CCPA is a relatively new regulation that came into effect in 2020. As of 2024, the communication technology company Zoom holds the biggest fine enforced under the CCPA – $85 million. While the list of fines isn’t long, they range from thousands to millions of dollars per case.
In this article, you’ll find out what the biggest CCPA fines are as of 2024. You’ll learn who CCPA fines apply to, how large they are, and how to comply with the regulation so your business doesn’t get penalized.
What are CCPA fines and penalties?
CCPA fines can be issued by the Attorney General or the California Privacy Protection Agency (CPPA) to any business that processes California residents’ data and satisfies at least one of the following conditions:
- Has an annual gross revenue of $25 million or more
- At least 50% of annual revenue is made from data selling
- At least 100,000 California residents’ personal data is processed each year
There are a few types of CCPA fines that businesses can receive. For starters, the amount depends on whether the violation is intentional or not.
Under CCPA, violations can be unintentional, meaning the business wasn’t aware of or didn’t understand a specific requirement. In such cases, the fine can be up to $2,500 per single unintentional violation.
Meanwhile, intentional violations, meaning violations committed knowingly or willfully, get higher fines. Examples of intentional violations include ignoring user rights, such as requests to delete or correct data. The fine can go up to $7,500 per single intentional violation.
While this may look small compared to GDPR fines, consider that each affected user can count as a separate violation. If thousands of users are affected, the total sum quickly adds up.
Furthermore, it’s important to mention class actions. Under CCPA, there aren’t many violations for which users can sue companies. But if, for example, there’s a data breach caused by a failure to adopt reasonable security measures, users have the right to sue the company. Monetary damages can go up to $750 per violation.
Top CCPA fines and penalties
Considering CCPA went into effect in 2020, there aren’t as many penalties under this regulation as there are GDPR fine examples. However, after rigorous research, we found the 4 biggest fines that companies have received under the CCPA:
1. Zoom – $85 million CCPA fine
Fine size: $85 million
Reason: Failure to protect the personal data of users
In 2021, the communication technology company Zoom was issued an $85 million fine – the largest CCPA penalty to date. According to the lawsuit, the company failed to protect user data and violated users’ right to privacy.
For starters, the company shared users’ personal data with Google, LinkedIn, and Facebook. Zoom also allowed hackers to disrupt meetings on the platform, a practice referred to as “Zoombombing.” In these incidents, hackers would hijack meetings and use racist language or display pornography.
It’s important to note that Zoom agreed to improve its security practices and inform users whenever another party in the meeting was using third-party apps.
2. Sephora – $1.2 million CCPA fine
Fine size: $1.2 million
Reason: Wrongful data sharing and selling practices
In 2022, the multinational beauty retailer Sephora was the subject of an enforcement action under the CCPA that resulted in a $1.2 million fine.
According to the Attorney General, the main reasons for the CCPA fine included failure to disclose to users that Sephora was selling personal data. It also failed to honor user requests to opt out of data selling and did not provide a “Do Not Sell My Personal Information” link.
Sephora was also given a 30-day cure period but failed to bring itself into compliance within that period.
3. Hanna Andersson – $400,000 CCPA fine
Fine size: $400,000
Reason: Hacker attack and stolen credit card information
In December 2020, the children’s clothing brand Hanna Andersson agreed to pay $400,000 to settle a lawsuit over a large data breach.
The company confirmed the hack by emailing its customers that user data had been sold on the dark web. The hackers stole highly personal information, including credit card details such as payment card numbers, CVV codes, cardholder names, and expiration dates.
The $400,000 settlement was used to cover compensation of $500 to $5,000 for affected users who purchased from Hanna Andersson between September 16 and November 11, 2019.
4. DoorDash – $375,000 CCPA fine
Fine size: $375,000
Reason: Selling user data without consent
In February 2024, DoorDash settled an investigation and received a civil fine of $375,000 for violating the CCPA.
According to the Attorney General’s press release, DoorDash exchanged and sold data with third-party businesses as part of a marketing cooperative. This was done without informing users, obtaining their consent, or offering an option to opt out of data selling.
The privacy policy also did not explicitly state that users’ identifiable information could be shared with other partners in these marketing cooperatives.
Smaller CCPA cases
Many CCPA case examples don’t name the penalized company, but that doesn’t change the fact that it can happen to anyone. Here are a few CCPA enforcement examples:
- Healthcare service company. The company violated user rights by deleting consumer data after receiving a request to know. The company held staff training to ensure it doesn’t happen again.
- Pet industry website. A pet adoption platform didn’t provide an option for users to opt out of data selling and required notarized verification from users before they could exercise their CCPA rights.
- Mobile app game. The business responsible for the app installed software that made private consumer data, including that of minors, available to third-party software providers. The business removed the ad software after being notified of its non-compliance.
- Education technology company. The business failed to provide a CCPA-compliant privacy policy. It didn’t inform users about their rights or how to exercise their rights to know or delete. Additionally, there was no “Do Not Sell My Personal Information” link on the website. The business updated its privacy policy and added the link after being informed of the violation.
While these businesses were notified and given a 30-day cure period, note that “As of January 1, 2023, the CCPA no longer requires notice of a violation or an opportunity to cure before filing an enforcement action” according to the Attorney General. So, it’s better to ensure compliance than risk getting penalized without warning.
How to comply with CCPA correctly?
Complying with CCPA means providing users with a consent withdrawal option, allowing them to manage preferences, securing their data, providing transparent information, and more. Here are the main steps to ensure your website complies with CCPA:
- Get a cookie consent banner. While you don’t have to ask for consent to set cookies on user devices, you still have to give users an option to deny consent. A cookie consent banner like TinyCookie on Shopify lets you add this option in just a few clicks and easily manage cookies.
- Collect user consent. While it isn’t obligatory under CCPA to obtain user consent before storing cookies on their devices, you still have to record the consent or preferences users give and store that record securely. Cookie consent tools like TinyCookie automatically collect all consent and preferences in one place.
- Add a privacy policy. A privacy policy is necessary for compliance because CCPA requires you to list all the personal information you collect, the reasons and purposes for collecting it, and its expiry date. You must also state the lawful basis for processing, information about data sharing with third parties, and user rights.
- Write a cookie policy. You can create a cookie policy as a separate page or as part of the privacy policy. Whichever approach you choose, you must include which cookies are used, for how long, instructions on how to withdraw consent, user rights, and when the policy takes effect. You can find the full list of requirements in our cookie policy guide.
- Secure user data. Gathering user data comes with a responsibility to protect it from misuse and breaches. Make sure you adopt security measures, such as individual employee logins or antivirus software, so you don’t get penalized for failing to secure user data.
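The first two steps above (offering a way to deny consent and keeping a secure record of the choice) are what a consent banner actually has to do in the browser. The following JavaScript is an added example, not TinyCookie’s code or code from the original article: it records a user’s “Do Not Sell My Personal Information” opt-out and per-category preferences in a storage object, and only releases the third-party tags that the stored record allows. The storage key, the tag names, their categories and the in-memory storage stand-in are constructed assumptions; in a real page, `window.localStorage` (or a first-party cookie) would replace the stand-in, and each allowed tag name would be turned into a `<script>` element.

```javascript
// Added example (not TinyCookie's code). Storage key and tag catalogue are constructed.
const PREFS_KEY = "ccpa_privacy_prefs";

// CCPA is opt-out based: tags may run by default, but once the user opts out of
// data selling that choice must be recorded and honored on every page load.
function defaultPrefs() {
  return { doNotSell: false, analytics: true, advertising: true, updatedAt: null };
}

// Tiny stand-in for window.localStorage so the example runs outside a browser.
function createMemoryStorage() {
  const store = new Map();
  return {
    getItem: (key) => (store.has(key) ? store.get(key) : null),
    setItem: (key, value) => { store.set(key, String(value)); },
  };
}

// Read the stored record. A missing record means the user has not chosen yet;
// an unreadable record fails closed and is treated as an opt-out, so a corrupted
// value can never silently re-enable data-selling tags.
function loadPrefs(storage) {
  const raw = storage.getItem(PREFS_KEY);
  if (raw === null) return defaultPrefs();
  try {
    const parsed = JSON.parse(raw);
    if (typeof parsed !== "object" || parsed === null) throw new Error("bad record");
    return { ...defaultPrefs(), ...parsed };
  } catch {
    return { ...defaultPrefs(), doNotSell: true, advertising: false };
  }
}

// Persist the record with a timestamp; the timestamp is the evidence of when
// the user made (or changed) the choice.
function savePrefs(storage, prefs) {
  const record = { ...prefs, updatedAt: new Date().toISOString() };
  storage.setItem(PREFS_KEY, JSON.stringify(record));
  return record;
}

// Handler for the "Do Not Sell My Personal Information" link: records the
// opt-out and switches off the category whose tags share data with providers.
function optOutOfSale(storage) {
  const prefs = loadPrefs(storage);
  return savePrefs(storage, { ...prefs, doNotSell: true, advertising: false });
}

// Handler for a banner toggle on a single category (e.g. "analytics").
function setCategory(storage, category, enabled) {
  const prefs = loadPrefs(storage);
  return savePrefs(storage, { ...prefs, [category]: Boolean(enabled) });
}

// Constructed catalogue: each third-party tag declares its category and
// whether loading it shares or sells personal data with the provider.
const TAG_CATALOGUE = [
  { name: "site-analytics", category: "analytics", sellsData: false },
  { name: "ad-network-pixel", category: "advertising", sellsData: true },
  { name: "social-retargeting", category: "advertising", sellsData: true },
];

// A tag loads only if its category is enabled AND, when the user has opted out
// of sale, it does not sell data. The opt-out always wins over a category toggle.
function allowedTags(prefs, catalogue = TAG_CATALOGUE) {
  return catalogue
    .filter((tag) => prefs[tag.category] === true)
    .filter((tag) => !(prefs.doNotSell && tag.sellsData))
    .map((tag) => tag.name);
}

// Entry point a page would call before injecting any third-party <script>.
function loadTags(storage, catalogue = TAG_CATALOGUE) {
  return allowedTags(loadPrefs(storage), catalogue);
}
```

The design choice worth noting is the fail-closed branch in `loadPrefs`: if the stored record cannot be parsed, the code treats the user as opted out rather than falling back to the permissive defaults, because the penalty on this page for ignoring an opt-out (Sephora, DoorDash) is much higher than the cost of loading one fewer advertising tag.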
Conclusion
Zoom holds the biggest CCPA penalty as of 2024, with an $85 million fine for failing to secure consumer data and letting hackers access meetings. And huge businesses aren’t the only ones getting hit: while their names aren’t disclosed, many small businesses have already been warned for violations.
For this reason, it’s crucial to ensure CCPA compliance no matter how big or small your company is. Start by using a cookie consent banner like TinyCookie on Shopify, which collects consent automatically. You also have to add a privacy policy and a cookie policy to your website and adopt data protection practices.
Frequently asked questions
What are the fines for violating the CCPA?
Intentional violation fines under the CCPA go up to $7,500 per single violation. Unintentional violation fines are up to $2,500 per violation.
Can users sue a company under the CCPA?
For most CCPA violations, it’s not possible to sue a company. However, certain data breach circumstances allow users to sue a business, but they are required to give the business a 30-day cure period first.
Who has rights under the CCPA?
Under CCPA, only California residents have rights. This refers only to individuals (not businesses) who live in California.