U.S. Privacy Fines Surge to $3.45 Billion in 2025 as States Enforce Strict Laws

U.S. states issued a record $3.45 billion in privacy-related fines to companies in 2025, a total exceeding the combined amount from the previous five years, according to research and advisory firm Gartner.

The dramatic increase is attributed to stronger state privacy laws, new interstate enforcement partnerships, and heightened scrutiny of how AI and automation impact data privacy. Gartner’s analysis indicates that regulators are shifting from awareness campaigns to large-scale enforcement, marking a significant change from recent years.

“This is increasingly becoming the standard in 2026 and for the coming two years,” concluded Gartner’s research.

“Regulators are shifting their efforts away from awareness to full-scale enforcement.” — Gartner

Privacy fines have risen sharply in recent years. The California Consumer Privacy Act (CCPA), which took effect in 2023, initially saw limited enforcement. According to Nader Heinen, a data protection and AI analyst at Gartner and co-author of the research, this enforcement lag mirrors the approach of Europe’s Global Data Protection Regulation (GDPR), which prioritized guidance before ramping up penalties.

However, that era has ended. In 2025, the California Privacy Protection Agency aggressively enforced the CCPA, targeting violators across industries—not just large corporations but also smaller and mid-sized businesses in tech, automotive, consumer products, and apparel.

“Unfortunately, what happens when so much time passes between legislation and regular enforcement is that a lot of organizations let their privacy programs atrophy. They weren’t paying attention.” — Nader Heinen, Gartner

States have also collaborated to strengthen enforcement. In 2024, ten states formed the Consortium of Privacy Regulators, a coalition dedicated to coordinating investigations and enforcing privacy laws related to accessing, deleting, and preventing the sale of personal information.

Beyond existing laws like the CCPA, states are updating their privacy and data-protection regulations to address harms from automated decision-making technologies, including AI. Regulators are particularly focused on how personal data is used to train AI systems and make inferences.

Gartner expects privacy fines to continue rising in the coming years. Heinen predicts that states will lead in building the legal framework to enforce data privacy in the AI era, addressing public concerns about the technology’s negative impacts.

“You have to put yourself in the position of these state legislatures. Their constituencies—the voting public—are telling them they’re worried about AI. AI anxiety is real. Everybody’s worried about whether AI is