
California's Privacy Watchdogs Are Biting: Key Lessons from Recent CCPA Enforcement Actions

California’s privacy landscape continues to evolve, with the California Privacy Protection Agency (CPPA) significantly stepping up enforcement of the California Consumer Privacy Act (CCPA) and its amendments in 2024 and 2025. Businesses subject to these regulations have faced considerable administrative burdens and, more recently, substantial penalties for non-compliance.

The CPPA, which began exercising its enforcement authority alongside California’s Attorney General on July 1, 2023, has been particularly active. Its actions stem from growing concerns over widespread non-compliance, especially among data brokers, e-commerce platforms, and ad tech companies.

Late in 2023, the CPPA initiated investigative sweeps, focusing on violations of consumer opt-out rights, dark patterns, and the improper use of tracking technologies. The CPPA found that many companies have failed to honor global opt-out signals, provide clear opt-out options, or secure adequate contracts with third-party service providers.

These enforcement efforts underscore a critical message: businesses can no longer simply deploy a consent or opt-out tool and assume compliance.

Continuous monitoring and testing of these mechanisms are essential to ensure they function correctly in practice. This ongoing vigilance is crucial, as any malfunction or excessive demand for personal information from the mechanism could lead to full liability for the company, potentially resulting in penalties and mandated operational changes.

CPPA enforcement advisories

The CPPA has issued two enforcement advisories to date, each addressing specific provisions of the CCPA. These advisories provide implementation examples, including questions businesses may ask about the requirement, and highlight observed non-compliance to deter violations.

The subjects of these advisories have lined up with the enforcement actions the CPPA has taken so far. Review them closely: they indicate the CPPA’s areas of focus, and aligning with its recommended implementation of the law helps prevent eventual enforcement.

  1. Applying Data Minimization to Consumer Requests – emphasizes that businesses should only collect, use, retain, or share the personal information necessary when handling consumers’ requests.
  2. The Use of Dark Patterns – reminds businesses to review their user interfaces to ensure they use clear and understandable language, offer consumers symmetrical choices, and avoid impairing consumers’ ability to make their decisions, which instills confidence in the transparency of the process.

Understanding recent CCPA enforcement actions

Let’s look at some recent high-profile cases that highlight the CPPA and the California Attorney General’s priorities:

Healthline Media LLC (California Attorney General, July 1, 2025)

In a significant settlement, the California Attorney General announced on July 1, 2025, that Healthline Media LLC agreed to pay a $1,550,000 penalty for alleged CCPA violations related to the unlawful sharing of data on Healthline.com. The allegations included:

  • Continued data sharing post-opt-out: Healthline allegedly continued sharing users’ sensitive personal and health-related information for advertising purposes even after users opted out via cookie banners, forms, or Global Privacy Control (GPC) signals.
  • Transmission of sensitive inferences: Article titles revealing potential medical diagnoses (e.g., HIV, MS, diabetes) were transmitted to advertising and tracking companies, enabling sensitive inferences about users.
  • Misleading cookie consent banner: The cookie consent banner misrepresented its functionality, failing to block ad tracking and leaving up to 118 trackers active even after opt-out.
  • Non-compliant advertising contracts: Healthline lacked CCPA-compliant contracts with advertising partners, failing to verify proper data usage or restrict use to allowed purposes.
  • Cross-context behavioral advertising: The company engaged in cross-context behavioral advertising, resulting in users receiving targeted health-related ads across multiple platforms, which violated CCPA requirements.

As part of the settlement, Healthline committed to measures ensuring full CCPA compliance, including automatically honoring GPC signals, prohibiting the sale or sharing of data that could reveal a medical condition (i.e., article titles or URLs revealing health conditions), ongoing compliance testing, and updating all third-party contracts.

This case highlights that companies sharing personal data for advertising purposes, especially when this data can lead to sensitive inferences about users’ health, must ensure that opt-out mechanisms are effective and transparent. Failure to prevent unauthorized sharing, particularly of information that can lead to inferred health conditions, carries significant legal risks.

Todd Snyder, Inc. (CPPA, May 6, 2025)

Effective May 1, 2025, the CPPA ordered clothing retailer Todd Snyder, Inc. to pay a $345,178 fine for violating the CCPA. The Enforcement Division alleged that Todd Snyder:

  • Misconfigured cookie-consent banner: The website’s cookie-consent banner was misconfigured, preventing consumers from opting out of the sale or sharing of personal data, including for cross-context behavioral advertising, for a continuous 40-day period.
  • Excessive identity verification: Consumers were required to submit sensitive identity documents (e.g., selfies matched to government IDs) to exercise simple opt-out rights, directly conflicting with CCPA rules prohibiting excessive verification.
  • Excessive data collection for requests: The company collected more consumer data than necessary to process verifiable requests and failed to implement safeguards for sensitive information submitted during the process.

This decision highlights that simply deploying a consent tool is insufficient; companies must continuously test and maintain their functionality. Opt-out requests must be honored without requiring identity verification, demonstrating a commitment to respecting consumer privacy rights.

American Honda Motor Co., Inc. (CPPA, March 12, 2025)

Effective March 12, 2025, American Honda Motor Co., Inc. was ordered by the CPPA to pay a $632,500 fine for hindering Californians’ ability to exercise their opt-out rights. The CPPA’s allegations included:

  • Excessive identity verification for verifiable requests (right to know, delete, and correct): Honda’s webform required consumers to provide at least eight data fields to verify their identity, even though Honda needed only two data points to identify a consumer in its database.
  • Non-verifiable requests (opt-out of sale/sharing and requests to limit use of sensitive data): Honda’s online process did not distinguish between verifiable and non-verifiable requests; it used the same form for all request types and therefore required identity verification for requests that do not require it.
  • Authorized agents: Honda required additional authorization steps for authorized agents to submit do not sell/share or restrict use of sensitive information requests.
  • Confusing cookie banner design: The cookie banner design failed to present symmetrical opt-in and opt-out choices, as it required two steps to opt out but only one step to opt in, thereby undermining users’ ability to make clear privacy selections.
  • Lack of compliant third-party contracts: Honda lacked or was unable to produce CCPA-compliant contracts with downstream ad-tech partners, raising doubts about whether consumer opt-out signals were honored across all parties.

Honda agreed to revise its privacy request processes, ensuring verification steps collect only the minimum necessary information for verifiable requests, do not require identity verification for non-verifiable requests, provide clear and symmetric opt-out options in its cookie banner, offer thorough CCPA training for employees, and include mandatory CCPA privacy provisions in all third-party data-sharing agreements.

This case clarifies that excessive identity checks on verifiable requests violate the CCPA’s “reasonableness” standard and may lead to significant fines. It also highlights that an individual’s identity must not be verified when exercising an opt-out request. Cookie banners must provide clearly equivalent opt-in and opt-out controls to prevent compliance failures due to design, and companies must keep and readily produce CCPA-compliant contracts with all service providers.

Want to take a deeper dive into how Honda’s case unfolded—and what it teaches us about lawful data processing under the CCPA? Read: What Honda’s $632,500 CCPA Fine Teaches Us About Lawful Data Processing.

Sephora USA, Inc. (California AG, August 24, 2022)

Although an older case, the Attorney General’s judgment against Sephora established an important precedent, resulting in a $1.2 million settlement for several violations of the CCPA. These included:

  • Failure to disclose the sale of personal information to consumers.
  • Failure to process consumer requests to opt out of the sale of their personal information signaled via Global Privacy Control (GPC) settings.
  • Failure to cure these violations within the 30-day cure period allowed at the time.

Sephora was required to clearly disclose its intent to sell data, ensure consumers could opt out (including via GPC), update service provider contracts to be CCPA-compliant, and provide reports to the Attorney General.

Responding to CCPA Enforcement: Insights for Your Privacy Program

These decisions send a clear signal: California’s privacy regulators will hold companies fully accountable for any barriers, technical or procedural, that impede consumers from exercising their statutory rights. The “reasonableness” standard for identity verification is strictly interpreted; companies must collect only the minimum data necessary and cannot require sensitive documents, such as government IDs, for routine privacy checks.

To avoid disruptive enforcement actions and reputational harm, businesses must embed privacy compliance into everyday operations, including:

  • Prioritize hardening public-facing consent and individual rights interfaces, and confirm that the required website links, with the prescribed wording, are present (e.g., “Do Not Sell Or Share My Personal Information”).
  • Verify and monitor public-facing consent and individual rights interfaces to ensure proper implementation that meets regulatory requirements.
  • Collect the minimum information necessary to fulfill a request based on the type of request received.
  • Ensure that opt-out sale/sharing requests and the right to restrict the use of sensitive personal data do not require identity verification.
  • Honor opt-out signals like Global Privacy Control (GPC) automatically and consistently across all platforms.
  • Carefully review and assess user interfaces to ensure they offer symmetrical choices and use language consumers can easily understand when presenting privacy options.
  • Ensure parity among the choices on consent forms: when someone interacts with a banner or modal, the number of clicks required to accept and to reject should be equal.
  • Maintain up-to-date, CCPA-compliant contracts with all service providers/vendors.
  • Train staff on how to handle or properly route individual rights requests.
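
The points above on honoring GPC automatically, keeping the click counts to accept and reject equal, and continuously testing that the opt-out mechanism actually stops sharing (the Healthline finding of trackers still active after opt-out) can be made concrete in code. The following is an added JavaScript example, not TrustArc’s code or any vendor’s product. The Sec-GPC request header and navigator.globalPrivacyControl are the signal’s real surfaces; the tag manifest, the banner layout model, and the “observed loaded tags” list are constructed test data for this example.

```javascript
// Added example (not TrustArc's code): consent gating driven by the Global
// Privacy Control signal, plus two self-checks a privacy program would run
// continuously. TAG_MANIFEST, the banner layout model and the observed-tag
// list below are constructed for illustration.

// --- 1. Detect the GPC signal ----------------------------------------------
// Browsers expose GPC to page scripts as navigator.globalPrivacyControl and
// to servers as the request header "Sec-GPC: 1".
function gpcFromNavigator(nav) {
  return !!(nav && nav.globalPrivacyControl === true);
}

function gpcFromHeaders(headers) {
  // Header names are case-insensitive; the signal's value is the character "1".
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// --- 2. Resolve the opt-out state -------------------------------------------
// A GPC signal is itself an opt-out of sale/sharing and is honored
// automatically: it overrides an earlier "accept" stored by the banner.
function resolveOptOut({ gpcSignal, storedConsent }) {
  if (gpcSignal) return { optedOut: true, source: 'gpc' };
  if (storedConsent && storedConsent.sellShare === false) {
    return { optedOut: true, source: 'banner' };
  }
  return { optedOut: false, source: storedConsent ? 'banner' : 'none' };
}

// --- 3. Gate third-party tags on that state ---------------------------------
// Constructed manifest: each tag declares whether loading it sells or shares
// personal information (e.g. cross-context behavioral advertising pixels).
const TAG_MANIFEST = [
  { id: 'site-analytics', sellsOrShares: false },
  { id: 'ad-pixel-a',     sellsOrShares: true },
  { id: 'ad-pixel-b',     sellsOrShares: true },
];

function allowedTags(manifest, optOut) {
  return manifest
    .filter(t => !(optOut.optedOut && t.sellsOrShares))
    .map(t => t.id);
}

// --- 4. Self-check: did anything fire after opt-out? -------------------------
// Feed this the tag ids a crawler or the page's own instrumentation saw
// loading in an opted-out session; anything returned is a sell/share tag
// that fired despite the opt-out, i.e. a banner not doing what it claims.
function auditLoadedTags(manifest, optOut, observedLoaded) {
  const allowed = new Set(allowedTags(manifest, optOut));
  return observedLoaded.filter(id => !allowed.has(id));
}

// --- 5. Self-check: symmetric choices ---------------------------------------
// Banner model: an array of layers, each a list of button actions; a
// 'settings' button opens the next layer. Clicks to reach an action are
// its layer index + 1, so accept and reject must sit in the same layer.
function clicksTo(layers, action) {
  const i = layers.findIndex(layer => layer.includes(action));
  return i === -1 ? Infinity : i + 1;
}

function bannerSymmetry(layers) {
  const acceptClicks = clicksTo(layers, 'accept');
  const rejectClicks = clicksTo(layers, 'reject');
  return { acceptClicks, rejectClicks, symmetric: acceptClicks === rejectClicks };
}

// Usage: a session whose browser sends GPC while the stored cookie says
// "accept"; GPC wins and the ad pixels must not load.
const session = resolveOptOut({
  gpcSignal: gpcFromHeaders({ 'Sec-GPC': '1' }),
  storedConsent: { sellShare: true },
});
// Constructed observation: ad-pixel-a still loaded in that session.
const leaked = auditLoadedTags(TAG_MANIFEST, session, ['site-analytics', 'ad-pixel-a']);
// leaked -> ['ad-pixel-a']
// Accept on the first layer, reject only behind "settings": one click vs two.
const asymmetric = bannerSymmetry([['accept', 'settings'], ['reject', 'save']]);
// asymmetric.symmetric -> false
```

The design choice worth noting is that the GPC check runs before the stored consent is consulted, so a consumer who turned GPC on after clicking “accept” is still treated as opted out; the audit function is meant to be run repeatedly against what a scanner actually observes, not against what the tag manager configuration says should happen.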

Take the next step: Validate your CCPA compliance

If your business hasn’t already done so, now is the time to move beyond internal checklists and get formally validated. A TRUSTe-certified CCPA Validation offers independent, third-party assurance that your privacy practices align with California’s regulatory requirements.

It’s more than a badge. It’s proof of compliance you can share with partners, customers, and regulators alike. With TrustArc’s expert guidance and purpose-built platform, you’ll identify gaps, streamline remediation, and earn a Letter of Validation you can proudly display on your website or Trust Center.

Don’t wait for an enforcement action to test your program. Learn more about CCPA Validation and start building your privacy program’s credibility today.
