# CCPA: Enforcement and Penalties

**Statutory basis:** § 1798.150, § 1798.155, § 1798.199

**Rule:** The CCPA is enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General; the private right of action is limited to data breaches only.
## Enforcement Structure
| Authority | Scope | Citation |
|---|---|---|
| CPPA | Primary enforcement of all CCPA provisions | § 1798.199.40 |
| Attorney General | Can bring civil actions | § 1798.155 |
| Private plaintiffs | Data breach claims only | § 1798.150 |
## California Privacy Protection Agency (CPPA)

Created by the CPRA as an independent agency with the following powers:
| Power | Description |
|---|---|
| Investigate | Investigate possible violations |
| Subpoena | Issue subpoenas for investigation |
| Audit | Conduct audits of businesses |
| Rulemaking | Adopt regulations implementing CCPA |
| Administrative enforcement | Bring enforcement actions |
| Issue fines | Impose administrative fines |
## Administrative Penalties [§ 1798.155]
| Violation Type | Maximum Penalty |
|---|---|
| Per violation | $2,500 |
| Intentional violation | $7,500 |
| Violation involving minor | $7,500 |
**Key points:**
- Penalties are per violation (can multiply quickly)
- No cure period (30-day cure was eliminated by CPRA)
- CPPA has broad discretion on penalty amounts
## Private Right of Action [§ 1798.150]

Consumers can sue only for data breaches involving:

> Nonencrypted and nonredacted personal information… subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.
### Recoverable Damages
| Damage Type | Amount |
|---|---|
| Statutory damages | $100 to $750 per consumer per incident |
| Actual damages | If greater than statutory |
| Injunctive relief | Court may order |
| Other relief | As court deems proper |
### Requirements for Private Suit
- 30-day notice — Must notify business in writing
- Cure opportunity — Business has 30 days to cure the violation AND provide the consumer a written statement that the violation has been cured AND that no further violations will occur
- If cured — No suit (but consumer can still report to AG)
- If not cured — May proceed with lawsuit
### No Private Right for Most Violations

Consumers cannot sue for:
- Failure to honor opt-out requests
- Inadequate privacy notices
- Not responding to access/delete requests
- GPC non-compliance
- Most CCPA violations
These are enforced by CPPA/AG only.
## Attorney General Enforcement

The AG can:
- Bring civil actions for CCPA violations
- Seek injunctive relief
- Recover civil penalties (same amounts as CPPA)
- Pursue unfair competition claims
## Class Actions
Data breach class actions are common under § 1798.150:
- Can aggregate statutory damages across affected consumers
- $100-750 × thousands of consumers = significant exposure
- Most CCPA litigation is data breach related
## Recent Enforcement Trends
| Year | Focus Areas |
|---|---|
| 2023-2024 | GPC non-compliance, dark patterns in opt-out |
| 2024-2025 | Data broker registration, sensitive PI |
| 2025+ | Automated decision-making, profiling |
## Compliance Program Factors

Factors the CPPA considers when setting penalty amounts:
| Factor | Impact |
|---|---|
| Intent | Intentional = higher penalty |
| Consumer harm | Actual harm increases penalty |
| Number affected | More consumers = higher penalty |
| Cooperation | May reduce penalty |
| Remediation | Quick fix may reduce penalty |
| Prior violations | Repeat offenders penalized more |
| Financial resources | Considered for proportionality |
## Risk Mitigation

To reduce enforcement risk:
- Honor opt-out signals — Especially GPC
- Respond to requests — Within 45 days
- Maintain security — Implement reasonable safeguards
- Document compliance — Keep records of program
- Train employees — Ensure proper handling
- Audit vendors — Verify service provider compliance