2026 State Privacy Law Enforcement: Every Fine, Settlement, and Action So Far
State privacy enforcement has crossed a threshold. In 2025 and early 2026, regulators issued over $1.5 billion in fines and settlements — more than the preceding five years combined. Google's $1.37 billion TDPSA settlement redrew the map. California's CPPA launched its first wave of formal investigations. Texas proved it means business. If you're a compliance officer still treating state privacy laws as theoretical risk, this article is your wake-up call.
Every Major 2025–2026 Enforcement Action
The table below covers all significant privacy enforcement actions across US state laws and major cross-border cases affecting US companies in the 2025–2026 period. Amounts in USD unless otherwise noted. Sources include AG press releases, court filings, and DPC decisions.
| Company | Fine / Settlement | Law | State / Regulator | Violation | Year |
|---|---|---|---|---|---|
| Google / Alphabet | $1,370,000,000 | TDPSA | Texas AG | Unauthorized geolocation tracking, biometric data collection without consent, sale of personal data without opt-out mechanism | 2024–2025 |
| Meta / Facebook | €1,200,000,000 | GDPR | Ireland DPC | Unlawful cross-border transfer of EU user data to US servers without adequate safeguards | 2023 |
| GoodRx Holdings | $100,000,000+ | FTC Act / State | FTC + CA AG | Sharing health data with Facebook, Google, and Criteo for advertising without user consent; health data sold to third parties | 2023 |
| Clearview AI | €50,000,000 | GDPR / Biometric | France CNIL | Scraping facial data without consent, no legal basis for biometric processing, failure to honor data subject rights | 2023–2024 |
| Tractor Supply Company | $1,350,000 | CCPA / CPRA | California AG | Failure to maintain a compliant opt-out mechanism; sale of personal data without required disclosures in privacy policy | 2024 |
| Honda Motor Company | $632,000 | CCPA / CPRA | California AG | Dark patterns in privacy rights request flow; excessive verification hurdles that effectively denied consumer opt-out requests | 2024 |
| Amazon (Ring) | $5,800,000 | FTC Act | FTC | Employees and contractors accessed customer video footage without authorization; inadequate data security practices | 2023 |
| X Corp (Twitter) | $150,000,000 | FTC Consent Decree | FTC | Used phone numbers and emails collected for 2FA to serve targeted advertising — explicit violation of prior FTC consent decree | 2022 decree, 2023–2024 enforcement |
| Sephora | $1,200,000 | CCPA | California AG | First CCPA enforcement action ever. Sold consumer data to advertising networks without disclosing it as a "sale"; no opt-out mechanism | 2022 (landmark precedent) |
| DoorDash | $375,000 | CCPA | California AG | Sold customer personal data as part of a marketing cooperative without adequate disclosure or opt-out option | 2024 |
Which States Are Most Aggressive in 2026
Not all privacy laws are enforced equally. Some AGs treat privacy enforcement as a priority; others have yet to file a single formal action. Here's where the real risk is concentrated:
California (CCPA / CPRA)
California has the most mature enforcement infrastructure. The California Privacy Protection Agency (CPPA) launched its first formal enforcement sweep in late 2024, targeting data broker registrations and dark patterns in opt-out flows. The AG's office has settled with Sephora, DoorDash, Tractor Supply, and Honda — with more actions expected in 2026. California can fine up to $7,500 per intentional violation with no cap on the number of violations.
🔴 Extreme risk
Texas (TDPSA)
Texas stunned the compliance world with the $1.37 billion Google settlement — the largest single privacy enforcement action in US history under a state law. The Texas AG has explicitly stated that geolocation tracking, biometric data, and non-consensual data sales are the 2025–2026 enforcement priorities. Texas's TDPSA has no revenue or size threshold, meaning it applies to virtually any company with Texas users.
🔴 Extreme risk
Connecticut (CTDPA)
Connecticut's AG has been among the most active in the Northeast. The office issued its first formal CTDPA enforcement letters in mid-2024 and is currently focused on targeted advertising opt-outs and consent for sensitive data categories. Connecticut is also part of a multi-state coalition coordinating investigations with California and Texas. The 60-day cure period expired in January 2025.
🟠 High risk
Colorado (CPA)
Colorado has the highest per-violation fine of any US state — up to $20,000. The Colorado AG co-signed a multi-state privacy investigation in Q1 2026 and is specifically scrutinizing Global Privacy Control (GPC) compliance. If your site doesn't honor GPC browser signals, you're already non-compliant in Colorado. The 60-day cure period expired in July 2025.
🟠 High risk
Virginia (VCDPA)
Virginia's enforcement profile is lower-key but growing. The AG issued its first formal VCDPA investigation notices in Q4 2024, focused primarily on data broker activity and consumer rights request handling. With the 30-day cure period expiring in 2026, Virginia enforcement windows are closing fast. Multiple investigations are reportedly pending in 2026.
🔵 Rising risk
Others to Watch in 2026
Oregon (OCPA) effective July 2024 — first AG investigations initiated Q1 2026. Montana (MCDPA) effective October 2024 — cure period still active. New Hampshire (NHPDPA) effective January 2025. New Jersey (NJDPA) effective January 2025 — first comprehensive privacy law in a major financial hub. All are in early enforcement stages but moving fast.
🔵 Emerging risk
What's Driving the 2026 Enforcement Surge
The following structural factors explain why 2025–2026 looks so different from the 2022–2023 period of relative enforcement quiet:
1. Cure periods are expiring
When state privacy laws first took effect, most included a "cure period" — a window where companies could fix violations after receiving notice before facing fines. Those windows are closing. California's AG eliminated its cure period. Connecticut's expired in January 2025. Colorado's expired in July 2025. Virginia's is set to expire in 2026. Without a cure period, regulators can move directly to fines the moment they identify a violation — and they are.
2. AG offices are staffing up
California, Texas, and Connecticut have all added dedicated privacy enforcement staff in 2024–2025. The Texas AG's Consumer Protection Division now has a dedicated privacy unit. The California CPPA has regulatory authority independent of the AG, with a growing enforcement bureau. This isn't just political theater — these offices are actively investigating, issuing subpoenas, and negotiating settlements.
3. The federal vacuum is fueling state action
Congress has repeatedly failed to pass a comprehensive federal privacy law (APRA, the American Privacy Rights Act, stalled in 2024). With no federal floor, states are filling the gap aggressively — and competing to be seen as the toughest enforcers. For companies, this means 50+ potentially different compliance regimes, each with its own enforcement posture.
4. Dark patterns are now an explicit enforcement target
The Honda settlement was notable not just for the dollar amount, but for what it targeted: dark patterns in the opt-out flow. Making privacy rights requests unnecessarily difficult — excessive verification steps, confusing UI, buried opt-out links — is now a documented enforcement trigger. The FTC has also issued guidance making dark patterns an explicit violation.
What Compliance Officers Should Audit Right Now
Based on the enforcement actions above, here's the specific audit checklist that maps to documented violation patterns. This isn't theoretical — every item on this list corresponds to something that has triggered a real fine.
- Privacy policy is reachable from homepage (not 404 or login-gated)
- Policy names all categories of personal data collected
- Policy discloses all third parties data is shared or sold to
- Policy includes retention schedules for each data category
- Policy explicitly addresses sensitive data categories (health, biometric, geolocation)
- "Do Not Sell or Share My Personal Information" link present in footer (CCPA)
- Cookie consent banner appears before any non-essential cookies load
- Banner offers genuine "Reject All" option (not just "Accept")
- Consent is granular — analytics, advertising, functional tracked separately
- Consent records are stored with timestamp and version for audit trail
- No pre-checked boxes or dark patterns that default to consent
- Global Privacy Control (GPC) browser signal is honored (required in CA, CO, CT, TX)
- Opt-out request form is accessible without account login
- Opt-out flow requires no more than 2 steps (Honda violation: excessive steps)
- Identity verification for opt-out requests is proportional (not requiring government ID)
- Opt-out requests are processed within 45 days maximum
- Opt-out honored for all downstream data processors (not just your own systems)
- Registered with California Data Broker Registry if applicable (AB 1202)
- Registered with Texas Data Broker Registry if applicable (TDPSA)
- Oregon data broker registration reviewed (OCPA, July 2024)
- Deletion mechanism available for consumers to request removal from broker lists
- Full inventory of all pixels, scripts, and analytics tools loading on your site
- All third-party scripts disclosed in privacy policy
- Health data (form inputs, page visits to health-related pages) not shared with ad platforms
- Meta Pixel, Google Ads, and similar tools not receiving health or financial data
- Data Processing Agreements (DPAs) in place with all vendors processing personal data
- DPA completed for targeted advertising activities
- DPA completed for profiling and automated decision-making
- DPA completed for processing of sensitive personal data categories
- DPAs documented and retained — regulators will request these in an investigation
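The consent-related items in the checklist above (granular categories, no defaulted consent, honoring the GPC signal, and keeping a timestamped, versioned consent record) can be reduced to a small gating module. The following is an added example written for this article, not code from Precept or from any of the companies named; the policy version string, category names, user ids and the function names are this example's own, and the GPC detection reads either the browser's navigator.globalPrivacyControl property or the Sec-GPC request header, both of which are defined by the GPC specification.

```javascript
// Added example (not from the article): a minimal consent-gating module covering
// several checklist items: granular categories, no default consent, honouring the
// Global Privacy Control (GPC) signal, and an auditable record carrying a timestamp
// and the privacy-policy version the user consented under.
// PRIVACY_POLICY_VERSION, CATEGORIES and all function names are constructed for this example.

const PRIVACY_POLICY_VERSION = "2026-01-v3"; // constructed; use your own policy version id
const CATEGORIES = ["functional", "analytics", "advertising"];

// Read the GPC signal. In a browser, navigator.globalPrivacyControl is true when
// the user has enabled GPC; server-side, the request carries "Sec-GPC: 1".
// Both forms are accepted so the same logic can run in either place.
function gpcEnabled({ navigatorObj, headers } = {}) {
  if (navigatorObj && navigatorObj.globalPrivacyControl === true) return true;
  if (headers) {
    const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
    if (typeof value === "string" && value.trim() === "1") return true;
  }
  return false;
}

// Build a consent record from the user's explicit banner choices. Every category
// defaults to false: a missing choice is never treated as consent (no pre-checked
// boxes), and a "Reject All" click simply yields an all-false record.
function buildConsentRecord(choices, { gpc, now = new Date(), userId }) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  if (gpc) {
    // GPC is treated by CA, CO and CT as an opt-out of sale/sharing and targeted
    // advertising, so it overrides any advertising consent the banner captured.
    granted.advertising = false;
  }
  return {
    userId,                         // pseudonymous id, constructed for the example
    granted,
    gpc,
    policyVersion: PRIVACY_POLICY_VERSION,
    recordedAt: now.toISOString(), // audit-trail timestamp
  };
}

// Decide whether a tag in a given category may load under a record. "essential"
// is always allowed; anything else needs an affirmative grant recorded against the
// current policy version, so a record from an older policy forces re-consent.
function mayLoad(category, record) {
  if (category === "essential") return true;
  if (!record || record.policyVersion !== PRIVACY_POLICY_VERSION) return false;
  return record.granted[category] === true;
}

// Constructed sample: two visitors who both clicked "accept analytics and ads",
// the second with GPC enabled via the request header.
function demo() {
  const noGpc = buildConsentRecord(
    { analytics: true, advertising: true },
    { gpc: gpcEnabled({ headers: {} }), now: new Date("2026-03-01T10:00:00Z"), userId: "u-1" });
  const withGpc = buildConsentRecord(
    { analytics: true, advertising: true },
    { gpc: gpcEnabled({ headers: { "sec-gpc": "1" } }), now: new Date("2026-03-01T10:05:00Z"), userId: "u-2" });
  return {
    adsForNoGpc: mayLoad("advertising", noGpc),                          // true
    adsForGpc: mayLoad("advertising", withGpc),                          // false: GPC wins
    analyticsForGpc: mayLoad("analytics", withGpc),                      // true: GPC only covers ads/sale
    stale: mayLoad("analytics", { ...noGpc, policyVersion: "old" }),     // false: re-consent needed
    records: [noGpc, withGpc],
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that the record, not the banner, is the source of truth: tags ask mayLoad at load time, and an auditor can reconstruct from recordedAt and policyVersion exactly what the user agreed to and under which policy text.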
The Billion-Dollar Lesson from Google and Texas
Google's $1.37 billion TDPSA settlement deserves special attention because of what it signals to every company processing data on Texas residents. The violations weren't exotic or technical — they were:
- Geolocation tracking without explicit disclosure and opt-out
- Biometric data collection (facial recognition in Google Photos) without specific consent
- Retaining location history after users had deleted it from their accounts
- Absence of an adequate opt-out mechanism for the sale of personal data
These are the same core patterns that appear across almost every enforcement action in the table above. They're not edge cases — they're the baseline compliance floor that regulators are now actively checking. And the dollar amounts suggest that scale matters: the more users you have in a state, the higher the potential exposure.
What Comes Next in 2026
Several developments are worth tracking in the second half of 2026:
The CPPA rulemaking cycle
California's Privacy Protection Agency is finalizing rules on automated decision-making and risk assessments. These rules, expected in mid-2026, will impose new obligations on any company using AI, recommendation systems, or personalization — which is nearly every SaaS product. The CPPA has made clear that enforcement of these rules will begin immediately upon finalization.
Multi-state coordinated investigations
California, Connecticut, Colorado, and Oregon signed a joint enforcement cooperation agreement in late 2025. Expect the first joint action — targeting a company across all four jurisdictions simultaneously — in 2026. This would be a landmark moment: one violation, four AG offices, stacked penalties.
Data minimization enforcement
The next frontier after opt-out enforcement is data minimization — the requirement that companies only collect personal data that's necessary for their stated purpose. Multiple AGs have indicated that 2026 enforcement will increasingly focus on "over-collection" cases, where companies gather data with no disclosed legitimate use.
The biometric surge
Illinois's Biometric Information Privacy Act (BIPA) continues to produce class action litigation — over 1,000 active cases as of Q1 2026. Texas and Washington have their own biometric laws. Google's TDPSA settlement was substantially driven by biometric data claims. If your product touches faces, fingerprints, voiceprints, or retina scans in any way, biometric compliance is no longer optional.
How to Keep Up
The privacy enforcement landscape is moving faster than any compliance calendar can track manually. New AG actions are filed weekly. Multi-state coalitions are forming. New state laws are taking effect every quarter. By the time a violation is documented in a press release, the investigation has typically been running for 12–18 months.
The compliance officers who are getting ahead of this are doing three things: running regular technical audits of their websites (not just policy reviews), maintaining living inventories of their third-party data processors, and treating opt-out and consent infrastructure as product features — not afterthoughts.
If you haven't run a systematic technical audit of your site's compliance posture against all applicable state privacy laws, that's the starting point. Every enforcement action in the table above began with something regulators found on a public website.
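A technical audit of the kind described here starts by inventorying what the public site actually loads and comparing it with what the privacy policy discloses (the pixel and script checklist items earlier in this article). The following is an added example written for this article, not Precept's scanner or any project's code: a static inventory of the third-party scripts, pixels and iframes referenced in a page's HTML, checked against a disclosed-vendor list. The first-party host, the vendor list, the sample page and the function names are constructed; the vendor URLs follow the well-known shapes of the Google tag and Meta Pixel loaders with placeholder ids.

```javascript
// Added example (not from the article): static inventory of third-party scripts,
// tracking pixels and iframes a page's HTML references, compared with the vendors
// the privacy policy discloses. FIRST_PARTY_HOST, DISCLOSED_VENDORS, SAMPLE_HTML
// and the function names are constructed for this example.

const FIRST_PARTY_HOST = "shop.example"; // constructed first-party hostname
// Constructed list of vendors the (hypothetical) privacy policy already names.
const DISCLOSED_VENDORS = new Set(["www.googletagmanager.com"]);

// Matches script, img (pixel) and iframe tags that carry a src attribute.
// A regex is a heuristic: it sees only markup present in the served HTML, not tags
// injected later by a tag manager or other scripts at runtime. A complete audit
// also captures the live network requests from a real browser session.
const TAG_RE = /<(script|img|iframe)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

function inventoryThirdParties(html, { base = `https://${FIRST_PARTY_HOST}/` } = {}) {
  const byHost = new Map();
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    let host;
    try {
      host = new URL(m[2], base).hostname;
    } catch {
      continue; // malformed src; nothing to attribute
    }
    // Relative URLs resolve to the first party; data: URLs have no host.
    if (!host || host === FIRST_PARTY_HOST) continue;
    const entry = byHost.get(host) ?? { host, tags: new Set(), disclosed: DISCLOSED_VENDORS.has(host) };
    entry.tags.add(tag);
    byHost.set(host, entry);
  }
  return Array.from(byHost.values())
    .map(e => ({ host: e.host, tags: Array.from(e.tags).sort(), disclosed: e.disclosed }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Hosts that load on the page but are not named in the policy: the gap an auditor
// has to close (disclose, gate behind consent, or remove) before the policy is complete.
function undisclosedHosts(report) {
  return report.filter(e => !e.disclosed).map(e => e.host);
}

// Constructed sample page. Ids in the vendor URLs are placeholders.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img height="1" width="1" style="display:none"
     src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView&noscript=1" />
<iframe src="https://www.youtube.com/embed/PLACEHOLDER"></iframe>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="" />
</body></html>`;

function demo() {
  const report = inventoryThirdParties(SAMPLE_HTML);
  return { report, undisclosed: undisclosedHosts(report) };
}

console.log(JSON.stringify(demo(), null, 2));
```

On the constructed page the scan finds four third-party hosts, of which only the tag manager is disclosed; the Meta Pixel loader, its image beacon and the embedded video frame are the findings a regulator would compare against the policy text.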
Run a free 50-state privacy audit
Precept scans your website against CCPA, TDPSA, VCDPA, CTDPA, CPA, and 20+ more laws in under 60 seconds. Get a specific findings report with severity ratings and fix recommendations.