
Does your company have consumers in California? If so, you’ll want to listen up, because we’ve got a lot packed in for you today.
If your business violates the California Consumer Privacy Act, knowingly or unknowingly, you’ll be subject to fines. Outside of the CCPA/CPRA, there are other privacy laws under which consumers have a private right of action to sue you, and it’s happening thousands of times a month, costing businesses millions of dollars for not following our advice and using privacy software that builds trust and protects your business.
If you don’t want to pay CCPA fines then you should follow our advice.
Understanding the Applicability Threshold of the CCPA
The California Consumer Privacy Act (CCPA), enacted in 2018 and amended by the California Privacy Rights Act (CPRA) in 2020, is a landmark U.S. privacy law granting California residents rights over their personal information. Effective since January 1, 2020, with CPRA amendments fully enforceable as of July 1, 2023, the CCPA applies to businesses meeting specific thresholds. These applicability thresholds define its scope, distinguishing it from broader laws like Europe’s GDPR by targeting for-profit entities with significant California ties. Understanding these thresholds is crucial for businesses to determine compliance obligations and avoid penalties.
The Core Applicability Criteria
The CCPA applies to for-profit entities—corporations, partnerships, LLCs, or sole proprietorships—that collect personal information from California residents, determine the purposes and means of processing that data, and “do business” in California. “Doing business” isn’t limited to having a physical presence; it includes online sales or services targeting Californians. However, simply meeting these baseline conditions isn’t enough. A business must also satisfy one of three specific thresholds to fall under the CCPA’s jurisdiction.
Threshold 1: Annual Gross Revenue
The first threshold applies to businesses with annual gross revenues exceeding $25 million (adjusted to $25.625 million for inflation as of January 1, 2025, per the California Privacy Protection Agency). This figure reflects the preceding calendar year’s revenue across the entire entity, including affiliates under common control sharing branding—like a parent company and its subsidiaries. For example, a national retailer with $30 million in revenue, even if only a fraction comes from California, triggers this threshold if it collects Californians’ data. This broad metric captures large enterprises but often exempts smaller firms, though revenue aggregation across affiliates can unexpectedly pull in subsidiaries.
Threshold 2: Volume of Personal Information
The second threshold, updated by the CPRA, targets businesses that annually buy, sell, or share the personal information of 100,000 or more California residents or households. Before CPRA, this was 50,000 consumers, households, or devices, but the 2023 amendment narrowed the focus to residents and households, doubling the count to reflect scale. “Personal information” includes names, IP addresses, geolocation, or browsing history—data often collected via websites or apps. A mid-sized e-commerce site tracking 120,000 Californians’ shopping habits would meet this threshold, even with modest revenue. “Sharing” now includes cross-context behavioral advertising, expanding the rule’s reach to ad-tech firms.
Threshold 3: Revenue from Data Sales
The third threshold applies to businesses deriving 50% or more of their annual revenue from selling or sharing California residents’ personal information. “Selling” means transferring data for monetary or other valuable consideration, while “sharing” (added by CPRA) covers ad-related disclosures. A data broker earning most of its income by selling Californians’ health records would qualify, regardless of size. This threshold zeroes in on data-driven business models, exempting companies where data sales are incidental. Notably, even a small firm hitting this mark must comply, making it a critical check for startups in the privacy space.
Beyond the Thresholds: Additional Scope
The CCPA’s reach extends beyond these thresholds. Entities controlled by a covered business—sharing common branding and data—may also fall under its purview, as can joint ventures where each partner holds at least a 40% stake. Voluntary certification with the California Privacy Protection Agency (CPPA) can also trigger compliance. Exemptions exist for data governed by HIPAA or the Gramm-Leach-Bliley Act, but only for that specific data, not the entire business. This patchwork ensures broad applicability while avoiding overlap with federal laws.
Implications and Compliance
Meeting any threshold mandates compliance with CCPA rights—like access, deletion, and opt-out requests—enforced by the CPPA with fines up to $7,500 per intentional violation. Businesses must assess their revenue, data volume, and revenue sources annually, a task complicated by the law’s extraterritorial reach: a company in Texas selling to Californians could still be liable. With no federal privacy law, the CCPA’s thresholds set a high bar, influencing states like Colorado and Virginia. For firms near the edge—say, $24 million in revenue or 90,000 consumers—proactive audits and legal counsel are wise to navigate this evolving landscape.
The California Consumer Privacy Act (CCPA) has undergone updates to its fines and penalties for 2025. These adjustments, effective January 1, 2025, are based on increases to the Consumer Price Index and include:
- Increased Threshold for Coverage: The annual revenue threshold for businesses to be covered by the CCPA has increased to $26,625,000.
- Monetary Damages: The potential damages per consumer per incident have been adjusted to a minimum of $107 and a maximum of $799.
- Administrative Fines and Civil Penalties: The maximum fine for each violation is now $2,663, while intentional violations or those involving minors’ personal information can incur fines up to $7,988.
These changes pose a significant risk to businesses that fail to comply with the CCPA. The increased fines and potential damages can lead to substantial financial losses, especially for larger companies or those with repeated violations. Additionally, the CCPA allows consumers to take legal action against businesses for violations, further increasing the risk of financial and reputational damage.
Businesses should prioritize CCPA compliance to mitigate these risks. This includes understanding the updated regulations, implementing necessary data protection measures, and ensuring transparency with consumers about their data privacy practices.
CCPA Explained

CCPA is a data privacy law that provides guidelines for how businesses should collect, store, and use personal information.
For a more detailed answer, we have Anderson Lunsford, the CEO and Co-Founder of BreachRx. He says:
“CCPA is the California Consumer Privacy Act. It is a privacy law for the state of California that was passed in June 2018, shortly after the European Union’s landmark privacy law, the General Data Protection Regulation (GDPR), went into effect in the EU (May 2018).
The CCPA is similar to GDPR in that it takes a much broader and more comprehensive view of privacy rights for consumers, but there are also key differences in the requirements each imposes on businesses and their use of consumers’ personal information.”
Under this act, consumers have a right to know the kind of personal data a business collects about them. In addition, they have a right to know how this data is processed and shared.
Consumers also have the right to demand that their personal information be deleted. However, it is essential to note that there are some exceptions to this law that you must know. For example, the law does not apply to employee data, financial data, or health data.
CCPA Fines Overview
If a business violates the California Consumer Privacy Act, it will receive a CCPA fine. Initially, CCPA violations were dealt with by the California Attorney General’s Office. However, CCPA violations are currently being handled by the California Privacy Protection Agency.
The agency is governed by a five-member board. The governor appoints the chairperson and one member of the board. In addition, the Attorney General appoints one member, and the Speaker of the Assembly and the Senate Rules Committee select one each.
CCPA enforcement is done using a combination of various mechanisms, such as regulatory enforcement, civil action, and private rights of action.
Once an offense has been committed, the California Privacy Protection Agency will investigate the violation, issue a subpoena and bring an enforcement action against the business.
Alfred Brunetti, Principal at Porzio, Bromberg and Newman PC, says:
“A business, service provider or other person found to violate the CCPA as amended by the CPRA is subject to an injunction and a civil penalty of not more than $2,500 per violation and not more than $7,500 per intentional violation.”
This is only the tip of the iceberg, though; there are many nuances to this that we’ll cover below.
Types of CCPA Fines
There are several types of CCPA fines that businesses and consumers need to know about. This section discusses fines such as the private right of action, civil penalty, and fines for violating children’s rights.
Knowing these fines is essential so businesses can create robust compliance strategies to prevent these fines.
One strategy that can be implemented is having a data mapping and inventory system. This way, businesses can identify the type of personal data being collected and track how it is used.
Some of the fines that businesses need to know about are:
Civil Penalties
The California Privacy Protection Agency enforces civil penalties. However, a lawsuit can only be filed after a 30-day notice elapses.
The amount of civil penalties that can be enforced will depend on the nature and severity of the violations. A civil lawsuit is triggered when a business violates any CCPA law.
Examples of violations that can result in civil penalties are:
- Failure to have a CCPA privacy policy
- Failure to inform the consumer that their data is being collected
- Failure to have a CCPA opt-out policy
- Discriminating against a consumer for exercising their CCPA rights
Civil penalties include $2,500 for each violation and $7,500 for each intentional violation. However, the amount might be lower if the business proves that it has taken steps to guarantee the privacy of consumers as required by the CCPA.
Do Not Sell My Personal Information Button Penalty
This penalty is enforced if a business fails to have a “Do Not Sell My Personal Information” link or button on its website. The link or button must be prominently displayed on the homepage or the CCPA privacy policy page.
Businesses that fail to provide this link can be fined up to $2,500 per violation. If it is proven that the breach was intentional, the fine can be as high as $7,500.
Fines for Failure to Disclose Data Collection Practices
This CCPA fine is enforced when businesses fail to disclose the data they are collecting and its intended purpose. In addition, CCPA enforcement will be done if a business fails to inform consumers that their data will be shared with third parties.
A business that fails to disclose this information will be fined $2,500 per violation and $7,500 per intentional violation.
Fines for Violating Children’s Privacy
According to the CCPA, it is illegal for a business to sell the personal information of a minor (under 16) without the parent or guardian’s consent. If a business wants to sell a minor’s personal information, it must have opt-in consent from the guardian.
When opt-in consent is available, the business should verify the guardian’s identity and maintain proper records.
Businesses that sell a minor’s data without the consent of a guardian will be fined $7,500 per intentional violation and $2,500 per violation.
Private Right of Action
A private right of action is a legal lawsuit that allows consumers to sue a business for CCPA violations. These violations occur when a business fails to implement reasonable security measures that protect consumers’ data.
However, a consumer can only initiate a private right-of-action lawsuit if they establish that the business failed to encrypt their personal information, resulting in a breach. Consumers can also file a private right-of-action lawsuit if a business fails to comply with a request to know, opt out, or delete personal information.
A private right of action allows consumers to recover statutory damages. However, before filing the claim, the consumer must report the violation and give the business 30 days to remedy the problem.
If, after 30 days, the business is still non-compliant, CCPA penalties of $100 – $750 will be imposed per violation.
Want to avoid these CCPA fines? Contact us for a complimentary consultation with one of our experts.
Recent CCPA Fines and Enforcement Actions
Though CCPA fines might appear small, businesses have paid a hefty price for failing to implement reasonable data security measures. Below, we will look at recent high-profile CCPA fines to date and briefly analyze what led to the business being fined.
Zoom
In 2021, Zoom agreed to a settlement of $85 million after the state sued it for being non-compliant. The class action lawsuit alleged that Zoom violated CCPA laws by selling personal information to companies such as Google and Facebook without consumers’ knowledge.
Other CCPA violations alleged to have been committed by the company include failure to provide end-to-end encrypted video conferencing as advertised. In addition, it was also alleged that Zoom collected personal information without the user’s consent.
Lastly, Zoom was also accused of failing to implement adequate security measures that resulted in the information of its customers being breached and sold on the dark web.
Sephora
In 2022, Sephora, a global cosmetics retailer, hit the headlines after the court slapped it with a fine of $1.2 million through an enforcement action under the CCPA.
They were found guilty of not disclosing to consumers that their data and activities would be recorded and sold to third parties for monetary gain.
It is important to note that before the enforcement action, the petitioners notified Sephora of the offense and gave the business 30 days to rectify the violation. In addition, Sephora was also accused of failing to provide an opt-out service to consumers.
T-Mobile
T-Mobile is another business that faced a class action lawsuit for violating the CCPA. T-Mobile is accused of failing to protect consumer data after a data breach exposed the information of millions of its customers.
The data breach exposed private information such as Social Security Numbers and IDs. T-Mobile has agreed to a $350 million settlement.
Online Retailers
Several online retailers and data brokers were found to be non-compliant with the CCPA regulations.
After an enforcement sweep, it was established that some online retailers secretly used web tracking technology to sell consumers’ data to third parties. This was done in exchange for advertising. In addition, it was also proven that these online retailers did not provide an opt-out mechanism as required.
The identified retailers were notified of the violations, after which they reviewed and updated their service provider contracts. They also used technology to send a ‘restricted use’ signal to third-party buyers of private information.
CPRA Fines
The California Privacy Rights Act (CPRA) is a privacy law that was enacted in January 2023 and is considered an expansion of the CCPA.
The CPRA was enacted to strengthen privacy protections that existed under the CCPA, and it comes with additional privacy rights such as:
- The right to restrict the use of sensitive personal data
- The right of consumers to correct wrong personal data that a business may have
- The right of consumers to request businesses to provide a copy of their data
It is also important to note that the CPRA law created a new enforcement body known as the California Privacy Protection Agency (CPPA).
Fines under the CPRA are higher than those of the CCPA. For example, businesses can be fined up to $7,500 per CPRA violation and up to $2,500 for violations involving minors.
The CPRA also introduced a new category known as negligent violations, which affects businesses that fail to take reasonable precautions to protect consumers.
Avoiding CCPA Fines
Businesses that are operating in the State of California must be CCPA compliant to avoid hefty fines. The law applies to for-profit entities that meet any of the following qualifications:
- Have a gross annual revenue of more than $25 million
- Sell or share personal information of more than 50,000 California consumers
- Derive more than 50% of annual revenue from selling the personal information of California consumers
Besides monetary fines, businesses also face other consequences of CCPA non-compliance, such as loss of consumer trust. Loss of consumer trust affects a business’s brand and loyalty.
Businesses found guilty of being CCPA non-compliant also risk damaging their reputation and getting negative media and social media coverage. This can result in a loss of trust and credibility with consumers.
Violating CCPA laws can also result in expensive legal lawsuits, as seen with companies such as Zoom and Sephora. Zoom agreed to an $85 million settlement, while Sephora was fined $1.2 million.
Want to mitigate the risk of CCPA fines? Contact Captain Compliance for a complimentary consultation with one of our experts.
CCPA Compliance Requirements
One of the essential CCPA compliance requirements for businesses operating in California is to notify their consumers of the type of data being collected and shared. If a business is collecting the personal data of minors, it must have consent from the guardian. Other compliance requirements include:
- Providing information about the purpose of the collected data
- Ensuring that third-party buyers of private data are CCPA-compliant
- Providing consumers with the right to opt out
- Implementing reasonable security measures to protect against data breaches
- Providing a clear and conspicuous “Do Not Sell My Personal Information” link or button on the homepage
Achieving CCPA Compliance
The best way for a business to comply is to develop a CCPA/CPRA compliance checklist. A checklist is a tool that you can use to check if a business is compliant. Other things to do to ensure you are compliant are:
- Train your employees on CCPA and CPRA laws
- Update privacy policies and notices to be CCPA-compliant
- Conduct a data inventory to know the type of data collected and how it is shared and stored
- Give consumers the right to opt out and put a mechanism in place for consumers to retrieve their data easily
- Implement reasonable security measures to protect the privacy of consumers
- Review agreements with third-party services to ensure they are CCPA-compliant
- Appoint a data protection officer to be responsible for ensuring the business is CCPA-compliant
- Monitor changes to CCPA and CPRA law regularly to ensure continued compliance
Responding to CCPA Fines
Before a business is fined, it will be given 30 days to come up with remedial strategies. If the violations still happen after 30 days, the Attorney General’s Office will take legal action. The best ways to respond to CCPA fines are:
Review the Fine
Businesses need to review the reason for the fine to understand the offense that was committed. This should be done with lawyers to ensure that the fine falls within the confines of California law.
Create a Course of Action
Once the business understands why it was fined, it needs to create a course of action to address the violations that caused the fine. The plan can include training your staff and updating procedures and policies.
Consider Legal Options
Businesses can consider legal options if they feel the fine imposed is unjustified or too severe. The legal action can be for the agency to reduce the penalty or to challenge the findings.
Create a Compliance Checklist
The business should develop a compliance checklist to ensure they do not get another fine in the future. In addition, it should have a compliance officer to ensure all laws are followed.
VPPA Lawsuits
Lawsuits are being filed, and any plaintiff who visits your website and is a California resident can now sue you, even if you’re not targeting California users or data subjects. This can happen with a VPPA claim if you have a video player on your website. In early 2025 the number of VPPA claims and violation notices set a record, exceeding the total for all of 2024. You can thank lawyers like Scott Ferrel and the Pacific Trial Attorneys for figuring out how these 1980s-era laws can be used to generate serious legal fines.
California Invasion of Privacy Act Lawsuits
CIPA is the common abbreviation, and these claims are led by Josh of Swigart Law in California. These are typically demand letters seeking an arbitration hearing over a Meta pixel used for retargeting, and again they are catching business owners who are not in California but who end up paying thousands for arbitration and thousands more to get out of the case.
FAQs
What Are The Highest CCPA Fines?
The highest CCPA fines are $7,500 per intentional violation and $2,500 per unintentional violation. $7,500 for thousands of consumers can stack up very fast, resulting in millions of dollars in fines due.
The exact amount depends on whether the business has a history of violating CCPA laws and whether it took prompt action to remedy the contravention after being notified.
What is an Example of a Personal Data Breach?
An example of a personal data breach is when unauthorized individuals hack or access a consumer’s private information. For instance, if hackers steal your data from a bank, such as your ID, credit card number, email address, and password, that is a personal data breach.
When Did GDPR Come Into Force?
GDPR came into force on May 25, 2018.
Are There Exceptions to The CCPA?
Yes, CCPA laws do not apply if the collected personal information is used in an employment context. This means that the data collected is from an employee or job applicant.
Another CCPA exception is if the data collected is publicly available from government records and registries.
What Rights Do I Have Under The CCPA?
California residents have the right to request that a business provide any personal information it may have about them. In addition, you have a right to request that it delete the information it has about you.
Lastly, consumers have a right under CCPA to instruct businesses not to sell their data to third parties.
Does The CCPA Apply to Companies Outside California?
CCPA applies to companies outside of California if they conduct business in the state or meet one of the following criteria:
- Has an annual gross revenue of over $25 million
- Commercially sells or shares personal information of more than 50,000 California residents
- Receives at least 50% of yearly revenues from selling the personal information of California residents
How Can Captain Compliance Help?
Businesses collecting data from California residents must engage with a compliance expert to ensure they operate within the CCPA (now amended to CPRA).
Failure to comply with the CCPA can result in huge losses, as seen with T-Mobile, which was forced to make a $350 million settlement.
To protect your businesses from such losses, get in touch with Captain Compliance. We have years of experience in Californian data privacy law and can ensure your company becomes compliant.
Contact Captain Compliance for a complimentary consultation with one of our experts.