The cost of non-compliance
State privacy law enforcement is no longer theoretical. In 2025, Texas secured a settlement exceeding $1 billion. California's Privacy Protection Agency has launched dozens of investigations. Multiple states are actively pursuing enforcement actions against businesses of all sizes.
Here's exactly what you face in each state — and what it looks like when things go wrong.
Penalties by state
Highest per-violation penalties
Florida — $50,000 per violation
The highest per-violation penalty, though the law's narrow scope (requires $1B+ revenue) limits who's affected.
Connecticut — $25,000 per violation
Treated as an unfair trade practice. The cure period expired December 2024, so the AG can pursue violations immediately.
Colorado — $20,000 per violation
Enforced under the Colorado Consumer Protection Act. Cure period expired January 2025.
Delaware — $10,000 per violation
Higher than most states. Cure period expired December 2025.
Standard penalty: $7,500 per violation
The majority of states set their maximum at $7,500 per violation:
- Virginia, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Nebraska, Kentucky
At $7,500 per violation, the math escalates quickly. If you have 10,000 affected consumers and each constitutes a separate violation, that's $75 million in potential penalties.
California's unique structure
- Intentional violations: $7,988 each
- Unintentional violations: $2,663 each
- DELETE Act violations: $200/day compounding fines
- The CPPA can investigate conduct going back to January 1, 2020
States with unspecified penalties
New Jersey, New Hampshire, Minnesota, Maryland, and Rhode Island enforce privacy violations under their consumer protection statutes, which may carry different penalty structures. The exact amount can vary based on the nature and scope of the violation.
Who enforces: AGs vs. dedicated agencies
Dedicated privacy agency:
- California (CPPA) — the only state with a standalone privacy enforcement body, in addition to AG enforcement
Attorney General enforcement (all other states):
Every other state relies on the Attorney General's office for enforcement. The AG's resources, priorities, and political motivations all affect enforcement intensity.
Most active enforcement:
- Texas AG — largest settlement to date ($1B+), actively investigating
- California CPPA + AG — dedicated resources, dozens of active investigations
- Oregon AG — enforcement ramping up since cure period expired January 2026
- Colorado AG — active enforcement since cure period expired January 2025
Real enforcement examples
Texas: $1 billion+ settlement (2025)
The Texas Attorney General secured the largest state privacy enforcement action in history, with a settlement exceeding $1 billion against a major technology company. The case involved unauthorized collection and use of biometric data and other privacy violations under the TDPSA and related statutes.
California: CPPA enforcement wave
The California Privacy Protection Agency has pursued enforcement actions against companies of various sizes, including:
- Enforcement against companies failing to honor opt-out requests
- Investigations into data brokers not complying with registration requirements
- Actions against businesses with deficient privacy notices
- Enforcement related to the new DELETE Act DROP platform requirements
Oregon: post-cure enforcement
With Oregon's 30-day cure period expiring January 1, 2026, the Oregon AG's office signaled it would begin active enforcement against businesses that failed to come into compliance during the cure period.
Private right of action
Most state privacy laws do not include a private right of action — only the AG can enforce. However:
- California allows a limited private right of action for data breaches involving unencrypted personal information (not for general privacy violations)
- Class action lawsuits under other legal theories (negligence, breach of contract) can still arise from privacy violations
The absence of a private right of action in most states is a significant protection for businesses, but it shouldn't create a false sense of security. AG enforcement alone can be devastating.
The math that matters
Consider a mid-size e-commerce business with 50,000 customers across multiple states:
- One violation per affected customer in a state with a $7,500 penalty and 10,000 customers in that state = $75 million in potential penalties
- Even a small enforcement action affecting 100 customers at $7,500 each = $750,000
For context: a BriefStack subscription costs $30/month ($360/year). A single $7,500 violation pays for over 20 years of BriefStack monitoring.
How to minimize enforcement risk
Prioritize no-cure states. California, New Jersey, Maryland, and Rhode Island can enforce immediately. These should be your first compliance targets.
Honor opt-out requests. Failure to honor consumer opt-out requests is one of the most common enforcement triggers.
Keep your privacy policy current. An inaccurate or incomplete privacy policy is low-hanging fruit for enforcement.
Document your compliance efforts. Good-faith compliance efforts can influence enforcement outcomes and penalty amounts.
Respond to consumer requests on time. Missing the 45-day response window is a clear, easily documented violation.
Implement universal opt-out. Required by 10 states and one of the most commonly investigated compliance areas.
Monitor enforcement trends. Understanding what AGs are targeting helps you prioritize your compliance efforts.
Stay on top of changes like these — BriefStack monitors all 20 state privacy laws and delivers what matters to your inbox daily.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.