt-out requirements.[30]
- Healthline Media (July 2025): A $1.55 million settlement for CCPA violations.
The CPPA has reported that hundreds of investigations and enforcement actions are in progress as of early 2026, suggesting continued enforcement activity.[27]
DELETE Act Regulations and DROP Launch
On November 13, 2025, the CPPA approved final regulations implementing the Delete Act’s accessible deletion mechanism.[10] The DROP platform launched on January 1, 2026, and the CPPA simultaneously announced its Data Broker Strike Force to enforce registration and deletion compliance, as detailed in the DELETE Act section above.[13]
Penalty Inflation Adjustments
On December 17, 2024, the CPPA announced that CCPA fines and penalties would automatically increase for 2025 based on the Consumer Price Index, establishing a transparent, recurring adjustment mechanism to ensure penalties maintain their deterrent effect over time.[5]
