U.S. states levied $3.45 billion in privacy-related fines against companies in 2025, a sum exceeding the total from the previous five years combined, according to research and advisory firm Gartner. This significant increase reflects a shift towards more robust enforcement of data privacy laws across the nation.
The surge in penalties is attributed to a combination of factors, including the maturation of comprehensive privacy legislation like California’s Consumer Privacy Act (CCPA), the establishment of interstate collaborations for unified enforcement, and a heightened scrutiny of how artificial intelligence and automation impact personal data. Regulators are now actively penalizing violations, moving beyond initial awareness campaigns.
States Intensify Privacy Enforcement and Fines
The substantial rise in privacy fines marks a pivotal moment in data protection regulation. The research indicates that regulators are now prioritizing full-scale enforcement over mere awareness, a notable departure from previous years where investigations and penalties were less aggressive.
This trend is projected to continue. Gartner’s analysis suggests that the current level of enforcement intensity will become the standard in 2026 and the subsequent two years, signaling a permanent shift in how companies must approach data privacy compliance.
Key Drivers Behind the Enforcement Surge
The California Consumer Privacy Act, which saw its core consumer privacy provisions go into effect in 2023, initially experienced a period of limited enforcement. Nader Heinen, a data protection and AI analyst at Gartner and co-author of the research, compared this initial phase to the rollout of Europe’s General Data Protection Regulation. He noted that such major privacy laws often begin with a period of guidance before moving to more rigorous enforcement.
However, that more lenient period appears to have concluded. In 2025, the California Privacy Protection Agency significantly increased its enforcement actions under the CCPA. Violations were pursued across a diverse range of industries, targeting not only large corporations but also small and mid-sized businesses in sectors including technology, automotive, and consumer goods.
Heinen suggested that some companies may have become complacent during the period of reduced enforcement. This lack of sustained attention to privacy programs during the interim between legislation and active enforcement contributed to the surge in penalties in 2025.
Firms that allowed their privacy programs to deteriorate, assuming enforcement would remain lax, faced significant consequences. This highlights the critical need for continuous maintenance and updating of data privacy practices.
Interstate Collaboration and AI’s Privacy Implications
In addition to individual state efforts, there’s a growing trend of states pooling resources to address privacy violations that cross state lines. The formation of the Consortium of Privacy Regulators last year, comprising ten states, exemplifies this collaborative approach. The consortium aims to coordinate investigations and enforcement of shared privacy laws concerning data access, deletion, and the prevention of personal information sales.
Beyond established frameworks like the CCPA, states are actively updating existing privacy and data protection laws to specifically address the challenges posed by automated decision-making technologies, including AI. State privacy regulators are particularly focused on how personal and private data is utilized in training AI systems and in generating inferences.
Gartner anticipates a continued rise in privacy fines in the coming years. Heinen predicts that states will likely remain at the forefront of developing the legal frameworks necessary for enforcing data privacy in the age of AI. This is driven by public concern over the potential negative impacts of these rapidly advancing technologies.
Heinen explained that state legislatures are responding to public anxiety about AI. Growing concerns regarding job security and the broader societal impact of AI are prompting constituents to demand protective legislation, which legislators are then compelled to address.
Meanwhile, federal efforts to establish comprehensive privacy legislation are ongoing. This past month, House Republicans introduced a bill intended to preempt stricter state laws, such as those in California. A key CCPA provision that this federal proposal could potentially override is the one granting consumers a private right of action, which allows them to sue companies directly for privacy violations.
On Monday, Tom Kemp, executive director of the California Privacy Protection Agency, formally opposed the federal bill. In a letter to House Energy and Commerce Chair Brett Guthrie, R-Ky., Kemp argued that the proposed federal legislation would establish a “ceiling,” rather than a “floor,” for data privacy protections, potentially limiting current consumer safeguards.
Kemp warned that such preemption would dismantle existing state privacy provisions that currently protect millions of Americans. He characterized this as a significant regression in privacy protection, especially at a time when public concern about online privacy and security is escalating, and challenges from data-intensive technologies like AI are rapidly evolving.
The ongoing debate between federal and state approaches to privacy regulation, particularly concerning AI and the future of existing state laws, will be critical to watch. The next expected step involves continued legislative discussions on the federal bill and potential responses from states regarding their existing privacy frameworks.

