Penalties and Damages

The CCPA establishes a three-tiered enforcement framework: private civil actions for security breaches, administrative fines by the California Privacy Protection Agency (CPPA), and civil penalties by the Attorney General. Each enforcement mechanism has distinct penalty structures, procedures, and fund allocations.

Private Right of Action for Security Breaches

Statutory Provisions (Section 1798.150)

Consumers have a limited private right of action for security breaches only. This right applies when nonencrypted and nonredacted personal information (as defined in Section 1798.81.5(d)(1)(A)) or email addresses combined with passwords/security questions are subject to unauthorized access, exfiltration, theft, or disclosure due to a business's failure to maintain reasonable security procedures.

Available Remedies:

Remedy Type | Amount/Description
Statutory Damages | $100–$750 per consumer per incident (adjusted for CPI)
Actual Damages | Recoverable in place of statutory damages, whichever amount is greater
Injunctive Relief | Court-ordered preventive measures
Declaratory Relief | Court declaration of rights/duties
Other Relief | As deemed proper by the court

Factors for Assessing Statutory Damages

Courts must consider relevant circumstances when determining damages amounts, including but not limited to:

  • Nature and seriousness of the misconduct
  • Number of violations
  • Persistence of the misconduct
  • Length of time over which the misconduct occurred
  • Willfulness of the defendant's misconduct
  • Defendant's assets, liabilities, and net worth

30-Day Cure Notice Requirement

Before initiating an action for statutory damages (individual or class-wide), consumers must:

  1. Provide the business 30 days' written notice identifying specific CCPA violations
  2. Allow the business to cure the violation if possible
  3. Receive an express written statement from the business confirming the cure and promising no further violations

Important Limitations:

  • Implementing reasonable security procedures after a breach does not constitute a cure for that breach
  • No notice is required for actions seeking actual pecuniary damages only
  • If a business violates its written cure statement, consumers may sue to enforce the statement and pursue statutory damages for each breach plus any post-statement violations

Scope Limitations

The private right of action:

  • Applies only to security breach violations under Section 1798.150(a)
  • Does not apply to other CCPA violations
  • Cannot serve as the basis for private actions under other laws
  • Does not relieve parties of duties under other state/federal laws or constitutional provisions

(Amended by Stats. 2024, Ch. 121, Sec. 6 (AB 3286), effective January 1, 2025)


Administrative Enforcement by CPPA

Administrative Fine Structure (Section 1798.155)

The California Privacy Protection Agency may assess administrative fines against any business, service provider, contractor, or other person violating the CCPA:

Violation Type | Fine Amount (per violation)
Standard violation | Up to $2,500 (CPI-adjusted)
Intentional violation | Up to $7,500 (CPI-adjusted)
Violations involving minors under 16 (with actual knowledge) | Up to $7,500 (CPI-adjusted)

Adjustment Provision: Fine amounts are adjusted pursuant to Section 1798.199.95(d).

Fund Allocation

Administrative fines and settlement proceeds are distributed as follows:

  • 95% → Consumer Privacy Subfund (for CPPA operational duties)
  • 5% → Consumer Privacy Grant Subfund (grant programs)

(Amended by Stats. 2025, Ch. 20, Sec. 1 (AB 137), effective June 30, 2025)


Civil Enforcement by Attorney General

Civil Penalty Structure (Section 1798.199.90)

The Attorney General may bring civil actions for injunctive relief and civil penalties:

Violation Type | Penalty Amount (per violation)
Standard violation | Up to $2,500 (CPI-adjusted)
Intentional violation | Up to $7,500 (CPI-adjusted)
Violations involving minors under 16 (with actual knowledge) | Up to $7,500 (CPI-adjusted)

Penalty Fund Allocation

Civil penalties and settlement proceeds are distributed as follows:

  • 95% → Attorney General Consumer Privacy Enforcement Subfund (for AG enforcement duties)
    • Includes reimbursement to CPPA for joint investigation costs
  • 5% → Consumer Privacy Grant Subfund (grant programs)

Coordination with CPPA Enforcement

  • The CPPA must stay any investigation or action upon request by the Attorney General
  • No duplicate enforcement: If the Attorney General initiates an action, the CPPA cannot pursue the same violations (and vice versa)

(Amended by Stats. 2025, Ch. 20, Sec. 3 (AB 137), effective June 30, 2025)


Consumer Privacy Fund Structure

Fund Overview (Section 1798.160)

The Consumer Privacy Fund is a special fund within the California State Treasury, available upon legislative appropriation. All funds and subfunds are used exclusively for CCPA enforcement and privacy initiatives.

Key Provisions:

  • Funds cannot be transferred or appropriated for other purposes
  • Interest and earnings are transferred annually to the General Fund for general legislative appropriation

Subfund Structure

Consumer Privacy Fund
├─ Consumer Privacy Subfund (CPPA operations)
│  └─ 95% of CPPA administrative fines
│
├─ Attorney General Consumer Privacy Enforcement Subfund (AG enforcement)
│  └─ 95% of AG civil penalties
│
└─ Consumer Privacy Grant Subfund (grant programs)
   ├─ 5% of CPPA administrative fines
   └─ 5% of AG civil penalties

Consumer Privacy Grant Subfund

Purpose: Administer grants to promote and protect consumer privacy, educate children on online privacy, and fund international law enforcement cooperation.

Grant Distribution (three equal one-third allocations):

Grant Recipient Category | Purpose
Nonprofit organizations | Promote and protect consumer privacy
Nonprofit organizations and public agencies (including school districts) | Educate children on online privacy
State and local law enforcement agencies | Fund cooperative programs with international law enforcement to combat consumer data breach fraud

Grant Program Activation:

  • Grant administration begins when the subfund exceeds $300,000
  • Funds remain in the subfund until the $300,000 threshold is met

One-Time 2025–26 Fiscal Year Transfer

Any remaining Consumer Privacy Fund balances not appropriated in the 2025 Budget Act will be transferred as follows:

  • 45% → Consumer Privacy Subfund (CPPA operations)
  • 45% → Attorney General Consumer Privacy Enforcement Subfund
  • 10% → Consumer Privacy Grant Subfund

(Amended by Stats. 2025, Ch. 20, Sec. 2 (AB 137), effective June 30, 2025)


Good Faith Cooperation Protections

No Double Payment Rule (Section 1798.199.100)

If a person demonstrates good faith cooperation with an investigation, they cannot be required to pay both:

  • An administrative fine (by CPPA), and
  • A civil penalty (by Attorney General)

This provision prevents duplicate financial penalties for the same violation when the violator cooperates with enforcement authorities.


Enforcement Framework Summary

Enforcement Framework

[1798.150] Personal Information Security Breaches (Private Right)
├─ (a) Consumer civil action
│  ├─ (1) Breach of security duty
│  │  ├─ (A) Statutory damages: $100-$750 per incident or actual
│  │  ├─ (B) Injunctive/declaratory relief
│  │  └─ (C) Other court-deemed relief
│  └─ (2) Factors for assessing damages (6 listed)
├─ (b) Pre-action 30-day cure notice requirement
└─ (c) Scope limited to security breaches only

[1798.155] Administrative Enforcement (CPPA)
├─ (a) Administrative fines by CPPA
│  ├─ Base: $2,500 per violation (CPI adjusted)
│  ├─ Intentional: $7,500 per violation
│  └─ Minor (<16): $7,500 per violation
└─ (b) Fund allocation: 95% CPPA subfund, 5% grant subfund

[1798.199.90] Attorney General Civil Enforcement
├─ (a) Civil penalties (injunction + fines)
│  ├─ Base: $2,500 per violation (CPI adjusted)
│  ├─ Intentional: $7,500
│  └─ Minor PI: $7,500
├─ (b) Penalty allocation
│  ├─ (1)(A) 95% to AG subfund
│  ├─ (1)(B) Reimbursement to CPPA for joint investigations
│  └─ (2) 5% to grant subfund
├─ (c) CPPA stay upon AG request
└─ (d) No duplicate enforcement (CPPA vs AG)

[1798.160] Consumer Privacy Fund Structure
├─ (a) Consumer Privacy Fund (general)
│  ├─ (1) Fund creation in General Fund
│  └─ (2) Exclusive use, no transfers
├─ (b) Consumer Privacy Subfund (CPPA operations)
│  └─ 95% of CPPA fines
├─ (c) Attorney General Subfund (AG enforcement)
│  └─ 95% of civil penalties
├─ (d) Consumer Privacy Grant Subfund (grants)
│  ├─ 5% of CPPA fines + 5% of AG penalties
│  ├─ (2) Grant distribution (three one-third allocations)
│  │  ├─ (i) Nonprofits (consumer privacy)
│  │  ├─ (ii) Nonprofits/agencies (child online privacy ed)
│  │  └─ (iii) Law enforcement (intl cooperation)
│  └─ (3) $300K threshold to begin grant program
└─ (e) 2025-26 one-time transfer
     (45% CPPA subfund, 45% AG subfund, 10% grant subfund)

[1798.199.100] Good Faith Cooperation
└─ No double payment (admin fine + civil penalty)
