Between February 11 and March 5, 2026, California regulators collected over $4.8 million in CCPA penalties across five enforcement actions. That is not a trend line. That is a pattern, and it is not pointing anywhere businesses want to go.
The California Privacy Protection Agency (CPPA) and the California Attorney General did not invent new legal theories this quarter. They enforced rules that have been in effect for years. What changed is the scale: the Disney settlement is the largest CCPA penalty ever recorded. A data broker was ordered to shut down entirely. A student ticketing platform was fined for tracking kids at high school basketball games. Ford and Honda paid over a million dollars combined for making opt-out harder than the law allows.
If your business touches California consumer data and you have not started audit preparation, this quarter's enforcement record is the loudest possible signal that the window is closing.
Disney: $2.75 million, the largest CCPA penalty ever
On February 11, 2026, the California Attorney General announced a $2.75 million civil penalty settlement with The Walt Disney Company. The AG's office called it the largest CCPA penalty to date.
The core problem was fragmentation. Disney operates Disney+, Hulu, and ESPN+ as separate platforms, each with separate opt-out mechanisms. A consumer who opted out on Disney+ was not opted out on Hulu. A GPC signal respected on one service was ignored on another. An opt-out toggle on one device did not carry over to another device on the same account.
Beyond the platform fragmentation, the opt-out webform stopped data sharing within Disney's own advertising ecosystem but continued disclosures to third-party ad-tech partners. Consumers had no way to know the distinction existed.
The Attorney General's statement made the standard explicit: "Businesses can't force people to go device-by-device or service-by-service." That is not an interpretation. That is the enforcement position, and Disney's $2.75 million settlement is the price tag attached to ignoring it.
What this means operationally: if your organization has multiple brands, multiple apps, or multiple platforms under one corporate umbrella, opt-out rights are not scoped to a single product. They apply at the account level and across the portfolio.
PlayOn Sports / GoFan: $1.1 million, the first school-related CCPA action
On March 3, 2026, the CPPA Board issued a $1.1 million fine against PlayOn Sports, the company behind the GoFan digital ticketing platform. This was the first CCPA enforcement action involving schools and student event attendees.
GoFan processes digital ticket purchases for roughly 1,400 California schools. Before accessing their tickets, users were required to click "agree" to tracking for targeted advertising. That is a consent gate on a required workflow, which regulators treat as coerced consent rather than voluntary consent.
The company's opt-out mechanism directed consumers to the NAI and DAA, which are industry self-regulatory programs, rather than providing GoFan's own opt-out method. Under the CCPA, an industry opt-out registry does not satisfy your individual obligation. Businesses must provide their own method.
GoFan also failed to recognize opt-out preference signals, including GPC, from users' browsers.
The CPPA's language in this action was pointed. The agency noted the context: these are school-affiliated consumers, often minors or their parents, who had no practical choice but to use the platform to access tickets they had already purchased. That power dynamic is exactly the kind of situation the CCPA was designed to address.
Ford: $375,703 for email verification on opt-out requests
The CPPA issued a $375,703 fine against Ford Motor Company on March 5, 2026. The violation was a verification gate: Ford required consumers to complete an email verification step before processing opt-out requests. Requests that were not verified were not acted upon.
This is a structural compliance failure because opt-out requests are non-verifiable under the CCPA. They are preference signals. The law does not permit businesses to condition processing on identity verification for opt-outs. Ford's requirement predictably reduced the number of requests actually honored, and the CPPA found that sufficient to impose a fine and require Ford to retroactively process all previously ignored requests.
The remediation requirement is what makes this costly beyond the fine itself: going back through historical opt-out submissions, identifying which ones were not processed due to the verification step, and honoring them after the fact is a significant operational exercise.
Honda: $632,500 and required business practice changes
The CPPA also fined Honda $632,500, part of the same connected vehicle sweep that produced the Ford action. Honda was required to change specific business practices as a condition of the settlement, not just pay the fine. The details of Honda's specific violations follow the same pattern: opt-out mechanisms that did not function as the law requires and preference signals that were not properly recognized.
The connected vehicle context matters here. Vehicles collect substantial data, and the consent and opt-out workflows tied to connected vehicle services were a CPPA focus heading into 2026. If your business involves connected devices, IoT products, or any platform where data collection happens passively, the Honda and Ford actions are directly relevant.
Background Alert: ordered to shut down or pay a steep fine
The CPPA also issued an order against Background Alert, a data broker, that gave the company a choice: shut down or pay a steep fine. Data broker registration and deletion obligations under CCPA have been in place, but enforcement against brokers was slow for years. That changed this quarter.
If your business buys, sells, or licenses personal information, or if you operate a people-search or background check product, this action signals that the CPPA is now actively moving against brokers, not just warning them.
The enforcement pattern is not complicated
Five actions, five companies, five different fact patterns. But the common thread is consistent: opt-out mechanisms that do not actually work as advertised.
Disney's problem was cross-platform fragmentation. GoFan's problem was a consent gate and a redirect to industry programs instead of a real opt-out method. Ford's problem was an email verification gate. Honda's problem was similar. Background Alert's problem was operating as a data broker without meeting the compliance requirements that apply to brokers.
None of these companies were doing something exotic. They had opt-out links. They had privacy policies. They had mechanisms. The mechanisms just did not work reliably, completely, or in the way the CCPA requires.
That is the audit problem. A privacy policy and an opt-out link are not evidence of compliance. Evidence of compliance is a tested, documented workflow that honors opt-out requests promptly, recognizes preference signals like GPC, does not impose verification requirements, and covers the full scope of the business including related brands, platforms, and devices.
The new audit and risk assessment regulations add another layer
The CPPA's cybersecurity audit and risk assessment regulations took effect January 1, 2026. Businesses that meet the thresholds are now required to conduct annual cybersecurity audits and submit risk assessments on a defined schedule.
This matters in the enforcement context because regulators now have a formal mechanism to examine whether businesses have documented, tested, and attested to their data handling practices. An enforcement action that touches data sharing and opt-out behavior can pull in audit documentation. If you do not have it, you are not just out of compliance on the privacy side. You are potentially out of compliance on the audit obligation as well.
The practical implication: enforcement and audit obligations are converging. Running a privacy audit is no longer just about finding gaps before a regulator does. It is about producing documentation that demonstrates reasonable controls were in place and functioning.
What to do now
Based on the five Q1 2026 actions, here is the short list of what to check before a regulator checks it for you.
1) Map opt-out across your full product portfolio
If you operate more than one app, website, platform, or brand under a shared corporate identity, opt-out on one does not cover the rest. Document every opt-out entry point. Test each one. Confirm they are connected to the same backend processing, or document why they are not and what the remediation plan is.
2) Remove verification requirements from opt-out workflows
Opt-out is non-verifiable under the CCPA. Email verification, SMS confirmation, account login gates, and "confirm your request" links that must be clicked before processing begins are all forms of friction that the CPPA has now penalized at scale. Audit your opt-out form submissions and look for any step between submission and processing that a consumer could fail to complete.
3) Test GPC and other preference signals
Turn on GPC in a browser, visit your site with a fresh session, and observe what tracking technologies fire. If advertising pixels or third-party data-sharing tags load on pages after a GPC signal is present, you are not honoring the signal. Document the test, fix the tags, and document the fix.
4) Verify your opt-out method is yours, not a redirect
Pointing consumers to the NAI, DAA, or any other industry self-regulatory program does not satisfy your CCPA opt-out obligation. You must provide your own opt-out mechanism. Industry programs can be supplemental, not a substitute.
5) Inventory your data broker relationships
If you buy or sell consumer data, or if third parties access your users' data through tags, SDKs, or API integrations for purposes that include advertising, profile building, or resale, you may have data broker obligations or relationships with data brokers that affect your own compliance posture. The Background Alert action is a signal that broker compliance is now an active enforcement area.
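As an added example (not from the original article or any regulator), the sketch below shows checks 1 through 3 in code: an opt-out is recorded without a verification step, applies at the account level across brands, and a capture of fired tags is audited against the GPC header. The brand names, tag IDs, function names and the sample capture are all constructed assumptions; only the `Sec-GPC: 1` request header is the real GPC signal.

```javascript
// Added example. Brand names, tag IDs and the capture below are constructed.
const BRANDS = ["brand-a", "brand-b"];                      // hypothetical portfolio
const AD_TAGS = new Set(["ad-pixel", "thirdparty-share"]);  // hypothetical sale/share tags
const optedOut = new Set();                                 // account-level opt-out store

// Browsers with GPC enabled send the request header "Sec-GPC: 1".
// Header names are assumed lower-cased, as Node's http module delivers them.
function hasGpc(headers) {
  return String(headers["sec-gpc"] ?? "").trim() === "1";
}

// Record the opt-out on submission: no e-mail, SMS or login step in between,
// and the scope is every brand rather than the one that received it.
function recordOptOut(accountId) {
  optedOut.add(accountId);
  return { accountId, status: "processed", scope: [...BRANDS] };
}

// Decide which tags may load for one page request on any brand.
function allowedTags(req, requestedTags) {
  const gpc = hasGpc(req.headers);
  if (gpc && req.accountId) recordOptOut(req.accountId); // carry the signal to the account
  const suppress = gpc || (Boolean(req.accountId) && optedOut.has(req.accountId));
  return suppress ? requestedTags.filter((t) => !AD_TAGS.has(t)) : requestedTags;
}

// Audit what actually fired: report ad tags seen despite GPC or a stored opt-out.
function auditCapture(capture) {
  return capture
    .map((e) => ({ ...e, leaked: e.firedTags.filter((t) => AD_TAGS.has(t)) }))
    .filter((e) => e.leaked.length > 0 &&
                   (hasGpc(e.headers) || optedOut.has(e.accountId)))
    .map(({ brand, accountId, leaked }) => ({ brand, accountId, leaked }));
}

// Constructed capture of three page loads (e.g. exported from a test browser session).
const SAMPLE_CAPTURE = [
  { brand: "brand-a", accountId: "u1", headers: { "sec-gpc": "1" }, firedTags: ["site-analytics"] },
  { brand: "brand-b", accountId: "u1", headers: { "sec-gpc": "1" }, firedTags: ["site-analytics", "ad-pixel"] },
  { brand: "brand-b", accountId: null, headers: {}, firedTags: ["ad-pixel"] },
];
```

Running `auditCapture(SAMPLE_CAPTURE)` reports only the second page load, where an advertising tag fired on one brand even though the request carried the GPC header.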
The CPPA and AG are not warning anyone anymore
For the first few years of CCPA enforcement, the playbook was: get a warning letter, fix the issue, avoid a fine. That period is over. Q1 2026 produced over $4.8 million in penalties across five actions, and the Disney settlement set a new ceiling for what a single CCPA action costs.
The new audit and risk assessment regulations give the CPPA additional enforcement hooks starting this year. Businesses that handle California consumer data at scale and cannot produce documented, tested evidence of their compliance posture are operating in a meaningfully higher risk environment than they were twelve months ago.
That is not a threat. It is what the enforcement record says.
Sources: California Attorney General press release (Feb 11, 2026), CPPA Board decisions (Mar 3 and Mar 5, 2026) as described in public announcements.