California Intensifies CCPA Enforcement: Record Fines and New Priorities Emerge in Summer 2025
A Watershed Moment in Privacy Enforcement
Summer 2025 marked a sharp escalation in California's privacy enforcement, with regulators imposing record fines and setting precedents that reached businesses nationwide. From July through September 2025, the Attorney General and the California Privacy Protection Agency (CPPA) announced two record settlements totaling $2.9 million (the four 2025 actions described below add up to nearly $3.9 million) and established new enforcement priorities that every business must understand.
The Healthline Settlement: A Record-Breaking $1.55 Million Fine
On July 1, 2025, California Attorney General Rob Bonta announced the largest CCPA settlement to date—a $1.55 million penalty against Healthline Media LLC for violations involving its health information website. This groundbreaking enforcement action represents multiple "firsts" for public CCPA enforcement:
- First publisher enforcement action under the CCPA
- First health information-related enforcement
- First invocation of the "purpose limitation principle" in a public regulatory context by any state regulator
What Healthline Did Wrong
The investigation revealed that Healthline, which operates one of the top 40 most-visited websites globally with approximately 6.5 million monthly California visitors, committed several critical violations:
Failed Opt-Out Mechanisms: Even after consumers exercised their right to opt out using multiple methods—including the "Do Not Sell or Share My Personal Information" link, Global Privacy Control (GPC), and cookie banner settings—Healthline continued transmitting personal information to dozens of third-party advertisers. In what investigators called a "triple opt-out" test, the website still maintained 118 cookies and 82 pixels associated with third-party advertisers.
Sharing Sensitive Health Data: Perhaps most troubling, Healthline shared article titles with third-party advertisers that could reveal intimate health conditions. Titles such as "Newly Diagnosed with HIV? Important Things to Know" were transmitted to advertising partners, creating detailed consumer profiles about potentially sensitive medical diagnoses. The AG argued this violated the CCPA's purpose limitation rule, as consumers would not reasonably expect such intimate data sharing even if general advertising practices were disclosed in privacy policies.
Inadequate Vendor Contracts: Healthline failed to maintain CCPA-compliant contracts with many advertising technology vendors. The company had assumed—but never verified—that vendors participated in an industry contractual framework containing required privacy protections. Investigation revealed many vendors were not part of this framework at all.
Deceptive Privacy Practices: The website featured a "consent banner" that purported to disable tracking cookies when consumers unchecked certain boxes, but the mechanism failed to function as advertised.
The Penalty and Remediation
Beyond the $1.55 million fine, Healthline must implement a comprehensive three-year compliance program including:
- Quarterly testing of opt-out mechanisms
- Annual contract reviews with all third parties receiving consumer data
- Annual public reporting of privacy metrics
- Permanent prohibition on sharing article titles that could reveal specific medical diagnoses
- Annual reports to the Attorney General detailing compliance measures and remediation steps
Tractor Supply's $1.35 Million Fine: Targeting Job Applicant Data
Just months later, on September 30, 2025, the California Privacy Protection Agency announced its largest fine yet—$1.35 million against Tractor Supply Company, the nation's largest rural lifestyle retailer. This enforcement action marked another significant milestone: the first-ever enforcement action specifically involving job applicants.
Why This Case Matters
The investigation began with a single consumer complaint, demonstrating that any complaint—from a disgruntled former employee, a job applicant, or even a website visitor—can trigger a comprehensive CPPA investigation. The agency found that Tractor Supply failed to:
- Provide compliant privacy notices to job applicants
- Inform applicants of their rights and how to exercise them
- Maintain a legally sufficient privacy policy
- Honor opt-out requests submitted through the website
- Recognize browser-based opt-out preference signals like Global Privacy Control
- Enter into contracts with advertising, analytics and other third-party vendors that limit how they may use shared personal data
Critical Insight: California is the only state that subjects employee and job applicant data to comprehensive privacy obligations under state consumer privacy law. Even businesses that are entirely B2B (dealing only with other entities, not individual consumers) are at risk of enforcement actions related to job applicant and employee privacy rights.
The Pattern: Spring and Summer 2025 Enforcement Actions
The summer 2025 record fines didn't emerge in a vacuum. They followed a consistent pattern of escalating enforcement throughout 2025:
American Honda Motor Co. - March 2025: $632,500
In its first non-data broker enforcement action, the CPPA fined Honda for:
- Requiring excessive information from consumers making privacy requests
- Failing to separate opt-out requests from other request types
- Lacking proper contracts with third-party advertising technology companies
The settlement explicitly stated that Honda required consumers to provide eight data fields when only two were necessary to identify consumers in their database, effectively applying verification standards to opt-out requests in violation of the CCPA.
Todd Snyder (National Retailer) - May 2025: $345,178
The CPPA's second enforcement action targeted a clothing retailer for:
- Failing to properly configure its privacy portal and cookie banner, resulting in a 40-day period where opt-out requests weren't processed
- Requiring consumers to submit government identification (driver's licenses, passports) to exercise privacy requests
- Applying verification requirements to opt-out requests
Key Enforcement Message: The CPPA emphasized that businesses cannot defer to third-party privacy management tools without monitoring their effectiveness. The stipulated order stated the retailer "would have known that Consumers could not exercise their CCPA rights if the company had been monitoring its Website, but instead deferred to third-party privacy management tools without knowing their limitations or validating their operation."
Emerging Enforcement Priorities and Trends
The summer 2025 enforcement actions reveal clear regulatory priorities:
1. Functional Testing is Mandatory
Simply implementing privacy tools isn't enough. Regulators expect businesses to actively test and verify that opt-out mechanisms, cookie banners, and consent management platforms work as intended across all devices and browsers. Technical malfunctions are not excuses—they're violations.
2. Third-Party Tools Don't Shield You from Liability
Using consent management platforms or third-party privacy vendors doesn't transfer compliance responsibility. Businesses remain fully accountable for ensuring these tools function correctly and comply with the law. As CPPA Enforcement Chief Michael Macko stated: "Using a consent management platform doesn't get you off the hook for compliance."
3. Purpose Limitation is Now Actively Enforced
The Healthline case marks the first time California (or any state) has publicly invoked the purpose limitation principle in enforcement. This principle restricts businesses to processing personal information only for disclosed purposes that consumers would reasonably expect. Processing that goes beyond primary purposes—even if technically disclosed in a privacy policy—can violate the CCPA if it's not consistent with reasonable consumer expectations.
4. Sensitive Data Deserves Extra Protection
While Healthline's case didn't explicitly invoke "sensitive personal information" definitions under the CCPA, the AG's focus on health-related article titles signals that certain data types—especially those revealing medical conditions, diagnoses, or health concerns—may face heightened scrutiny regardless of technical classification.
5. Contracts Must Contain Specific Statutory Language
Generic contract provisions are insufficient. Contracts must include the specific terms required by the CCPA statute. Provisions stating data will be used "for purposes contemplated" or "as otherwise agreed in writing" don't meet legal requirements. Businesses must follow the statute's exact language.
6. Job Applicant and Employee Data is Fully Covered
The Tractor Supply case eliminates any ambiguity: job applicant and employee data is subject to the same comprehensive CCPA obligations as consumer data. Businesses must provide separate privacy notices for applicants and workers, clearly disclosing rights and providing accessible methods for submitting data requests.
7. Self-Correction Doesn't Erase Liability
Both Healthline and Tractor Supply corrected many issues after investigations began, but these remediation efforts didn't prevent substantial fines. The 30-day right to cure, removed when the CPRA (Proposition 24) amended the CCPA, no longer provides a safety net. Proactive compliance is essential; reactive fixes are too late.
Updated 2025 Fine Amounts
Effective January 1, 2025, California adjusted CCPA penalties to account for inflation:
- Administrative fines: Up to $2,663 per violation (previously $2,500)
- Intentional violations or violations involving minors: Up to $7,988 per violation (previously $7,500)
- Civil penalties: Same structure as administrative fines
- Consumer statutory damages: $107 to $799 per consumer per incident (previously $100 to $750)
- Business revenue threshold: $26.625 million (previously $25 million)
With no limit on the number of violations that can be cited, enforcement actions can quickly reach seven-figure penalties. The Healthline settlement affected over 65,000 consumers who experienced failed opt-outs, demonstrating the multiplicative effect of systemic compliance failures.
The Multistate Collaboration Trend
On September 9, 2025, the CPPA announced a joint investigative sweep with attorneys general from California, Colorado, and Connecticut targeting businesses' compliance with opt-out preference signals and universal opt-out mechanisms. This multistate approach represents a growing trend in privacy enforcement.
The "Consortium of Privacy Regulators"—formed in April 2025 and including California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon—aims to address gaps in federal privacy enforcement through coordinated state action. Businesses should expect increased information sharing, coordinated investigations, and harmonized enforcement approaches across participating states.
Six Critical Action Steps for Businesses
Based on the summer 2025 enforcement patterns, businesses should take these immediate steps:
1. Test Everything, Repeatedly
Conduct quarterly audits of:
- Opt-out mechanisms across all devices and browsers
- Cookie banner functionality
- Privacy portal processing of different request types
- Global Privacy Control detection and response
- Consent management platform accuracy
Document all testing and maintain records of results and any remediation taken.
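The Healthline "triple opt-out" test and the Tractor Supply finding on Global Privacy Control both come down to one engineering question: after the visitor has opted out, which third-party tags still fire, which still drop cookies, and what page context do they carry? The script below is an added example, not code from either enforcement order or from any consent-management vendor. It takes a request log captured from a headless-browser session (HAR-style entries: URL plus request and response headers, constructed inline here, not a real capture), decides whether the visitor opted out, and reports what leaked. Assumptions: GPC is detected server-side from the `Sec-GPC: 1` request header defined by the GPC specification (the browser-side equivalent is the `navigator.globalPrivacyControl` boolean, which a consent script can read the same way); the first-party opt-out cookie is a hypothetical one named `optout`; the ad-tech domain list and the fictitious `.test` hosts are made up for the example.

```python
"""Opt-out regression check driven by a captured browser request log.
Added example, not code from the CCPA orders or any CMP vendor. Assumes a
HAR-style log, a hand-maintained ad-tech domain set and a hypothetical
first-party opt-out cookie named "optout"."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class CapturedRequest:
    """One request/response pair from the session (a simplified HAR entry)."""
    url: str
    request_headers: dict = field(default_factory=dict)
    response_headers: dict = field(default_factory=dict)


@dataclass
class AuditResult:
    opted_out: bool
    pixels: list = field(default_factory=list)         # ad requests sent after opt-out
    cookies: list = field(default_factory=list)        # ad domains that still set cookies
    context_leaks: list = field(default_factory=list)  # ad requests carrying the article path


def _header(headers: dict, name: str) -> str | None:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def gpc_signalled(headers: dict) -> bool:
    """Global Privacy Control: the request header Sec-GPC with the exact value
    "1" is an opt-out signal per the GPC spec; any other value is no signal."""
    return _header(headers, "Sec-GPC") == "1"


def cookie_opt_out(headers: dict, cookie_name: str = "optout") -> bool:
    """Hypothetical first-party opt-out cookie (assumed name "optout", value
    "1"), as a site's own "Do Not Sell or Share" link might set it."""
    raw = _header(headers, "Cookie") or ""
    for part in raw.split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name and value == "1":
            return True
    return False


def registrable_domain(url: str) -> str:
    """Crude eTLD+1 (last two host labels); a production audit should use the
    Public Suffix List instead."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def audit(page: CapturedRequest, log: list, ad_domains: set) -> AuditResult:
    """Decide whether the visitor opted out, then list every ad request that
    still fired, every ad domain that still set a cookie, and every ad request
    that carried the article's URL path (the page-context leak behind the
    Healthline article-title finding)."""
    opted_out = gpc_signalled(page.request_headers) or cookie_opt_out(page.request_headers)
    result = AuditResult(opted_out=opted_out)
    if not opted_out:
        return result  # visitor did not opt out; nothing to enforce here
    first_party = registrable_domain(page.url)
    article_path = urlsplit(page.url).path
    for req in log:
        domain = registrable_domain(req.url)
        if domain == first_party or domain not in ad_domains:
            continue
        result.pixels.append(req.url)
        if _header(req.response_headers, "Set-Cookie"):
            result.cookies.append(domain)
        # parse_qs percent-decodes, so a page URL encoded into "dl=" is caught
        query_values = " ".join(v for vals in parse_qs(urlsplit(req.url).query).values() for v in vals)
        referer = _header(req.request_headers, "Referer") or ""
        if article_path in query_values or article_path in referer:
            result.context_leaks.append(req.url)
    return result


def sample_session() -> tuple:
    """Constructed sample data (not a real capture): a GPC-enabled visit to a
    health article on a fictitious publisher, followed by four tag requests."""
    page = CapturedRequest("https://www.example-health.test/health/hiv/newly-diagnosed",
                           request_headers={"Sec-GPC": "1"})
    log = [
        CapturedRequest("https://www.example-health.test/static/app.js"),
        CapturedRequest("https://t.adnet.test/pixel?dl=https%3A%2F%2Fwww.example-health.test"
                        "%2Fhealth%2Fhiv%2Fnewly-diagnosed",
                        response_headers={"Set-Cookie": "uid=abc123; Domain=.adnet.test"}),
        CapturedRequest("https://sync.pixelco.test/collect?id=42",
                        request_headers={"Referer": page.url}),
        CapturedRequest("https://cdn.analytics.test/lib.js"),  # not on the ad list
    ]
    return page, log, {"adnet.test", "pixelco.test"}


if __name__ == "__main__":
    res = audit(*sample_session())
    print(f"opted out: {res.opted_out}; ad requests after opt-out: {len(res.pixels)}")
    print(f"ad domains setting cookies: {res.cookies}; article-path leaks: {len(res.context_leaks)}")
```

Run it against a capture taken once per opt-out method (the link, GPC, and the cookie banner) and per browser, and file the non-empty `pixels`, `cookies` and `context_leaks` lists as the quarterly test record. The Referer check matters even when no query parameter carries the URL: a slug like `/health/hiv/newly-diagnosed` in the referrer tells an ad partner the same thing the article title does.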
2. Separate and Simplify Privacy Request Processing
Create distinct pathways for:
- Opt-out requests: No verification required, minimal information collection (typically just email or similar identifier)
- Access, deletion, and correction requests: May include verification, but collect only the minimum necessary data points
Never apply verification requirements to opt-out requests or requests to limit use of sensitive personal information.
3. Audit All Vendor Contracts Immediately
Review every contract with parties receiving personal information to ensure inclusion of all CCPA-required terms:
- Specific enumerated purposes for data use
- Prohibitions on retention, use, or disclosure outside those purposes
- Requirements to comply with consumer opt-outs
- Obligations to notify you of inability to comply
- Rights to audit and enforce compliance
Don't assume industry framework participation (like IAB MSPA) covers all vendors—verify each relationship individually.
4. Implement Robust Vendor Monitoring
Create a data-sharing inventory tracking:
- Which platforms receive what categories of personal information
- Contractual terms governing each relationship
- How each vendor handles opt-out requests
- Verification of framework participation where claimed
- Quarterly or annual review schedules
Assign specific personnel responsibility for ongoing monitoring.
5. Create Job Applicant-Specific Privacy Infrastructure
Develop and post:
- Job applicant privacy notice: Separate from website privacy policy, describing data collected through application processes
- Job applicant privacy policy: Detailing applicant rights and request procedures
- Employee privacy policy: Separate from employee handbook, updated annually, accessible to current and former employees
Ensure HR systems can process privacy requests from applicants and employees separately from customer request workflows.
6. Don't Rely on "Close Enough" Compliance
Regulators are enforcing strict compliance with statutory language and functional requirements. Privacy policies that "mostly" disclose practices, contracts that "generally" address requirements, and opt-out mechanisms that "usually" work are insufficient. Systems must function exactly as required, policies must precisely track practices, and contracts must contain specific statutory language.
Looking Ahead: What to Expect
The summer 2025 enforcement actions signal a new phase of CCPA enforcement characterized by:
- Higher penalties: With five years of enforcement experience, regulators are imposing larger fines reflecting the law's maturity
- Broader industry targeting: From tech platforms to retailers to publishers, no sector is immune
- Technical scrutiny: Regulators are conducting sophisticated technical investigations of tracking technologies, opt-out mechanisms, and data flows
- Purpose limitation enforcement: Expect increased focus on whether data processing aligns with reasonable consumer expectations, regardless of disclosure adequacy
- Multistate coordination: Investigations may involve multiple state regulators simultaneously
As the CPPA moves toward finalizing regulations on automated decision-making technology and cybersecurity audits—with a goal of submitting final rules to California's Office of Administrative Law by November 2025—businesses face an expanding compliance landscape requiring sustained attention and investment.
Conclusion: Proactive Compliance is No Longer Optional
The summer 2025 enforcement actions deliver an unambiguous message: California privacy regulators have moved decisively beyond educational guidance to substantial financial penalties. With the largest CCPA fines yet imposed, the first job applicant enforcement action, and the inaugural invocation of purpose limitation principles, these cases establish precedents that will shape privacy compliance for years to come.
Businesses can no longer view CCPA compliance as a checkbox exercise. The combination of elevated fine amounts, strict functional testing requirements, comprehensive vendor oversight obligations, and elimination of cure rights demands a fundamental shift toward proactive, systematic, and continuously monitored privacy programs.
Those who wait for enforcement letters to address compliance gaps will find themselves facing six- or seven-figure penalties and years of regulatory oversight. The time to audit, test, update, and verify your privacy practices is now—before you become the next record-breaking enforcement action.
For questions about CCPA compliance or to discuss your organization's privacy program, consult with qualified privacy counsel familiar with California's evolving enforcement landscape.