$3.425 Billion Privacy Reckoning: U.S. States Unleash Record Fines in 2025 as Enforcement Hits Full Throttle

In 2025, U.S. state regulators and private litigants delivered a staggering $3.425 billion in privacy-related fines — a figure that eclipsed the combined total from the previous five years and nearly doubled 2024’s $1.827 billion haul. Gartner’s April 2026 analysis, which aggregates enforcement actions by state attorneys general, new privacy protection agencies, and statutory private rights of action under both state and federal laws, marks a decisive turning point. The era of “awareness-building” is over. Regulators have shifted to aggressive, penalty-driven enforcement, with the trend projected to accelerate through 2028.

This isn’t just a California story anymore. While the Golden State led in volume and innovation under the CCPA/CPRA, Texas delivered one of the single largest privacy settlements in U.S. history. Mid-sized companies, retailers, automakers, media outlets, and even gaming apps all felt the sting. The dollars tell a clear story: privacy compliance failures are now a material financial risk, not a regulatory checkbox.

The Blockbuster Settlements That Moved the Needle
A handful of mega-cases accounted for a disproportionate share of the 2025 total. Here are the standout dollar amounts:

Texas v. Google: $1.375 billion
In October 2025, Texas Attorney General Ken Paxton finalized a historic $1.375 billion settlement with Google — the largest single-state privacy settlement against the tech giant to date. The case centered on alleged deceptive tracking of geolocation data, incognito browsing activity, and biometric identifiers (including voiceprints and facial geometry). This one settlement alone dwarfed most prior multi-state efforts and represented a massive chunk of the national total.

General Motors (OnStar): $12.75 million
In May 2026 (reflecting 2025-era violations), California Attorney General Rob Bonta, the California Privacy Protection Agency (CPPA), and local district attorneys announced the largest CCPA settlement in history. GM allegedly sold detailed driving habits and geolocation data from hundreds of thousands of OnStar subscribers to data brokers without proper notice or consent. The penalty included strict five-year bans on selling certain consumer driving data.

Disney: $2.75 million
California settled with Disney over failures to honor consumer opt-out signals and related CCPA violations — one of the higher-profile early enforcement actions cited in Gartner’s analysis.

Healthline Media: $1.55 million
The largest CCPA settlement at the time of announcement (July 2025). California alleged Healthline shared sensitive health-related article data (e.g., titles suggesting medical conditions) with advertisers in violation of purpose-limitation rules, while also failing to honor opt-outs and maintain proper vendor contracts.

Tractor Supply Company: $1.35 million
In September 2025, the CPPA issued its then-largest administrative fine against the national retailer for failures in privacy notices, opt-out mechanisms (including Global Privacy Control signals), job-applicant rights, and vendor contracts.

Jam City (mobile gaming): $1.4 million
California targeted the sale and sharing of personal information of known minors (ages 13–16) without consent, plus weak age-gating.

PlayOn Sports (youth sports media): $1.1 million
First major student-privacy-focused CCPA action; alleged failures around opt-out signals and notices for student data.

Smaller but still significant 2025 actions included Honda ($632,500 for excessive identity verification on opt-outs), Sling TV ($530,000 for children’s profile protections), and Connecticut’s first monetary penalty under the CTDPA against TicketNetwork ($85,000). Multi-state efforts, such as the California–Connecticut–New York collaboration on an ed-tech company, added another $5.1 million.

Publicly reported CCPA/CPRA penalties alone exceeded $23 million in high-profile cases by early 2026, but the broader $3.425 billion figure also captures thousands of smaller enforcement actions, class-action settlements, and private rights of action across 22+ states with active comprehensive privacy laws.

Why the Explosion in 2025?
Gartner attributes the surge to three converging forces:
1. Maturity of laws — 22 states covering >50% of the U.S. population now have comprehensive consumer privacy statutes. Regulators have moved past education to sustained enforcement.
2. New obligations, especially around AI and automated decision-making — Recent amendments target how companies use personal data in algorithms, scoring, and profiling.
3. Focus on “privacy user experience” failures — The vast majority of fines stemmed from broken consent mechanisms, ignored opt-out signals (including Global Privacy Control), inadequate privacy notices, and purpose-limitation violations.

Interstate cooperation and “privacy notice sweeps” (e.g., Connecticut’s two-dozen cure notices) amplified the pressure. No longer was enforcement limited to Big Tech — retailers, automakers, media companies, and app developers all paid seven- and eight-figure sums.

The Road to 2028: Acceleration Ahead
Gartner explicitly forecasts the upward trend will intensify through 2028. More states are expected to enact laws (only a handful remain without comprehensive rules), new amendments will layer on obligations, and regulators will continue refining their enforcement playbooks. Private litigation via statutory rights of action will likely grow as well, adding another layer of dollar exposure.

Billions in Fines for Privacy Violations 
The $3.425 billion message is unmistakable: privacy programs established in 2020 and left on autopilot are now liabilities. Companies operating in the U.S. should treat this as a board-level financial risk. Immediate priorities include:
– Auditing privacy notices, consent flows, and opt-out systems (especially GPC signals).
– Reviewing data-sharing contracts and purpose limitations.
– Preparing for automated decision-making and AI-specific rules.
– Stress-testing programs against the enforcement playbook that produced these record fines.

2025 proved that privacy violations now carry billion-dollar consequences — sometimes in a single settlement. The dollars don’t lie, and the trend is only accelerating.
