Privacy fines in the U.S.

  • Writer: Katarzyna Celińska
  • 5 hours ago
  • 2 min read

The privacy enforcement landscape in the United States is changing very quickly, and privacy violations are becoming materially more expensive.

According to Gartner, U.S. states issued an estimated $3.425 billion in privacy-related fines in 2025. What is even more important: Gartner states that more privacy fines were levied in the U.S. in 2025 than in the previous five years combined, and expects this trend to accelerate through 2028.

This is a major signal for boards, privacy teams, security leaders, legal teams, risk managers, and compliance officers.

For many years, large privacy fines were mostly associated with GDPR enforcement in the EU or UK GDPR enforcement in the UK. Today, this is clearly no longer only a European topic. We are seeing a broader, global regulatory shift: privacy is becoming an area where regulators are increasingly willing to move from awareness-building to real enforcement.

Gartner highlights several important factors.

  • U.S. state privacy laws have been in place long enough for regulators to start moving toward enforcement.

  • AI adoption is making privacy risk more complex. Personal data is becoming central not only to model training, but also to inference, profiling, automation, personalization, and decision support.

  • The U.S. privacy landscape is becoming broader. Gartner states that 22 U.S. states have passed consumer privacy legislation, covering more than 50% of the U.S. population, while another 24 states have proposed privacy legislation expected to progress over the next five years.

For organizations operating in the U.S., or processing data connected to U.S. residents, privacy has to be treated as high risk.

Many fines and violations are connected with weaknesses in privacy UX: data subject rights, consent, and privacy notices.

From my perspective, privacy enforcement also means one more thing: companies need to treat security requirements linked to privacy much more seriously.

Privacy obligations often depend on security controls: access management, logging, encryption, retention, deletion, vendor governance, incident response, secure development, data inventory, monitoring, and evidence of control effectiveness.

You cannot have real privacy compliance without operational and technical security.

ITGRC ADVISORY LTD. 