US state privacy fines reached $3.425 billion in 2025
Help Net Security
Mirko Zorz, Director of Content, Help Net Security
April 28, 2026
State privacy regulators across the United States collected $3.425 billion in privacy-related fines from companies in 2025. Gartner said the upward trend is expected to accelerate through 2028. Annual cumulative fines stood at $1.827 billion in 2024, putting the 2025 result at nearly double the previous year’s level.
Gartner derived the estimate by compiling and aggregating enforcement actions and statutory private rights of action tied to state and federal privacy laws.
A turning point for state-level enforcement
Privacy regulators are moving from awareness-building into direct penalty activity. “Privacy laws across the U.S. have been in place long enough for Gartner to start seeing a trend of new amendments introducing fresh obligations. These new obligations are primarily focused on automated decision-making technologies,” said Nader Henein, VP Analyst at Gartner. “Regulators are also shifting their efforts away from spreading awareness to full-scale enforcement. This is increasingly becoming the standard in 2026 and beyond.”
The shift coincides with continued growth in the number of US states with consumer privacy statutes. Twenty-two states have passed privacy laws aimed primarily at consumer privacy rights, covering more than half of the US population. Another 24 states have proposed similar legislation and are expected to pass it over the next five years. Kansas, Idaho, South Dakota, and Wyoming sit outside this trend, focusing on narrower measures covering areas such as children’s data and genetic information.
Henein said the state-by-state pattern resembles the earlier rollout of breach disclosure laws, which spread from California in July 2003 to Alabama as the 50th state in March 2018.
AI and automated decisions are driving new amendments
Personal data has moved to the center of AI model training and inference, and state regulators are revising privacy frameworks to address automated decision-making technologies alongside a parallel patchwork of state AI governance laws. Because much of the world’s data sits with US-registered companies, US privacy laws affect data protection levels well beyond US residents.
Enforcement intensity tracks with regulator activity
Independent research published this month reinforces a pattern that helps explain why state-level totals are climbing. A measurement study of web tracking across ten jurisdictions found that privacy laws produce results where regulators bring cases, and produce far less where they do not. EU regulators have issued 833 fines totaling €3.01 billion for processing data without a valid legal basis. Germany and Spain were categorized as high-enforcement jurisdictions, with California, Canada, Australia, and South Korea grouped at a medium level of activity that depends heavily on individual high-profile cases.
The same research documented recent California enforcement actions. The California Attorney General settled with Disney for $2.75 million over failures to honor opt-out signals, and the California Privacy Protection Agency has brought actions against PlayOn Sports and Ford. These cases align with Gartner’s view that state enforcement has moved into a sustained penalty phase.
The analysis also found that advertising trackers account for roughly two-thirds of recorded tracking connections on the web, with consent management consolidating around a small number of platforms. Recent California cases have centered on operational failures in this layer, particularly failures to honor consumer opt-out signals.
Recommendations for CISOs and privacy leaders
Gartner recommends two priorities for CISOs and leaders responsible for privacy programs. The first is a critical review of existing programs. Many organizations operating only in the United States built their privacy programs in 2020 and have allowed them to atrophy in the years since, leaving them poorly positioned for the current enforcement environment. Programs need to be reassessed to confirm they continue to provide adequate and defensible compliance.
The second priority is privacy user experience. Most fines and violations tie back to shortcomings in how organizations handle subject rights, consent, and privacy notices. Improvements in these areas address the operational gaps that regulators are most likely to find and penalize.