
CPRA Enforcement 2025-2026: What the CPPA Is Doing

California now enforces the CCPA/CPRA through two agencies, and the fines are getting bigger. Here is what the CPPA and the Attorney General have actually pursued in 2025 and 2026, and what it means for your site.

For the first few years after the CCPA took effect, enforcement was quiet enough that plenty of companies treated compliance as optional. That's over. California now has two separate enforcers with overlapping authority, and both spent 2025 and early 2026 building a track record of six- and seven-figure penalties. If you sell or share personal information from California visitors, the enforcement pattern is now specific enough to plan around.

Here's what the California Privacy Protection Agency (CPPA) and the California Attorney General actually did, the recurring violations they went after, and the compliance work those cases point to.

Two enforcers, one law

California is unusual in that the CCPA (as amended by the CPRA) is enforced by two bodies. The Attorney General's office has enforced the law since 2020. The CPPA, the dedicated privacy regulator created by the CPRA, gained full enforcement authority and now runs its own Enforcement Division. They can and do pursue different companies in parallel.

One practical change matters more than any single case: the 30-day right to cure has narrowed. Early settlements like the 2022 Sephora case turned on a company's failure to fix problems within the old cure window. Under the current framework, businesses can no longer assume they'll get a grace period before a penalty attaches, so the cost of a broken opt-out is now immediate.

The CPPA's enforcement track

The CPPA opened its enforcement era with two headline actions.

American Honda Motor Co. (March 2025). In its first public enforcement action, the CPPA fined Honda $632,500. The agency alleged Honda used an online privacy request process that forced consumers to provide more information than necessary to opt out, made opt-out harder than opt-in (a symmetry problem the regulations specifically prohibit), and shared consumer data with ad tech vendors without the required contracts.

Todd Snyder, Inc. (May 2025). The CPPA ordered the clothing retailer to pay $345,178 and overhaul its practices. According to the CPPA's announcement, Todd Snyder's privacy portal was misconfigured so that opt-out requests failed to process for 40 days, the company asked for more information than needed, and it required consumers to verify their identity before they could opt out of sale or sharing. That last point is important: verification is not permitted as a condition of a sale/share opt-out.

The common thread is not exotic. Both companies had opt-out mechanisms that either didn't work or added friction the rules don't allow.

The Attorney General's track

The AG has pursued its own cases, and the numbers have grown.

Sephora (August 2022). The AG's first CCPA settlement, for $1.2 million, alleged Sephora failed to disclose it "sold" personal information by allowing third-party tracking cookies, didn't post a working "Do Not Sell" link, and ignored Global Privacy Control signals. The case established that letting ad tech vendors read cookies can count as a "sale," and that honoring GPC is mandatory.

Healthline (July 2025). The AG announced a $1.55 million settlement, the largest CCPA settlement to date. The state alleged Healthline kept sharing data for targeted advertising even after users opted out through GPC, and shared article titles that let advertisers infer a reader's likely diagnosis of conditions such as HIV, Crohn's, or multiple sclerosis. The settlement forced Healthline to stop sharing data combinations that reveal a reader's health condition and to test its opt-out mechanisms on an ongoing basis.

Data brokers are now a dedicated target

In November 2025 the CPPA announced a Data Broker Enforcement Strike Force inside its Enforcement Division, focused on brokers that fail to register under California's Delete Act and comply with the CCPA. It built on a 2024 investigative sweep, and the agency opened a fresh round of enforcement actions against unregistered brokers in January 2026. If your business buys or sells consumer data without a direct relationship to those consumers, you may meet California's data broker definition and its separate registration duty. Our Delete Act guide covers that regime.

New rules raised the compliance bar for 2026

On top of case-by-case enforcement, the CPPA finalized a major set of regulations. The rules were approved by the Office of Administrative Law in September 2025 and took effect January 1, 2026, with phased deadlines for the heaviest obligations. They add three new compliance streams:

  • Automated decisionmaking technology (ADMT): notice and opt-out rights when ADMT is used for "significant decisions" such as lending, housing, employment, or healthcare. Businesses already using ADMT this way must comply by January 1, 2027.
  • Risk assessments: required for high-risk processing, with compliance beginning in 2026 and an attestation due to the CPPA in 2028.
  • Cybersecurity audits: annual independent audits for larger businesses and those that make most of their revenue from selling or sharing data, phased in from 2028.

For a typical marketing website the ADMT and audit rules may not bite yet, but the direction is clear: the regulator expects documented, testable processes, not one-time checkboxes.

What the enforcement pattern tells you to do

Nearly every California action so far turns on the same handful of failures. Fixing them is the highest-value work:

  • Make your opt-out actually work. Test the full path end to end, on a schedule. The Todd Snyder portal failed silently for 40 days, and that alone drove the penalty.
  • Honor Global Privacy Control. Sephora and Healthline both turned on ignored GPC signals. Treat a GPC signal as an opt-out of sale and sharing automatically. See our Global Privacy Control explainer for the mechanics.
  • Keep choices symmetrical. Opting out can't be harder than opting in, and you can't demand identity verification or excess information to process a sale/share opt-out.
  • Post a working "Do Not Sell or Share" or "Your Privacy Choices" link if you share data for advertising. Our guide to building that link covers the exact rules.
  • Contract with your ad tech vendors. Missing service-provider terms were cited in the Honda and Healthline matters.
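The three mechanical failures in that list (an opt-out that does not change anything, an ignored GPC signal, and an opt-out path that demands more than the opt-in path) can be checked in code. The block below is an added example written for this guide, not CookieBeam's code and not taken from any of the cases above. It assumes a Node-style request object whose header names are lowercased (so the GPC header arrives as `sec-gpc`), and the names `OPT_OUT_COOKIE`, `MemoryOptOutStore`, `evaluateRequest`, `handleOptOut` and `selfTest` are hypothetical. The only real identifier it relies on is the `Sec-GPC: 1` request header defined by the Global Privacy Control specification.

```javascript
// Added example (not CookieBeam's code): server-side decision logic that
// honors Global Privacy Control, keeps the opt-out symmetric and verification-
// free, and checks itself end to end. Names below are assumptions.

const OPT_OUT_COOKIE = "privacy_optout"; // hypothetical cookie name

// Minimal stand-in for whatever persists opt-outs in a real deployment.
class MemoryOptOutStore {
  constructor() { this.records = new Map(); }
  recordOptOut(userId, source) {
    this.records.set(userId, { source, at: new Date().toISOString() });
  }
  isOptedOut(userId) { return this.records.has(userId); }
}

// Tiny Cookie-header parser; values are not decoded, which is fine for flags.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// The GPC signal is the request header "Sec-GPC: 1". A missing header or any
// other value is simply "no signal": it neither opts the user out nor undoes a
// stored opt-out.
function gpcSignalPresent(headers) {
  const v = headers["sec-gpc"];
  return v !== undefined && String(v).trim() === "1";
}

// Decide whether this request may load the tags that "sell or share" data.
// CCPA is an opt-out regime, so sharing is allowed only when no opt-out signal
// of any kind is present. Any signal wins. A GPC signal is also persisted so
// the choice survives a later visit from a browser without GPC.
function evaluateRequest(headers, store) {
  const cookies = parseCookies(headers["cookie"] || "");
  const userId = cookies["uid"];
  if (gpcSignalPresent(headers)) {
    if (userId) store.recordOptOut(userId, "gpc");
    return { share: false, reason: "gpc" };
  }
  if (cookies[OPT_OUT_COOKIE] === "1") return { share: false, reason: "cookie" };
  if (userId && store.isOptedOut(userId)) return { share: false, reason: "stored" };
  return { share: true, reason: "no-opt-out" };
}

// Symmetric, verification-free opt-out handler. It asks for nothing beyond the
// identifier already in the request: no login, no form fields, no identity
// check, which is the extra friction the Honda and Todd Snyder orders cite.
function handleOptOut(headers, store) {
  const cookies = parseCookies(headers["cookie"] || "");
  const userId = cookies["uid"] || null;
  if (userId) store.recordOptOut(userId, "link");
  return {
    status: 200,
    setCookie: `${OPT_OUT_COOKIE}=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax`,
  };
}

// Scheduled end-to-end check for the "portal accepts the request but nothing
// changes" failure mode. It runs the real opt-out path for a synthetic user
// and verifies the sharing decision actually flips, rather than trusting that
// the endpoint returned 200.
function selfTest(store) {
  const failures = [];
  const uid = "selftest-" + Date.now(); // constructed synthetic user
  const before = evaluateRequest({ cookie: `uid=${uid}` }, store);
  if (!before.share) failures.push("fresh user already opted out: " + before.reason);
  const resp = handleOptOut({ cookie: `uid=${uid}` }, store);
  if (resp.status !== 200) failures.push("opt-out endpoint returned " + resp.status);
  // Replay using only the server-side record (the cookie has not come back yet).
  const after = evaluateRequest({ cookie: `uid=${uid}` }, store);
  if (after.share) failures.push("opt-out accepted but sharing still allowed");
  // And with only the GPC signal and no account at all.
  const gpc = evaluateRequest({ "sec-gpc": "1" }, store);
  if (gpc.share) failures.push("GPC signal ignored");
  return { ok: failures.length === 0, failures };
}
```

In practice `evaluateRequest` would gate the script tags or server-side forwarding that constitute the sale or share, and `selfTest` would run from a cron job against the production store with its result wired to an alert, so a silent failure like the 40-day Todd Snyder outage is noticed the day it starts rather than when a regulator finds it.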

For the wider state picture, see our complete guide to US state privacy laws. For a survey of what regulators can charge, our cookie consent penalties guide puts California in global context. Additional analysis of these California cases is available from the Coblentz law firm.

CPRA Enforcement 2025-2026: What the CPPA Is Doing | CookieBeam