$3.425 Billion. One Year. A Wake-Up Call for Every Business Operating in the United States.

Gartner just released data that should be on every executive’s radar: U.S. states assessed $3.425 billion in privacy-related fines in 2025 alone, more than the prior five years combined. And Gartner says the trend will accelerate through 2028.

Let that sink in! Five years of enforcement were surpassed in twelve months.

What changed?

Privacy laws didn’t just emerge in 2025; many have been on the books for years. What changed is that regulators finished their “guidance phase” and moved into full-scale enforcement. Regulators are no longer spreading awareness. They are issuing penalties. And the amounts are real dollars.

California led the charge, settling with Disney for $2.75 million over failures to honor consumer opt-out signals and bringing enforcement actions against companies ranging from Fortune 500s to mid-market players in tech, automotive, and consumer goods. This is no longer a “big company” problem.

The legislative map is nearly complete.

22 states have already passed comprehensive consumer privacy laws covering more than half the U.S. population. Another 24 states are expected to follow within five years. Only a handful of states — Kansas, Idaho, South Dakota, and Wyoming — remain outside the trend, and even they have enacted narrower privacy protections.

This mirrors the trajectory of data breach notification laws, which spread from California in 2003 to all 50 states by 2018. Comprehensive consumer privacy legislation is on the same path. If your company isn’t currently subject to a state privacy law, it will be.

AI is the next enforcement frontier.

New amendments to existing privacy statutes are specifically targeting automated decision-making technologies. As AI adoption accelerates and personal data becomes central to model training and inference, regulators are building the legal infrastructure to govern it, and state legislatures are hearing from worried constituents.

Where are companies failing?

According to Gartner, the majority of fines trace back to three operational shortcomings: consent mechanisms, privacy notices, and subject rights fulfillment; in other words, the consumer-facing infrastructure of your privacy program. Advertising trackers alone account for roughly two-thirds of recorded tracking connections implicated in enforcement.

What should you do right now?

If your privacy program was built in 2020 or 2021 and hasn’t been meaningfully updated, it is almost certainly out of compliance with the laws in force today. You need to perform a critical review. Don’t assume that because you haven’t received a regulatory inquiry, your program is adequate.

As a privacy attorney, I’ll emphasize that the cost of a compliance audit is a fraction of a single enforcement action, and the exposure isn’t limited to regulators. Statutory private rights of action are embedded in many of these laws, meaning consumers can sue directly.

The bottom line: Privacy compliance is no longer a legal formality. At $3.425 billion in a single year, and climbing, it is a material financial risk that belongs on the agenda of every board, every executive team, and every general counsel.

If you have questions about where your organization stands, I’m happy to talk.
