CCPA and CPRA Enforcement in 2025: What the California Privacy Protection Agency Is Actually Going After
TL;DR:
- The California Privacy Protection Agency issued multiple enforcement actions in 2025 totaling over $3.8 million in fines, including the $1.35 million Tractor Supply settlement — the largest CPPA administrative penalty on record.
- Four violation categories appear across every major enforcement action: nonfunctional opt-out mechanisms, Global Privacy Control noncompliance, missing vendor contracts, and outdated privacy policies.
- California, Colorado, and Connecticut launched a coordinated multistate GPC enforcement sweep in September 2025 — GPC compliance is no longer a California-only problem.
- New CCPA regulations took effect January 1, 2026. AB 566 requires browser-level GPC functionality by January 1, 2027.
Three years after the CCPA gave California consumers the right to opt out of the sale of their personal information, regulators decided to check whether opt-outs actually work. The answer, tested against Tractor Supply, American Honda, Healthline, and Todd Snyder, was: often not.
The California Privacy Protection Agency spent much of 2025 building its enforcement docket. The agency and the California Attorney General issued actions that collectively exceeded $3.8 million in penalties, established new precedents for what “CCPA compliance” actually requires in practice, and launched a multistate enforcement sweep that signals the opt-out problem has become a coordinated regulatory priority.
If your company has California customers, a website with advertising technology, or vendor relationships that involve personal data — and you haven’t tested your opt-out flows recently — this is worth reading carefully.
Honda: The First Major CPPA Settlement, and Why It Mattered
On March 12, 2025, the CPPA issued a decision requiring American Honda Motor Co. to pay $632,500 and change its business practices for 153 identified CCPA violations. The Honda case was significant not because of its size but because it was the first major CPPA enforcement settlement, establishing the practical template for the cases that followed.
The violations broke down into four categories:
Excessive information requirements. Honda’s online privacy rights request form required consumers to provide eight data fields to exercise their opt-out rights — even when the request didn’t require identity verification. CCPA regulations prohibit businesses from requiring more information than necessary to process a consumer rights request. Asking for eight data elements to opt out of data sales fails that test.
Asymmetric cookie management. Honda’s cookie consent tool allowed consumers to opt out of cross-context behavioral advertising, but the opt-out process required more steps than the opt-back-in process. CCPA regulations require that choices to revoke consent be at least as easy to exercise as choices to provide consent. If opting out takes three clicks and opting back in takes one, that asymmetry is a violation.
Missing vendor contracts. Honda disclosed personal information to advertising technology vendors but could not produce contracts with those vendors containing the CCPA-required data protection terms. The agency didn’t find that Honda was actively violating its vendor obligations — Honda simply couldn’t prove the obligations existed in writing.
Authorized agent issues. Honda’s request form technically allowed authorized agents to submit privacy requests on behalf of consumers, but the form required the consumer to personally verify the request — which violates CCPA’s prohibition on requiring consumers to verify when an authorized agent has been designated.
The remedial requirements included simplifying the privacy rights request process, consulting a user experience designer, retraining employees on CCPA compliance, and updating contracting processes with data recipients.
The pattern the Honda case established: enforcement doesn’t require a dramatic data breach or egregious conduct. Procedural failures in your opt-out flows and missing vendor paperwork are sufficient.
Healthline: The Attorney General’s $1.55 Million Health Data Settlement
While the CPPA handles administrative enforcement, California’s Attorney General retains separate CCPA enforcement authority. In July 2025, AG Rob Bonta announced a $1.55 million settlement with Healthline Media LLC over CCPA violations tied to its health information website — the largest CCPA settlement in the law’s history at that point.
The Healthline case introduced a complicating factor that’s particularly relevant for any company handling health-adjacent data: advertising technology that shares article-level data can constitute sensitive health information disclosure.
The AG’s investigation found:
Failed opt-out mechanisms. Healthline’s privacy controls purported to give consumers control over targeted advertising. The investigation tested those controls — using a “triple opt-out” that employed all three available methods — and found that 118 cookies tied to third-party advertisers were still active, with unique identifiers and article details still being transmitted. The opt-out theater was elaborate; the opt-out was ineffective.
Purpose limitation violations. Healthline shared the titles of articles consumers had read — articles with titles like “Signs You May Have [Specific Medical Condition]” — with advertising technology vendors for targeting purposes. Sharing data that suggests a consumer may have a serious medical condition for advertising purposes violates CCPA’s purpose limitation principles.
Deceptive consent banner. Healthline’s consent banner allowed consumers to uncheck a box to decline tracking. Unchecking the box did not actually disable the tracking cookies. The banner created the appearance of control without the substance.
Inadequate vendor contracts. Rather than verifying that advertising vendors had agreed to CCPA data protection obligations, Healthline assumed they had agreed to an industry contractual framework. Assumption is not compliance.
The settlement terms included three years of mandatory transparency reporting in which Healthline must publish details of what personal information it shares and how it transmits opt-out signals to third parties. That ongoing disclosure obligation is the kind of remedial measure that gets noticed across an industry.
Tractor Supply: The Largest CPPA Administrative Fine on Record
In September 2025, the CPPA announced a $1.35 million settlement with Tractor Supply Company — the nation’s largest rural lifestyle retailer, with more than 2,500 stores — for four categories of CCPA violations. The settlement set the record for the largest administrative fine the CPPA has issued to date.
Ineffective opt-out mechanisms. Tractor Supply’s “Do Not Sell My Personal Information” link routed to a privacy request form. Submitting a do-not-sell request through the form, however, did not stop the company from selling or sharing consumer data through third-party tracking technologies used for advertising. The link existed; the opt-out didn’t work.
Global Privacy Control noncompliance. Tractor Supply failed to recognize or process opt-out preference signals — including GPC — on its website. The company did not begin processing GPC signals until July 2024. The CPPA’s investigation covered the period before that remediation, and the failure to honor GPC during that window was treated as a violation for each affected consumer interaction.
Privacy policy staleness. CCPA requires businesses to review and update their privacy policies at least annually. Tractor Supply’s last privacy policy update before the CPPA’s investigation had occurred in November 2021 — a three-year gap. The policy also failed to include required disclosures about consumer opt-out preference signals.
Employee privacy rights gap. Tractor Supply’s career site did not provide job applicants with the required disclosures about their California privacy rights or instructions on how to exercise them. This is notable: CPRA extended CCPA protections to employees and job applicants, and the Tractor Supply case is the first CPPA decision to address job applicant privacy rights specifically.
As part of the settlement, a corporate officer must certify compliance annually for four years. The company must also conduct quarterly scanning of its digital properties to maintain a current inventory of tracking technologies — a meaningful operational requirement.
The Violation Pattern Across All Four Cases
| Violation Category | Honda | Healthline | Todd Snyder | Tractor Supply |
|---|---|---|---|---|
| Ineffective opt-out mechanism | ✓ | ✓ | ✓ | ✓ |
| GPC noncompliance | — | — | — | ✓ |
| Missing/inadequate vendor contracts | ✓ | ✓ | — | ✓ |
| Outdated or inadequate privacy policy | — | — | — | ✓ |
| Deceptive consent mechanism | — | ✓ | ✓ | — |
| Employee/applicant privacy rights | — | — | — | ✓ |
The common thread across every case: the opt-out didn’t actually work. Companies had privacy controls; those controls didn’t stop the data flows they were supposed to stop. The CPPA and AG are running technical investigations — they test the opt-out, they check the cookies, they verify the vendor contracts — and they’re finding gaps between what the privacy notices promise and what the technology delivers.
The GPC Enforcement Sweep: This Is Now a Multi-State Problem
In September 2025, the California Privacy Protection Agency, alongside the Attorneys General of California, Colorado, and Connecticut, announced a coordinated enforcement sweep specifically targeting businesses that fail to honor Global Privacy Control signals.
This is significant for two reasons.
First, GPC compliance is no longer a California-specific obligation. Colorado’s CPA and Connecticut’s CTDPA both require businesses to honor universal opt-out mechanisms, and GPC satisfies that requirement. An enforcement sweep involving three states’ attorneys general signals that GPC compliance is being treated as a multi-jurisdiction standard, not a California quirk.
Second, the sweep targets companies “at a stage that the applicable businesses were not yet aware that they are a target” — in the agency’s own words, hundreds of investigations are in progress before companies know they’re being looked at. You don’t get a warning letter first.
For any business operating websites with advertising technology and California, Colorado, or Connecticut customers: if your site doesn’t process GPC signals, you are in the scope of this enforcement environment.
What Changed in 2026: New Regulations and AB 566
On January 1, 2026, revised and new CCPA regulations issued by the CPPA took effect. These regulations update requirements across several areas, including consumer rights request handling, risk assessment obligations, and automated decision-making technology disclosures.
In October 2025, California Governor Gavin Newsom signed AB 566, the Opt Me Out Act. The law requires all browsers distributed in California to include built-in opt-out preference signal functionality — essentially mandating GPC capability at the browser level — by January 1, 2027. California becomes the first state to legislate browser-level opt-out signal capability. Once major browsers build GPC in natively, the volume of GPC signals hitting business websites will increase substantially.
The trajectory is clear: GPC will go from a technical compliance consideration to a mass consumer behavior within 12 to 18 months.
What Compliance Teams Should Fix Now
The 2025 enforcement record is a detailed specification of what “CCPA compliance” actually requires. Here’s the audit your team should be running:
Test your opt-out flows end-to-end. Submit a do-not-sell request on your own website. Then verify — using browser developer tools or a cookie audit — whether third-party data flows stop. If they don’t, your opt-out is broken. The CPPA and AG are running exactly this test.
Implement and verify GPC processing. If your website serves California, Colorado, or Connecticut residents (or realistically any US consumers), GPC should be recognized and honored. Check your consent management platform’s GPC documentation. Verify that GPC signals trigger the same outcome as a manual opt-out request.
Audit your vendor contracts. For every advertising technology, analytics, or data processing vendor, confirm that a written contract exists containing CCPA-required data protection terms — limiting use of personal information to specified purposes, prohibiting onward sharing, and including CCPA compliance obligations. Assumption of compliance is not documented compliance.
Update your privacy policy. CCPA requires annual review and update. Check the date on your current policy. If it’s more than 12 months old, update it. Include required disclosures about opt-out preference signals and consumer rights.
Review your employee and job applicant privacy notices. CPRA extended CCPA protections to employees and applicants. Your HR site, job application portal, and onboarding materials need California-specific privacy rights disclosures.
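The first two audit steps above can be reduced to code. As an added example (not code from the article or from any company it names), the following Node-runnable JavaScript models the checks regulators ran in 2025: whether a `Sec-GPC: 1` header or `navigator.globalPrivacyControl` produces the same tag-loading outcome as a manual do-not-sell request, and whether any third-party advertising cookies remain after the opt-out. The tag inventory and vendor domains are constructed placeholders to be replaced with your own scan results.

```javascript
// Added example, not from the article. GPC reaches a server as the request
// header `Sec-GPC: 1` and a page script as `navigator.globalPrivacyControl`.

// Read the GPC signal from a request's headers (header names are case-insensitive).
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// One decision point for opt-out state: a manual do-not-sell request and a
// GPC signal must both lead to the same result.
function resolveOptOut({ headers = {}, navigatorGpc = false, manualOptOut = false } = {}) {
  const gpc = gpcFromHeaders(headers) || navigatorGpc === true;
  return { optedOut: manualOptOut || gpc, source: manualOptOut ? 'manual' : gpc ? 'gpc' : 'none' };
}

// Constructed tag inventory (in practice, the output of your quarterly scan).
// Cross-context advertising tags are gated by the opt-out state.
const TAGS = [
  { name: 'site-analytics', purpose: 'first-party-analytics' },
  { name: 'ad-pixel', purpose: 'cross-context-advertising' },
  { name: 'retargeting-sdk', purpose: 'cross-context-advertising' },
];

function allowedTags(optOut) {
  return TAGS
    .filter(t => !optOut.optedOut || t.purpose !== 'cross-context-advertising')
    .map(t => t.name);
}

// The test regulators ran: do GPC and manual opt-out yield the same outcome?
function sameOutcome(manualAllowed, gpcAllowed) {
  return manualAllowed.length === gpcAllowed.length &&
    manualAllowed.every((name, i) => name === gpcAllowed[i]);
}

// Post-opt-out cookie audit: any cookie scoped to a known advertising vendor
// domain is a data flow that should have stopped. Domains are placeholders.
const AD_VENDOR_DOMAINS = ['ads.vendor-a.example', 'track.dsp-b.example'];

function leakedAdCookies(cookies) {
  return cookies.filter(c => {
    const d = c.domain.replace(/^\./, '').toLowerCase();
    return AD_VENDOR_DOMAINS.some(v => d === v || d.endsWith('.' + v));
  });
}

// Stand-alone run over constructed inputs.
const manual = allowedTags(resolveOptOut({ manualOptOut: true }));
const viaGpc = allowedTags(resolveOptOut({ headers: { 'Sec-GPC': '1' } }));
console.log('GPC honored like manual opt-out:', sameOutcome(manual, viaGpc));
console.log('Leaked ad cookies:', leakedAdCookies([
  { name: 'session', domain: 'www.retailer.example' },
  { name: '_adid', domain: '.ads.vendor-a.example' },
]).map(c => c.name));
```

Feed `leakedAdCookies` the cookie list captured in browser developer tools after submitting your own opt-out; any non-empty result is the gap the Tractor Supply and Healthline investigations found.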
So What?
The CPPA’s enforcement story for 2025 isn’t about a few bad actors. It’s about the gap between privacy controls that look right and privacy controls that work. Companies invested in consent banners, opt-out links, and privacy policies — and then didn’t verify that the underlying data flows actually changed.
Technical testing of privacy controls is no longer optional due diligence. The regulators are doing it. The question is whether you find your gaps before they do.
For financial services companies and fintechs, the GLBA exemption doesn’t provide blanket CCPA protection. Marketing technology, consumer analytics platforms, and advertising vendors fall outside the exemption’s scope in many configurations. The Honda case involved advertising technology — the exact vendor category that financial services companies use heavily.
If you need to build or audit your data privacy compliance program — including a data inventory, DSAR workflow, vendor data processing agreement checklist, and GLBA Safeguards Rule compliance documentation — the Data Privacy Compliance Kit covers the full compliance lifecycle for teams that don’t have a dedicated privacy officer.
For the regulatory context behind the GLBA exemption and where state privacy preemption may be headed, see Congress Wants to Kill State Privacy Laws for Banks: What the GLBA Overhaul Means. On the data rights implications for AI and automated decision-making — which CCPA’s new ADMT regulations will expand in 2027 — see AI and Consumer Data Rights: Where CCPA, State Privacy Laws, and AI Decisions Collide. And for vendor risk management frameworks that cover the data protection contracting gaps the CPPA keeps finding, see Vendor AI Risk Assessment: The Third-Party Due Diligence Gap.
Sources:
- CPPA: Honda Settles With CPPA Over Privacy Violations — March 12, 2025
- CPPA: Nation’s Largest Rural Lifestyle Retailer to Pay $1.35M Over CCPA Violations — September 30, 2025
- California AG: Attorney General Bonta Announces Largest CCPA Settlement to Date, Secures $1.55 Million from Healthline.com
- Goodwin Law: Multistate Privacy Enforcement Sweep Puts Global Privacy Control in the Spotlight — September 12, 2025
- CPPA: CalPrivacy Launches Data Broker Enforcement Strike Force — November 19, 2025
- Greenberg Traurig: Revised and New CCPA Regulations Set to Take Effect on Jan. 1, 2026
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.