If you thought US privacy enforcement was winding down, think again. Despite predictions that changes in Washington would put the brakes on data protection efforts, the reality on the ground tells a different story. Between active state regulators, an engaged FTC, and a growing wave of private litigation, US privacy enforcement is thriving.
Here’s what’s actually happening—and why organisations everywhere should be paying attention.
Federal Enforcement Remains Active
The Federal Trade Commission continues to pursue privacy violations with force. In 2024, the FTC finalised a $16.5 million order against Avast, banning the UK-based security company from selling consumer browsing data. The case demonstrated that being based outside the US offers no protection from American regulators.
The FTC has shown particular interest in sensitive data categories. Its enforcement action against Avast made clear that web browsing data is “sensitive, full stop”—a position that signals stricter scrutiny for any company handling such information.
Children’s data remains a priority. In January 2025, the FTC announced significant amendments to COPPA, limiting how companies can monetise children’s information. These represent the most substantial changes to children’s privacy rules in over a decade.
Sectoral laws add another layer. The HHS guidance on tracking technologies has put healthcare organisations on notice that cookies and pixels on their websites may violate HIPAA. This has sparked significant enforcement activity around browser-based tracking tools.
State Privacy Laws Have Multiplied
The state-level picture has transformed dramatically. Twenty states now have comprehensive consumer privacy laws in effect, up from just California a few years ago. The IAPP’s state privacy legislation tracker shows this trend continuing to accelerate.
Eight new state privacy laws took effect in 2025 alone, covering Delaware, Iowa, Minnesota, Nebraska, New Hampshire, New Jersey, Tennessee, and Maryland. Each brings its own requirements for privacy notices, consumer rights, and data protection practices.
California continues to lead on enforcement. The California Privacy Protection Agency issued a record $1.35 million fine against Tractor Supply in September 2025—the largest CCPA administrative penalty to date. The CPPA has announced that penalty amounts increased in 2025, with civil penalties now ranging from $2,663 to $7,988 per violation.
Texas and other states are following suit. The Texas Attorney General has been actively enforcing the Texas Data Privacy and Security Act, while Connecticut and Oregon have also begun enforcement activities.
AI Regulation Is Here
Contrary to assumptions that US AI regulation would lag behind Europe, several states have moved forward with dedicated AI laws.
The Colorado AI Act, taking effect in February 2026, requires developers and deployers of high-risk AI systems to conduct impact assessments, implement risk management programmes, and provide consumer disclosures. Skadden’s analysis describes it as a “landmark” piece of legislation adopting a risk-based approach similar to the EU’s AI Act.
Texas followed with the Texas Responsible AI Governance Act (TRAIGA), signed into law in June 2025 and taking effect January 2026. The law imposes disclosure, consent, and compliance requirements on AI developers and deployers.
Beyond these dedicated AI laws, existing consumer protection frameworks apply to AI-related harms. The FTC has pursued “AI washing” claims against companies that overstate their AI capabilities.
Private Litigation Poses Major Risks
Perhaps the most underappreciated enforcement mechanism in the US is private litigation. Thousands of privacy-related lawsuits are filed each year, targeting everything from website tracking to biometric data collection.
Illinois’s Biometric Information Privacy Act (BIPA) has generated hundreds of class action lawsuits. The $51.75 million equity settlement with Clearview AI illustrates the scale of potential liability. Even after 2024 amendments to BIPA that capped certain damages, plaintiffs can still recover $1,000 to $5,000 per violation.
Website tracking litigation targeting cookies, pixels, and session replay tools remains a significant risk for organisations across all sectors.
What This Means for Your Organisation
The message is clear: US privacy enforcement shows no signs of slowing. Your organisation should:
- Audit current data practices against the requirements of states where you have customers or operations
- Review AI deployments for compliance with emerging state AI laws, particularly if you operate in Colorado or Texas
- Examine website tracking practices, especially if you handle health information or operate in sectors with heightened regulatory scrutiny
- Assess biometric data collection practices if you use facial recognition, fingerprint scanning, or voice authentication
- Prepare for private litigation by ensuring your privacy notices and consent mechanisms are defensible
The regulatory environment may be fragmented across 50 states, but that fragmentation doesn’t mean weakness. If anything, it means more potential enforcers, more potential plaintiffs, and more reasons to get privacy right.
