
U.S. companies hit with record fines for privacy in 2025

U.S. states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, according to research and advisory firm Gartner.

The increase is driven in part by stronger, more established privacy laws in states like California, new interstate partnerships built around enforcing laws across state lines, and a renewed focus on how AI and automation affect privacy.

The data indicates that “regulators are shifting their efforts away from awareness to full scale enforcement,” marking a significant shift from even the last few years in how aggressively states are investigating and penalizing companies for privacy law violations.

“This is increasingly becoming the standard in 2026 and for the coming two years,” Gartner’s analysis concludes.

Privacy-related fines have gone up significantly in recent years. (Source: Gartner)

The California Consumer Privacy Act had consumer privacy provisions go live in 2023, but for years enforcement was largely dormant. According to Nader Heinen, a data protection and AI analyst at Gartner and co-author of the research, that enforcement lag mirrors the way other major privacy laws, like Europe’s Global Data Protection Regulation, have been carried out in order to “lead with a bit of guidance” for companies while using enforcement sparingly.

But that era appears to be over. In 2025, the California Privacy Protection Agency has used the law to pursue violators across a wide range of industries: not just large conglomerates, but smaller and mid-sized companies in tech, the auto industry, and consumer products, including off-the-shelf goods and apparel.

Heinen said some businesses “weren’t paying attention” and may have been lulled into a false sense of complacency as regulators spun up their enforcement teams, leading to a harsh 2025.

“Unfortunately what happens when so much time passes between the legislation and starting enforcement regularly, is a lot of organizations let their privacy program atrophy,” he said.

States have also sought to combine their resources to target and penalize privacy violators across state lines. Last year, ten states came together to form the Consortium of Privacy Regulators, pledging to coordinate investigations and enforcement of common privacy laws around accessing, deleting and preventing the sale of personal information.

Beyond laws like the CCPA, states have been updating existing privacy and data-protection laws to more directly address harms from automated decision-making technologies, including AI. State privacy regulators are especially focused on how personal or private data is used to train AI systems and help them make inferences.

Gartner expects privacy fines to further increase in the coming years and Heinen said states will likely again lead the way on building the legal infrastructure to enforce data privacy in the AI age as they become the main conduit for lingering anxiety about the potential negative impacts of the technology.

“You have to put yourself in the position of these state legislatures,” Heinen said. “Their constituencies – the voting public – is telling them we’re worried about AI. AI anxiety is a thing. Everybody’s worried about whether AI is going to take their job or impact their capacity to find a job, so they want to see legislation in place to protect them.”

This past month, House Republicans unveiled their latest attempt to pass comprehensive federal privacy legislation with a bill that would preempt tougher state laws like those in California. In particular, the CCPA gives residents a private right of action – the legal right to sue companies directly – for violation of privacy laws.

On Monday, Tom Kemp, executive director of the California Privacy Protection Agency, wrote to House Energy and Commerce Chair Brett Guthrie, R-Ky., to oppose the bill, arguing it would provide “a ceiling” for Americans’ data privacy protections rather than a “floor” to build on.

“Preemption would strip away important existing state privacy provisions that protect tens of millions of Americans now,” Kemp wrote. “That would be a significant step backward in privacy protection at a time when individuals are increasingly concerned about their privacy and security online, and when challenges from data-intensive new technologies such as AI are developing quickly.”

The post U.S. companies hit with record fines for privacy in 2025 appeared first on CyberScoop.

AI is making it very easy for the government to spy on you. Some lawmakers are worried.

Jared Perlo reports: The long-running fight to rein in the government’s power to search Americans’ phone calls, emails and text messages without a warrant has gained new urgency on Capitol Hill over concerns that AI will supercharge state surveillance. Lawmakers are currently jockeying over reforms to a key law that enables warrantless monitoring of Americans’...

House Republicans Introduce Comprehensive Federal Privacy Bill: “SECURE Data Act”

Hunton Andrews Kurth writes: On April 22, 2026, the House Energy & Commerce Committee announced the introduction of and intention to advance the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the “SECURE Data Act”). The SECURE Data Act, which was crafted by the majority committee members’ Privacy Working Group, would replace the...

Websites break California privacy law at ‘industrial scale,’ survey finds

Tech companies like Google, Facebook and Microsoft are ignoring data controls mandated under California law, researchers say. By: Colin Lecher A new audit has found that websites across the internet may be failing to abide by California privacy law, ignoring a requirement to not track visitors who set a privacy control. The report, from researchers...

Virginia enacts ban on precise geolocation data sales as momentum for similar prohibitions builds

Suzanne Smiley reports: The governor of Virginia on Monday signed a law banning the sale of citizens’ precise geolocation data, a sign of growing momentum for such laws at the state level. The legislation bars the sale of geolocation within a 1,750 foot radius, a buffer large enough to keep data brokers from pinpointing where...

Platform liability after Russmedia: Italian DPA Fines Platform for Allowing Phone Number in Sex Work Ads Without Consent

Odia Kagan of FoxRothschild writes: The Italian Data Protection Authority (Garante) recently fined online classifieds platform Bakeca S.r.l. after an unknown user published two ads, including an explicit offer for sex work, listing the phone number of a person who had nothing to do with the ads and never consented to their publication. The decision,...

Ohio man becomes first in country to be convicted under federal revenge porn law

Henry Aleksandrov reports: An Ohio man who became the first person in the country to be convicted under the federal revenge porn law would be able to eventually reintegrate into society after Ohio lawmakers introduced several bills, some of which were already passed by the legislators. Among the ways the bills would help the man...

Oklahoma, Alabama enact weak privacy laws

From the good folks at EPIC.org: Oklahoma and Alabama recently enacted “privacy” laws that fail to meaningfully protect consumers from the abuse of their personal data. Oklahoma’s bill has been signed into law, and Alabama’s awaits the Governor’s signature. The bill mirrors laws in other states such as Virginia. EPIC and U.S. PIRG Education Fund released a report last year...

Court Allows Sharing of Medical Information Claim to Proceed Under ECPA

Odia Kagan of FoxRothschild writes: A new federal court decision denied a motion to dismiss in a case alleging Federal Electronic Communications Privacy Act (ECPA) claims arising from the sharing of health information through a website’s online tracking technology. What does this case teach and what should healthcare companies be doing about it? Recap of...

New Jersey Enacts New Restrictions on Health Care Facilities’ Use of Patient Data

Hunton Andrews Kurth writes: On March 25, 2026, New Jersey enacted A4070, which restricts health care facilities’ collection and disclosure of certain patient information, including immigration status, citizenship status, place of birth, Social Security number and individual taxpayer identification number. Under the law, a health care facility may not request or collect the listed information unless...

Trump’s Personnel Agency Is Asking for Federal Workers’ Medical Records

by Amanda Seitz and Maia Rosenfeld April 8, 2026 The Trump administration is quietly seeking unprecedented access to medical records for millions of federal workers and retirees, and their families. A brief notice from the Office of Personnel Management could dramatically change which personally identifiable medical information the agency obtains, giving it the power to...

Japan Relaxes Data Protection Rules to Accelerate AI Innovation

From the what-can-possibly-go-wrong dept., Rachel Sim reports: The Cabinet of Japan has approved a bill amending the Act on the Protection of Personal Information to support AI innovation and development. This marks a shift from a consent-based model towards a more flexible framework that prioritises data use for innovation. Previous regulation enforced that data such...

Illinois’ Damages Limitation for Biometric Privacy Violations Applies Retroactively

Hunton Andrews Kurth writes: On April 1, 2026, the U.S. Court of Appeals for the Seventh Circuit held that the 2024 amendment to Illinois’ Biometric Information Privacy Act (“BIPA”), limiting damages, applies retroactively to pending cases. The ruling in Clay v. Union Pacific Railroad Company, Docket No. 25-2185 (7th Cir. 2026), represents a major win for...

As DOJ prepares to share state voter data with DHS, a key privacy officer resigns

Jude Joffe-Block of NPR reports: As Justice Department officials are working to acquire sensitive voter registration data from states and have recently disclosed a plan to share it with the Department of Homeland Security, a key privacy officer in DOJ’s division tasked with enforcing civil and voting rights laws has resigned. Kilian Kagle was the chief...

Utah and South Dakota Enact Genetic Privacy Laws as Other States Advance Bills

Libbie Canter, Elizabeth Brim, and Clare Mathias of Covington and Burling write: At the state level, genetic privacy remains a fast-moving topic, and states continue to introduce and advance bills regulating genetic data. Several proposals that we covered in more detail earlier this year have progressed since our last update, including: Utah enacted HB 182, which regulates “foreign adversaries’”...

Trump’s new executive creates a national voter list

I wish some of this stuff was an April Fools joke, but it’s not. Back in September 2025, we reported that President Trump wanted to build a national voter roll. If his latest attempt survives a court challenge, he will be one step closer to achieving that. Daily Caller reports: President Donald Trump is expected...

Supreme Court backs religious counselor, ruling against ban on conversion therapy

Kelsey Reichmann reports: Ruling against Colorado’s conversion therapy ban, the Supreme Court on Tuesday held that a religious counselor had a First Amendment right to provide faith-based counseling to change sexual behaviors. In an 8-1 ruling, the court said Colorado’s law censored speech based on viewpoint because it prohibited not only long-abandoned aversive physical interventions but also...

Why Trump is now investigating Maine for requiring insurers to cover abortion

Rose Lundy reports: The U.S. Department of Health and Human Services’ Office for Civil Rights announced on March 19 that it would investigate Maine and 12 other states that have laws requiring health insurance plans to cover abortion services. The office is asserting that a federal provision called the Weldon Amendment, which protects “health care entities” such as...