California’s privacy regulators have significantly ramped up enforcement in 2025. Both the California Attorney General (AG) and the California Privacy Protection Agency (CalPrivacy) have moved beyond initial warning letters to issuing substantial fines and detailed corrective orders.
This year’s settlements reveal a shift in focus towards technical compliance, user interface design, and the handling of sensitive data.
Here is a summary of five key enforcement actions from 2025.
American Honda: Dark patterns and excessive verification
In March 2025, CalPrivacy reached a $632,500 California Consumer Privacy Act (CCPA) settlement with American Honda Motor Co.
The investigation, part of a wider review of connected vehicle manufacturers, focused on how Honda managed consumer rights requests.
CalPrivacy alleged that Honda required consumers to provide unnecessary personal information to exercise rights and used a privacy management tool that failed to offer “symmetrical or equal” choices, effectively making it harder for consumers to protect their privacy.
Honda was also found to have made it difficult for “authorized agents” to act on a consumer’s behalf and shared data with ad tech companies without the necessary contractual safeguards.
To resolve the issue, Honda agreed to overhaul its privacy rights process. Notably, the settlement requires the company to consult a user experience (UX) designer to evaluate its methods for submitting privacy requests.
Todd Snyder: CalPrivacy targets technical barriers
In May 2025, CalPrivacy announced a major enforcement action against menswear brand Todd Snyder, resulting in a fine of $345,178.
This case centered on the technical hurdles users faced when exercising their rights. CalPrivacy found that Todd Snyder’s privacy portal was misconfigured, causing a 40-day failure in processing opt-out requests.
The company was also accused of demanding excessive personal information from consumers attempting to submit privacy requests, such as photos of ID documents.
Healthline Media: The cost of tracking health data
In July 2025, Attorney General Rob Bonta announced a $1.55 million settlement with Healthline Media LLC, which stands as the largest CCPA fine issued to date.
The AG’s investigation focused on Healthline.com, a medical information site. The regulator found that the company was allowing third-party trackers to collect data about users’ interactions with the site, including the titles of articles they viewed. This data could effectively reveal a visitor’s private medical conditions.
The AG alleged that Healthline failed to obtain the necessary consent for this sharing and did not provide a functional opt-out mechanism.
Tractor Supply Company: CalPrivacy’s largest ever fine
August 2025 saw CalPrivacy issue its largest fine yet in a $1.35 million settlement with “rural lifestyle” retailer Tractor Supply Company.
The decision was the first CCPA fine targeting HR data, as Tractor Supply was found to have failed to provide mandatory information to job applicants about their privacy rights and how to exercise them.
Other findings against Tractor Supply involved a broken opt-out mechanism and the failure to enter into mandatory contracts with service providers using personal data on its behalf.
Sling TV: Streaming services in the spotlight
Following an investigative sweep of streaming platforms announced earlier in the year, the California Attorney General secured a $530,000 settlement with Sling TV in October 2025.
The investigation revealed that Sling TV’s opt-out mechanisms were “confusing and hard to find.”
Specifically, the AG criticized the company for directing users who clicked “Do Not Sell or Share My Personal Information” to a “cookie preferences” center. This meant that the opt-out process applied only to browser-based trackers and failed to address other forms of data selling and sharing.
The regulator also found that Sling TV failed to provide adequate protection for children’s data.
Common themes: Beyond the privacy notice
Collectively, these settlements highlight the current priorities of California regulators:
- Regulators are targeting “dark patterns” in user interfaces, penalizing asymmetrical choices and confusing redirects that hinder the opt-out process.
- Privacy mechanisms must function technically; broken links and misconfigured portals are attracting fines regardless of compliant policy text.
- Excessive verification, such as requiring government IDs for simple rights requests, is being treated as an unlawful barrier.
- Controllers are being held liable for their supply chains, specifically regarding missing contracts with service providers and ad tech partners.