
CPRA Enforcement 2025: Lessons and Expectations

With regulators paying closer attention, compliance isn't just a checkbox—it's part of showing users that you respect their privacy. In this article, you’ll find out what CPRA is, why it matters, how to stay compliant, and more.

Key Takeaways

  • The CPRA builds on the original CCPA, but with sharper teeth—giving Californians more control over how their data is collected, corrected, and shared.
  • Sensitive data like geolocation, racial background, and health details now come with extra restrictions and user rights that businesses can’t afford to overlook.
  • Collecting “just in case” data is a liability—websites are expected to limit what they collect to what’s truly needed for a clear, stated purpose.
  • Regulators in 2025 aren’t scanning for banners—they’re watching how websites behave behind the scenes, especially when it comes to cookies and trackers.
  • Honda, Sephora, and others have already learned the hard way that vague privacy notices and clunky opt-outs don’t pass muster anymore.
  • The CPPA isn’t easing into its role—it’s issuing enforcement advisories, levying fines, and raising the bar for what compliance actually looks like.
  • If users want to opt out or delete their data, your site shouldn’t be asking for more information than it needs to honor that request.
  • Doing a one-time audit isn’t enough—data mapping, retention planning, and ongoing staff training are essential to keep pace with evolving expectations.
  • Consent Management Platforms like CookieScript are becoming table stakes—they help automate cookie control, handle consent, and support Google Consent Mode V2.
  • Compliance has moved from being a legal formality to a signal of trust. If your site can’t explain its data habits, someone else—maybe a regulator—will.

What is CPRA?

The California Privacy Rights Act (CPRA) is a major update to California’s data privacy laws. It builds on the earlier CCPA to give residents more say over how their Personal Information is collected and used.

Voters approved it back in November 2020 through Proposition 24, but it didn’t fully kick in until January 1, 2023—with enforcement officially starting in July that same year. The law pressures businesses to be transparent, responsible, and respectful of people’s data.

One of the big shifts with the CPRA is how it treats sensitive information—like your precise location, racial background, or health data. It allows Californians to limit how that data is shared or used. It also lets people correct inaccurate info held by companies, a right that wasn’t covered under the CCPA.

Another idea baked into the law is data minimization, which means companies should only collect what they genuinely need and not keep it longer than necessary.

To oversee all this, the law created a new enforcement agency—the California Privacy Protection Agency (CPPA)—the first of its kind in the U.S.

If the CPRA covers a business, there are some real responsibilities: they have to update privacy policies, respond to user requests about data, and put proper security measures in place.

Violations can cost up to $2,500 each, and if a company knowingly breaks the rules or mishandles children’s data, that jumps to $7,500.

Penalties for Non-Compliance With CPRA

As California's CPRA enforcement gains momentum, several well-known companies are in regulators' crosshairs. Here's a look at some of the most notable fines issued recently—and what triggered them.

  • American Honda Motor Co. – $632,500
    Regulators took issue with Honda's handling of consumer privacy requests, saying it created unnecessary hurdles for users trying to opt out of data sharing. The company also shared personal data with advertisers without proper contractual safeguards.
  • National Public Data (Jerico Pictures, Inc.) – $46,000
    This company failed to register as a data broker, as required under California law. The registration finally happened—but only after regulators got involved, more than 200 days past the deadline.
  • Tilting Point Media LLC – $500,000
    A mobile game publisher landed in hot water for collecting and sharing data from children without parental consent. This ran afoul of both CPRA and COPPA rules, which treat minors' data with heightened sensitivity.
  • Blackbaud, Inc. – $6.75 million
    Following a major ransomware attack, Blackbaud was found to have failed to protect consumer information, exposed sensitive data, and drawn scrutiny for insufficient security practices.
  • DoorDash, Inc. – $375,000
    DoorDash participated in a marketing data-sharing program but didn't give users proper notice or a straightforward way to opt out. That lack of transparency ultimately cost them.
  • Glow, Inc. – $250,000
    The maker of a fertility-tracking app was fined for security gaps that exposed sensitive health data. The enforcement emphasized the importance of safeguarding medical-related information under privacy laws.
  • Anthem, Inc. – $8.69 million
    This major fine was imposed after a breach affecting tens of millions of users. Investigators cited weak cybersecurity defenses and poor data protection standards.
  • Equifax, Inc. – Up to $600 million
    Although the breach happened years ago, CPRA-related actions continued as the fallout persisted. With millions of Californians affected, this case remains one of the most extensive and most costly.
  • Premera Blue Cross – $10 million
    Another healthcare-related breach exposed the personal and medical data of over 10 million individuals. Regulators flagged it as a case of preventable failure in security systems.
  • Sephora, Inc. – $1.2 million
    Sephora was penalized for selling customer data without adequate disclosure and ignoring global opt-out signals like Global Privacy Control. It marked one of the CPRA's earliest high-profile enforcement actions.

CPRA Key Principles for Data Minimization

At the core of the CPRA are foundational principles designed to ensure that websites collect and manage user data in a focused and responsible way.

These rules are intended to help site owners avoid common pitfalls like over-collection, which can easily lead to non-compliance—even unintentionally.

Purpose Limitation

Collect user data only when your website has a clearly defined reason for doing so—and make that reason visible in your Privacy Policy or consent banner. If you later decide to use that data for something else (like personalized marketing), you must update your policies and potentially request new consent.

Storage Limitation

Don't let collected data sit in your system indefinitely. If a visitor submits their email address for a whitepaper or newsletter, it should be deleted once it's no longer necessary. If you can't define an exact retention period, you should disclose how long you typically keep the data or what criteria you use to decide.

Data Minimization

Limit data collection on your site to only what's truly needed to provide the service or functionality the visitor expects. For example, don't ask for a phone number on a contact form if you plan to reply by email. Leaner data collection also reduces your exposure in the event of a breach.

CPRA Enforcement and Official Guidance

In April 2024, the California Privacy Protection Agency (CPPA) issued Enforcement Advisory No. 2024-01, emphasizing that data minimization applies across a website's entire user data lifecycle—from when a user lands on the page to the eventual deletion or anonymization of their data.

Here are two real-world examples shared in the advisory, both directly relevant to websites:

Opt-Out Requests

Suppose your website allows users to opt out of the sale or sharing of their data (e.g., via a Cookie Banner or footer link). In that case, you should not require identity verification for that process—especially when it concerns tracking cookies or behavioral ad sharing. For instance, if you're tracking user behavior for ad targeting, there's no need to request names or emails just to process an opt-out.

Deletion Requests

When a user asks your site to delete their data—like removing a user account or erasing form submissions—you can confirm their identity.

Still, you should collect only the minimum verification info needed. For example, instead of asking for a government-issued ID, consider verifying via email confirmation or account login—methods that are secure yet respectful of the user's privacy.

Best Practices for Website Data Minimization Under CPRA

Understanding the law is one thing—integrating it into your website's day-to-day operations is another.

Below are practical ways site owners and developers can align with the CPRA's data minimization expectations:

  • Conduct Data Mapping
    Identify every piece of Personal Information your website collects—via forms, cookies, plugins, or third-party scripts—and understand where it goes and why it's needed. This will often uncover outdated or unnecessary data flows.
  • Review Data Collection Practices
    Audit your forms, cookie settings, and user flows. Are you collecting information that isn't essential? If a contact form asks for a mailing address, but you only respond via email, that's a red flag.
  • Implement Retention Policies
    Decide how long your website stores different types of data (e.g., analytics logs, support tickets, and form submissions) and configure automatic deletion or anonymization where possible. For example, a best practice is to auto-delete form data after 30 days unless it's linked to a user account.
  • Update Privacy Notices
    Make your Privacy Policy clear, specific, and easy to find—ideally linked in your footer. Tell users exactly what data is collected, why, how long it's kept, and their rights under the CPRA.
  • Train Your Web Team
    Whether you work with an internal dev team or a third-party agency, make sure everyone who touches your site understands basic CPRA responsibilities, especially those regarding cookies, consent, and data retention.
  • Audit Third-Party Integrations
    Review all third-party tools on your site (like analytics, ad scripts, and chat widgets) to ensure they don't collect more data than necessary and that you've documented what data they access. To stay compliant, you may need to revise contracts or configure tools more conservatively.

How CMPs Can Help Comply With CPRA

If you run a website in 2025, keeping up with California’s privacy laws—especially the CPRA—can feel like a moving target. It’s not just about having a Cookie Banner anymore; regulators are watching how data is collected, stored, and shared.

That’s where a Consent Management Platform (CMP) comes in—it takes much of the heavy lifting off your plate.

Automated Cookie Scanning

Most site owners don’t know precisely what every script or third-party service is doing on their pages—and that’s a problem under CPRA. CookieScript solves this with automatic cookie scanning that detects and categorizes all cookies used on your site. It also supports cookie auto-blocking prior to consent, which helps you stay aligned with CPRA’s data minimization requirements.

Customizable Cookie Consent Banners

The law requires websites to tell users, clearly and upfront, what data is being collected—and let them say no. CMPs let you create consent banners that match your site’s look and feel while offering real choices. CookieScript offers fully customizable cookie banners, complete with region-specific consent behavior and multilingual support for 30+ languages, so your visitors see the right message in the right language, every time.

Integration with Google Consent Mode v2

If you rely on Google Analytics, Ads, or Tag Manager, you’ve likely heard of Google Consent Mode v2. CMPs that support this—like CookieScript—enable seamless integration with Google Consent Mode v2, ensuring that tags dynamically adjust to match user consent choices without disrupting core site functionality.
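The consent flow described here, combined with the Global Privacy Control signal that Sephora was fined for ignoring and the verification-free opt-out from the CPPA advisory, as an added example that is not CookieScript's or Google's code: it builds the Consent Mode v2 default and update commands, reads a GPC signal, and gates scripts parked before consent. The `gtag('consent', …)` command and the four signal names are Google's documented API; the function names, the script category names, and the choice that GPC overrides only the advertising signals are this example's assumptions.

```javascript
"use strict";

// Consent Mode v2 signal names. ad_user_data and ad_personalization are the v2 additions.
const SIGNALS = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];
const AD_SIGNALS = ["ad_storage", "ad_user_data", "ad_personalization"];

// Default state, sent before the visitor chooses anything: every signal denied, so
// Google tags can load but set no cookies until an update arrives.
function defaultConsent() {
  return Object.fromEntries(SIGNALS.map((s) => [s, "denied"]));
}

// Read a Global Privacy Control signal. Browsers expose it as navigator.globalPrivacyControl
// and send the "Sec-GPC: 1" request header; both are passed in so this also runs server-side.
function gpcOptOut({ navigatorFlag = false, headers = {} } = {}) {
  const header = String(headers["sec-gpc"] ?? "").trim();
  return navigatorFlag === true || header === "1";
}

// Resolve the consent state from the banner choices plus GPC. GPC is treated as an opt-out of
// sale/sharing, so it turns the advertising signals off with no identity verification; the
// visitor's analytics choice is left as the banner recorded it (assumption of this example).
function consentStateFor({ gpc = false, choices = null } = {}) {
  const state = defaultConsent();
  if (choices) {
    if (choices.analytics) state.analytics_storage = "granted";
    if (choices.advertising) for (const s of AD_SIGNALS) state[s] = "granted";
  }
  if (gpc) for (const s of AD_SIGNALS) state[s] = "denied";
  return state;
}

// Queue the Consent Mode command the way gtag.js expects it: gtag('consent', 'default'|'update', state).
// dataLayer is passed in instead of touching window so the function runs outside a browser.
function pushConsent(dataLayer, mode, state) {
  function gtag() { dataLayer.push(arguments); }
  gtag("consent", mode, state);
  return dataLayer.length;
}

// Decide whether a tag parked before consent (a script tag with type="text/plain" and a
// data-category attribute, the usual CMP auto-blocking pattern) may now be activated.
function mayActivate(category, state) {
  if (category === "necessary") return true;
  if (category === "analytics") return state.analytics_storage === "granted";
  if (category === "advertising") return AD_SIGNALS.every((s) => state[s] === "granted");
  return false; // unknown category: stay blocked
}
```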

Multilingual Support for Global Visitors

Not all of your users will speak the same language—and CPRA doesn’t care if you “meant well.” CookieScript provides multilingual support and geo-targeted cookie banners, helping ensure every user understands what they’re agreeing to—regardless of region or language.

Privacy Policy Generator and Documentation Tools

Your Privacy Policy needs to reflect what’s happening on your site. CookieScript includes a Privacy Policy Generator, an opt-out link generator, and automated consent logging, making it easier to maintain compliance and show proof if a user files a request—or if regulators come knocking.

CookieScript works seamlessly with all popular website platforms—not only WordPress, but also Shopify, Wix, Squarespace, and even custom-developed sites. More than 150,000 businesses rely on it globally, including well-known names like LG, Hyundai, ISS, and Suzuki.

In spring 2025, CookieScript was honored with its fourth straight Leader badge from G2, a trusted user review site—further solidifying its reputation as a top-tier Consent Management Platform (CMP) for the year.

Final Thoughts on CPRA Enforcement in 2025

Let’s be honest—most websites never set out to mishandle data. But in 2025, “we didn’t know” doesn’t fly anymore.

Regulators are digging into how websites function, not just what’s written in a footer. If your site quietly grabs more information than it needs or hides opt-out links behind extra clicks, you’re not just being clever—you’re asking for a fine.

We’re seeing a shift from checkbox compliance to cultural accountability. Privacy isn’t something you slap on with a banner—it’s something your site has to live and breathe.

That means working with tools you trust, keeping your teams informed, and being ready to explain your choices if anyone asks. Because they will. Not just regulators, but users too—and they’re paying closer attention than ever.

Frequently Asked Questions

What does the CPRA require websites to do about cookies and trackers?

Under the CPRA, websites must disclose what personal data is collected through cookies and allow users to opt out of tracking. CookieScript helps with this by automatically detecting cookies and generating a customizable consent banner that respects user choices.

How does the CPRA define sensitive personal information?

Sensitive data includes things like precise geolocation, health data, or race. If your site uses cookies that process this type of data, CookieScript helps identify them and ensures you inform users clearly and obtain proper consent.

Do I need to provide users with a way to opt out of data sharing?

Yes. CPRA gives users the right to opt out of the sale or sharing of their personal information. CookieScript makes this easy by offering a consent solution that includes opt-out options directly in the Cookie Banner or footer link.

How can I make sure my website complies with CPRA data minimization rules?

You must only collect data that’s necessary for a specific purpose and not retain it longer than needed. CookieScript’s cookie scanner helps you uncover unnecessary tracking scripts so you can limit what data your site collects.

What happens if I don’t comply with CPRA requirements?

Non-compliance can result in fines, even if the violation was unintentional. CookieScript reduces that risk by helping you meet core CPRA requirements like transparency, consent logging, and Privacy Policy updates.

Is it enough to just have a cookie banner to comply with CPRA?

Not anymore. Regulators look at how your site actually behaves—not just what’s displayed. CookieScript ensures your cookies don’t activate until proper consent is given and that users can change their preferences at any time.
