$7,500 per violation.
Per consumer. Per incident.
The California Privacy Rights Act (CPRA) expanded CCPA with stricter consent requirements, a dedicated enforcement agency (CPPA), and penalties up to $7,500 per intentional violation. With 40 million California residents, non-compliance scales fast.
CCPA / CPRA penalty structure
Each failure to comply — per consumer, per incident. No cap on aggregate penalties. 30-day cure period eliminated for most violations under CPRA.
Intentional disregard of CCPA obligations. Also applies to violations involving minors under 16. No cure period available.
Private right of action under Section 1798.150. Consumers can sue directly for statutory damages of $100–$750 per incident, or actual damages if greater.
Notable CCPA enforcement actions
Failed to process opt-out requests, sold personal data without disclosure, ignored Global Privacy Control signals
Sold consumer personal information through advertising networks without opt-out notice
Collected and sold children's personal information without parental consent
Failed to honor Global Privacy Control opt-out signals, no opt-out mechanism on website
CPPA investigative sweep targeting mobile apps — failure to provide opt-out, dark patterns in consent flows
The California Privacy Protection Agency (CPPA) became fully operational in 2024 with dedicated enforcement authority, separate from the Attorney General.
Global Privacy Control is now legally binding
Under CPRA, businesses must honor the GPC browser signal as a valid opt-out of sale/sharing. Sephora's $1.2M fine proved regulators are serious. FOCTTA detects and respects GPC automatically.
- ✗ GPC signals silently ignored
- ✗ Opt-out links buried in footer text
- ✗ No record of opt-out requests
- ✗ Dark patterns in consent UI
- ✗ $7,500 per violation risk
- ✓ GPC signals detected and honored automatically
- ✓ Prominent "Do Not Sell" link with one-click opt-out
- ✓ Every opt-out recorded with compliance receipt
- ✓ CPPA-compliant consent flows, no dark patterns
- ✓ Full audit trail for enforcement defense
CCPA / CPRA sections mapped to FOCTTA features
Automated data subject access requests with 45-day SLA tracking, identity verification, and multi-system data retrieval.
Multi-system erasure orchestration with legal hold checks, retention overrides, and signed erasure certificates.
DSAR workflow supports correction requests with before/after audit trail and system propagation tracking.
Complete ROPA (Record of Processing Activities) with data categories, purposes, recipients, and retention periods.
One-click opt-out with GPC signal detection. "Do Not Sell or Share My Personal Information" link generation.
Granular purpose-based consent with separate flows for sensitive personal information categories.
Automatic detection and enforcement of Global Privacy Control signals. Compliance receipt for every GPC-triggered opt-out.
Pre-built CPRA consent templates, dark pattern avoidance checks, and automatic regulation updates as CPPA rules evolve.
The math is simple.
The risk is not.
A single data practice affecting 10,000 California consumers at $7,500 per violation = $75 million in potential penalties. Plus private right of action lawsuits.
CCPA / CPRA compliance, automated.
Opt-out management, GPC enforcement, DSAR automation, and audit-ready records — all in one platform. See how FOCTTA simplifies CCPA compliance.