The Cost of Non-Compliance Is Rising
State privacy law enforcement is no longer theoretical. Regulators across the country are actively investigating businesses, issuing fines, and entering consent decrees. For e-commerce businesses, understanding the potential penalties is essential for prioritizing compliance investments.
Penalty Structures by State
California (CPRA)
California has the most aggressive enforcement apparatus:
- Civil penalties: Up to $2,500 per unintentional violation and $7,500 per intentional violation
- Per-violation calculation: Each affected consumer and each instance of non-compliance can constitute a separate violation. A single data practice affecting 10,000 California consumers could theoretically result in a $75 million fine
- No cure period: Under the CPRA, the CPPA can bring enforcement actions without giving businesses an opportunity to cure violations first (the original CCPA's 30-day cure period was removed)
- Private right of action: Consumers can sue directly for data breaches involving unencrypted or non-redacted personal information, with statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater)
- CPPA enforcement budget: The California Privacy Protection Agency has a dedicated budget and staff focused exclusively on enforcement
Virginia (VCDPA)
- Civil penalties: Up to $7,500 per violation, enforced by the Attorney General
- Cure period: 30-day cure period (the AG must give you an opportunity to fix the violation before filing suit)
- No private right of action: Only the AG can enforce the VCDPA
Colorado (CPA)
- Civil penalties: Up to $20,000 per violation under the Colorado Consumer Protection Act
- Cure period: 60-day cure period (sunset in 2025)
- AG enforcement: The Colorado AG has been active in issuing guidance and signaling enforcement priorities
Connecticut (CTDPA)
- Civil penalties: Up to $5,000 per violation under the Connecticut Unfair Trade Practices Act
- Cure period: 60-day cure period (sunset on December 31, 2024)
- AG enforcement only: No private right of action
Texas (TDPSA)
- Civil penalties: Up to $7,500 per violation
- Cure period: 30-day cure period
- AG enforcement: The Texas AG has been increasingly active in consumer protection enforcement
Oregon (OCPA)
- Civil penalties: Up to $7,500 per violation
- Cure period: 30-day cure period (sunsets January 1, 2026)
- AG enforcement only
Real Enforcement Actions and Settlements
California Leads the Way
The CPPA and California AG have pursued numerous enforcement actions:
Sephora (2022) — $1.2 million settlement for failing to disclose the sale of consumer data, failing to process opt-out requests, and failing to honor GPC signals. This was a landmark case because it established that sharing data with analytics and ad tech providers can constitute a "sale" under the CCPA.
DoorDash (2023) — The CPPA found that DoorDash sold consumers' personal information to a marketing cooperative without adequate notice or opt-out mechanisms.
CPPA sweep actions (2024-2025) — The CPPA has conducted industry-wide sweeps of streaming services, data brokers, and e-commerce businesses, sending inquiry letters and initiating investigations.
FTC Enforcement (Federal)
While not state law enforcement, FTC actions set important precedents:
CafePress (2022) — $500,000 penalty plus mandatory security requirements after a data breach that exposed millions of customers' personal information. The FTC found that CafePress failed to implement reasonable security measures.
Chegg (2022) — Required to implement a comprehensive security program after four data breaches. The FTC order included requirements for MFA, data minimization, and employee training.
Attorney General Actions in Other States
State AGs beyond California are also taking action:
- Indiana AG — Has issued civil investigative demands to companies suspected of violating the state's new privacy law
- Connecticut AG — Has publicly stated that enforcement is a priority and has opened investigations
- Colorado AG — Has issued formal guidance and signaled that enforcement will follow
Beyond Fines: Other Consequences
Financial penalties are only part of the picture. Non-compliance can result in:
Consent Decrees and Injunctions
Regulators often seek consent decrees that impose ongoing requirements:
- Mandatory compliance programs — You may be required to implement specific privacy and security measures under regulatory supervision
- Regular audits — Third-party assessments every 1-2 years, at your expense
- Reporting obligations — Regular reports to the regulator on your compliance status
- Duration — Consent decrees often last 10-20 years
Reputational Damage
Privacy violations make headlines. For e-commerce businesses, where customer trust is paramount:
- Media coverage of enforcement actions damages brand reputation
- Customer churn increases when consumers learn their data was mishandled
- Business partner scrutiny — Vendors and partners may reconsider relationships with companies that have enforcement actions on their record
Class Action Lawsuits
California's private right of action for data breaches has spawned a significant class action industry:
- Law firms actively monitor breach disclosures and recruit plaintiffs
- Settlements frequently exceed the regulatory fines
- Defense costs alone can reach hundreds of thousands of dollars
- Class action risk creates pressure to settle even claims a business could plausibly defend
Operational Disruption
Responding to regulatory investigations is expensive and distracting:
- Document production and response to investigative demands
- Internal investigation costs
- Legal fees for regulatory defense
- Diversion of management attention from business operations
How Enforcement Is Triggered
Understanding how regulators find violations can help you prioritize:
- Consumer complaints — The most common trigger. Consumers who cannot exercise their rights (opt-out links that don't work, DSARs that go unanswered) file complaints with the AG or CPPA
- Sweep investigations — Regulators target entire industries or specific practices (like GPC compliance) and audit multiple businesses at once
- Media reports — High-profile incidents or investigative reporting can trigger regulatory interest
- Data breach reports — If you report a data breach, regulators may investigate your broader privacy practices
- Competitor or partner complaints — Business disputes sometimes lead to privacy complaints
What Smart Businesses Do
Companies that manage enforcement risk effectively:
- Invest in compliance proportionate to their risk — You don't need a Fortune 500 compliance program, but you need the basics
- Fix consumer-facing issues first — Working opt-out links, responsive DSAR processes, and accurate privacy policies prevent the complaints that trigger investigations
- Document good faith — Regulators consider whether a business acted in good faith when determining penalties. Documented compliance efforts demonstrate good faith
- Monitor enforcement trends — Understanding what regulators are targeting helps you prioritize (right now, GPC compliance and opt-out mechanisms are top priorities)
- Respond promptly to regulatory inquiries — If you receive an inquiry letter, take it seriously and respond within the deadline. Ignoring it guarantees escalation
- Consider cyber insurance — Policies that cover regulatory defense costs and penalties can reduce the financial impact of enforcement