What data privacy laws or enforcement actions are in the news?

TL;DR: State privacy enforcement is intensifying across the U.S., with California leading through the California Privacy Protection Agency (CPPA) issuing record fines including $2.75 million against Disney and $1.1 million against PlayOn Sports. Oklahoma became the 21st state to enact comprehensive privacy legislation in March 2026, while federal agencies like the FTC continue targeting AI-related privacy violations and children's data protection under COPPA.

Key Takeaways

• California issued its largest-ever CCPA fine of $2.75 million against Disney in January 2026 for making it difficult for consumers to opt out of data sharing across all devices and services [16] • Oklahoma Governor Stitt signed comprehensive consumer privacy legislation (Senate Bill 546) on March 20, 2026, making Oklahoma the 21st state with such laws, effective January 1, 2027 [11] • The California Privacy Protection Agency (CPPA) fined PlayOn Sports $1.1 million in March 2026 for privacy violations involving student data and targeted advertising practices [19] • State attorneys general are increasingly collaborating on privacy enforcement, with bipartisan coalitions investigating AI chatbots and data broker violations [2] • The FTC announced its first privacy enforcement actions under the second Trump administration in September 2025, focusing on COPPA violations by Disney, Apitor, and Iconic Hearts Holdings [9]

What major state privacy enforcement actions occurred recently?

California continues to lead state privacy enforcement through aggressive action by both the Attorney General and the California Privacy Protection Agency (CPPA). The state's $2.75 million settlement with Disney represents the largest fine ever levied under the California Consumer Privacy Act (CCPA) [16]. The investigation found that Disney's opt-out processes contained "key gaps that allowed Disney to continue to sell and share consumers' data," with different opt-out methods only applying to specific devices or services rather than comprehensive account-wide protection [16].

The CPPA also imposed a $1.1 million fine against PlayOn Sports, a youth sports media company operating the GoFan digital ticketing platform, marking the first CCPA enforcement action specifically addressing privacy violations involving students and schools [19]. This enforcement action emphasized that companies cannot solely rely on industry-approved opt-out tools and must provide their own opt-out mechanisms for targeted advertising activities [19].

Connecticut achieved another milestone with its first monetary penalty under the Connecticut Data Privacy Act (CTDPA), fining TicketNetwork, Inc. $85,000 on July 8, 2025, for failing to address privacy notice deficiencies during the permitted cure period [6].

How are states collaborating on privacy enforcement?

State attorneys general are increasingly working together through bipartisan coalitions to investigate privacy violations. A consortium of states including Indiana, California, Delaware, and Connecticut warned companies during a Tuesday panel at the IAPP industry conference that they've been "very busy" with investigations and non-public enforcement activity [2].

In August 2025, a bipartisan coalition of state attorneys general issued a joint warning to leading AI developers, emphasizing accountability for harms stemming from AI systems' access to and use of consumer data, particularly affecting children [15]. Minnesota and New Hampshire joined this bipartisan consortium in October 2025, demonstrating the growing nationwide privacy collaboration [5].

The California Privacy Protection Agency announced a joint investigative privacy sweep in September 2025, indicating coordinated enforcement efforts across multiple jurisdictions [5].

What new privacy legislation passed in 2025-2026?

Oklahoma became the 21st state to enact comprehensive consumer privacy legislation when Governor Stitt signed Senate Bill 546 into law on March 20, 2026 [11]. The Oklahoma Data Privacy Act applies to businesses that either process personal data of at least 100,000 Oklahoma consumers annually or process data of at least 25,000 consumers while earning over 50% of revenue from selling personal data [11]. The law becomes effective January 1, 2027, and includes familiar consumer rights such as data access, correction, deletion, portability, and opt-out rights [12].

However, 2025 marked the first year since 2020 without any new state comprehensive privacy laws being enacted, though nine states amended their existing privacy laws [7]. Bills in Alabama, Oklahoma (initially), and Georgia all failed at final legislative steps, suggesting either shifting priorities or more complex legislative challenges [7].

Massachusetts is making a late push with S2619, which passed the Senate 40-0 on September 25, 2025, featuring Maryland-style strict data minimization requirements [7]. Pennsylvania's HB 78 passed the House on October 1, 2025, though a similar bill stalled in the Senate the previous year [7].

What federal privacy enforcement trends are emerging?

The Federal Trade Commission announced its first privacy enforcement actions of the second Trump administration in September 2025, focusing heavily on Children's Online Privacy Protection Act (COPPA) violations [9]. Three cases targeted Disney, robot toy maker Apitor Technology Co., and the operators of the Sendit app for alleged COPPA violations [9].

The FTC's Disney case involved allegations that the company designated child-directed videos on YouTube channels marked as "Not Made for Kids," enabling targeted advertising and collection of children's personal information without required parental consent [9]. Disney agreed to pay $10 million and implement an "Audience Designation Program" for 10 years [9].

Federal agencies are also intensifying scrutiny of AI-related privacy practices. The FTC launched "Operation AI Comply" to curb false or misleading representations about AI capabilities, while state attorneys general focus particularly on AI chatbots and their potential risks to children [15].

How are data brokers being targeted for enforcement?

Data broker enforcement has become a priority focus area, with California leading through both registration requirements and direct enforcement actions. The California Privacy Protection Agency's Enforcement Division announced an "investigative sweep" of compliance with the Delete Act, which requires data brokers to register and pay annual fees [18].

The CPPA brought enforcement actions against six data brokers, with most settling for modest amounts like Jerico Pictures, Inc. (National Public Data) for $46,000 [18]. More significantly, in February 2025, the CPPA announced a stringent settlement with Background Alert, Inc., requiring the California-based data broker to shut down operations through 2028 or face a $50,000 fine [18].

The CPPA issued an enforcement advisory in December 2025 highlighting data broker registration requirements and launched a "Data Broker Enforcement Strike Force" in November 2025 [5]. The agency also fined a marketing firm in December 2025 for selling custom audiences without proper data broker registration [5].

Why This Matters

The intensification of state privacy enforcement represents a fundamental shift in U.S. data protection landscape, with states filling the vacuum left by the absence of comprehensive federal privacy legislation. California's record-breaking fines against major companies like Disney signal that privacy violations carry real financial consequences, while the emergence of interstate cooperation suggests coordinated enforcement strategies that could create de facto national standards.

The focus on vulnerable populations, particularly children and students, reflects growing regulatory concern about data practices affecting minors. The CPPA's enforcement action against PlayOn Sports specifically emphasized that "students constitute a uniquely vulnerable population whose personal information warrants heightened protection" [19].

For businesses, these developments indicate that privacy compliance can no longer be treated as a secondary concern. With 21 states now having comprehensive privacy laws and enforcement agencies actively collaborating across jurisdictions, companies face a complex patchwork of requirements that demand sophisticated compliance programs and proactive privacy-by-design approaches.

FAQ

Q: Which states have the most active privacy enforcement programs? A: California leads with both the Attorney General and CPPA actively pursuing enforcement, followed by Connecticut with its first CTDPA monetary penalty. Texas, Indiana, Delaware, and other states are increasingly active through collaborative enforcement efforts and individual investigations [2][6].

Q: What are the most common violations leading to enforcement actions? A: Common violations include failure to honor opt-out requests (especially Global Privacy Control signals), inadequate cookie banner implementations, excessive data collection for privacy requests, and improper verification procedures. Data broker registration failures are also increasingly targeted [16][5].

Q: How much are privacy violation fines typically? A: Fines vary significantly by state and violation severity. California's largest CCPA fine was $2.75 million against Disney, while Connecticut's first CTDPA penalty was $85,000. Data broker violations typically result in smaller fines ranging from $46,000 to $50,000 [16][6][18].

Q: Are there federal privacy enforcement trends to watch? A: The FTC continues focusing on COPPA violations and AI-related deceptive practices through initiatives like "Operation AI Comply." Federal enforcement particularly targets children's privacy violations and unsubstantiated AI marketing claims [9][15].

Q: What should businesses do to prepare for privacy enforcement? A: Companies should implement comprehensive opt-out mechanisms that work across all devices and services, ensure proper data broker registration where applicable, review AI-related marketing claims for accuracy, and establish robust privacy programs with regular compliance assessments [16][19].

Sources

[1] https://www.reuters.com/legal/data-privacy/ [2] https://news.bloomberglaw.com/privacy-and-data-security/states-hint-at-growing-privacy-fines-imminent-ai-enforcement [3] https://www.dlapiperdataprotection.com/?c=US [4] https://libguides.law.villanova.edu/privacy_task_force/news [5] https://cppa.ca.gov/announcements/ [6] https://www.quarles.com/newsroom/publications/state-privacy-enforcement-heats-up-key-actions-and-compliance-trends-every-business-needs-to-know [7] https://iapp.org/news/a/retrospective-2025-in-state-data-privacy-law [8] https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement [9] https://perkinscoie.com/insights/blog/lessons-ftcs-first-privacy-enforcement-actions-during-trump-20 [10] https://www.corporatecomplianceinsights.com/data-privacy-news/ [11] https://www.jdsupra.com/legalnews/signed-sealed-and-soon-to-be-delivered-7482625/ [12] https://www.jdsupra.com/legalnews/oklahoma-enacts-consumer-data-privacy-4237761/ [13] https://www.techtarget.com/healthtechsecurity/news/366640780/Data-privacy-enforcement-actions-shift-focus-to-business-associates [14] https://iapp.org/news/a/retrospective-2025-in-state-data-privacy-law [15] https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20260202-year-in-review-2025-artificial-intelligence-privacy-litigation-trends [16] https://therecord.media/california-fines-disney-data-privacy [17] https://www.hipaajournal.com/healthcare-data-breach-statistics/ [18] https://www.reuters.com/legal/legalindustry/year-review-regulatory-enforcement-state-consumer-privacy-laws-2025--pracin-2025-11-25/ [19] https://www.jdsupra.com/legalnews/youth-sports-media-company-to-pay-1-10-1840694/ [20] https://www.hipaajournal.com/hipaa-violation-cases/