2025 was the year CCPA enforcement stopped being theoretical. The California Privacy Protection Agency (CPPA) and the California Attorney General's office handed out millions in fines, and the pattern is clear: they're going after real companies for specific, avoidable failures.
If you're a California business still treating CCPA compliance as a "we'll get to it" project, these cases should change your mind. Here's every major enforcement action from 2025, what triggered it, and what your business needs to learn from each one.
The Big Ones: 2025's Largest CCPA Fines
Healthline Media -- $1.55 Million (July 2025)
The California Attorney General reached a $1.55 million settlement with Healthline, the online health and wellness publisher. The core issue: Healthline failed to include CCPA-compliant language in its contracts with third-party data partners. They were sharing personal information -- including sensitive health-related browsing data -- with advertising partners whose contracts didn't meet the CCPA's service provider requirements.
The lesson: Your vendor contracts matter just as much as your internal policies. If you're sharing personal data with third parties and your contracts don't include the required CCPA provisions -- purpose limitations, data deletion obligations, audit rights -- you're exposed. This is exactly the kind of gap a cybersecurity audit would catch.
Tractor Supply Company -- $1.35 Million (September 2025)
The CPPA's largest penalty to date. Tractor Supply was fined for multiple violations including failing to honor opt-out requests, inadequate privacy disclosures, and insufficient data handling controls. The CPPA Board approved the settlement at the same board meeting where they advanced the new cybersecurity audit regulations -- a deliberate signal about enforcement priorities.
The lesson: The CPPA is looking at operational compliance, not just whether you have a privacy policy on your website. They want to see that your opt-out mechanisms actually work, that your disclosures are accurate, and that your internal processes match your public commitments. Having a privacy page isn't enough if the systems behind it don't function as described.
Disney -- $2.75 Million (2025)
The largest CCPA settlement to date came from the California AG's office. Disney was hit for failing to comply with opt-out requirements across its digital properties. When consumers submitted opt-out requests, Disney's systems didn't process them consistently -- some subsidiaries honored them, others didn't. The fragmented approach to privacy compliance across a large organization is what sank them.
The lesson: If you operate multiple brands, websites, or business units, your CCPA compliance can't be siloed. A consumer who opts out expects that opt-out to apply everywhere you process their data. Organizations with complex structures need centralized privacy operations, not a patchwork of individual compliance efforts.
Unnamed Automaker -- $632,500 (March 2025)
The CPPA fined an unnamed automotive company for collecting and sharing geolocation data from connected vehicles without adequate disclosure or consent mechanisms. Drivers didn't know their location data was being shared with third parties, and there was no clear way to opt out.
The lesson: Connected devices and IoT data are squarely in the CPPA's crosshairs. If your business collects data from devices -- vehicles, apps, sensors, wearables -- you need to disclose exactly what you're collecting and provide functional opt-out mechanisms. "Buried in the terms of service" doesn't count.
Todd Snyder (Fashion Retailer) -- $345,178 (May 2025)
A smaller company, but an important signal. Todd Snyder was fined for failing to honor Global Privacy Control (GPC) signals. When a consumer's browser sent a GPC signal indicating they wanted to opt out of data sales, Todd Snyder's website ignored it.
The lesson: GPC compliance isn't optional. Following a joint enforcement sweep by California, Colorado, and Connecticut attorneys general in September 2025, regulators are actively testing whether websites honor GPC signals. If your site doesn't detect and respond to GPC, you're a target. This is a technical fix that most web development teams can implement in a day.
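As an added illustration (not code from the original post, nor from any of the companies named in it), here is what "detect and respond to GPC" looks like in practice on both sides of a website. The GPC specification defines two ways the signal reaches you: the `Sec-GPC: 1` request header that the browser attaches to every request, and the `navigator.globalPrivacyControl` property readable from page script. The function names, the sample requests and the tag list below are constructed for this example; it also shows the check from the "Audit your GPC compliance" step later in the post, and the caveat that the absence of a signal must never re-enable sale or sharing for someone who already opted out.

```javascript
// Added example: detecting and honoring Global Privacy Control (GPC).
// Per the GPC spec the browser sends the request header `Sec-GPC: 1` and
// exposes `navigator.globalPrivacyControl === true` to page script.
// Helper names here (gpcOptOut, resolveSaleSharingConsent, selectTags, demo)
// are this example's own, not a library or framework API.

// Server side: scan the headers object case-insensitively (Node lower-cases
// header names, other frameworks may not) and accept only the literal "1".
function gpcOptOut(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      // Only the exact value "1" is a valid opt-out signal; "true", "yes"
      // or an empty value are not defined by the spec and are ignored.
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: the same decision from a navigator-like object.
function gpcOptOutInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether sale/sharing of personal information is permitted for this
// request. A GPC signal always turns it off. The ABSENCE of a signal never
// turns it back on: a consumer who opted out earlier (storedOptOut, e.g. from
// a "Do Not Sell or Share" form) stays opted out even on a browser without GPC.
function resolveSaleSharingConsent(headers, storedOptOut) {
  if (gpcOptOut(headers)) {
    return { allowSaleOrSharing: false, source: 'gpc' };
  }
  if (storedOptOut) {
    return { allowSaleOrSharing: false, source: 'stored-opt-out' };
  }
  return { allowSaleOrSharing: true, source: 'default' };
}

// Only emit third-party tags that sell or share data when consent allows it.
// First-party-only tags are unaffected by the opt-out.
function selectTags(consent, allTags) {
  return allTags.filter(tag => !tag.sellsOrShares || consent.allowSaleOrSharing);
}

// Constructed sample requests for a self-check (not captured traffic).
const SAMPLE_REQUESTS = [
  { label: 'firefox-with-gpc', headers: { 'sec-gpc': '1', 'user-agent': 'x' } },
  { label: 'no-gpc',           headers: { 'user-agent': 'x' } },
  { label: 'malformed-gpc',    headers: { 'Sec-GPC': 'true' } },
];

// Constructed tag inventory: one first-party tag, one that shares with an ad network.
const SAMPLE_TAGS = [
  { name: 'analytics-first-party', sellsOrShares: false },
  { name: 'ad-network-pixel',      sellsOrShares: true },
];

// Run every sample request through the decision and report which tags load.
function demo() {
  const results = {};
  for (const req of SAMPLE_REQUESTS) {
    const consent = resolveSaleSharingConsent(req.headers, false);
    results[req.label] = selectTags(consent, SAMPLE_TAGS).map(t => t.name);
  }
  return results;
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

To reproduce the check from the post's action list, enable GPC in the browser, load the site, and confirm in the network panel that requests carry `Sec-GPC: 1` and that the ad-network tag is not loaded; the `malformed-gpc` case above shows why the comparison must be against the exact value `1` and not a truthiness test.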
Unnamed Marketing Firm -- Fine Amount Undisclosed (December 2025)
CalPrivacy (the CPPA's new public-facing name as of January 2026) fined a marketing firm for selling custom audience data without registering as a data broker. Under the California DELETE Act, companies that buy, sell, or share consumer data for purposes beyond a direct transaction must register with the state.
The lesson: If your business model involves any form of data brokerage -- even if you don't think of yourself as a "data broker" -- check the registration requirements. The definition is broader than most businesses realize, and the CPPA is actively enforcing it.
How Would Your Business Hold Up Under Scrutiny?
Take our free 5-minute assessment to identify compliance gaps before a regulator does.
Take the Free Assessment
The Enforcement Trend Line
Step back and look at the numbers:
- 2023-2024: Scattered enforcement, mostly cure-period warnings. Total fines under $1 million combined.
- 2025: Over $5 million in penalties across multiple cases. No more cure periods for most violations.
- 2026 and beyond: Hundreds of open investigations. Cybersecurity audit requirements kicking in. The CPPA publicly stated at their September 2025 board meeting that many businesses under investigation don't even know they're being targeted yet.
That last point deserves emphasis. The CPPA told the public that they have hundreds of enforcement actions in progress, and many of the targeted businesses haven't been notified. By the time you get a letter from the CPPA, the investigation is already well underway.
What Changed in 2025 That Made Enforcement Spike
Three things converged:
1. The CPPA got its footing. The agency was established in 2020 but spent years building staff, writing regulations, and fighting legal challenges. By 2025, they had a functioning enforcement team with experienced investigators.
2. Inflation-adjusted fines took effect January 2025. The CPPA announced increased penalty amounts for 2025, adjusting upward for inflation. The per-violation maximums went up, making enforcement more costly for businesses that hadn't corrected known issues.
3. Multi-state coordination. California is no longer enforcing privacy law alone. The September 2025 joint GPC enforcement sweep with Colorado and Connecticut showed that state privacy regulators are sharing intelligence and coordinating investigations. A CCPA violation flagged by California could trigger inquiries from other states where you do business.
Common Threads Across Every 2025 Case
Looking at all six enforcement actions together, the same compliance failures show up repeatedly:
- Opt-out mechanisms that don't actually work. Disney, Tractor Supply, the automaker -- all had opt-out processes that looked compliant on the surface but failed in execution. The CPPA is testing these systems, not just reading your privacy policy.
- Third-party contracts missing required provisions. Healthline's entire case was about vendor contracts. If you're sharing data with partners, your contracts need specific CCPA language -- not generic confidentiality clauses.
- Ignoring GPC signals. Todd Snyder's fine was entirely preventable. GPC detection is a straightforward technical implementation. There's no excuse for not supporting it in 2026.
- Inadequate disclosure. Multiple cases involved businesses that weren't telling consumers what data they collected or how it was used. Transparency isn't just good practice -- it's a legal requirement with real penalties attached.
What This Means for the Cybersecurity Audit Requirement
Here's the connection most businesses are missing: the cybersecurity audit regulations were approved at the same CPPA board meeting as the Tractor Supply penalty. That's not a coincidence. The CPPA is building toward a compliance framework where audits are mandatory, penalties are substantial, and enforcement is proactive -- not reactive.
The first cybersecurity audit certifications are due April 1, 2028 for businesses over $100 million in revenue. But the groundwork for those audits -- the policies, controls, documentation, and processes -- takes 12-18 months to build properly. If you're waiting for 2027 to start preparing, you're already behind.
Every compliance gap that triggered a fine in 2025 is something a proper cybersecurity audit would have flagged: broken opt-out systems, missing contract provisions, inadequate access controls, incomplete data inventories. The audit requirement exists precisely because these failures are so common.
Don't Wait for an Enforcement Letter
The CCPA Audit Readiness Kit gives you the policy templates, gap analysis tools, and implementation guides to get compliant before the deadlines hit.
Get the Complete Kit - $497
Three Things to Do This Week
Based on every enforcement action from 2025, here are the three highest-priority items for any California business processing personal data:
- Test your opt-out mechanisms. Don't just check that the button exists -- submit an actual opt-out request and verify it propagates through all your systems and third-party integrations. Do this today.
- Audit your GPC compliance. Open your website in a browser with Global Privacy Control enabled (Firefox has it built in) and verify your site detects and honors the signal. If it doesn't, fix it this week.
- Review your vendor contracts. Pull the contracts for every third party that receives personal data from you. Check that each one includes CCPA-required provisions: purpose limitations, deletion obligations, and restrictions on selling or sharing the data. Flag any that don't and start the amendment process.
2025's enforcement actions were warnings. The fines will get bigger, the investigations will get broader, and the cybersecurity audit requirement will add another layer of accountability. The businesses that started preparing last year are ahead. The ones that start today are on time. Everyone else is behind.
Find Out Where You Stand
Our free readiness assessment scores your business across all 18 CCPA cybersecurity audit components in under 5 minutes.
Start the Free Assessment