
Keypoint: In its second non-data broker enforcement action for violations of the CCPA, the California Privacy Protection Agency entered into a stipulated final order with a retailer for a $345,178 administrative fine and other remedial measures.
On May 6, 2025, the California Privacy Protection Agency (Agency) announced its second non-data broker enforcement action, requiring a national retailer to pay a $345,178 administrative fine and implement certain remedial actions for violations of the California Consumer Privacy Act (CCPA). The Agency’s enforcement action comes just two months after its first enforcement action in which it required a vehicle manufacturer to pay a $632,500 administrative fine and implement remedial actions. It also follows remarks from the Agency’s Deputy Director of Enforcement, Michael Macko, at last month’s IAPP Global Privacy Summit indicating that the Agency is enforcing CCPA violations across a wide range of industries.
In the post below, we provide an overview of the violations and penalties.
CCPA Violations
The Stipulated Final Order identifies three CCPA violations.
First, the retailer incorrectly configured and failed to monitor its consent management platform such that the retailer did not effectuate consumer requests to opt out of third-party tracking technologies (i.e., cookies and pixels). Specifically, for forty days in late 2023, when consumers clicked on a “Cookie Preference Center” link, a consent banner appeared on the side of the screen but immediately disappeared. Therefore, it was impossible for consumers to submit opt-out requests. The misconfiguration also meant that the site did not recognize the Global Privacy Control signal.
Significantly, the fact that the retailer used a third-party software company to manage its tracking technologies was not enough to avoid liability because the retailer failed to monitor its website. Specifically, the Stipulated Final Order states the retailer “would have known that Consumers could not exercise their CCPA rights if the company had been monitoring its Website.” However, the retailer “instead deferred to third-party privacy management tools without knowing their limitations or validating their operation.”
The Agency’s explanation is an important reminder for businesses that they need to ensure they are not only properly onboarding consent management tools but also regularly checking and verifying that these tools are working correctly.
Second, the retailer improperly required consumers to verify their identity when making opt-out requests. The Agency’s first enforcement action against the vehicle manufacturer also raised this issue.
Third, the retailer required consumers to submit more information than necessary – including government identification – when submitting requests. According to the Agency, by “requiring Consumers to submit government identification to exercise Verifiable Consumer Requests, instead of using other available data points,” the retailer “unlawfully required Consumers to provide more information than necessary to exercise their CCPA rights and discouraged Consumers from submitting CCPA requests.” Perhaps signaling how the retailer initially came to the Agency’s attention, the Stipulated Final Order states that the retailer “received complaints from Consumers about its Verification practices.”
Remedial Measures
As noted, the retailer must pay an administrative fine of $345,178. The Stipulated Final Order does not identify how that fine amount was calculated. In addition to the administrative fine, the retailer must take the following remedial actions:
- Not require consumers to verify their opt-out requests;
- Not require consumers to provide more information than necessary to process opt-out requests;
- Develop, implement, and maintain procedures to identify any disclosures of personal information that constitute sales or shares to ensure that it appropriately processes opt-out requests;
- Establish, implement, and maintain policies and procedures to monitor the effectiveness and functionality of its methods for submitting opt-out requests;
- Recognize opt-out preference signals;
- Develop, implement, and maintain procedures to ensure personnel handling personal information are informed of the business’ requirements under the CCPA; and
- Maintain a contract management and tracking process to ensure that contractual terms required by the CCPA are in place with all external recipients of personal information.