Compliance Resources

CCPA Enforcement Actions Tracker: Every Fine to Date

Every public CCPA/CPRA settlement from the California Privacy Protection Agency and the California Attorney General, with verified penalty amounts, violations, and links to the primary source. Updated as new actions land.

Showing 9 enforcement actions totaling $21,328,381 in penalties
Sorted newest first

General Motors (OnStar)

California AG
$12,750,000
Data MinimizationPurpose LimitationDeceptive Privacy Policy

California's Attorney General, joined by several district attorneys and the CPPA, secured the largest CCPA penalty to date over GM's OnStar connected-vehicle service. GM sold names, geolocation, and driving-behavior data for hundreds of thousands of Californians to data brokers LexisNexis and Verisk despite a privacy policy stating it did not sell driving or location data, and the case was the first CCPA enforcement action built on the data-minimization and purpose-limitation principles.

Primary sourceRelated citations:§ 1798.100

Ford Motor Company

CPPA
$375,703
Opt Out FrictionUnlawful VerificationGPC

The CPPA fined Ford for requiring consumers to verify their email address before an opt-out of sale/sharing request would be processed, which the agency found imposed an unlawful identity-verification requirement on a right that must be frictionless. Ford also continued selling or sharing personal information for some consumers after they had already opted out, and must now audit its site-wide tracking technology for Global Privacy Control compliance.

The Walt Disney Company

California AG
$2,750,000
Incomplete Opt OutGPCAd Tech Sharing

California's largest CCPA penalty at the time it was announced: Disney's opt-out toggle only applied to the specific streaming service being viewed rather than the whole account, its webform stopped first-party ad sharing but not embedded third-party ad-tech partners, and Global Privacy Control signals were honored only for the specific device rather than the logged-in account.

Tractor Supply Company

CPPA
$1,350,000
Missing Privacy Policy RightsOpt Out FailureGPCVendor Contracts

The CPPA fined the nation's largest rural lifestyle retailer for a privacy policy that failed to notify consumers (and California job applicants) of their CCPA rights, for lacking an effective mechanism to opt out of the sale/sharing of personal information including via Global Privacy Control, and for sharing personal information with other companies without CCPA-required contract protections.

Healthline Media LLC

California AG
$1,550,000
Opt Out FailurePurpose LimitationVendor ContractsHealth Data Sharing

California's Attorney General secured what was then the largest CCPA settlement to date after Healthline.com's consent banner appeared to disable tracking cookies but did not, continued sending identifying data to ad partners after consumers opted out, and shared article titles suggestive of a medical diagnosis with advertisers without required contract protections.

Todd Snyder, Inc.

CPPA
$345,178
Opt Out FailureExcessive Verification

A misconfigured cookie-preferences portal left Todd Snyder unable to process opt-out of sale/sharing requests for 40 days, and the retailer's privacy portal separately required a government-issued ID before honoring any opt-out request — far more identity verification than the CCPA allows for the opt-out right.

American Honda Motor Co., Inc.

CPPA
$632,500
Dark PatternsExcessive VerificationVendor Contracts

The CPPA's first-ever settlement found Honda's cookie management tool required two steps to opt out of advertising cookies (toggle off, then confirm) but only one step to opt in — an asymmetrical dark pattern — plus excessive identity verification for opt-out and limit requests and ad-tech data sharing without CCPA-compliant service-provider contracts.

DoorDash, Inc.

California AG
$375,000
Undisclosed SaleNo Opt Out

DoorDash transferred names, addresses, and transaction histories of California customers to marketing-cooperative partners in exchange for new customer leads — a sale of personal information under the CCPA — without disclosing the practice or giving consumers a way to opt out.

Sephora, Inc.

California AG
$1,200,000
Undisclosed SaleGPC

California's first public CCPA settlement: Sephora allowed third-party advertising and analytics trackers on its site and app without disclosing that this constituted a sale of personal information, did not honor Global Privacy Control opt-out signals, and failed to cure the violations within the CCPA's 30-day cure period.

Would Your Site Survive an Enforcement Sweep?

Run a free, instant network-layer audit to check for unauthorized trackers, dark patterns, and GPC signals before a regulator finds them for you.

Run a Free Scan