State Privacy Enforcement Reaches an Inflection Point
U.S. states collectively imposed $3.45 billion in privacy-related fines on companies during 2025, a figure that exceeds the combined total from the prior five years, according to research and advisory firm Gartner. The dramatic surge reflects stronger, more mature privacy statutes at the state level, newly formed interstate enforcement partnerships, and a heightened regulatory focus on how artificial intelligence and automated systems interact with personal data.
Gartner's analysis concludes that regulators have decisively moved away from an educational posture toward full-scale enforcement, which the firm characterizes as increasingly the baseline expectation heading into 2026 and beyond.
California Leads the Charge After Years of Dormant Enforcement
The California Consumer Privacy Act (CCPA) granted consumers new data privacy rights with enforcement provisions that went live in 2023, yet for several years actual enforcement activity was minimal. Nader Heinen, a data protection and AI analyst at Gartner and co-author of the research, explained that this lag was intentional — mirroring the approach taken with Europe's General Data Protection Regulation (GDPR), which similarly began by offering companies guidance before ramping up penalties.
That period of leniency, however, appears to have ended. In 2025, the California Privacy Protection Agency pursued violators across a diverse range of sectors, targeting not just major corporations but also smaller and mid-sized companies in technology, the automotive industry, and consumer products — including apparel and off-the-shelf goods.
Heinen attributed some of the pain felt by businesses to a false sense of complacency that developed during the enforcement gap. "Unfortunately, what happens when so much time passes between the legislation and starting enforcement regularly, is a lot of organizations let their privacy program atrophy," he said. He noted that some companies simply "weren't paying attention" while regulators were quietly building their enforcement teams.
Ten States Form the Consortium of Privacy Regulators
Beyond California, states have been pooling resources to extend their enforcement reach across state lines. Last year, ten states joined forces to establish the Consortium of Privacy Regulators, committing to coordinate investigations and enforcement of shared privacy statutes. The coalition focuses in particular on individuals' rights to access, delete, and prevent the sale of their personal information.
This collaborative structure allows member states to pursue companies that may operate in multiple jurisdictions, effectively closing loopholes that previously let some firms avoid accountability by virtue of where they were incorporated or headquartered.
AI and Automated Decision-Making Drive New Regulatory Priorities
State privacy regulators are also updating existing data-protection frameworks to address the specific harms posed by automated decision-making technologies. A central concern is how companies use personal and private data to train AI systems and to enable those systems to draw inferences about individuals.
Gartner anticipates that privacy fines will continue climbing in the years ahead. Heinen argued that state legislatures will likely remain the primary architects of the legal infrastructure governing data privacy in the AI era, filling a vacuum left by the absence of comprehensive federal legislation.
"You have to put yourself in the position of these state legislatures," Heinen said. "Their constituencies — the voting public — is telling them we're worried about AI. AI anxiety is a thing. Everybody's worried about whether AI is going to take their job or impact their capacity to find a job, so they want to see legislation in place to protect them."
Federal Preemption Bill Draws Sharp Opposition
The record enforcement activity at the state level coincides with a renewed push by House Republicans to pass comprehensive federal privacy legislation — a bill that would preempt stricter state laws, including the CCPA. A key provision at stake is the CCPA's private right of action, which gives California residents the legal standing to sue companies directly for privacy violations.
On Monday, Tom Kemp, executive director of the California Privacy Protection Agency, sent a letter to House Energy and Commerce Chair Brett Guthrie (R-Ky.) opposing the measure. Kemp argued the legislation would effectively establish a ceiling on Americans' data privacy protections rather than a minimum floor from which states could build stronger safeguards.
"Preemption would strip away important existing state privacy provisions that protect tens of millions of Americans now. That would be a significant step backward in privacy protection at a time when individuals are increasingly concerned about their privacy and security online, and when challenges from data-intensive new technologies such as AI are developing quickly."
What This Means for Businesses
The combination of record fines, a multi-state enforcement coalition, and looming federal legislative battles creates a complex compliance environment for organizations of all sizes. Key takeaways for businesses include:
- Enforcement of state privacy laws is no longer theoretical: the $3.45 billion in 2025 fines demonstrates regulators' willingness to pursue companies of all sizes across industries.
- Because members of the Consortium of Privacy Regulators coordinate investigations, a violation in one state may trigger investigations in multiple jurisdictions simultaneously.
- AI-related data practices — particularly the use of personal data for model training and inferential profiling — are a specific and growing focus for state regulators.
- Organizations that allowed privacy programs to deteriorate during the enforcement gap face elevated exposure and should conduct immediate program assessments.
Gartner's findings make clear that the era of regulatory patience has passed. Companies that have not yet aligned their data practices with the current enforcement environment face mounting legal and financial risk as state regulators continue to sharpen their tools and broaden their reach.
Source: CyberScoop