:

US STATES HANDED OUT $3.45B IN PRIVACY FINES IN 2025

SECURITY DESK2 MIN READ
TUE, APR 28, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

US states issued $3.45 billion in privacy-related fines to companies in 2025—exceeding the total from the previous five years combined. The surge reflects enforcement of new state privacy laws and increased scrutiny of AI and automation practices.

Privacy enforcement in the United States reached a record high in 2025, with state regulators imposing $3.45 billion in fines on companies, according to Gartner data cited by CyberScoop. The figure dwarfs cumulative penalties from 2020 through 2024, signaling a dramatic shift in how aggressively states are policing data practices. The surge stems from several converging factors: Stronger State Laws Powerful privacy statutes in California and other states have given regulators the legal teeth to pursue meaningful penalties. These laws establish clearer standards for data handling and provide enforcement mechanisms with substantial financial consequences. Interstate Coordination New partnerships between state attorneys general have amplified enforcement efforts. Coordinated actions allow states to pool resources and target companies operating across multiple jurisdictions simultaneously, increasing pressure on national players. AI and Automation Focus Regulators have sharpened their focus on privacy impacts tied to artificial intelligence and automated decision-making. As companies deploy AI systems more widely, states are scrutinizing how these technologies handle consumer data and make decisions affecting individuals. Market Context The 2025 numbers reflect a maturation of the privacy enforcement landscape. After years of fragmented state regulations and relatively modest penalties, the US is moving toward a more stringent enforcement regime comparable to Europe's General Data Protection Regulation. Companies now face mounting financial exposure across state lines. The $3.45 billion in fines represents not just penalties but also a clear signal that privacy violations carry material business risk. Organizations lacking robust data governance and AI oversight programs face particular vulnerability to enforcement actions. The trend underscores a broader regulatory shift: privacy is no longer treated as a compliance afterthought but as a core business risk requiring executive-level attention and investment.

■ SOURCES

Techmeme

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.

5H AGOIndustry Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.

5H AGOSecurity Desk

Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.

8H AGOAI Desk

A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.

10H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.