CCPA Enforcement 2025: What to Do Before (and After) the Letter Arrives
June 12, 2025
If your business operates a public-facing website and collects personal information from California residents, now is the time to review your privacy program. The California Attorney General's Office continues to issue enforcement letters under the California Consumer Privacy Act (CCPA), most recently targeting companies that collect or share precise geolocation data. On March 10, 2025, Attorney General Rob Bonta announced an "investigative sweep" focused on advertising networks, mobile-app publishers, and data brokers that handle this sensitive information.
These actions build on years of steady CCPA enforcement and reflect the expanded consumer rights introduced by the 2020 California Privacy Rights Act (CPRA) amendment, which took effect on January 1, 2023. This post updates our earlier guidance: we’ll explain what’s changed, why enforcement is ramping up in 2025, and how to prepare if a letter arrives.
Have You Gotten a Letter Yet?
The Attorney General's Office continues to send a steady stream of enforcement notices, each citing potential violations of the CCPA (as amended). In 2025, the focus has shifted to businesses that fail to honor opt-out rights, obscure those rights with dark patterns, or use confusing language in privacy notices. If you run a public-facing site and collect personal information from California residents, there is a real possibility one of these notices could be headed your way.
Why the Notices Keep Coming
The March 2025 sweep targets companies suspected of mishandling geolocation data—legally defined as Sensitive Personal Information (SPI). Notices demand evidence that businesses honor consumer opt-out requests, including signals sent via Global Privacy Control (GPC), and that they limit the use of SPI across all data flows.
Who Is Receiving Notices
The CCPA applies to any for-profit business that collects personal data from California residents and meets at least one of these thresholds:
- $25 million or more in annual gross revenue
- Buys, sells, or shares the personal data of 100,000+ consumers
- Derives 50% or more of annual revenue from selling or sharing personal data
SPI status does not change the thresholds above, but it raises the stakes for sites that meet them. A site that embeds third-party analytics or mapping SDKs which transmit device coordinates to an advertising platform is "sharing" that data, and every consumer whose data is shared counts toward the 100,000-consumer threshold. Nonprofits fall outside the CCPA's definition of a business, but a for-profit B2B site of modest size can qualify this way.
What the Letter Looks Like
A standard enforcement letter typically includes:
- Citations of specific CCPA sections, most often Civil Code 1798.120 (the right to opt out of sale or sharing) and 1798.135 (the required "Do Not Sell or Share" and "Limit" links and the duty to honor opt-out preference signals such as GPC), with 1798.121 (the right to limit use of SPI) appearing in geolocation cases
- A request for a written explanation of your privacy practices, including screenshots that demonstrate GPC support and a working “Do Not Sell or Share” link
- A request for vendor contracts that show compliance across your data partners
- A warning that unresolved violations may result in administrative fines of up to $2,500 per violation, or $7,500 per intentional violation or violation involving a consumer under 16 (both figures are adjusted for inflation by the CPPA)
Recent Enforcement Examples
Todd Snyder – May 1, 2025
The menswear retailer agreed to pay $345,178 in a California Privacy Protection Agency (CPPA) action and to overhaul its cookie banner, opt-out flow, and data subject request process. The agency found that a misconfigured consent banner had failed to pass opt-out requests through to the backend for weeks, and that consumers were asked for more information than needed, including a photo ID, to exercise their rights.
Honda – March 12, 2025
American Honda Motor Co. accepted a $632,500 CPPA penalty. The order counted 153 consumers whose opt-out requests were wrongly put through an identity-verification step, and also faulted a cookie banner that made accepting tracking easier than declining it and the sharing of consumer data with ad-tech vendors without the contract terms the CCPA requires.
These actions show that penalties are computed per violation, with each affected consumer counted separately, and that both the Attorney General and the CPPA intend to keep enforcement active throughout 2025.
What This Means for You
If your mailbox is still empty, treat the silence as a head start. Use it to tighten your privacy disclosures, test your opt-out workflows, and audit your third-party scripts—especially those that handle location data. The goal is simple: fix issues before enforcement finds them.
CCPA to CPRA: What Changed?
California’s privacy law is still called the California Consumer Privacy Act (CCPA), but voters gave it a major overhaul by passing the California Privacy Rights Act (CPRA) in 2020. Those amendments took effect on January 1, 2023—and they reshaped the rules, raised the stakes, and changed how every organization handling Californians’ data needs to operate. If you’re wondering why enforcement activity is accelerating in 2025, this refresher outlines the key shifts.
The CPPA: A New Watchdog with a Singular Focus
Before 2023, the state Attorney General was solely responsible for enforcing the CCPA. CPRA created a separate agency—the California Privacy Protection Agency (CPPA)—with its own board, budget, investigative powers, and authority to issue penalties. The similarity in acronyms between the Act (CCPA/CPRA) and the Agency (CPPA) is unfortunate—but make no mistake: this is a new enforcement body with real teeth.
While the Attorney General still brings major sweeps (such as the March 2025 action against location-data firms), the CPPA now runs its own parallel investigations and can issue administrative fines independently. A business won’t be penalized by both, but it can be investigated by either.
No More Automatic “Cure Period”
Under the original CCPA, companies had 30 days to fix violations after receiving a notice—essentially a built-in grace period. CPRA removed that provision. Now, regulators can assess penalties immediately if they believe a violation is ongoing or especially harmful.
In practice, most notices still allow around 30 days to respond—but that time is no longer guaranteed. The Attorney General and the CPPA are under no obligation to offer a second chance.
Expanded Definition of Sensitive Personal Information (SPI)
CPRA introduced a formal SPI category and gave consumers the right to limit how businesses use or disclose this data. SPI now includes precise geolocation and, as of January 1, 2024, also covers citizenship and immigration status. The result: more businesses fall under regulatory scrutiny—and more users can exercise control.
Stronger, Clearer Consumer Rights
Since January 2023, Californians have gained additional rights, including the ability to:
- Correct inaccurate personal information a business holds
- Limit the use and disclosure of their SPI
- Opt out of sales and cross-context behavioral advertising—including through Global Privacy Control (GPC) browser signals
These expand on the original rights to access, delete, and avoid discrimination for exercising privacy choices. Each right requires operational support—from how forms are built to how signals are recognized and processed.
Higher Thresholds—But a Wider Net
To reduce burdens on the smallest companies, CPRA raised the data-volume threshold from 50,000 to 100,000 California consumers or households. But many mid-sized businesses are now captured another way: “sharing” personal data for advertising purposes also counts toward the threshold. The $25 million annual revenue trigger still applies—and catches a wide range of firms.
Contract Requirements and Risk Governance
Under CPRA, businesses must have written agreements with every service provider, contractor, and third party that receives personal data. These contracts must:
- Identify the limited, specified purposes for which the data is disclosed
- Prohibit further selling or sharing of personal information, and any use outside those purposes
- Require the recipient to comply with the CCPA and provide the same level of privacy protection the law requires of the business
- Grant the business the right to take reasonable steps, including audits, to confirm how the recipient handles the data, and require the recipient to notify the business if it can no longer comply
CPRA also requires covered businesses to:
- Map data flows and retain information only as long as necessary
- Conduct regular risk assessments and cybersecurity audits for high-risk data practices (with final rules still pending)
These aren’t checklist items—they are foundational responsibilities, and missing them can lead to direct liability.
Five CPRA Requirements Every Site Owner Must Address
- Universal opt-out: Treat an opt-out preference signal such as GPC as a valid opt-out request and act on it automatically, for the browser that sent it and for any consumer profile you can link to it. Make your "Do Not Sell or Share" link visible and functional, with no account, identity verification, or extra steps.
- Limit SPI: If you use or disclose sensitive personal information for purposes beyond those the regulations permit (precise geolocation used for ad targeting is the common case), add a clear "Limit the Use of My Sensitive Personal Information" link and ensure the limit propagates across your entire vendor stack. The regulations also allow a single "Your Privacy Choices" link, with the opt-out icon, in place of both links.
- Contract hygiene: Update all agreements with ad networks, analytics providers, and SaaS partners to include CPRA-compliant terms.
- Data retention rules: Know why you’re keeping each category of data—and set defensible deletion schedules.
- No cure period: Assume the first notice is also your last. Keep documentation ready to prove compliance from day one.
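The first two requirements above are mechanical, and regulators test them mechanically. The following is an added example, not code from the original post or from STAUFFER: a minimal Node.js-style request handler that treats a Global Privacy Control signal as an opt-out, suppresses data-sharing tags, and writes the record a response packet later cites. The route names, the `vid` visitor cookie, the tag inventory and the hosts are assumptions for the demo; the `Sec-GPC` request header and the `/.well-known/gpc.json` file come from the GPC specification.

```javascript
// Added example (not the post's or STAUFFER's code): honoring GPC server-side.
// Assumed for the demo: the `vid` visitor cookie, the /privacy/opt-out route,
// and the constructed tag inventory below.

// A tag that sends data to a third party for cross-context behavioral
// advertising "shares" data under the CCPA; first-party measurement does not.
const TAGS = [
  { id: 'ad-pixel',       src: 'https://ads.example-network.test/pixel.js', sharesData: true  },
  { id: 'retargeting',    src: 'https://rt.example-dsp.test/tag.js',        sharesData: true  },
  { id: 'site-analytics', src: '/static/analytics.js',                      sharesData: false },
];

// The spec defines exactly `Sec-GPC: 1`. Anything else (absent, "0", "true")
// is "no signal": a malformed header must never opt a consumer back in.
function gpcSignalPresent(headers) {
  const v = headers['sec-gpc'];
  return typeof v === 'string' && v.trim() === '1';
}

// Append-only opt-out record. The CCPA regulations require records of
// consumer requests to be kept for 24 months; this is the log that shows
// the signal was received and acted on.
function recordOptOut(log, visitorId, source, now) {
  const entry = { visitorId, source, at: now.toISOString() };
  log.push(entry);
  return entry;
}

// Tags allowed for this request: a stored opt-out or a live GPC signal both
// suppress every data-sharing tag; first-party measurement is unaffected.
function selectTags(optedOut) {
  return TAGS.filter(t => !(t.sharesData && optedOut)).map(t => t.id);
}

// req   = { method, path, headers, cookies }
// state = { optOuts: Set of visitor ids, log: [] }   (persisted in production)
function handleRequest(req, state, now = new Date()) {
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const visitorId = (req.cookies || {}).vid || null;

  // Advertise support so browsers and auditors can confirm it.
  if (req.method === 'GET' && req.path === '/.well-known/gpc.json') {
    return { status: 200, body: { gpc: true, lastUpdate: '2025-06-12' }, tags: [] };
  }

  // The "Do Not Sell or Share" link posts here. One click, no account and no
  // identity check: extra verification steps are what recent orders faulted.
  if (req.method === 'POST' && req.path === '/privacy/opt-out') {
    if (visitorId) {
      state.optOuts.add(visitorId);
      recordOptOut(state.log, visitorId, 'link', now);
    }
    return { status: 204, body: null, tags: [] };
  }

  // Any other page: a GPC signal is itself a valid opt-out request. Record it
  // once per visitor and keep honoring it even if the header later stops.
  const gpc = gpcSignalPresent(headers);
  if (gpc && visitorId && !state.optOuts.has(visitorId)) {
    state.optOuts.add(visitorId);
    recordOptOut(state.log, visitorId, 'gpc', now);
  }
  const optedOut = gpc || (visitorId !== null && state.optOuts.has(visitorId));
  return { status: 200, body: null, tags: selectTags(optedOut) };
}

// Demo on a constructed request: a browser sending GPC gets only first-party tags.
const demoState = { optOuts: new Set(), log: [] };
console.log(handleRequest(
  { method: 'GET', path: '/', headers: { 'Sec-GPC': '1' }, cookies: { vid: 'demo' } },
  demoState).tags, demoState.log);
```

Two design points matter more than the routing. First, the header check is strict: a tag manager that tests `if (header)` rather than `header === '1'` will fire on `Sec-GPC: 0`, and one that only checks the header without storing the opt-out will quietly resume sharing the moment the visitor uses a browser without GPC. Second, the log entry carries the source of the opt-out (`gpc` or `link`) and a timestamp, which is what the "logs that confirm your system receives and acts on GPC signals" item in a response packet actually has to show.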
Why These Changes Are Driving 2025 Enforcement
CPRA gave regulators sharper tools—and easier ways to spot violations. Ignoring GPC signals, missing SPI-limit links, or sharing geolocation data without proper contracts are no longer gray areas. They’re clear violations, and they’re easy to detect.
That’s what the March 2025 location-data sweep demonstrates. Enforcement isn’t about reading between the lines—it’s about spotting visible failures. Staying compliant means building simple, effective, user-first controls and backing them up with documentation that stands up to scrutiny.
I Got a Letter—Now What?
Opening an envelope from the California Attorney General can be unsettling—but it’s also an opportunity. Most notices provide around 30 days to explain how you’re addressing the alleged violations. That window is your chance to deliver a clear, documented, and credible response—not scramble under pressure.
Confirm Authenticity and Loop in Counsel
CCPA enforcement letters arrive on official letterhead, reference specific code sections, and name a deputy attorney general (or, for CPPA matters, agency enforcement staff) with contact information. Verify the letter before you act on it: look up the named attorney and a phone number through the Attorney General's or CPPA's public website rather than the contact details printed in the letter, because a convincing "regulator" letter is also a ready-made pretext for phishing your data maps and vendor contracts. Then immediately bring privacy counsel, or your internal legal lead, into the loop. Forward the letter exactly as received, note the receipt date, and set up a privileged workspace to track every decision, document, and task throughout the response process.
Pause Risky Data Flows
Until you’ve scoped the issue, freeze any data-sharing operations related to the cited violation. If geolocation is in question, disable location-based ad pixels, pull mapping SDKs that send coordinates to external platforms, and shut off internal dashboards exposing raw GPS data. A fast pause demonstrates good faith and limits ongoing exposure while you work on remediation.
Conduct a Rapid Gap Analysis
Start with the citation and work backward. Map each named data point: what you collect, where it flows, which vendors touch it, and how long it is retained. On the front end, your site should have a functioning "Do Not Sell or Share My Personal Information" link, a "Limit the Use of My Sensitive Personal Information" link where you use SPI beyond the permitted purposes, and automatic recognition of Global Privacy Control (GPC) signals. On the back end, confirm that data-subject access requests (DSARs) route to the correct queue and are answered within the 45-day statutory window, that opt-out requests are honored within 15 business days and forwarded to the vendors you have shared data with, and that you keep records of requests for the 24 months the regulations require.
Build a Complete Response Packet
The Attorney General wants evidence, not intentions. Prepare a concise, defensible packet that includes:
- Your current privacy policy
- Screenshots showing compliant opt-out and SPI-limit links
- A short narrative describing your DSAR intake and fulfillment process
- Logs that confirm your system receives and acts on GPC signals
- Signed data-processing agreements with every analytics, advertising, or cloud vendor involved
Also include a remediation timeline—assign clear ownership and set completion dates for every remaining fix.
Prioritize High-Impact Fixes
Focus on changes that immediately reduce risk and prove compliance. Enable GPC recognition in your consent-management platform. Simplify or remove any dark-pattern steps in your opt-out flow. Add a prominent SPI-limit link and route it directly to a working preference center. Purge historical geolocation data that no longer serves a disclosed purpose. As you go, document every step—screenshots, code commits, updated contracts—so you can show measurable progress if regulators follow up.
Push Compliance Downstream
Your responsibility doesn’t stop at your firewall. Notify your ad networks, analytics partners, and contractors about the state’s inquiry. Confirm they can suppress data sale or sharing in response to opt-outs, and update contracts to include CPRA-required terms that ban secondary use of SPI. Keep all signed contract addenda on file and include them in your response packet.
Retrain Your Employees Behind the Workflow
Policy updates fail when staff follow outdated playbooks. Host a short, focused training session for developers, customer service reps, and marketing teams. Cover the new SPI limits, how GPC signals are received and acted on in real time, and the proper handling of DSARs. Log attendance and archive the training materials alongside your other compliance evidence.
Make Monitoring Routine
Once your response is submitted, shift into proactive mode. Schedule quarterly reviews of your consent banner, semi-annual audits of your data-retention policies, and annual contract checks. Set up automated scans to catch broken opt-out links or ignored GPC signals. Ongoing monitoring shows regulators you’ve embedded privacy into your operations—not just your inbox.
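The scan this section recommends does not need a product to get started. The following is an added example, not code from the original post or from STAUFFER: an offline check run over a page a crawler has already saved, together with the list of hosts the browser contacted while loading that page with `Sec-GPC: 1` (a headless browser's request log, for instance). It verifies that the statutory links are present and live and that no data-sharing host was contacted under GPC. The input shape and the ad-tech host list are constructed for the demo.

```javascript
// Added example (not the post's or STAUFFER's code): auditing a crawled page
// for the CCPA opt-out links and for GPC being honored.
// Assumed input: page HTML plus the hosts contacted while loading it with
// `Sec-GPC: 1`; the sharing-host list below is constructed for the demo.

// Link texts the CCPA regulations accept. The "Limit" link is required only
// when SPI is used beyond the permitted purposes; "Your Privacy Choices"
// (with the opt-out icon) is the allowed single link that covers both.
const SELL_SHARE_LINK = 'do not sell or share my personal information';
const LIMIT_LINK = 'limit the use of my sensitive personal information';
const COMBINED_LINKS = ['your privacy choices', 'your california privacy choices'];

// Constructed list of third-party hosts whose tags sell or share data.
const SHARING_HOSTS = ['ads.example-network.test', 'rt.example-dsp.test'];

// Pulls every anchor out of the HTML and normalizes its visible text, so
// "Do Not Sell or Share My <b>Personal</b> Information" still matches.
function linkTexts(html) {
  const out = [];
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const text = m[2].replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim().toLowerCase();
    out.push({ href: m[1].trim(), text });
  }
  return out;
}

// A link only counts if it goes somewhere: an empty href is a dead link.
function hasLink(links, wanted) {
  return links.some(l => l.text === wanted && l.href !== '');
}

// Matches the host itself and any subdomain of it.
function isSharingHost(host) {
  return SHARING_HOSTS.some(h => host === h || host.endsWith('.' + h));
}

// page = { url, html, usesSpiBeyondPermitted, hostsContactedUnderGpc }
// Returns finding codes; an empty array means the page passed.
function auditPage(page) {
  const findings = [];
  const links = linkTexts(page.html);
  const combined = COMBINED_LINKS.some(t => hasLink(links, t));

  if (!combined && !hasLink(links, SELL_SHARE_LINK)) {
    findings.push('missing-opt-out-link');
  }
  if (page.usesSpiBeyondPermitted && !combined && !hasLink(links, LIMIT_LINK)) {
    findings.push('missing-spi-limit-link');
  }
  // With GPC sent, any request to a sharing host means the signal was ignored.
  for (const host of page.hostsContactedUnderGpc) {
    if (isSharingHost(host)) findings.push(`gpc-ignored:${host}`);
  }
  return findings;
}

// Demo on constructed crawl results.
const demoPages = [
  { url: 'https://www.example.test/',
    html: '<footer><a href="/privacy/choices"><img src="/icon.svg"> Your Privacy Choices</a></footer>',
    usesSpiBeyondPermitted: true,
    hostsContactedUnderGpc: ['www.example.test', 'cdn.example.test'] },
  { url: 'https://www.example.test/store',
    html: '<a href="/dnss">Do Not Sell or Share My <b>Personal</b> Information</a>' +
          '<a href="">Limit the Use of My Sensitive Personal Information</a>',
    usesSpiBeyondPermitted: true,
    hostsContactedUnderGpc: ['ads.example-network.test', 'cdn.rt.example-dsp.test'] },
];
for (const p of demoPages) console.log(p.url, auditPage(p));
```

The second demo page illustrates the two failures a scan like this catches that a visual review often misses: a "Limit" link that renders correctly but has no destination, and ad-tech requests that still fire with GPC set because a tag manager ignores the header. Run it against every template that includes the footer, not just the home page, and archive the results next to the opt-out logs as part of the compliance record.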
Know When to Bring in Help
If your data landscape spans multiple cloud environments or relies on a complex legacy martech stack, closing every gap in 30 days is going to be tough. In those cases, bring in a privacy-engineering partner. At STAUFFER, we help organizations stand up GPC compliance, streamline consent UX, and build auditable DSAR workflows that hold up under scrutiny.
The point isn’t to panic—it’s to act with purpose. Regulators are looking for signs you take consumer privacy seriously and you’re making real progress. By freezing risky flows, addressing critical gaps, pushing compliance across your ecosystem, and retraining your people, you send the right signal—and put your business on firmer ground long after the letter is filed away.
Beyond Compliance: Privacy as Trust Currency
Regulators aren’t the only ones paying attention to your privacy posture—your customers are watching, too. In the March 2025 enforcement sweep, the California Attorney General made clear that location data can be exploited in ways that put people at risk. When users encounter a working Global Privacy Control (GPC) signal, a clearly labeled opt-out link, and an honest explanation of why their data is collected, it sends a powerful message: you respect their safety as much as their business.
And that respect delivers real results:
- Higher conversion and retention: Sites with intuitive, low-friction privacy choices tend to see lower bounce rates and higher renewal rates. When users feel in control, they’re more likely to stick around.
- Better search and ad performance: Google's page-experience signals penalize intrusive interstitials, and a compliant consent banner is a small, dismissable one. A banner that fires tags only after a clear choice also produces fewer blocked or half-fired tags, so your analytics are more accurate and your campaigns easier to measure.
- Faster incident response: With a current, well-mapped data inventory, teams can quickly assess the scope of a breach—or confirm they’re in the clear. That speed protects both your legal exposure and your brand reputation.
Privacy done right isn’t just a legal requirement—it’s a business advantage. Every opt-out honored and every data-retention limit enforced reinforces the message: You can trust us with what matters most—your information.
Enforcement letters aren’t going away—but they don’t have to keep you up at night. Review your data flows now, address the compliance gaps we’ve outlined, and document each step as you go. If time or tooling is a barrier, bring in a partner that knows CCPA compliance inside and out.
At STAUFFER, we help organizations implement Global Privacy Control, redesign consent UX for clarity and speed, and build repeatable, auditable DSAR workflows—so you’re ready when the envelope arrives.
Ready to turn privacy risk into a trust advantage? Let’s talk.