California’s Largest CCPA Fine Yet and What It Means for Enterprises 

Ashley Ducray

Marketing Manager

In February 2026, the California Attorney General handed down the largest CCPA enforcement action to date – a $2.75 million settlement with a major global entertainment company. The fine wasn’t about a data breach. It wasn’t about ignoring consumer rights on paper. It was about something more nuanced: the company had built its privacy controls one way, and its marketing infrastructure another, and the gap between the two cost them millions.

For any enterprise running large-scale digital operations, this case sets a new bar. Here’s what happened, and what your organization should take away from it.

What triggered the $2.75M CCPA fine 

The company gave consumers three ways to opt out of having their personal data sold or shared. On paper, the setup looked compliant. In practice, the controls didn’t work the way California regulators expected. 

The opt-out settings only applied to the specific device or app where the user submitted the request. Someone who opted out on their phone could still be tracked on their laptop or through another app connected to the same account.

The company’s privacy webform also failed to stop third-party tracking technologies running across its sites and apps, meaning data sharing continued behind the scenes.

The same issue applied to Global Privacy Control (GPC) signals, the browser-level opt-out preference signal that the CCPA regulations require businesses to honor. Even when users were logged into their accounts, GPC requests were still treated as device-specific rather than account-wide. The company could recognize users across connected systems, yet failed to apply their privacy preferences consistently across those same systems.

The CCPA enforcement principle behind the fine

Attorney General Rob Bonta summarized the regulator’s position clearly: a consumer’s opt-out rights must apply everywhere a company sells or shares their data. Businesses can’t require users to opt out separately across every device, app, or service. 

Translation: if a company can recognize the same user across multiple systems for advertising and tracking purposes, it also needs to honor that user's privacy choices consistently across those same systems. "It's technically complex" stops being a defense when you've already solved the same problem on the marketing side.

That’s the new technical parity standard. Your privacy infrastructure has to be at least as sophisticated as your marketing one.
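The failure described above, reduced to code. This is an added example written for this article, not code from the company involved or from Scytale: a consent store that binds the opt-out to the device it was submitted from, next to one that binds it to the account the business already uses to recognize the user, with a single decision point that third-party tag loaders consult and that also treats the GPC header as an opt-out request. The request model, identifiers, and the four-device journey are constructed for illustration; the `decide` function returns a step-by-step trace of the kind the "choose a user, choose a moment" review later in the article calls for.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """One incoming request. Hypothetical model: a first-party device/app identifier,
    the account the visitor is signed into (None when signed out), and HTTP headers."""
    device_id: str
    account_id: Optional[str]
    headers: dict


DEVICE_SCOPED = "device"    # the failing design: the preference is bound to one device or app
ACCOUNT_SCOPED = "account"  # the corrected design: the preference follows the recognized person


class ConsentStore:
    """Opt-out registry; `scope` selects which of the two designs it models."""

    def __init__(self, scope: str) -> None:
        if scope not in (DEVICE_SCOPED, ACCOUNT_SCOPED):
            raise ValueError(f"unknown scope {scope!r}")
        self.scope = scope
        self._opted_out: set = set()  # entries are ("device", id) or ("account", id)

    def record_opt_out(self, req: Request) -> None:
        # Both designs remember the device the request came from, so that device
        # stays opted out even after the user signs out ...
        self._opted_out.add(("device", req.device_id))
        # ... but only the account-scoped design also binds the choice to the
        # account, which is what carries it to every other device and app.
        if self.scope == ACCOUNT_SCOPED and req.account_id:
            self._opted_out.add(("account", req.account_id))

    def is_opted_out(self, req: Request) -> bool:
        if ("device", req.device_id) in self._opted_out:
            return True
        return bool(req.account_id) and ("account", req.account_id) in self._opted_out


def gpc_signal_present(req: Request) -> bool:
    """Browsers send Global Privacy Control as the request header `Sec-GPC: 1`."""
    return req.headers.get("Sec-GPC", "").strip() == "1"


def decide(store: ConsentStore, req: Request) -> dict:
    """The single chokepoint every tag loader and data pipeline must consult before
    selling or sharing data. Returns the decision and the steps behind it, so one
    user's journey can be replayed end to end."""
    trace = [f"request: device={req.device_id} account={req.account_id}"]
    if gpc_signal_present(req):
        store.record_opt_out(req)  # a GPC signal is itself an opt-out request
        trace.append(f"Sec-GPC: 1 seen -> opt-out recorded with scope={store.scope}")
    opted_out = store.is_opted_out(req)
    trace.append(f"opted_out={opted_out} -> third-party tags {'suppressed' if opted_out else 'allowed'}")
    return {"allow_third_party_tags": not opted_out, "trace": trace}


def run_scenario(scope: str) -> dict:
    """Constructed journey: one person, one account, four devices.
    Returns whether third-party tags still fire where they should not."""
    store = ConsentStore(scope)
    phone = Request("dev-phone", "acct-42", {})
    laptop = Request("dev-laptop", "acct-42", {})
    tablet = Request("dev-tablet", "acct-42", {"Sec-GPC": "1"})
    work_pc = Request("dev-work", "acct-42", {})

    store.record_opt_out(phone)  # opt-out submitted through the webform in the phone app
    laptop_tracked = decide(store, laptop)["allow_third_party_tags"]
    decide(store, tablet)        # the tablet browser sends GPC while signed in
    work_pc_tracked = decide(store, work_pc)["allow_third_party_tags"]
    return {
        "laptop_tracked_after_phone_opt_out": laptop_tracked,
        "work_pc_tracked_after_tablet_gpc": work_pc_tracked,
    }


if __name__ == "__main__":
    for scope in (DEVICE_SCOPED, ACCOUNT_SCOPED):
        print(scope, run_scenario(scope))
```

Run it and the device-scoped store reports the laptop and work PC still tracked after the phone opt-out and the tablet's GPC signal, which is the behavior the settlement describes; the account-scoped store suppresses tags on every device tied to the account. The design point is that the account identifier already exists for marketing, so reusing it for the opt-out is what makes the two sides of the system equally capable.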

Three CCPA compliance lessons for enterprise teams

1. Why consent banners alone are not enough for CCPA compliance 

A consent banner, preference toggle, or webform is only where customers communicate their choice. It’s not where that choice gets enforced. Real enforcement happens deeper in your systems – across data pipelines, third-party tracking tags, identity systems, and ad platforms. If your privacy tooling only works at the surface level, you may be collecting consent while still allowing data to flow behind the scenes. 

2. The compliance risks of disconnected privacy and consent tools 

Some vendors market privacy compliance as something legal teams can manage without engineering involvement. Convenient on paper, expensive in practice. Anything that doesn’t connect to your underlying data infrastructure can’t fully stop or control how data is shared. This case showed that surface-level controls are no longer enough for regulators. 

3. The operational cost of a CCPA investigation 

The fine may grab attention, but the investigation itself can be even more costly. In this case, California's investigation lasted nearly two years and required extensive documentation, audit trail reconstruction, and engineering support across consent systems, identity logic, data pipelines, and third-party vendors. That's months of unexpected work pulled away from product and business priorities.

Why enterprises need continuous privacy compliance monitoring 

Enforcement of the California Consumer Privacy Act isn't slowing down. After the February settlement, California issued two more enforcement actions in early March, including another seven-figure fine. Regulators are moving from "Did you offer an opt-out?" to "Did your opt-out actually do what it said?" That shift puts pressure on engineering, data infrastructure, and system architecture, not just policy documents.

For enterprises, the real question is whether your Governance, Risk and Compliance (GRC) program treats privacy as a core part of how systems are built, or as a layer added on after the fact. The companies getting penalized aren’t the ones without privacy programs. They’re the ones whose programs look complete from the customer’s side and fall apart at the data layer.

That’s the gap worth closing. Review your consent flows the way a regulator would: choose a user, choose a moment, and trace exactly what happened to their data end-to-end. If you can’t clearly follow that path from the user interface to internal systems and third-party vendors, there’s likely a compliance gap that needs attention. 

How enterprises can strengthen CCPA and privacy compliance 

The $2.75M fine is a clear sign that privacy enforcement is catching up to the way modern enterprises actually operate. Privacy and compliance can no longer be treated as something separate from growth, marketing, and product infrastructure. They need to be built into the business from the start.

Leading AI GRC platforms like Scytale help enterprises and fast-growing SaaS companies build compliance into day-to-day operations across frameworks like CCPA, GDPR, HIPAA, SOC 2, ISO 27001, and more, backed by dedicated data privacy experts who guide teams through every step of getting and staying compliant. 

Because today, the cost of getting compliance wrong goes far beyond reputational damage. It can quickly become a major operational and financial burden that’s hard to ignore.

Ashley Ducray

As Marketing Manager at Scytale, Ashley Ducray creates clear, educational content that simplifies complex compliance frameworks like SOC 2, ISO 27001, and GDPR, along with related topics like audit preparation, risk management, and maintaining compliance. She holds an MSc in International Marketing from the University of Sussex and an Honours degree in Psychology from the University of Pretoria.
