U.S. states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, according to research and advisory firm Gartner.

The increase is driven in part by stronger, more established privacy laws in states like California, new interstate partnerships built around enforcing laws across state lines, and a renewed focus to how AI and automation affect privacy.

The data indicates that “regulators are shifting their efforts away from awareness to full scale enforcement,” marking a significant shift from even the last few years in how aggressively states are investigating and penalizing companies for privacy law violations.

“This is increasingly becoming the standard in 2026 and for the coming two years,” Gartner’s analysis concludes.

The California Consumer Privacy Act had consumer privacy provisions go live in 2023, but for years enforcement was largely dormant. According to Nader Heinen, a data protection and AI analyst at Gartner and co-author of the research, that enforcement lag mirrors the way other major privacy laws, like Europe’s Global Data Protection Regulation, have been carried out in order to “lead with a bit of guidance” for companies while using enforcement sparingly.

But that era appears to be over. In 2025, the California Privacy Protection Agency has used the law to pursue violators across a wide range of industries— not just large conglomerates, but smaller and mid-sized companies in tech, the auto industry, and consumer products, including off-the-shelf goods and apparel.

Heinen said some businesses “weren’t paying attention” and may have been lulled into a false sense of complacency as regulators spun up their enforcement teams, leading to a harsh 2025.

“Unfortunately what happens when so much time passes between the legislation and starting enforcement regularly, is a lot of organizations let their privacy program atrophy,” he said.

States have also sought to combine their resources to target and penalize privacy violators across state lines. Last year, ten states came together to form the Consortium of Privacy Regulators, pledging to coordinate investigations and enforcement of common privacy laws around accessing, deleting and preventing the sale of personal information.

Beyond laws like the CCPA, states have been updating existing privacy and data-protection laws to more directly address harms from automated decision-making technologies, including AI. State privacy regulators are especially focused on how personal or private data is used to train AI systems and  help it make inferences.

Gartner expects privacy fines to further increase in the coming years and Heinen said states will likely again lead the way on building the legal infrastructure to enforce data privacy in the AI age as they become the main conduit for lingering anxiety about the potential negative impacts of the technology.

“You have to put yourself in the position of these state legislatures,” Heinen said. “Their constituencies – the voting public – is telling them we’re worried about AI. AI anxiety is a thing. Everybody’s worried about whether AI is going to take their job or impact their capacity to find a job, so they want to see legislation in place to protect them.”

This past month, House Republicans unveiled their latest attempt to pass comprehensive federal privacy legislation with a bill that would preempt tougher state laws like those in California. In particular, the CCPA gives residents a private right of action – the legal right to sue companies directly – for violation of privacy laws.

On Monday, Tom Kemp, executive director of the California Privacy Protection Agency, wrote to House Energy and Commerce Chair Brett Guthrie, R-Ky., to oppose the bill, arguing it would provide “a ceiling” for Americans’ data privacy protections rather than a “floor” to build on.

“Preemption would strip away important existing state privacy provisions that protect tens of millions of Americans now,” Kemp wrote. “That would be a significant step backward in privacy protection at a time when individuals are increasingly concerned about their privacy and security online, and when challenges from data-intensive new technologies such as AI are developing quickly.”

The post U.S. companies hit with record fines for privacy in 2025 appeared first on CyberScoop.

Troutman Pepper Locke writes: In Part One of this series, we discussed how wellness products sit at the intersection of Food and Drug Administration (FDA), Health Insurance Portability and Accountability Act (HIPAA), Federal Trade Commission (FTC), and state privacy/breach laws. In Part Two, we analyzed FDA’s 2026 General Wellness guidance and what it means for device-level cybersecurity expectations....

Source

The Senate approved a short-term renewal until April 30 of a controversial surveillance program used by U.S. spy agencies.

The post Senate Extends Surveillance Powers Until April 30 After Chaotic Votes in House appeared first on SecurityWeek.

There’s an update to a lawsuit involving Blue Cross Blue Shield of Montana’s parent company, HCSC, and Montana’s state auditor. As previously reported, after BCBSMT notified the state of the Conduent breach that had affected 462,000 members, the state auditor opened an investigation into whether the notification to the state was timely. HCSC claimed the...

Source

CPI reports: Connecticut Attorney General William Tong has issued a sweeping advisory clarifying that businesses deploying artificial intelligence systems remain fully subject to the state’s existing legal framework—even in the absence of a comprehensive, AI-specific statute. The guidance, as analyzed by Squire Patton Boggs, underscores a central message for compliance officers and in-house counsel: AI does...

Source

Siobhan Harms reports: The Ohio Auditor of State’s Office will begin evaluating school districts’ cybersecurity policies in July. As outlined by House Bill 96, districts had to implement a cybersecurity program that safeguards the district’s data, information technology and information technology resources to ensure availability, confidentiality and integrity. The law reads, “The program shall be...

Source

The IAPP writes: Last year, the California Privacy Protection Agency adopted a major new rule requiring certain businesses to conduct an annual cybersecurity audit. The rule went into effect 1 Jan. 2026. This pioneering requirement, the first of its kind among state data privacy laws of general applicability, may entail substantial compliance efforts for affected companies to...

Source

From HHS OCR: This video presentation is intended to raise awareness and provide practical education to HIPAA covered entities and business associates of the HIPAA Security Rule’s Risk Management requirement. Like risk analysis, effective risk management is an essential component of both HIPAA Security Rule compliance and broader cybersecurity preparedness. Risk management is a critical step not only for...

Source

A press release on April 6, 2026 from Maine House Democrats:  On Thursday, the Maine House voted unanimously to advance a bill from Rep. Julie McCabe, D-Lewiston, that would help prevent cybersecurity attacks on Maine hospitals and ensure continuity of patient care when future cyberattacks occur. As amended, LD 2103 would require Maine hospitals to adopt a...

Source

Skyler Shepard reports: State investigators say Mirra Health jeopardized the safety of thousands of Floridians by sharing their sensitive health data with unauthorized companies overseas. Florida Insurance Commissioner Mike Yaworsky suspended Mirra Health Care LLC on Tuesday after investigators found the company sent private medical information to unlicensed companies in India and the Philippines. Mirra Health handles important claims...

Source

Theresa Defino of the Health Care Compliance Association reports: Calling the proposal “unprecedented in its scope and lack of specificity,” CVS Health—owner of Aetna—is among a chorus of firms and organizations opposing a renewed effort by the Office of Personnel Management (OPM) to establish what CVS termed a “wholesale collection of vast amounts of granular...

Source

The House Energy and Commerce committee unanimously passed a package of bipartisan cybersecurity bills Thursday targeting the energy sector, including legislation that would reauthorize and fund a critical federal cybersecurity assistance program for rural electric utilities across the country.

The Rural and Municipal Utility Cybersecurity Act, introduced by Reps. Mariannette Miller-Meeks, R-Iowa, and Jennifer McClellan, D-Va., reauthorizes the Rural and Municipal Utility Advanced Cybersecurity program at the Department of Energy, which funnels hundreds of millions of dollars in federal grants and technical assistance every year to help rural utilities and cooperatives defend against cyberattacks and other threats.

The program was created through the 2022 Infrastructure Investment and Jobs Act and is widely viewed in the energy sector as a cybersecurity lifeline for badly underfunded electric utilities that would otherwise be a weak link in the nation’s energy cybersecurity or reliability.

Smaller utilities play a crucial role supporting the nation’s energy grids, but many lack sophisticated IT or cybersecurity operations. Industry officials say it’s not uncommon for some entities to have one or two IT or cybersecurity officials, if that. The bill approves $250 million in additional grant funding for the program over the next five years, part of which would go to implementing more modern cybersecurity technologies and enhancing information sharing.  

Speaking ahead of the vote, Miller-Meeks said her Iowa district’s electric cooperative must serve rate payers across 20 different counties and faces “the same threats as metropolitan systems but with fewer resources.”

“At a time when cybersecurity attacks on our critical infrastructure are escalating and we have not yet authorized an appropriations bill for DHS, small and rural utilities need resources to defend against nation state actors and sophisticated threats,” she said.

Ranking member Frank Pallone, D-N.J., leveled his own criticism, claiming that the reauthorization was “held up for countless months due to senseless delays” by Energy officials.

Another bill, the Energy Emergency Leadership Act, would move responsibility for the cybersecurity functions of the Office of Cybersecurity, Energy Security and Emergency Response under a single, Senate-confirmed assistant secretary.

The bill’s chief sponsor, Rep. Laurel Lee, R-Fla., directly cited reports of ongoing threats to the nation’s energy sector from Chinese state-sponsored hackers as a driver of the legislation.

“At the same time our electric grid faces an increasingly complex threat landscape, state sponsored threats like Volt Typhoon have actively targeted U.S. critical infrastructure, including our electric grid,” said Lee. “These are real and ongoing threats from foreign adversaries seeking to undermine our national security and economic stability.”

The committee also passed bills that require states to include cybersecurity in their energy plans, clarify the Secretary of Energy’s role promoting and coordinating cybersecurity of the nation’s oil and natural gas pipelines, and codify a pilot Energy Threat Analysis Center.

The post Congress looks to revive critical cyber program for rural electric utilities appeared first on CyberScoop.

Jessica Adiele reports: Nigeria’s telecommunications regulator, the Nigerian Communications Commission (NCC), has directed telecom operators to notify the commission within four hours of detecting any cyberattack. The directive is contained in the Cyber Resilience Framework for Nigeria’s Communications Sector (CRF-NCS) released in February 2026. The rule will take effect in February 2027 and forms part of the regulator’s broader efforts to...

Source

A congressional investigation estimates broker breaches have cost consumers $20 billion in identity theft. Major brokers now promise to make it easier to opt out of their databases. By: Colin Lecher Breaches at data brokers have cost American consumers more than $20 billion, Congress’s Joint Economic Committee revealed Friday as part of an investigation triggered...

Source

Cassandre Coyer reports: A partial government shutdown threatens to further derail a key federal cybersecurity agency’s incident reporting rule—and delay answers that companies need to comply. The Department of Homeland Security shutdown, now entering its third week, may push back the finish line for a Biden-era rule that would create stringent disclosure requirements for critical infrastructure entities after...

Source

Hayley Steele and Gregory Szewczyk of Ballard Spahr write: A new bill introduced in Connecticut—Connecticut Senate Bill 117, An Act Concerning Breaches of Security Involving Electronic Personal Information—would create mandatory forensic examination requirements for entities that experience a “massive breach of security,” defined as a data breach affecting at least 100,000 Connecticut residents, and imposes...

Source