The California Privacy Protection Agency (CPPA) is now in its second year with full enforcement powers and has begun to exercise its authority under the California Consumer Privacy Act (CCPA) in significant ways in 2025. With the creation of the CPPA and its recent assumption of enforcement authority, a new chapter of privacy rights enforcement has begun. Two recent enforcement actions against American Honda Motor Co. and menswear retailer Todd Snyder Inc. offer the most valuable insights to date into the CPPA’s priorities and expectations. They also highlight operational privacy gaps of which companies of all sizes and in all industries should take note and work to comply with. And, California’s Attorney General has reminded everyone that it is not to be forgotten in privacy enforcement, announcing the highest CCPA settlement to date in connection with a recent enforcement action involving health data.
In March 2025, the CPPA announced its first enforcement order—a $632,500 administrative fine against American Honda Motor Co., one of the largest companies to face a formal enforcement action to date. The action stemmed from the CPPA’s 2023 sweep of connected vehicle manufacturers, aimed at scrutinizing how automakers collect and share consumer data via in-vehicle systems and online platforms.
In May 2025, the CPPA announced its second public enforcement order, this time against Todd Snyder Inc., a New York-based menswear retailer with several California locations. In settling with the CPPA, Todd Snyder agreed to pay a $345,178 fine and undertake numerous remedial steps. The case provides a useful contrast to Honda given that Todd Snyder is a smaller company facing many of the same privacy compliance challenges, but with different technical root causes.
On July 1, 2025, the California Attorney General (AG) announced the largest settlement to date under the CCPA: a $1.55 million fine against Healthline Media LLC, a health and wellness website publisher. Unlike the CPPA-led actions against Honda and Todd Snyder, this enforcement was brought by the AG’s office and underscores the ongoing parallel enforcement powers shared between the two agencies.
The case against Healthline marked the first CCPA enforcement action focused on health-related data, highlighting how regulators are applying the law’s provisions to sensitive data practices even where traditional health privacy laws like HIPAA may not apply.
The enforcement actions against Honda, Todd Snyder, and Healthline reveal a consistent set of compliance failures—and signal where California regulators are focusing their scrutiny.
California regulators have made clear that privacy rights must be real, accessible, and aligned with consumer expectations. Enforcement is no longer just about having a policy—it’s about making privacy work in practice. From broken cookie banners to overbroad data sharing, businesses subject to the CCPA should be proactively and carefully evaluating their practices and making necessary improvements.
If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.