
California — Enforcement & Penalties

5 sections · Last updated 2026-06-02

California Privacy Protection Agency — establishment and administrative enforcement powers

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

The California Privacy Protection Agency (CPPA) is the primary enforcement authority for the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Established by Proposition 24 (approved November 3, 2020, operative December 16, 2020), the CPPA is "vested with full administrative power, authority, and jurisdiction to implement and enforce" the CCPA. Cal. Civ. Code § 1798.199.10(a). The agency is governed by a five-member board, with members appointed by the Governor (two members, including the chairperson), the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly. The board appoints an executive director who acts in accordance with agency policies and applicable law. Cal. Civ. Code § 1798.199.30.

Administrative enforcement model. The CPPA enforces the CCPA through administrative proceedings rather than civil litigation. When the agency "determines there is probable cause for believing [the CCPA] has been violated, it shall hold a hearing to determine if a violation has or violations have occurred." Cal. Civ. Code § 1798.199.55(a). The CPPA has issued regulations at Title 11, Division 6 of the California Code of Regulations governing investigations (11 CCR § 7301), probable-cause proceedings (§ 7302), stipulated orders (§ 7303), and audits (§ 7304). These regulations took effect March 29, 2023, when the California Office of Administrative Law approved the CPPA's comprehensive CCPA regulations.

Investigation and audit powers. The CPPA is tasked with enforcing the CCPA through administrative enforcement actions. The agency "can investigate possible violations, audit businesses to ensure compliance with the CCPA, and bring enforcement actions." Cal. Civ. Code § 1798.199.40(a) directs the agency to "implement, administer, and enforce" the CCPA, and subdivision (b) authorizes the CPPA to "adopt, amend, and rescind rules and regulations" to carry out the statute's purposes. The agency may initiate investigations based on sworn complaints filed with the agency (11 CCR § 7300) or on its own motion. The board may delegate authority to the chairperson or executive director to act between meetings, except for resolution of enforcement actions and rulemaking. Cal. Civ. Code § 1798.199.35.

Administrative fine structure. Following a determination of violation, the CPPA may order a person responsible for the violation to cease the conduct and "pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers." Cal. Civ. Code § 1798.199.55(a)(2). These per-violation amounts are "[s]ubject to Section 1798.155," which imposes aggregate fine caps and a 30-day cure opportunity for certain first violations (discussed separately in this guide). If two or more persons are responsible for violations, they are jointly and severally liable. Cal. Civ. Code § 1798.199.55(b). When the agency determines that no violation occurred, it must publish a declaration so stating. Cal. Civ. Code § 1798.199.55(a).

Coordination with Attorney General. The California Attorney General retains concurrent enforcement authority over the CCPA under Cal. Civ. Code § 1798.199.90. However, "[n]o civil action may be filed by the Attorney General under [§ 1798.199.90] for any violation of this title after the agency has issued a decision pursuant to Section 1798.199.85 or an order pursuant to Section 1798.199.55 against that person for the same violation." Cal. Civ. Code § 1798.199.90(d). This bar does not affect the private right of action under Cal. Civ. Code § 1798.150 for data-breach violations involving certain unencrypted or unredacted personal information. § 1798.199.90(e).

Additional statutory duties. Beyond enforcement, the CPPA is responsible for promoting public awareness of consumers' rights and businesses' responsibilities under the CCPA, adopting regulations to implement the statute, and cooperating with other agencies with jurisdiction over privacy laws to ensure consistent application of privacy protections. Cal. Civ. Code § 1798.199.40(a). The agency was appropriated $5 million during fiscal year 2020–2021 and $10 million (adjusted for cost-of-living changes) for each fiscal year thereafter from the General Fund. Cal. Civ. Code § 1798.199.95(a).

Sources: Cal. Civ. Code §§ 1798.199.10, 1798.199.30, 1798.199.35, 1798.199.40, 1798.199.55, 1798.199.90, 1798.199.95; CPPA FAQ.


CPRA elimination of mandatory 30-day cure — discretionary relief under § 1798.199.45

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Mandatory cure period eliminated. The California Privacy Rights Act (CPRA) eliminated the mandatory 30-day cure period for CCPA violations effective January 1, 2023. Under the original CCPA, codified at Cal. Civ. Code § 1798.155(b) (as enacted in 2018), "[a] business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance." This language created a safe harbor: no penalties could attach unless the business failed to cure within 30 days of receiving notice of the violation. The CPRA, passed by California voters as Proposition 24 on November 3, 2020 and operative January 1, 2023, deleted this subdivision in its entirety.

Current statutory posture. Section 1798.155 now governs administrative enforcement by the California Privacy Protection Agency (CPPA) but contains no mandatory cure language. Subdivision (a) sets the per-violation fine amounts ($2,500 for unintentional violations; $7,500 for intentional violations or violations involving minors' personal information), subject to the cure and aggregate-cap provisions originally set forth in former subdivision (b). The deletion means businesses are now exposed to administrative fines immediately upon a CPPA finding of violation, without an automatic 30-day window to remediate.

Discretionary cure authority. The CPRA vested the CPPA with discretionary authority to grant cure opportunities. Cal. Civ. Code § 1798.199.45(a) provides: "Upon notification of alleged noncompliance, the agency may provide a business, service provider, contractor, or person with a time period to cure the alleged violation, which shall be based on the totality of circumstances, including but not limited to: (1) The lack of intent to violate this title. (2) The voluntary efforts undertaken by the business, service provider, contractor, or person to cure the alleged violation prior to being notified by the agency." This authority is expressly discretionary — the CPPA "may" grant cure time, not "shall." In exercising this discretion, the CPPA may also consider the nature of the violation, the remediation already undertaken, and whether the violation appears to be systemic or isolated.

Practical effect. The shift from mandatory to discretionary cure changes the enforcement calculus. Under the original regime, the California Attorney General (who held enforcement authority until the CPPA stood up) sent hundreds of notice letters and approximately 75% of recipients cured the violation within 30 days, avoiding fines altogether. The discretionary cure regime gives the CPPA flexibility to escalate repeat violators or particularly egregious violations directly to administrative penalties, while still permitting first-time, inadvertent violators to demonstrate good faith through prompt remediation. However, businesses should no longer assume they will receive a cure window; the statutory entitlement no longer exists.

Private right of action — separate cure rule preserved. The CPRA did not eliminate the 30-day cure requirement for the private right of action under Cal. Civ. Code § 1798.150(b), which authorizes consumers to sue for statutory damages after a data breach involving specified categories of unencrypted or unredacted personal information. Section 1798.150(b) still requires that "prior to initiating any action against a business for statutory damages … a consumer shall provide a business 30 days' written notice identifying the specific provisions of this title the consumer alleges have been or are being violated." This separate cure provision remains intact and applies only to § 1798.150 breach actions, not to administrative enforcement by the CPPA.

Comparison to pre-CPRA enforcement. Before January 1, 2023, the California Attorney General enforced the CCPA and issued numerous "notice and cure" letters targeting businesses missing required disclosures or "Do Not Sell My Personal Information" links. Notable enforcement actions included a $1.2 million settlement with Sephora in August 2022, which occurred despite the mandatory cure period because Sephora failed to cure the violations within 30 days of the Attorney General's notice. The elimination of the mandatory cure provision means that businesses can no longer count on a guaranteed second chance before facing administrative penalties.

Sources: Cal. Civ. Code §§ 1798.155, 1798.199.45, 1798.150.


Private right of action under § 1798.150 — data breach statutory damages and 30-day cure requirement

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The California Consumer Privacy Act (CCPA) grants consumers a limited private right of action to sue businesses directly for statutory damages following a data breach involving specified categories of personal information. Cal. Civ. Code § 1798.150(a)(1). This right is distinct from the administrative enforcement authority vested in the California Privacy Protection Agency (CPPA) and the California Attorney General, and it is the only provision of the CCPA that authorizes a private lawsuit—consumers cannot sue for violations of other CCPA rights such as deletion, access, or opt-out.

Triggering event: unauthorized access and exfiltration, theft, or disclosure. A consumer may bring a civil action when the consumer's "nonencrypted and nonredacted personal information" is "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." Cal. Civ. Code § 1798.150(a)(1). The statute does not define "reasonable security procedures and practices"; practitioners must assess whether security measures are "appropriate to the nature of the information" based on the facts of each case.

Covered personal information categories. The private right of action under § 1798.150 applies only to breaches involving the specific categories of personal information enumerated in Cal. Civ. Code § 1798.81.5(d)(1)(A), which include:

  • Social Security numbers
  • Driver's license or California identification card numbers
  • Account, credit, or debit card numbers combined with any required security code, access code, or password
  • Medical information
  • Health insurance information
  • Unique biometric data (fingerprints, retinal images, etc.)
  • Genetic data

Breaches involving only email addresses, names, or general commercial data do not trigger the § 1798.150 private right of action unless those elements are combined with one of the enumerated categories above.

Statutory damages and actual damages alternative. A prevailing consumer may recover the greater of:

  • Statutory damages of not less than $100 and not greater than $750 per consumer per incident, or
  • Actual damages

Cal. Civ. Code § 1798.150(a)(1)(A). Effective January 1, 2025, the CPPA adjusted these amounts for inflation pursuant to the biennial Consumer Price Index adjustment mandated by Cal. Civ. Code § 1798.199.95(d). The adjusted statutory damage range for 2025–2026 is $119 to $893 per consumer per incident. The next adjustment will occur January 1, 2027. The CPPA publishes the current amounts at https://cppa.ca.gov/regulations/cpi_adjustment.html.

Section 1798.150 does not impose a cap on aggregate damages. Cal. Civ. Code § 1798.150(a)(2) expressly permits consumers to seek "injunctive or declaratory relief," to bring "a class action," and to obtain "any other relief the court deems proper." The absence of a cap in the statutory text means that a certified class action involving millions of California consumers may result in statutory damages claims of hundreds of millions of dollars.

Mandatory 30-day cure for § 1798.150 claims. Unlike the CPPA's discretionary cure authority under § 1798.199.45, the private right of action under § 1798.150 retains a mandatory 30-day cure provision. Cal. Civ. Code § 1798.150(b) provides: "Prior to initiating any action against a business for statutory damages on an individual or class-wide basis … a consumer shall provide a business 30 days' written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business."

The cure window is procedural—failure to provide 30 days' written notice before filing suit may result in dismissal. The cure must be actual, not merely promised, and the business must provide a written statement confirming both the cure and a commitment that no further violations will occur. The statute does not define when a cure is "possible" for purposes of subdivision (b), and courts have not yet settled whether certain breaches—such as one-time exfiltration of data in an intrusion that has been remediated—are inherently "incurable" or whether the cure provision contemplates only prospective remediation of inadequate security practices.

Relationship to administrative enforcement. The private right of action under § 1798.150 is not displaced by CPPA or Attorney General enforcement actions. Cal. Civ. Code § 1798.199.90(e) expressly provides that the Attorney General's enforcement authority "shall not affect the private right of action provided for in Section 1798.150." Similarly, CPPA enforcement decisions do not bar § 1798.150 suits arising from the same breach. However, the private right of action is limited to data-breach violations involving the enumerated personal information categories—consumers cannot use § 1798.150 to sue for violations of access, deletion, opt-out, or other CCPA rights.

No waiver of CCPA rights. Cal. Civ. Code § 1798.192 provides: "Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable." This includes the § 1798.150 right of action. Whether a pre-dispute arbitration agreement requiring individual arbitration of CCPA claims is enforceable under the Federal Arbitration Act presents a separate question not addressed by § 1798.192 or § 1798.150.

Injunctive and declaratory relief. In addition to statutory or actual damages, § 1798.150(a)(2) authorizes courts to award "injunctive or declaratory relief" and "any other relief the court deems proper." The statute does not expressly address attorney's fees; California Code of Civil Procedure § 1021 generally requires a statutory or contractual basis for shifting fees to the losing party. Whether the "any other relief" language in § 1798.150(a)(2) supports an award of attorney's fees to a prevailing consumer is unresolved in published California or federal decisions interpreting the CCPA.

Operative date. Section 1798.150 became operative January 1, 2020. Cal. Civ. Code § 1798.198(a). The provision applies to data breaches occurring on or after that date; it does not apply retroactively to pre-2020 breaches.

Sources: Cal. Civ. Code §§ 1798.150, 1798.81.5, 1798.199.95, 1798.192, 1798.199.90, 1798.198; CPPA CPI Adjustment — January 1, 2025.


Per-violation fine structure — no statutory aggregate cap and CPPA's granular violation-counting approach

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

No aggregate cap on administrative fines. Unlike the European Union's General Data Protection Regulation (GDPR), which caps administrative fines at the greater of €20 million or 4% of annual worldwide turnover (Art. 83(5) GDPR), the California Consumer Privacy Act (CCPA) imposes no statutory ceiling on the total administrative fine that the California Privacy Protection Agency (CPPA) may assess in a single enforcement action. Cal. Civ. Code § 1798.155(a) establishes per-violation fines of "not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation or violations involving the personal information of consumers whom the business … has actual knowledge are under 16 years of age," as adjusted for inflation. The statute does not impose an upper limit on the number of violations that may be counted or the aggregate fine that may result.

Inflation-adjusted amounts effective January 1, 2025. Pursuant to the biennial Consumer Price Index adjustment mandated by Cal. Civ. Code § 1798.199.95(d), the CPPA increased the per-violation fine amounts effective January 1, 2025. The adjusted amounts are $2,975 per unintentional violation and $8,925 per intentional violation or violation involving minors' (under age 16) personal information. The next CPI adjustment will occur January 1, 2027. The CPPA publishes current amounts at https://cppa.ca.gov/regulations/cpi_adjustment.html.

Per-violation counting — CPPA's granular approach. The critical interpretive question is what constitutes "each violation" for purposes of multiplying the per-violation fine. The CCPA does not define "violation," and no published California or federal court decision has construed the term in the CCPA context. The CPPA's first major enforcement action, a March 12, 2025 stipulated order against American Honda Motor Co., signals that the agency will count violations granularly—on a per-consumer or per-affected-consumer basis—rather than treating a systemic practice as a single violation.

Honda enforcement decision — per-consumer counting. The CPPA's Honda order required Honda to pay a $632,500 administrative fine to resolve claims that Honda violated the CCPA by (1) requiring excessive personal information to verify consumers exercising privacy rights, (2) using a privacy management tool that failed to offer choices symmetrically, (3) making it difficult for authorized agents to submit requests on consumers' behalf, and (4) sharing personal information with advertising technology companies without executing contracts containing required privacy terms. In announcing the settlement, CPPA Enforcement Division head Michael Macko stated: "The order spells out the number of consumers whose rights were implicated by some of Honda's practices, underscoring that fines apply on a per violation basis. … We won't hesitate to use our cease-and-desist authority to change business practices, and we'll tally fines based on the number of violations."

The Honda settlement demonstrates that the CPPA will count each affected consumer as a separate violation when a systemic business practice implicates multiple consumers' rights. A business that denies 100,000 deletion requests by imposing an unlawful verification requirement faces potential exposure of up to $297.5 million (100,000 violations × $2,975 per violation) for an unintentional violation or up to $892.5 million (100,000 violations × $8,925) for an intentional violation—before any settlement discount for cooperation, remediation, or first-violation status.

Open questions on violation-counting methodology. The CPPA has not yet published regulations or formal guidance defining how violations will be counted in all contexts. Unresolved questions include:

  • Multiple violations per consumer. If a business simultaneously violates several CCPA provisions with respect to the same consumer—for example, failing to provide a "Do Not Sell or Share My Personal Information" link, failing to honor an opt-out request, and selling the consumer's personal information without a contract compliant with Cal. Civ. Code § 1798.140(w)(2)(A)—does the CPPA count three violations or one?
  • Continuing vs. discrete violations. If a business fails to post a required privacy notice for 365 days, is that one violation or 365 daily violations?
  • Data-element granularity. If a business sells 50 data elements (name, email, browsing history, etc.) concerning a single consumer in a single transaction, is that one violation or 50?

The Honda order suggests the CPPA will favor consumer-based counting (each affected consumer = one violation per distinct CCPA requirement breached) rather than incident-based counting (one systemic failure = one violation regardless of consumer count). This methodology mirrors the approach taken by the California Attorney General in pre-CPPA enforcement actions, including the August 2022 Sephora settlement, in which the Attorney General alleged violations on a per-affected-consumer basis.

Comparison to GDPR fine caps. The absence of a statutory cap in the CCPA creates markedly different exposure than under the GDPR. A business with €10 billion in annual revenue faces a maximum GDPR fine of €20 million or €400 million (4% of turnover), whichever is greater—functionally capped at €400 million for Art. 83(5) violations. The same business, if it violates the CCPA with respect to 10 million California consumers, faces potential CCPA fines of $29.75 billion (unintentional) to $89.25 billion (intentional) under the per-violation × per-consumer multiplication—orders of magnitude larger than the GDPR cap, even before accounting for the practical reality that the CPPA has discretion to assess lower amounts and routinely settles enforcement actions for negotiated sums.

CPPA's discretion in fine assessment. While the statute sets a ceiling on the per-violation fine ($2,975 / $8,925 as adjusted), it does not mandate a floor. Cal. Civ. Code § 1798.155(a) states fines are "not more than" the specified amounts. The CPPA has full discretion to assess lower per-violation fines—or to decline to pursue certain violations—based on the totality of circumstances, including the factors enumerated in the discretionary cure provision at Cal. Civ. Code § 1798.199.45(a): lack of intent to violate, voluntary remediation efforts, the nature of the violation, and whether the violation is systemic or isolated. The Honda settlement ($632,500) reflects a negotiated resolution, not the theoretical maximum exposure.

Joint and several liability. When two or more persons are responsible for a violation, they are jointly and severally liable for the administrative fine. Cal. Civ. Code § 1798.199.55(b). This provision allows the CPPA to pursue the full fine amount from any one responsible party, leaving allocation among co-violators to private contribution or indemnity claims. Joint and several liability is particularly relevant in service provider and contractor relationships, where both the business and the service provider may be found responsible for the same CCPA violation.

No private right of action for non-breach violations. The per-violation fine structure under § 1798.155 applies only to administrative enforcement actions brought by the CPPA. Consumers cannot sue for statutory damages based on non-breach CCPA violations. The private right of action under Cal. Civ. Code § 1798.150 is limited to data breaches involving specified categories of unencrypted or unredacted personal information (see separate section). For all other CCPA violations—failure to honor deletion requests, missing disclosures, unlawful sale of personal information, etc.—only the CPPA (and the California Attorney General under concurrent authority) may pursue administrative fines. Cal. Civ. Code § 1798.199.90(a).

Practical risk mitigation. Because there is no aggregate cap and the CPPA has signaled it will count violations on a per-consumer basis, businesses subject to the CCPA should:

  • Monitor consumer request volumes to quantify exposure. A business processing 500,000 consumer requests annually that inadvertently applies an unlawful verification standard to all requests faces potential exposure exceeding $1.4 billion (500,000 × $2,975) for an unintentional violation.
  • Prioritize systemic compliance over incident-by-incident remediation. Violations that affect large consumer populations—such as missing "Do Not Sell or Share My Personal Information" links, non-compliant privacy policies, or failure to honor Global Privacy Control signals—generate the highest fine exposure under per-consumer counting.
  • Document voluntary remediation to support a discretionary cure request under § 1798.199.45(a) or a reduced fine in settlement negotiations. The CPPA has discretion to credit good-faith compliance efforts and first-time violations.
  • Conduct regular compliance audits of high-volume consumer-facing processes (request intake and response, opt-out mechanisms, automated decision-making disclosures) to identify and remediate violations before they accumulate exposure across hundreds of thousands of consumers.

Sources: Cal. Civ. Code §§ 1798.155, 1798.199.95, 1798.199.55, 1798.199.45, 1798.150, 1798.199.90; CPPA CPI Adjustment — Effective January 1, 2025; CPPA Announcement — Honda Settlement (March 12, 2025).


California Attorney General — retained concurrent civil enforcement authority under § 1798.199.90

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

The California Attorney General retains independent civil enforcement authority over the California Consumer Privacy Act (CCPA) even after the California Privacy Protection Agency (CPPA) commenced administrative enforcement on July 1, 2023. Cal. Civ. Code § 1798.199.90(a) provides that "[a]ny business, service provider, contractor, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers … which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General."

This dual-enforcement model creates parallel risk: a business may face either an administrative enforcement action by the CPPA or a civil enforcement action by the Attorney General, but not both for the same violation. The statutory coordination rules and the practical history of Attorney General enforcement define which authority a business is likely to confront.

Civil penalty amounts and inflation adjustment. The per-violation civil penalty under § 1798.199.90(a) mirrors the CPPA's administrative fine structure: $2,500 per unintentional violation and $7,500 per intentional violation or violation involving minors' (under age 16) personal information, as adjusted biennially for inflation pursuant to Cal. Civ. Code § 1798.199.95(d). Effective January 1, 2025, the inflation-adjusted amounts are $2,975 per unintentional violation and $8,925 per intentional violation or minors violation. The next adjustment will occur January 1, 2027. Unlike administrative fines assessed by the CPPA following a probable-cause hearing (Cal. Civ. Code § 1798.199.55), civil penalties under § 1798.199.90 are assessed by a court in a civil enforcement action filed in superior court. The Attorney General must prove the violation and the court has discretion to determine the appropriate penalty amount within the statutory ceiling. Cal. Civ. Code § 1798.199.90(a) expressly directs that "[t]he court may consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of the civil penalty."

No aggregate cap — per-consumer multiplication risk. Like the CPPA's administrative fine authority, the Attorney General's civil penalty provision imposes no statutory ceiling on the aggregate penalty that may be assessed in a single enforcement action. The statute sets a per-violation maximum but does not cap the number of violations that may be counted or the total penalty. In the Attorney General's first major CCPA settlement—Sephora, Inc., resolved on August 24, 2022—the Attorney General alleged violations on a per-affected-consumer basis, demonstrating that systemic violations affecting large numbers of California consumers generate proportionally large penalty exposure. Under the settlement, Sephora paid $1.2 million in civil penalties and agreed to injunctive relief requiring updated disclosures, Global Privacy Control (GPC) implementation, conforming service-provider contracts, and two years of compliance reporting. The settlement followed the Attorney General's June 2021 notice of noncompliance, which Sephora failed to cure within the then-mandatory 30-day cure window.

The Sephora enforcement signals the Attorney General's approach to violation counting: systemic business practices that violate the CCPA with respect to multiple consumers are counted as one violation per affected consumer, not as a single systemic violation. This methodology is consistent with the CPPA's per-consumer counting approach articulated in the March 12, 2025 Honda settlement and creates potential exposure of hundreds of millions of dollars for large-scale violations affecting millions of California consumers.

Coordination with CPPA — bar on duplicative enforcement. Although the Attorney General and CPPA hold concurrent enforcement authority, Cal. Civ. Code § 1798.199.90(d) bars duplicative enforcement: "No civil action may be filed by the Attorney General under this section for any violation of this title after the agency has issued a decision pursuant to Section 1798.199.85 or an order pursuant to Section 1798.199.55 against that person for the same violation." Once the CPPA has issued a final administrative decision or order resolving a violation, the Attorney General may not pursue a civil penalty for that same violation. The converse, however, is not expressly stated—the statute does not bar the CPPA from pursuing administrative enforcement after the Attorney General files a civil action, though practical comity and resource constraints make such overlap unlikely.

Cal. Civ. Code § 1798.199.90(c) imposes a mandatory deference rule favoring the Attorney General: "The agency shall, upon request by the Attorney General, stay an administrative action or investigation under this title to permit the Attorney General to proceed with an investigation or civil action and shall not pursue an administrative action or investigation, unless the Attorney General subsequently determines not to pursue an investigation or civil action." If the Attorney General requests a stay of a CPPA investigation or proceeding, the CPPA must comply and may not resume its action unless the Attorney General affirmatively declines to pursue the matter. The statute also provides that "[t]he agency may not limit the authority of the Attorney General to enforce this title." § 1798.199.90(a).

Consumer Privacy Fund — penalty deposit. Any civil penalty recovered by the Attorney General in a CCPA enforcement action, and the proceeds of any settlement, "shall be deposited in the Consumer Privacy Fund," established by Cal. Civ. Code § 1798.160. § 1798.199.90(b). Money in the Fund is made available to the CPPA "upon appropriation by the Legislature" to support the agency's operations and to "fully offset the costs incurred by the state courts" in adjudicating CCPA civil actions and the private right of action under § 1798.150. § 1798.160(a). The Fund may also be used to fund privacy-related grants to promote investment in the development of new technologies that facilitate consumer privacy, to support the establishment of secure data repositories for data collected from connected devices, and to promote education and awareness of California consumer privacy rights. § 1798.160(b).

No double recovery — single penalty for same violation. Cal. Civ. Code § 1798.199.100 prohibits double recovery: "A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation." If a business has already paid an administrative fine to the CPPA for a particular violation, it cannot be assessed a civil penalty by the Attorney General (via court judgment) for that same violation, and vice versa. This rule protects businesses from duplicative monetary sanctions but does not prevent injunctive relief from being imposed by either or both authorities.

Private right of action not displaced. The Attorney General's civil enforcement authority under § 1798.199.90 is separate from, and does not displace, the private right of action under Cal. Civ. Code § 1798.150 for data breaches involving specified categories of unencrypted or unredacted personal information. § 1798.199.90(e) expressly provides: "This section shall not affect the private right of action provided for in Section 1798.150." A consumer may pursue a § 1798.150 data-breach action regardless of whether the Attorney General or CPPA has brought an enforcement action addressing the same incident or the same business's broader practices.

Injunctive relief — broader equitable powers. In addition to civil penalties, § 1798.199.90(a) authorizes the Attorney General to seek and obtain injunctive relief requiring a business to cease violating the CCPA and to implement specific compliance measures. The Sephora settlement illustrates the breadth of injunctive terms the Attorney General may negotiate or seek from a court: requirements to revise privacy policies, implement GPC recognition, amend service-provider contracts to include required privacy terms under Cal. Civ. Code § 1798.140(w)(2)(A), and submit periodic compliance reports to the Attorney General for a defined monitoring period (two years in Sephora). Injunctive relief may also be sought preventatively—the statute does not require that a violation has already occurred, only that a business is engaging in conduct that violates or threatens to violate the CCPA.

Historical enforcement posture and transition to CPPA. The Attorney General served as the sole enforcement authority for the CCPA from the statute's operative date (January 1, 2020) until the CPPA commenced administrative enforcement on July 1, 2023. During that period, the Attorney General issued hundreds of notice-and-cure letters to businesses alleging CCPA violations and published anonymized summaries of enforcement actions (without naming the businesses) on the California Department of Justice website. The vast majority of these early enforcement actions resolved through voluntary compliance during the then-mandatory 30-day cure period, avoiding civil penalties.

The Sephora settlement (August 24, 2022) was the first publicly disclosed CCPA enforcement action resulting in a monetary penalty. The Attorney General announced the settlement as part of an enforcement sweep targeting online retailers that failed to disclose the sale of personal information and failed to honor Global Privacy Control signals. In conjunction with the Sephora announcement, the Attorney General sent additional notice letters to unnamed businesses alleging similar GPC-related violations and signaled a shift toward more aggressive enforcement as the mandatory cure period neared its January 1, 2023 expiration.

Since the CPPA commenced administrative enforcement on July 1, 2023, the Attorney General's public CCPA enforcement activity has been limited—the CPPA has emerged as the primary regulator for administrative CCPA violations. However, the Attorney General retains full civil enforcement authority and may elect to pursue high-profile or egregious violations through civil litigation, particularly when injunctive relief or statewide impact justifies the Attorney General's broader public-enforcement role. Practitioners should assume that both authorities remain active and that the Attorney General may intervene in matters involving novel legal issues, widespread consumer harm, or systemic noncompliance by large businesses.

Strategic enforcement considerations. Businesses subject to the CCPA face a strategic choice when contacted by either the Attorney General or CPPA: cooperate and seek a negotiated resolution (potentially with a stay or reduced penalty based on good-faith cooperation and voluntary remediation), or contest the allegations through formal proceedings. The Attorney General's civil enforcement model differs procedurally from the CPPA's administrative model—civil actions are filed in superior court, subject to full civil discovery and motion practice, and resolved by a judge (or jury if triable issues of fact exist). Administrative enforcement by the CPPA follows the California Administrative Procedure Act (Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code), with probable-cause determinations by the agency and formal hearings before an administrative law judge.

The good-faith-cooperation credit recognized in § 1798.199.90(a) and the discretionary cure authority vested in the CPPA under § 1798.199.45(a) both reward early, voluntary compliance efforts. Businesses that discover potential CCPA violations through internal audits or third-party assessments and remediate the violations before receiving a notice from either enforcement authority may be in a stronger position to argue for reduced penalties or prosecutorial discretion declining enforcement altogether.

Source: Cal. Civ. Code § 1798.199.90
Source: Cal. Civ. Code § 1798.199.95
Source: CPPA CPI Adjustment — Effective January 1, 2025
Source: California AG Press Release — Sephora Settlement (August 24, 2022)
Source: Cal. Civ. Code § 1798.199.55
Source: Cal. Civ. Code § 1798.199.85
Source: Cal. Civ. Code § 1798.160
Source: Cal. Civ. Code § 1798.199.100
Source: Cal. Civ. Code § 1798.150
Source: Cal. Civ. Code § 1798.199.45