About this page — references, definitions, and FAQs

Key Takeaways — CCPA Compliance in 2025

The California Consumer Privacy Act, as amended by CPRA, now imposes CPI-adjusted penalties of up to $7,988 per intentional violation and requires cybersecurity audits under regulations finalized in September 2025. With 19 U.S. states enforcing comprehensive privacy laws and the CPPA conducting hundreds of active investigations, multi-entity organizations need structured compliance programs that scale across jurisdictions. Priverion's Swiss-hosted platform provides automated ROPA recertification, cross-entity data mapping, and a single DPO dashboard to manage CCPA, GDPR, and Swiss FADP obligations from one system.

Definitions

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a state-level privacy law enacted in 2018 (Cal. Civ. Code §§ 1798.100–1798.199.100) that grants California residents rights over their personal information, including the right to know, delete, and opt out of the sale or sharing of their data. It was significantly amended by the California Privacy Rights Act (CPRA) in 2020. (Source: IAPP U.S. State Privacy Legislation Tracker)

What is the CPPA?

The California Privacy Protection Agency (CPPA) is the independent state agency created by CPRA to implement and enforce the CCPA. It has rulemaking authority and can investigate violations, impose administrative fines, and bring enforcement actions without relying on the Attorney General. (Source: IAPP U.S. State Privacy Legislation Tracker)

What is a ROPA?

A Record of Processing Activities (ROPA) is a documented inventory of all personal data processing operations within an organization. Under GDPR Article 30, controllers and processors must maintain ROPAs. While CCPA does not explicitly mandate ROPAs, maintaining one is considered best practice for demonstrating compliance with data inventory and consumer-rights obligations. (Source: GDPR Article 30, gdpr-info.eu)

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a systematic process for evaluating the potential impact of data processing on individuals' privacy. Under the CCPA regulations the CPPA finalized in September 2025, businesses must conduct and document a "risk assessment" (the CCPA's counterpart to a DPIA) before undertaking processing that presents a significant risk to consumers' privacy, and the first risk-assessment submissions to the CPPA are due in 2028.

Frequently Asked Questions

What is the CCPA and how does it differ from CPRA?

The California Consumer Privacy Act (CCPA) was enacted in 2018 and took effect January 1, 2020. The California Privacy Rights Act (CPRA) amended the CCPA in 2020, creating the California Privacy Protection Agency (CPPA) with independent enforcement power. CPRA introduced new consumer rights around sensitive personal information and automated decision-making technology, expanded opt-out rights to cover "sharing" of data (not just "selling"), and eliminated the 30-day cure period that previously allowed businesses to fix violations before facing penalties. (Source: IAPP U.S. State Privacy Legislation Tracker)

What are the CCPA revenue and data thresholds for 2025?

As of January 1, 2025, CCPA applies to for-profit entities doing business in California that meet any of these CPI-adjusted thresholds: $26.625 million or more in annual gross revenue, buying/selling/sharing personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information. These thresholds are adjusted annually for inflation by the CPPA.

What are the maximum CCPA penalties per violation?

As of 2025, CPI-adjusted penalties reach up to $2,663 per unintentional violation and $7,988 per intentional violation. Penalties are counted per violation, and a single compliance gap (for example, an opt-out link that does not work) can be treated as a separate violation for each affected consumer, so a gap touching thousands of individuals can escalate into millions of dollars. The CPPA's record fine of $1.35 million against Tractor Supply Company in September 2025 demonstrates the agency's willingness to impose significant penalties.

How many U.S. states have comprehensive privacy laws?

As of January 2026, 19 U.S. states have comprehensive privacy laws in effect, including California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Montana, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, Maryland, Minnesota, and Rhode Island. Additional states have enacted laws with future effective dates. According to the IAPP U.S. State Privacy Legislation Tracker, this number continues to grow each legislative session.

What new CCPA regulations were finalized in 2025?

In September 2025, the CPPA finalized new regulations covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). These were approved by the Office of Administrative Law on September 23, 2025, with an effective date of January 1, 2026. The cybersecurity audit requirement is phased in by revenue tier, with the first audit certifications due April 1, 2028 for the largest businesses and later deadlines for smaller ones, giving organizations time to build the required programs.

Does Priverion support CCPA compliance for multi-entity organizations?

Yes. Priverion is purpose-built for organizations managing compliance across multiple subsidiaries and jurisdictions. The platform provides cross-entity data mapping, automated ROPA recertification, AI-assisted DPIA drafting, and a single DPO dashboard. All data is hosted in Swiss infrastructure, which benefits from Switzerland's EU adequacy decision, providing legal safeguards for organizations managing both CCPA and GDPR obligations.

What was the largest CPPA enforcement fine in 2025?

The largest CPPA fine in 2025 was $1.35 million against Tractor Supply Company, announced September 30, 2025. The investigation originated from a single consumer complaint. Other notable 2025 enforcement actions included $632,500 against Honda and $345,178 against Todd Snyder. The CPPA also launched a Data Broker Enforcement Strike Force, and the California Attorney General conducted a geolocation data sweep in March 2025.

How does Swiss hosting benefit CCPA and GDPR compliance?

Switzerland holds an EU adequacy decision under GDPR (Commission Decision 2000/518/EC), meaning compliance data stored in Swiss infrastructure never leaves a jurisdiction the EU has vetted and approved. In a post-Schrems II environment, where the CJEU invalidated the EU-US Privacy Shield, Swiss hosting provides a legal safeguard for organizations managing both CCPA and GDPR obligations, avoiding the transfer-mechanism complexities of US-hosted platforms. Note that the adequacy decision covers transfers from the EU/EEA to Switzerland; any onward transfer from the platform to sub-processors outside Switzerland or the EEA still needs its own transfer mechanism (such as SCCs), so review the provider's sub-processor list as part of vendor due diligence.

CCPA vs. GDPR vs. Swiss FADP — Comparison Table

| Dimension | CCPA / CPRA (California) | GDPR (EU/EEA) | Swiss FADP (revFADP) |
|---|---|---|---|
| Effective date | Jan 1, 2020 (CCPA); Jan 1, 2023 (CPRA amendments) | May 25, 2018 | Sep 1, 2023 |
| Scope | For-profit businesses meeting revenue/data thresholds | Any entity processing personal data of individuals in the EU/EEA (Art. 3), wherever it is established | Any entity processing data of persons in Switzerland |
| Supervisory authority | CPPA + California AG | National DPAs (e.g., CNIL, BfDI), coordinated through the EDPB | FDPIC (Federal Data Protection and Information Commissioner) |
| Max penalty (per violation) | $7,988 intentional / $2,663 unintentional (CPI-adjusted 2025) | €20M or 4% of global annual turnover, whichever is higher | CHF 250,000 (imposed on responsible individuals, not the company) |
| Right to delete | Yes | Yes (Art. 17) | Yes (Art. 32) |
| Right to opt out of sale/sharing | Yes | N/A (consent/legal-basis model; right to object under Art. 21) | N/A (consent-based model) |
| Data breach notification | Via California Civil Code § 1798.82 (separate breach statute) | 72 hours to DPA (Art. 33) | As soon as possible to FDPIC (Art. 24) |
| DPO / Privacy officer required | No statutory requirement | Yes, in certain cases (Art. 37) | Recommended, not mandatory |
| Cross-border transfer mechanism | No specific mechanism | SCCs, BCRs, adequacy decisions | Adequacy list, SCCs, BCRs |

Statistics and Sources

According to the IAPP U.S. State Privacy Legislation Tracker, 19 states had comprehensive privacy laws in effect as of January 2026, with several more enacted and awaiting effective dates. The CPPA reported hundreds of open investigations during its September 2025 board meeting. CPI-adjusted penalty amounts ($2,663 unintentional; $7,988 intentional) became effective January 1, 2025. The NIST Privacy Framework (nist.gov) provides a voluntary tool that organizations can use to identify and manage privacy risk alongside CCPA compliance. The European Data Protection Board's guidelines on international transfers (edpb.europa.eu) remain relevant for organizations managing both GDPR and CCPA obligations across jurisdictions.