TL;DR: 20 states will have comprehensive privacy laws by January 2026—but which actually enforce them? This tracker monitors real enforcement actions: fines, settlements, consent orders. California leads with millions in penalties. Most other states show little public enforcement. Updated January 2026.

The Enforcement Gap

State privacy laws are worthless without enforcement. A $10,000 per-violation fine means nothing if the attorney general never files charges.

Here's the reality: California has an active enforcement program with millions in settlements. A handful of other states show scattered enforcement. Most have done nothing visible.

This tracker monitors actual enforcement actions—not press releases about new laws, but penalties companies actually paid.

California: The Enforcement Leader

California has two enforcement bodies: the California Privacy Protection Agency (CPPA) and the Attorney General's office. Both are actively pursuing violations.

California Privacy Protection Agency (CPPA)

The CPPA launched a "Data Broker Enforcement Strike Force" in November 2025 to target data broker registration violations.[1]

Datamasters

$45,000 fine

January 2026 — Failed to register as data broker. Ordered to cease selling Californians' personal information.[2]

S&P Global

$62,600 fine

January 2026 — Failed to register as data broker.[2]

Tractor Supply Company

$1.35 million settlement

October 2025 — CCPA violations related to consumer privacy rights.[3]

American Honda Motor Co.

CPPA Board decision issued

March 2025 — Required excessive personal information for privacy rights requests.[4]

Ongoing investigations: The CPPA reports hundreds of investigations underway, many not yet public.[3]

California Attorney General

Sling TV

$530,000 settlement

October 2025 — Confusing and difficult opt-out framework.[5]

Jam City

$1.4 million settlement

November 2025 — Failed to provide opt-out methods; insufficient child privacy protections.[6]

Healthline

Settlement (amount undisclosed)

2025 — Novel term banning sharing article titles that reveal medical conditions.[7]

Enforcement Priorities

The California AG's office has signaled priorities for 2026:[8]

  • Location data: How companies collect and share precise location
  • Opt-out functionality: Whether "do not sell" mechanisms actually work
  • Data broker compliance: Registration requirements and DELETE Act obligations
  • Youth data: Special protections for minors' information

Fine Structure (2025-2026)

California adjusts CCPA penalties for inflation every two years:

  • Unintentional violations: Up to $2,663 per violation
  • Intentional violations: Up to $7,988 per violation
  • Violations involving minors under 16: Up to $7,988 per violation
  • Private right of action (data breaches): $107-$799 per person per incident

Other States: Limited Visible Enforcement

Most states with privacy laws show little public enforcement activity. This doesn't mean they're doing nothing—investigations may be ongoing. But visible action is rare.

States with Comprehensive Privacy Laws (by effective date)

StateEffective DateEnforcement Status
California (CCPA/CPRA)Jan 2020/Jan 2023Active enforcement
Virginia (VCDPA)Jan 2023No public enforcement actions reported
Colorado (CPA)Jul 2023No public enforcement actions reported
Connecticut (CTDPA)Jul 2023No public enforcement actions reported
Utah (UCPA)Dec 2023No public enforcement actions reported
Oregon (OCPA)Jul 2024No public enforcement actions reported
Texas (TDPSA)Jul 2024Investigations reported, no public actions
Montana (MTCDPA)Oct 2024Too new for significant enforcement
DelawareJan 2025Too new for significant enforcement
IowaJan 2025Too new for significant enforcement
New JerseyJan 2025Too new for significant enforcement
TennesseeJul 2025Too new for significant enforcement
IndianaJan 2026Just effective
KentuckyJan 2026Just effective
Rhode IslandJan 2026Just effective
Maryland (MODPA)Oct 2025 (enforcement Apr 2026)Enforcement begins April 1, 2026

Note: "No public enforcement actions" doesn't mean no enforcement. Many states pursue confidential settlements or issue warning letters before public action. But it does mean no visible deterrent effect.

Why California Leads

Several factors explain California's enforcement advantage:

  • Dedicated agency: The CPPA exists solely to enforce privacy law. Other states rely on AG offices with many competing priorities.
  • Self-funding: CPPA fines fund its own operations, creating enforcement incentive.
  • Private right of action: Californians can sue directly for data breaches. Other states only allow AG enforcement.
  • Earlier effective date: California's law has been in effect since 2020. Most others started in 2023 or later.
  • Larger economy: More companies operate in California, more violations occur, more resources to enforce.

What to Watch in 2026

California Escalation

  • ADMT regulations: New automated decision-making technology rules effective January 2026. Expect enforcement actions against companies using AI for decisions affecting Californians.
  • DELETE Act platform: Data broker opt-out platform fully operational. CPPA will target non-compliant brokers.
  • Risk assessment requirements: Companies must conduct privacy risk assessments for new processing. Enforcement for failures expected.

Other States Waking Up?

States that haven't publicly enforced may start in 2026:

  • Texas: AG Ken Paxton has shown willingness to pursue tech companies. Privacy enforcement could follow.
  • Colorado: Privacy enforcement could accompany AG's broader consumer protection agenda.
  • Connecticut: Data broker registration requirements may trigger enforcement.

New Laws Taking Effect

Three new state privacy laws took effect January 1, 2026:

  • Indiana: 180-day cure period limits immediate enforcement
  • Kentucky: 30-day cure period, standard enforcement model
  • Rhode Island: No cure period—immediate enforcement possible, up to $10,000 per violation

Rhode Island's lack of cure period makes it worth watching for early enforcement.

Penalty Comparison by State

StateMax Fine per ViolationCure PeriodPrivate Right of Action
California$7,988None (since 2023)Yes (data breaches)
Rhode Island$10,000NoneNo
Texas$7,50030 daysNo
Colorado$20,00060 days (expires 2025)No
Virginia$7,50030 daysNo
Connecticut$5,00060 days (expires 2025)No
Maryland$10,000 ($25,000 repeat)60 days (expires Apr 2027)Limited (data breaches)

Note: High maximum fines mean little without enforcement. A $20,000 Colorado fine that's never imposed is worth less than a $2,663 California fine that's actually collected.

What You Can Do

File Complaints

If a company violates your state's privacy rights, file a complaint. AGs won't act without evidence of violations. Your complaint creates the paper trail.

Test Your Rights

Submit access, deletion, and opt-out requests. Document company responses. If they're non-compliant, that's evidence for enforcement.

Push Your AG

Contact your state attorney general's office. Ask about privacy enforcement priorities. Constituent pressure matters.

Use California's Tools

If you're in California: use the DELETE Act platform to opt out of all registered data brokers at once.

The Bottom Line

State privacy laws are only as strong as their enforcement. California leads by a mile—millions in fines, hundreds of investigations, a dedicated agency. Most other states show little visible action.

This matters because companies respond to actual penalties, not theoretical ones. A law with no enforcement is a suggestion. A law with $1.4 million settlements is a mandate.

If you're in California, you have real privacy protections. If you're elsewhere, your protections exist mostly on paper. Push your attorney general to change that.

We'll update this tracker as enforcement actions become public. Check back for updates.

References

  1. CPPA - Data Broker Enforcement Strike Force Announcement (November 2025)
  2. Hunton Andrews Kurth - CPPA Data Broker Enforcement Actions (January 2026)
  3. Privacy World - Tractor Supply Settlement (October 2025)
  4. Usercentrics - CPPA Honda Board Decision Analysis (March 2025)
  5. Jenner & Block - Sling TV Settlement Analysis (October 2025)
  6. California Attorney General - Jam City Settlement (November 2025)
  7. JD Supra - Healthline Settlement Analysis (2025)
  8. Bloomberg Law - California AG Privacy Enforcement Priorities (2026)
  9. IAPP - State Privacy Legislation Tracker
  10. Clym - CCPA Fine Structure 2025-2026