How Much Has the CCPA Cost Companies? Breaking Down $23.2 Million in Privacy Fines

Written by: Natasha Piirainen | Updated on: May 12, 2026

Reviewed by: Amanda Lee


Below, we break down the $23.2 million in privacy fines handed out to companies so far for violating the California Consumer Privacy Act (CCPA) and discuss what they did that broke this massive privacy law.

Plus, discover how Termly can help your business easily align with the CCPA and other data privacy laws from around the world.

Table of Contents
  1. What Is the Total Cost of All CCPA Fines Given Out So Far?
  2. What are the 10 Biggest CCPA Fines Given Out So Far?
  3. A Common Theme: Companies Fail to Follow CCPA Opt-Out Requirements
  4. How Termly Helps Businesses Align with the CCPA
  5. Biggest CCPA Fine So Far: Frequently Asked Questions
  6. Citations

What Is the Total Cost of All CCPA Fines Given Out So Far?

So far, CCPA fines have totaled at least $23,205,881 as of May 2026.

The California Attorney General keeps a list of all enforcement actions in the Privacy Enforcement Tracker available publicly on their website.

This number is expected to continue to grow, especially now that the CCPA is in full force, and entities have had several years to fully adapt to and comply with the strict privacy law.

What are the 10 Biggest CCPA Fines Given Out So Far?

Privacy laws in the U.S. are relatively new, but they have massive consequences.

According to Gartner, there was an estimated total of $3.425 billion in fines from U.S. privacy laws in 2025.

Here are the top penalties that have been handed out to various businesses for violating the California Consumer Privacy Act (CCPA), which is considered one of the strictest privacy laws in the country.

1. General Motors – $12,750,000 fine

In May 2026, the California Privacy Protection Agency (CalPrivacy or CPPA) announced a settlement resulting in the largest fine in the history of the CCPA with General Motors. It reached a whopping $12.75 million due to the company allegedly violating the CCPA by illegally selling the personal data of millions of Californians.

It’s also the first data minimization case in the history of the law.

The settlement is still subject to court approval. In addition to the fine, it would also require the company to restrict its use of consumer driving data and ban this information from being sold to data brokers.

California Attorney General Rob Bonta spoke on the settlement, saying:

“General Motors sold the data of California drivers without their knowledge or consent and despite numerous statements reassuring drivers that it would not do so.”

He added, “Today’s settlement requires General Motors to abandon these illegal practices and underscores the importance of the data minimization in California privacy law – companies can’t just hold on to data and use it later for another purpose.”

This settlement addresses how privacy laws apply to modern cars, which have become mobile data collection devices.

DISCLAIMER: This settlement is still subject to court approval.

2. The Walt Disney Company – $2,750,000 fine

In February 2026, Disney was fined $2,750,000 for violating the opt-out requirements outlined by the CCPA.

Specifically, the company failed to honor user opt-outs across services and devices, including Disney+, Hulu, and ESPN+.

Attorney General Rob Bonta was quoted by the OAG at the time saying:

“Consumers shouldn’t have to go to infinity and beyond to assert their privacy rights.”

This is because Disney’s opt-out options at the time were found by the California Privacy Protection Agency to have several gaps that enabled the company to still sell and share consumer data.

When users used the opt-out toggle, the request was only applied to the specific streaming service being watched, and often only on the actual device being used.

This led to their data still being sold or shared from other Disney-owned streaming services on different devices connected to their accounts.

They also provided a web form for opt-outs, but it only stopped data sharing through Disney’s own advertising platform and offerings.

The company still sold and shared the data with third-party ad tech companies.

They also limited the opt-out requests that came from Global Privacy Control settings to specific devices, regardless of whether the consumer was signed in to their account.

As a result, Disney was required to pay the multi-million dollar fine and was forced to implement opt-out methods that genuinely and fully stop the sale and sharing of consumer data.

3. Healthline Media – $1,550,000 fine

In July 2025, Healthline Media LLC was fined for violating opt-out guidelines under the CCPA, including opt-out requests for targeted advertising and sharing data with third parties.

The final settlement included a fine of $1,550,000 in civil penalties and court-ordered directives prohibiting the company from sharing article titles revealing what a consumer may have been diagnosed with, banning them from engaging in this type of data collection.

Attorney General Bonta was quoted on this matter saying:

“Our settlement with Healthline underscores that Californians have critical privacy rights under the CCPA to fight online surveillance – including by website publishers.”

According to the OAG website, Healthline.com is one of the 40 most visited websites in the world, and they generate revenue through ads.

But they enabled cookies and pixels that tracked data about their readers and communicated it to third parties, some of which could be used to uniquely identify individuals.

Dozens of trackers were found to be running and sharing data in the first milliseconds of when the web pages were loading.

Along with the hefty fine, the company was also required to ensure the opt-out mechanisms actually work and was forced to stop disclosing information that can link a user to a specific article title implying that they’ve been diagnosed with a disease, among other remedial obligations.

4. Jam City – $1,400,000 fine

In November 2025, mobile app gaming platform Jam City was fined $1,400,000 for violating the CCPA’s opt-out requirements and mishandling data from known minors.

The company is known for creating games based on various franchises that are popular with children, including Harry Potter, Frozen, and others.

But this case is different from some of the others because it shows that even mobile apps are subject to the strict CCPA requirements.

Attorney General Bonta was quoted saying:

“Many Californians like to unwind after a long day by gaming on their cell phones. Even on apps, California law obligates companies to provide a way for consumers to opt-out of the sale and sharing of their personal data.”

In addition to the fines, the company was ordered to provide in-game opt-outs for the sale or sharing of data and must not sell the data of consumers between the ages of 13 and 16 without their affirmative opt-in consent.

5. Tractor Supply Company – $1,350,000 fine

In September 2025, Tractor Supply Company was fined $1,350,000 by the CPPA for failing to honor opt-out requests and not maintaining a privacy policy that notified consumers and job applicants of their rights.

In addition, they were found disclosing personal information to other companies without entering contracts that contained privacy protections.

Along with the large fine, the nation’s largest rural lifestyle retailer was also ordered to implement broad remedial measures to correct their data processing activities, including requiring a corporate officer or director to certify compliance within four years.

At the time, this was the largest fine in the history of the CPPA.

It was also the first decision to address the importance of privacy notices and the privacy rights of job applicants.

6. Sephora – $1,200,000 fine

In August 2022, makeup retailer Sephora was fined $1,200,000 for failing to disclose the sale of personal data and not honoring opt-out rights in line with the CCPA.

Specifically, the company failed to follow opt-out requests from consumers using technologies like Global Privacy Control.

The company was also ordered to clarify its online disclosures and privacy policy to include affirmation that it does sell data, provide opt-out mechanisms for consumers, and conform its service provider agreements to the CCPA requirements, among other remedial measures.

At the time, Attorney General Bonta had this to say:

“I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”

Nearly four years later, and with millions of dollars in fines now handed out to additional companies, it’s clear that he meant every word.

Source: https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement

7. PlayOn Sports – $1,100,000 fine

In March 2026, the youth sports media company PlayOn Sports was fined for violating the CCPA through its use of dark patterns and misuse of student data.

Used by schools across America to sell tickets to school sporting events, theater performances, and other extracurricular activities including prom and homecoming, the entity was using tracking technologies to unlawfully deliver targeted advertisements to ticketholders and others using its services.

CalPrivacy’s head of enforcement, Michael Macko, was quoted on the matter by privacy.ca.gov saying:

“Students trying to go to prom or a high school football game shouldn’t have to leave their privacy rights at the door.”

In addition to the fine, the company was also ordered to conduct risk assessments, provide proper disclosures that are easy to read and understand, and implement proper opt-out protocols.

8. Ford Motor Company – $375,703 fine

In March 2026, Ford Motor Company was fined $375,703 for violating opt-out rights and implementing non-compliant mechanisms under the CCPA.

Specifically, Ford required customers to complete an email verification step before enabling them to opt out of the sale or sharing of their personal data.

The company was also ordered to change its data processing practices, including providing consumers with an easy way to submit opt-out requests and conducting an audit of its tracking technologies.

Tom Kemp, the Executive Director of CalPrivacy, was quoted at the time on the privacy.ca.gov website saying:

“This case shows that the Enforcement Division will take all appropriate action when practices fall short of the law’s requirements.”

9. DoorDash – $375,000 fine

In February 2024, DoorDash was fined $375,000 for improperly sharing personal data without disclosing it clearly to consumers, and for not having proper opt-out options available.

The sale specifically involved an undisclosed marketing cooperative, which uses the personal data of its members’ consumers to advertise products to one another.

At the time, Attorney General Bonta was quoted saying:

“DoorDash’s participation in a marketing cooperative is a sale under the CCPA and violates its consumers’ rights under our landmark state privacy law.”

In addition to the fine, DoorDash was also ordered to fully comply with the CCPA and CalOPPA, review all contracts with marketing and analytics vendors, and to provide annual reports to the Attorney General.

10. Todd Snyder – $345,178 fine

In May 2025, clothing retailer Todd Snyder was fined $345,178 for cookie and tracking related non-compliance under the CCPA.

The CPPA’s enforcement division found that the company failed to properly configure its privacy portal, resulting in a failure to honor consumer opt-out requests for the sale or sharing of their data.

The company was also in trouble for requiring consumers to submit more information than necessary to process privacy requests, including verifying their identity before enabling them to opt out of the sale or sharing of their data.

CalPrivacy’s Head of Enforcement, Michael Macko, gave a good warning at the time to all businesses that fall under this law:

“Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with businesses that use them.”

He added, “Using a consent management platform doesn’t get you off the hook for compliance.”

This emphasizes how integral it truly is for businesses to ensure any consent solution being used is secure, legally backed, and accurately works in ways that align properly with privacy laws.

A Common Theme: Companies Fail to Follow CCPA Opt-Out Requirements

There’s a common theme with the nine CCPA violations covered in this article:

These companies continue to fail to follow the CCPA opt-out requirements meant to protect consumers and enable them to follow through on their privacy rights.

The CCPA clearly gives Californians the right to:

  1. Say no to targeted advertising,
  2. Say no to the sharing or selling of their data,
  3. Limit the use of their sensitive personal information.

Browser-level opt-out requests set by tools like Global Privacy Control must also be honored.

It’s obvious that the California OAG and the CPPA are not planning on slowing down when it comes to performing investigations and punishing privacy violations.

Ensure you’re performing targeted advertising and sharing and selling data in a way that properly aligns with all data privacy laws impacting your business or be prepared to face the consequences.

How Termly Helps Businesses Align with the CCPA

Your website can avoid fines for the CCPA by ensuring you align with all consent and transparency guidelines outlined by the law.

Tools like Termly’s Consent Management Platform and Privacy Policy Generator make it extra easy, especially with features like script-auto blocking, cross-domain consent, and regional consent rules.

Backed by our legal team and data privacy experts, our tools were created to accommodate California privacy laws plus all additional U.S. state-level laws currently in force, and global laws like the GDPR, POPIA, and more.

Take the guesswork and fears of fines out of compliance by trying Termly today!

Biggest CCPA Fine So Far: Frequently Asked Questions

Below are answers to frequently asked questions about CCPA fines.

What is the penalty for violating the CCPA?

Fines for violating the CCPA can reach up to $7,500 per violation. Consumers also have the right to pursue private action under this law.

Can I get in trouble for violating the CCPA?

If you are subject to the CCPA and you are investigated by the Attorney General or CalPrivacy and found in noncompliance with the law, you can get in trouble, especially if you do not remedy the situation in a timely manner.

Citations

DISCLAIMER: The contents of this article reflect publicly available information as of May 12, 2026, but may not reflect the actual totals of all ongoing CCPA/CPRA fines and settlements.
