Enforcement tracker

Real cases. Real penalties. Real stores.

Every notable U.S. state privacy law enforcement action with relevance to e-commerce — what they were hit for, what it cost, and what to do on your store to avoid it.

Tracked actions: 8
States enforcing: 5
Largest single penalty: $1.20M
Total monetary penalties: $2.16M

2025-01-13 · TX · TDPSA

Allstate / Arity

AG lawsuit (pending) · Texas · Insurance

Texas AG Ken Paxton sued Allstate and its subsidiary Arity for collecting, using, and selling driving data from over 45 million Americans without consent, alleging violations of the Texas Data Privacy and Security Act and the Texas Insurance Code.

Why this matters for your store
Demonstrates Texas AG's willingness to bring high-profile TDPSA cases. The complaint focuses on opaque data collection through embedded SDKs in third-party apps — analogous to embedded marketing pixels on e-commerce sites.
What to do
Texas requires sensitive-data consent and a clear opt-out for sale and targeted advertising. If your trackers collect precise geolocation, biometric, or health-adjacent data, get explicit consent first.
AG Announcement · TDPSA Guide →

2025-01-09 · CT · CTDPA

TicketNetwork

$85,000
AG settlement · Connecticut · Online ticketing

Connecticut AG announced a settlement with TicketNetwork resolving alleged violations of the Connecticut Data Privacy Act, including failure to provide a clear and conspicuous privacy notice, failure to honor opt-out requests, and failure to honor universal opt-out signals (GPC).

Why this matters for your store
First CTDPA enforcement action against an online retailer. The AG explicitly cited GPC non-compliance — Connecticut requires honoring browser-level signals.
What to do
If you sell to Connecticut consumers, your site must read and honor the Sec-GPC HTTP header. A consent management platform configured for opt-out signals is the cleanest path.
AG Announcement · CTDPA Guide →

2024-11-01 · CO · CPA

Multiple (AG sweep)

AG cure notices · Colorado · E-commerce (general)

Colorado AG sent a wave of cure notices to online retailers and data-driven businesses operating in Colorado, citing failure to honor universal opt-out mechanisms, missing privacy notices, and inadequate sensitive-data consent flows. Cure notices are private but were confirmed by recipient counsel.

Why this matters for your store
Colorado's cure period sunset on January 1, 2025. After that date, the AG can pursue enforcement immediately. The 2024 cure-notice sweep is the warning shot — repeat violators face full penalties.
What to do
Colorado requires GPC honoring as of July 2024. If you received a cure notice in 2024 and did not fully remediate, you are now exposed to immediate enforcement.
AG Announcement · CPA Guide →

2024-09-23 · OR · OCPA (preview)

Clearview AI

AG investigation · Oregon · Data broker

Oregon AG opened investigations within weeks of the Oregon Consumer Privacy Act taking effect July 1, 2024. The DOJ Privacy Unit issued cure notices to multiple data brokers and online retailers for failure to honor consumer rights requests.

Why this matters for your store
Oregon is enforcing aggressively from day one. Cure notices are still available until the 2026 sunset, and the AG has demonstrated a willingness to use them.
What to do
Oregon's response window is 45 days. Stand up a consumer rights intake form on your privacy page and document every request and response.
AG Announcement · OCPA (preview) Guide →

2024-09-12 · CA · CCPA

Tilting Point Media

$500,000
AG settlement · California · Mobile gaming

California AG settled for $500,000 with mobile game maker Tilting Point for collecting and sharing children's personal information without parental consent and failing to configure third-party SDKs to comply with CCPA's opt-out requirements.

Why this matters for your store
The case turned on misconfigured third-party SDKs — the same Meta Pixel, Google Tag Manager, and analytics scripts used on every Shopify store. If your trackers fire before consent or ignore opt-out signals, you are exposed.
What to do
Audit every third-party script on your store. Confirm it (1) does not fire before consent in opt-in jurisdictions, (2) honors Do Not Sell / GPC signals, (3) has a written DPA with you covering CCPA processor obligations.
AG Announcement · CCPA Guide →

2024-06-04 · TX · TDPSA

Multiple online sellers (sweep)

AG enforcement notice · Texas · E-commerce (general)

Texas AG Paxton announced the formation of a dedicated team within the Consumer Protection Division to enforce Texas privacy laws, including TDPSA, Texas SCOPE Act, and the Identity Theft Enforcement and Protection Act. The team explicitly targets businesses that collect, process, or sell consumer data.

Why this matters for your store
Texas has stood up a dedicated enforcement team. With no cure period sunset and a $7,500/violation penalty, this is the highest-risk state for e-commerce stores selling into Texas.
What to do
Treat Texas as a no-grace-period state. Audit privacy notice, opt-out mechanism, and sensitive-data handling now — the AG will not give written warning before bringing an action.
AG Announcement · TDPSA Guide →

2024-02-21 · CA · CCPA

DoorDash

$375,000
AG settlement · California · Food delivery

California AG announced a $375,000 settlement with DoorDash for selling consumer personal information without notice or opt-out, in violation of the CCPA and the California Online Privacy Protection Act (CalOPPA). DoorDash had participated in a marketing co-op that disclosed names, addresses, and order data to third parties.

Why this matters for your store
DoorDash argued the data exchange was not a 'sale' because no money changed hands. The AG rejected that — value was exchanged (consumer data for marketing reach). E-commerce stores doing similar 'data co-op' programs (loyalty exchanges, lookalike-audience swaps) are squarely in scope.
What to do
If you participate in any data co-op, lookalike-audience exchange, or loyalty data swap, you are 'selling' under CCPA — regardless of whether money changes hands. Add a Do Not Sell link and honor GPC.
AG Announcement · CCPA Guide →

2022-08-24 · CA · CCPA

Sephora

$1,200,000
AG settlement · California · Beauty e-commerce

First major CCPA enforcement action. California AG fined Sephora $1.2M for failing to disclose to consumers that it was selling personal information, failing to process opt-out requests via the Global Privacy Control signal, and failing to cure violations within the (then-existing) 30-day cure period.

Why this matters for your store
This is the foundational CCPA case for online retailers. Sephora was using third-party tracking (analytics, ad networks) — the AG declared that any such use is a 'sale' of personal information requiring a Do Not Sell link, opt-out, and GPC honoring.
What to do
If you run third-party trackers (Meta Pixel, Google Analytics, ad pixels) on a California-facing storefront, you are selling personal information under CCPA. You must (1) disclose the sale, (2) provide a Do Not Sell My Personal Information link, (3) honor browser GPC signals.
AG Announcement · CCPA Guide →
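
The Sec-GPC and tracker-gating steps from the TicketNetwork, Tilting Point and Sephora entries above, as an added example (not code from BriefStack or from any AG filing): a server-side check that reads the header and decides which third-party tags may be rendered. The tag inventory, option names and the rule that an opt-out wins over earlier consent are assumptions made for illustration.

```javascript
// Added example. Tag names, options and the consent model are constructed.

// Sec-GPC carries the literal value "1" when the user has enabled Global
// Privacy Control; any other value, or no header, means no signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === '1';
    }
  }
  return false;
}

// Constructed inventory of third-party scripts on a storefront.
// sharesData marks tags whose data flow counts as a sale or targeted advertising.
const TAG_INVENTORY = [
  { id: 'checkout-fraud', purpose: 'essential', sharesData: false },
  { id: 'site-analytics', purpose: 'analytics', sharesData: false },
  { id: 'ad-pixel', purpose: 'advertising', sharesData: true },
  { id: 'lookalike-sync', purpose: 'advertising', sharesData: true },
];

// Decide before rendering which tags may be emitted into the page.
// optInRequired: visitor is in a jurisdiction you treat as opt-in (assumed to
// be resolved elsewhere); consent: purposes granted; storedOptOut: a saved
// Do Not Sell choice. Assumption: an opt-out overrides earlier consent.
function allowedTags(headers, { optInRequired = false, consent = [], storedOptOut = false } = {}) {
  const optedOut = hasGpcSignal(headers) || storedOptOut;
  const allowed = [];
  const blocked = [];
  for (const tag of TAG_INVENTORY) {
    let reason = null;
    if (tag.purpose !== 'essential') {
      if (optedOut && tag.sharesData) reason = 'opt-out (GPC or Do Not Sell)';
      else if (optInRequired && !consent.includes(tag.purpose)) reason = 'no consent yet';
    }
    if (reason) blocked.push({ id: tag.id, reason });
    else allowed.push(tag.id);
  }
  return { optedOut, allowed, blocked };
}

// Constructed request: browser with GPC on, visitor never touched the banner.
const demo = allowedTags({ 'Sec-GPC': '1', 'User-Agent': 'constructed' });
console.log(JSON.stringify(demo, null, 2));
```

Keeping the `blocked` list with its reasons in your logs gives you a per-request record that the signal was honored.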
Source links go to the official state Attorney General announcement. BriefStack is not a law firm and this is not legal advice.