Form: Cost-of-Breach Disclosure
Source: IBM 2025
Filed: 28 Apr 2026
DataBreachCost.com
Reg File 09. CCPA / California Consumer Privacy Act
CPPA / CA AG enforcement

Regulator profile

CCPA breach cost: up to $2,500 per negligent violation or $7,500 per intentional violation in regulatory penalties, plus $100-$750 per consumer per incident in statutory damages under the private right of action.

The California Consumer Privacy Act (2018, amended by the CPRA in 2020) is the most consequential US state privacy statute. CCPA penalties are $2,500 per negligent violation or $7,500 per intentional violation, with enforcement authority shared between the California AG and the California Privacy Protection Agency (CPPA) created under the CPRA. Critically, the CCPA provides a private right of action for breaches of nonencrypted and nonredacted personal information, with statutory damages of $100 to $750 per consumer per incident.

Negligent violation: $2,500, per violation (regulatory penalty)

Intentional violation: $7,500, per violation (regulatory penalty; also applies to violations involving consumers under 16)

Private action damages: $100-$750, per consumer per incident (statutory damages, or actual damages if greater)

Largest CCPA settlement: $1.2M, Sephora 2022

Section CCPA.1

The two enforcement pathways

CCPA enforcement runs on two parallel tracks. The first is regulatory enforcement by the California AG (under the original CCPA) and the California Privacy Protection Agency (CPPA, created under CPRA and fully operational from July 2023). The regulatory penalty structure is $2,500 per violation for negligent violations and $7,500 per violation for intentional violations or violations involving the personal information of consumers under 16. The cure period of 30 days that originally applied to all violations was eliminated by CPRA for violations occurring after 1 July 2023, leaving only a discretionary cure period.

The second pathway is the private right of action under Civil Code 1798.150, which allows consumers to bring civil lawsuits where their nonencrypted and nonredacted personal information was subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business's failure to implement and maintain reasonable security procedures and practices. Two caveats matter for exposure modelling. First, "personal information" here is the narrower definition in Civil Code 1798.81.5 (name plus SSN, driver's licence or other government ID number, financial account number with access credentials, medical or health-insurance information, biometric data, and similar), not the broad CCPA definition; a breach of marketing profiles or email addresses alone does not trigger 1798.150. Second, a consumer seeking statutory damages must first give the business 30 days' written notice of the specific violation; if the business cures it and provides a written statement to that effect, the statutory-damages claim cannot proceed, although the CPRA made clear that implementing reasonable security after a breach does not itself count as a cure. Statutory damages are between $100 and $750 per consumer per incident, or actual damages, whichever is greater. For a large California breach, the private right of action is typically the larger cost line.

For a hypothetical breach affecting 5 million California consumers, the maximum private-action exposure at $750 per consumer is $3.75 billion. The realistic settlement value is materially lower because claims rates in opt-out classes are low and statutory damages settle at heavily discounted per-class-member rates, but the leverage is real and materially shapes settlement negotiation.

Section CCPA.2

The CPRA expansion and the CPPA

The California Privacy Rights Act (CPRA), passed by ballot initiative in November 2020 and effective 1 January 2023 with enforcement from 1 July 2023, materially expanded the CCPA. The CPRA created a new category of "sensitive personal information" covering SSN, driver's licence, state ID and passport numbers; account log-in and financial-account or card details combined with access credentials; precise geolocation; racial or ethnic origin, religious or philosophical beliefs and union membership; the contents of mail, email and text messages; genetic data; biometric data processed to uniquely identify a person; health data; and data about sex life or sexual orientation. Consumers gained a new right to limit the use and disclosure of sensitive personal information.

CPRA also created the California Privacy Protection Agency, the first US state-level dedicated data-protection authority. The CPPA has rulemaking, enforcement, and administrative-adjudication authority. CPPA enforcement actions began in 2023 and have accelerated since. The CPPA's adjudication structure (administrative law judges within the agency, similar to the FTC's approach) makes enforcement faster than traditional court-based AG enforcement.

For breach response specifically, the CPRA changes that matter most are the expanded definition of sensitive personal information, which triggers different protection obligations, and the requirement that businesses whose processing presents significant risk to consumers' privacy or security conduct risk assessments and annual cybersecurity audits under the CPPA's regulations, with attestations submitted to the agency. Note that the CPRA did not add a separate incident-disclosure duty to the CPPA: breach notification still runs under California's data-breach statute, Civil Code 1798.82, which requires notice to affected residents and a copy of the notice to the AG when more than 500 California residents are notified in a single incident. The risk-assessment and audit requirements are the most operationally consequential changes and have produced material consulting demand at California-exposed businesses.

Section CCPA.3

The largest CCPA settlements on record

Respondent                        | Settlement          | Year      | Authority
Sephora                           | $1.2M               | 2022      | CA AG (first CCPA enforcement)
DoorDash                          | $375K               | 2024      | CA AG
Tilting Point Media               | $500K               | 2024      | CA AG (children's data)
Glow Inc.                         | $250K               | 2020      | CA AG (pre-CCPA enforcement)
Sunday Riley Modern Skincare      | $350K               | 2023      | CA AG
Various small/mid CCPA actions    | $25K-$500K typical  | 2022-2024 | CA AG / CPPA

CCPA regulatory enforcement has so far been notably modest in dollar terms compared to GDPR, partly because the mandatory cure period reduced exposure under the original CCPA and partly because the CPPA is still building its enforcement record. With the mandatory cure period gone, the post-2023 CPRA enforcement trajectory is expected to produce larger settlements.

Section CCPA.4

The private-action breach class actions

The private right of action under Civ. Code 1798.150 has produced the largest CCPA-related settlements, but those settle as multi-claim class actions rather than as standalone CCPA claims. The pattern has been: an enterprise suffers a breach affecting California residents; California-resident plaintiffs file a class action pleading CCPA claims alongside negligence, breach-of-contract, and state consumer-protection claims; the case settles on the aggregate of all claims rather than on the CCPA component specifically.

The Hanna Andersson / Salesforce.com breach class action settled for $400K, with the CCPA claims providing a notable component of plaintiff leverage. The Marriott multidistrict litigation includes CCPA claims for California-resident class members. The Capital One $190M settlement included a California subclass that received enhanced compensation reflecting CCPA exposure. The pattern is that the CCPA private action is rarely the sole or even primary basis for a settlement but is typically a meaningful component of the plaintiff's leverage stack.

For breach-cost modelling at the California-resident-cohort level, a rough rule of thumb that has emerged from observed settlements is that CCPA exposure adds approximately $5-$25 per affected California resident to total class-action settlement value, depending on data sensitivity. The figure is materially below the $750 statutory damages cap because settlements consistently discount the statutory maximum to reflect litigation risk and class-action administration practicality.

Section CCPA.5

The interaction with other US state privacy laws

As of mid-2026, comprehensive state privacy laws are in effect in California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Indiana (ICDPA), Tennessee (TIPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Florida (FDBR), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (SB 255), Kentucky (KCDPA), Nebraska (NDPA), Minnesota (MCDPA), Maryland (MODPA), and Rhode Island (RIDTPPA). Each operates a distinct enforcement structure, but the substantive protections largely converge on a CCPA-inspired model. Only California's law carries a private right of action for breaches; the others are enforced by state AGs.

For breach response, the multi-state coordination problem has become significant, but it is driven less by the comprehensive privacy laws than by the separate breach-notification statutes that all 50 states maintain. Those statutes differ in the definition of covered personal information, the trigger (acquisition versus access), the notification deadline, the content and format of the consumer notice, and whether and at what threshold the AG or another regulator must be notified. The comprehensive privacy laws add a reasonable-security duty on top and, in California, the private right of action. The cost of multi-state notification compliance has grown from a modest line item in the pre-2018 era to a meaningful component of breach cost, with specialist legal counsel and breach-notification platform vendors charging $10K-$100K just for the multi-jurisdictional coordination piece of a large breach.


Primary source: CCPA enforcement data from California Attorney General press releases, CPPA enforcement orders, California Civil Code Section 1798.100 et seq., and CCPA-related class-action settlement orders. State privacy law landscape from the National Conference of State Legislatures privacy tracker.