Form: Cost-of-Breach Disclosure
Source: IBM 2025
Filed: 28 Apr 2026
DataBreachCost.com
Reg File 09. CCPA / California Consumer Privacy Act
Enforcement: CPPA / CA AG

Regulator profile

CCPA breach cost: $2,500 per negligent violation or $7,500 per intentional violation in regulatory penalties, plus $100-$750 per consumer per incident under the private right of action.

The California Consumer Privacy Act (2018, amended by CPRA 2020) is the most consequential US state privacy statute. CCPA regulatory penalties are $2,500 per negligent violation or $7,500 per intentional violation (or any violation involving a consumer under 16), with enforcement authority shared between the California AG and the California Privacy Protection Agency (CPPA) created under CPRA. Critically, CCPA provides a private right of action for breaches of nonencrypted and nonredacted personal information caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident. CCPA compliance cost, the standing pre-incident expense of running a CCPA program, is a separate number from breach cost and is covered in Section CCPA.6 below.

Negligent violation: $2,500 per violation (Civil Code 1798.155)

Intentional violation, or any violation involving a consumer under 16: $7,500 per violation (Civil Code 1798.155)

Private action damages: $100-$750 per consumer per incident, or actual damages if greater (Civil Code 1798.150)

Largest CCPA settlement: $12.75M, General Motors, May 2026

Section CCPA.1

The two enforcement pathways

CCPA enforcement runs on two parallel tracks. The first is regulatory enforcement by the California AG (under the original CCPA) and the California Privacy Protection Agency (CPPA, created under CPRA, with enforcement authority from 1 July 2023). The regulatory penalty structure under Civil Code 1798.155 is $2,500 per violation for negligent violations and $7,500 per violation for intentional violations or violations involving the personal information of consumers under 16. Note that these penalties are counted per violation, not per consumer; how many violations a single incident represents is a question the enforcer answers case by case. The mandatory 30-day cure period that originally applied to all violations was eliminated by CPRA for violations occurring after 1 July 2023, leaving only a discretionary cure period that the regulator may grant.

The second pathway is the private right of action under Civil Code 1798.150, which allows consumers to bring civil lawsuits where their nonencrypted and nonredacted personal information was subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures. The personal information covered is the narrower data-breach definition in Civil Code 1798.81.5(d)(1)(A) (for example SSN, driver's licence or other government ID, financial account numbers with access credentials, medical and health-insurance information, biometric data), not the broad CCPA definition. Statutory damages are between $100 and $750 per consumer per incident, or actual damages, whichever is greater. Two practitioner caveats: the consumer must give the business 30 days' written notice before seeking statutory damages, and only an actual cure within that window defeats them (CPRA specifies that implementing reasonable security procedures after a breach is not itself a cure, so the notice rarely helps a breached business); and because the claim is confined to the reasonable-security duty, a business that can document a reasonable, audited program has a defence on the merits. For a large California breach, the private right of action is typically the larger cost line.

For a hypothetical breach affecting 5 million California consumers, the maximum private-action exposure at $750 per consumer is $3.75 billion. The realistic settlement value is materially lower, because not all consumers join the class and statutory damages settle at heavily discounted per-class rates, but the leverage is real and shapes settlement negotiation.

Section CCPA.2

The CPRA expansion and the CPPA

The California Privacy Rights Act (CPRA), passed by ballot initiative in November 2020 and effective 1 January 2023 with enforcement from 1 July 2023, materially expanded the CCPA. CPRA created a new category of "sensitive personal information" including SSN, driver-licence, financial account, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, contents of email/text/mail, genetic data, biometric data, health data, and sexual orientation data. Consumers have new rights to limit the use and disclosure of sensitive personal information.

CPRA also created the California Privacy Protection Agency, the first US state-level dedicated data-protection authority. The CPPA has rulemaking, enforcement, and administrative-adjudication authority. Its enforcement division opened its connected-vehicle investigative sweep in 2023, and the agency issued its first administrative enforcement orders in 2025: a $632,500 fine against American Honda (March 2025) and a $345,178 fine against menswear retailer Todd Snyder (May 2025). The CPPA's adjudication structure (administrative law judges within the agency, similar to the FTC's approach) makes enforcement faster than traditional court-based AG enforcement.

For breach response specifically, the CPRA changes that matter most are the expanded sensitive-personal-information category, which changes what a business must be able to identify in a compromised data set, and the cybersecurity-audit and risk-assessment duties for businesses whose processing presents significant risk to consumer privacy: annual cybersecurity audits, and risk assessments submitted to the CPPA on a regular basis, under the CPPA's implementing regulations. CPRA itself did not add a separate duty to report security incidents to the CPPA; regulator notice of a breach still runs under California's breach-notification statute (Civil Code 1798.82), which requires a copy of the consumer notice to be sent to the Attorney General when more than 500 California residents are notified. The audit and risk-assessment duties are the most operationally consequential, because the same audit trail of reasonable security is the defence to the Civil Code 1798.150 private action, and they have produced material consulting demand at California-exposed businesses.

Section CCPA.3

The largest CCPA settlements on record

Respondent | Settlement | Year | Authority
General Motors | $12.75M | 2026 | CA AG (largest to date; data minimization)
Walt Disney | $2.75M | 2026 | CA AG (streaming opt-out)
Sephora | $1.2M | 2022 | CA AG (first CCPA enforcement)
American Honda | $632.5K | 2025 | CPPA (first CPPA order)
Sling TV / Dish | $530K | 2025 | CA AG (streaming sweep)
Tilting Point Media | $500K | 2024 | CA AG (children's data)
DoorDash | $375K | 2024 | CA AG
Todd Snyder | $345K | 2025 | CPPA (cookie-banner defect)
Glow Inc. | $250K | 2020 | CA AG (pre-CCPA enforcement)

CCPA regulatory settlements stayed modest through 2024 (low six figures), but the 2025-2026 trajectory has escalated sharply: the CPPA issued its first administrative orders in 2025 (Honda, Todd Snyder), and the California AG secured record settlements with Disney ($2.75M, February 2026) and then General Motors ($12.75M, May 2026, grounded in the CCPA data-minimization and purpose-limitation duties). The elimination of the mandatory cure period and the maturing of both enforcement bodies are driving the increase.

Section CCPA.4

The private-action breach class actions

The private right of action under Civ. Code 1798.150 has produced the largest CCPA-related settlements, but those settle as class actions rather than as CCPA per se. The pattern has been: an enterprise suffers a breach affecting California residents; California-resident plaintiffs file a class action including CCPA claims alongside negligence, breach-of-contract, and state consumer-protection claims; the case settles on the aggregate of all claims rather than the CCPA component specifically.

The Hanna Andersson + Salesforce.com breach class-action settled for $400K with the CCPA claims providing a notable component of plaintiff leverage. The Marriott multidistrict litigation includes CCPA claims for California-resident class members. The Capital One $190M settlement included a California subclass that received enhanced compensation reflecting CCPA exposure. The pattern is that CCPA private action is rarely the sole or even primary basis for a settlement but is typically a meaningful component of the plaintiff's leverage stack.

For breach-cost modelling at the California-resident-cohort level, a rough rule of thumb that has emerged from observed settlements is that CCPA exposure adds approximately $5-$25 per affected California resident to total class-action settlement value, depending on data sensitivity. The figure is materially below the $750 statutory damages cap because settlements consistently discount the statutory maximum to reflect litigation risk and class-action administration practicality.
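The exposure figures in Sections CCPA.1 and CCPA.4 combine into a small model. The following is an added worked example, not a calculator from DataBreachCost.com: it takes the page's own numbers (Civil Code 1798.155 penalties of $2,500 per negligent and $7,500 per intentional or under-16 violation; Civil Code 1798.150 statutory damages of $100-$750 per consumer per incident or actual damages if greater; the observed $5-$25 per resident settlement band) and returns the statutory floor and ceiling, the realistic settlement band, and the combined figure. The handling of the 30-day notice and cure under 1798.150(b) is modelled as a flag; the function names and the violation count passed in are illustrative assumptions.

```python
"""CCPA breach-exposure model for a California-resident cohort.

Added worked example; not code from DataBreachCost.com. All dollar
constants are the figures stated on this page. The 'violations' count
passed to regulatory_penalty() is the caller's assumption: the statute
counts per violation, not per consumer.
"""
from dataclasses import dataclass

# Civil Code 1798.155 regulatory penalties, per violation
NEGLIGENT_PER_VIOLATION = 2_500
INTENTIONAL_PER_VIOLATION = 7_500      # also applies to consumers under 16
# Civil Code 1798.150 statutory damages, per consumer per incident
STATUTORY_MIN_PER_CONSUMER = 100
STATUTORY_MAX_PER_CONSUMER = 750
# Page's observed settlement rule of thumb, per affected California resident
SETTLEMENT_LOW_PER_RESIDENT = 5
SETTLEMENT_HIGH_PER_RESIDENT = 25


@dataclass(frozen=True)
class PrivateActionExposure:
    residents: int
    statutory_floor: int    # residents x $100 (or actual damages if higher)
    statutory_ceiling: int  # residents x $750 (or actual damages if higher)
    settlement_low: int     # residents x $5
    settlement_high: int    # residents x $25


def regulatory_penalty(violations: int, intentional: bool = False,
                       involves_under_16: bool = False) -> int:
    """1798.155 exposure: the $7,500 rate applies to intentional violations
    and to any violation involving a consumer under 16."""
    if violations < 0:
        raise ValueError("violations must be non-negative")
    rate = (INTENTIONAL_PER_VIOLATION if intentional or involves_under_16
            else NEGLIGENT_PER_VIOLATION)
    return violations * rate


def private_action_exposure(residents: int, actual_damages_per_consumer: int = 0,
                            cured_after_notice: bool = False) -> PrivateActionExposure:
    """1798.150 exposure for the California cohort.

    Statutory damages are $100-$750 per consumer per incident or actual
    damages, whichever is greater. 1798.150(b) gates statutory damages on
    a 30-day written notice: if the business actually cures within that
    window, only actual damages remain. Because CPRA says implementing
    reasonable security after a breach is not itself a cure, the flag
    should stay False for most breach claims.
    """
    if residents < 0 or actual_damages_per_consumer < 0:
        raise ValueError("inputs must be non-negative")
    if cured_after_notice:
        floor = ceiling = residents * actual_damages_per_consumer
    else:
        floor = residents * max(STATUTORY_MIN_PER_CONSUMER, actual_damages_per_consumer)
        ceiling = residents * max(STATUTORY_MAX_PER_CONSUMER, actual_damages_per_consumer)
    return PrivateActionExposure(
        residents=residents,
        statutory_floor=floor,
        statutory_ceiling=ceiling,
        settlement_low=residents * SETTLEMENT_LOW_PER_RESIDENT,
        settlement_high=residents * SETTLEMENT_HIGH_PER_RESIDENT,
    )


def total_breach_exposure(residents: int, violations: int, intentional: bool = False,
                          involves_under_16: bool = False) -> dict:
    """Both tracks are additive: separate enforcers, separate statutes.
    Returns the statutory worst case and the realistic settlement band."""
    pa = private_action_exposure(residents)
    reg = regulatory_penalty(violations, intentional, involves_under_16)
    return {
        "regulatory_penalty": reg,
        "private_action_ceiling": pa.statutory_ceiling,
        "worst_case": reg + pa.statutory_ceiling,
        "realistic_low": reg + pa.settlement_low,
        "realistic_high": reg + pa.settlement_high,
    }


if __name__ == "__main__":
    # The page's hypothetical: 5 million California consumers, modelled
    # here (assumption) as a single negligent violation.
    summary = total_breach_exposure(residents=5_000_000, violations=1)
    for name, dollars in summary.items():
        print(f"{name:>24}: ${dollars:,}")
```

Run with the page's 5 million-consumer hypothetical and the private-action ceiling comes out at $3.75 billion against a realistic band of $25M-$125M, which is the gap the text describes between statutory leverage and observed settlements. Swap in `actual_damages_per_consumer` when a plaintiff class can show losses above the statutory band, since the statute awards whichever is greater.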

Section CCPA.5

The interaction with other US state privacy laws

As of mid-2026, comprehensive state privacy laws are in effect in California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Indiana (ICDPA), Tennessee (TIPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Florida (FDBR), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (SB 255), Nebraska (NDPA), Maryland (MODPA), Minnesota (MCDPA), Kentucky (KCDPA), and Rhode Island (RIDTPPA). Each operates a distinct enforcement structure, but the substantive protections largely converge on a CCPA-inspired model; California remains the only one with a private right of action for data breaches.

For breach response, the multi-state coordination problem has become significant, and it is driven less by the comprehensive privacy laws than by the separate breach-notification statutes that every state, plus the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands, already had before the comprehensive laws arrived. A single breach affecting consumers nationwide triggers a notification analysis under each of those statutes, with its own regulator-notice threshold (California, for example, requires a copy of the notice to the Attorney General when more than 500 residents are notified), deadline, format, and content requirements; the comprehensive laws add risk-assessment and data-handling duties on top rather than a second notification track. The cost of multi-state notification compliance has grown from a modest line item in the pre-2018 era to a meaningful component of breach cost, with specialist legal counsel and breach-notification platform vendors charging $10K-$100K just for the multi-jurisdictional coordination piece of a large breach.

Section CCPA.6

CCPA compliance cost vs breach cost

Two different numbers get conflated under "CCPA cost." Breach cost is what an incident triggers: the $2,500-per-negligent / $7,500-per-intentional per-violation penalty and the $100-$750 per-consumer private-action damages set out above. Compliance cost is the standing, pre-incident expense of building and running a CCPA program: mapping personal data, wiring opt-out, deletion, and access-request handling, updating privacy notices, vendor and service-provider contracting, and, under CPRA, the annual risk assessments and cybersecurity audits required of higher-risk processors.

The authoritative estimate of CCPA compliance cost is California's own. The California Department of Finance Standardized Regulatory Impact Assessment (SRIA), prepared in 2019 for the Attorney General's implementing regulations, put the total initial cost of CCPA compliance across all affected California businesses at $55 billion, roughly 1.8% of 2018 California Gross State Product, and projected that about 75% of California businesses would be in scope. Estimated initial per-business cost scaled by headcount:

Business size | Estimated initial compliance cost
Fewer than 20 employees | ~$50,000
20 to 100 employees | ~$100,000
100 to 500 employees | ~$450,000
500 or more employees | ~$2,000,000 (average)

Source: California Department of Finance, Standardized Regulatory Impact Assessment for the CCPA regulations, 2019. These are one-time initial-compliance estimates and predate the CPRA amendments (effective 2023), which added the sensitive-personal-information category, annual risk assessments, and cybersecurity audits and so raised ongoing compliance cost for higher-risk processors. The SRIA also found that small businesses bear a disproportionately higher share of compliance cost relative to size.

For budgeting, treat the two as additive and independent. A California-exposed business carries ongoing compliance cost every year whether or not it is breached, then the per-violation and private-action breach cost on top if an incident occurs. The compliance investment is also the cheapest available reduction of breach exposure, because the private right of action only attaches where the business failed its duty to maintain reasonable security procedures: a documented, audited program is the direct defence against the $100-$750 per-consumer damages.

Primary source: CCPA enforcement data from California Attorney General press releases, CPPA enforcement orders, California Civil Code Section 1798.100 et seq., and CCPA-related class-action settlement orders. Compliance cost estimates from the California Department of Finance Standardized Regulatory Impact Assessment (SRIA) for the CCPA regulations, 2019. State privacy law landscape from the National Conference of State Legislatures privacy tracker.