The Year of Reckoning: Navigating the Surge in US Data Privacy Enforcement – A Formiti Data International Briefing
For US and Global Organizations
In 2025, the landscape of US data privacy transitioned definitively from preparation to aggressive enforcement. The era of “wait and see” is over. What was once a fragmented regulatory environment with theoretical penalties has solidified into a complex web of active investigations, substantial fines, and clear signals from state attorneys general and dedicated privacy agencies.
This isn’t just about compliance; it’s about navigating a new operational reality where data governance failures carry significant financial and reputational risks. For both US-based companies and international organizations processing the data of US residents, understanding these recent enforcement actions is paramount. Formiti Data International stands as your essential guide through this evolving challenge.
The Enforcement Avalanche: Key Cases and What They Mean
The following recent actions are not isolated incidents but a clear pattern demonstrating the maturity of US state privacy laws and the readiness of regulators to impose penalties.
1. California (CPRA): Setting the Benchmark for Seven-Figure Fines
The California Privacy Protection Agency (CPPA), tasked with enforcing the California Consumer Privacy Act (CCPA) and its robust amendment, the California Privacy Rights Act (CPRA), has emerged as a formidable regulator. Its 2025 enforcement actions have set a new standard for fines and highlighted critical areas of non-compliance.
Case Study: Healthline Media LLC ($1.55 Million Settlement – July 2025)
The Allegations: Healthline Media was penalized for a series of failures, including:
- Disregarding Universal Opt-Out Signals: Specifically, failing to honor consumer requests to opt-out of data sales and sharing via the Global Privacy Control (GPC) signal.
- Deceptive Cookie Banners: Implementing cookie banners that appeared to offer choices but did not effectively disable tracking technologies, leading to continued data collection without valid consent.
- Insufficient Vendor Contracts: Lacking proper contractual agreements with third-party advertising partners, failing to adequately define their roles and responsibilities under the CPRA.
The Precedent: This settlement was a wake-up call, emphasizing that technical implementation of privacy controls must be robust and functional, not merely performative. It solidified the GPC as a recognized, enforceable consumer right.
Formiti Insight: Organizations must conduct rigorous technical audits of their cookie consent mechanisms and ensure they are genuinely honoring GPC and other opt-out signals. Vendor contracts (Data Processing Agreements/DPAs) must be meticulously crafted to meet CPRA requirements, clearly outlining data use limitations and security obligations.
Case Study: Tractor Supply Company ($1.35 Million Fine – Sept/Oct 2025)
The Allegations: Tractor Supply Company faced a substantial fine for issues surrounding:
- Failure to Notify All Data Subjects: Specifically, failing to inform job applicants of their privacy rights under the CPRA.
- Inadequate Opt-Out Mechanisms: Making it unduly difficult for consumers and applicants to exercise their rights to opt-out of data sales or sharing.
The Precedent: This case expanded the CPRA’s enforcement scope beyond traditional “consumer” data to include employee and job applicant data. It underscored that organizations must ensure privacy rights are accessible and easily actionable for all categories of individuals whose data they process.
Formiti Insight: Your privacy program must encompass your entire data ecosystem, including HR data. Comprehensive Data Subject Request (DSR) portals must be intuitive, widely publicized, and handle all applicable rights for all data subjects.
Continuing Trend: These followed other significant fines earlier in 2025, including American Honda Motor Co. ($632,500) and Todd Snyder, Inc. ($345,178), both for similar issues around confusing opt-out processes and impeding consumer rights.
2. Connecticut (CTDPA): The End of the Grace Period
Connecticut’s enforcement of the Connecticut Data Privacy Act (CTDPA) marked a crucial milestone: the expiration of the mandatory “right to cure” period. As of January 1, 2025, companies are no longer guaranteed a warning period before facing penalties.
Case Study: TicketNetwork, Inc. ($85,000 Fine – July 2025)
The Allegations: TicketNetwork received the first monetary fine under the CTDPA for:
- Unreadable and Incomplete Privacy Policy: Its privacy policy was deemed “largely unreadable,” failed to detail key data rights, and contained “broken or inoperable” links for exercising those rights.
The Precedent: The AG’s office had initially sent a “cure notice” in late 2023. When TicketNetwork failed to rectify the identified issues within the stipulated 60-day period, the monetary penalty followed. This clearly demonstrates that the era of “warning first” is over.
Formiti Insight: Organizations operating under CTDPA (and other state laws with similar cure periods) must understand that proactive compliance is now non-negotiable. Your privacy notices and mechanisms for exercising rights must be clear, accessible, and fully functional. Regular audits of privacy policies and DSR portals are essential.
3. Texas (TDPSA): A Dual Focus on Privacy and National Security
The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, has rapidly become a tool for enforcement, notably with a focus that transcends traditional consumer privacy to include national security concerns, particularly targeting foreign-owned entities.
Key Action: Noncompliance Notices to Chinese-Owned Companies (May 2025)
The Allegations: The Texas Attorney General publicly announced sending noncompliance notices to several Chinese-owned companies. The notices cited failures to comply with the TDPSA’s requirements regarding:
- Data Processing Disclosures: Inadequate transparency about data collection and processing activities.
- Opt-Out and Deletion Rights: Failure to provide consumers with clear and effective mechanisms to opt out of data processing or request data deletion.
The Precedent: This action is particularly significant as the AG explicitly linked the enforcement to “growing federal concerns about foreign access to U.S. personal data.” It showcases a trend where state privacy laws are being leveraged not just for individual consumer rights but also as a mechanism to address broader geopolitical and national security risks.
Formiti Insight: International organizations, especially those with ties to “countries of concern” (as defined by federal rules), must recognize they are under heightened scrutiny. Compliance with state privacy laws is not just about local regulatory adherence; it’s increasingly intertwined with national security and cross-border data transfer regulations. A thorough review of your data flows and corporate structure is critical.
Earlier Enforcement: Allstate/Arity Lawsuit (January 2025)
The AG’s first TDPSA lawsuit was filed against Allstate and its subsidiary Arity, alleging illegal collection and sale of vast amounts of personal data from mobile apps. This signaled early and aggressive enforcement of the TDPSA’s broad prohibitions on unauthorized data collection and sharing.
Why Global Organizations Must Act Now
These enforcement actions underscore several critical realities for international organizations:
- Extraterritorial Reach is Real: Most US state privacy laws (including CPRA, CTDPA, TDPSA, and upcoming laws in Maryland, New Jersey, etc.) apply based on the number of state residents whose data you process, not on physical presence.
- Harmonization is a Myth: The nuances between state laws require a granular approach. A “GDPR-lite” strategy is insufficient; bespoke compliance for each applicable state is often necessary.
- Cross-Border Data Flows are Under Scrutiny: Federal rules (like the DOJ’s “Countries of Concern” rule and PADFAA) layer an entirely new dimension of national security risk onto international data transfers, particularly for organizations connected to specific foreign adversaries.
- Reputation and Trust are at Stake: Beyond fines, enforcement actions lead to negative press, eroded consumer trust, and potential class-action lawsuits.
Your Questions Answered: FAQs on US Privacy Enforcement
Here are common questions we receive from organizations grappling with this new enforcement landscape:
Q1: Our company is based outside the US. Do these state laws really apply to us?
A1: Absolutely. If you process the personal data of a sufficient number of residents from California, Connecticut, Texas, or other states with active privacy laws (typically 100,000 residents, or fewer if you derive significant revenue from data sales), these laws likely apply, regardless of where your company is headquartered.
Q2: What’s the biggest mistake companies are making in 2025?
A2: Assuming that a basic “privacy policy” and a simple “cookie banner” are enough. Regulators are now looking for functional, enforceable mechanisms for consumer rights, robust data mapping, appropriate vendor contracts, and a clear understanding of data flows. Ignoring universal opt-out signals (like GPC) is also a major pitfall.
Q3: We have a robust GDPR program. Is that sufficient for US compliance?
A3: While GDPR provides an excellent foundation, it is not sufficient on its own for US state privacy laws. There are significant differences in definitions (e.g., “sale,” “sharing,” “sensitive data”), enforcement mechanisms, and specific rights. A tailored US privacy program is essential.
Q4: How do the new federal restrictions on data transfers (e.g., to China) interact with state privacy laws?
A4: They create a new layer of complexity. Federal rules (like the DOJ’s “Countries of Concern” rule) prohibit or restrict data transfers based on national security. State laws focus on individual privacy rights. Organizations must comply with both. This means not only protecting individual data rights but also ensuring your data doesn’t flow to prohibited foreign entities, even if the individual has “consented.”
Q5: What’s the immediate priority for an organization that’s concerned about these enforcements?
A5:
- Data Mapping: Understand exactly what personal data you collect, where it comes from, where it goes, and who has access to it.
- Privacy Policy & Notices Review: Ensure they are clear, comprehensive, easily accessible, and reflect all applicable state laws.
- DSR Mechanism Audit: Verify that your systems for handling consumer requests (access, deletion, opt-out) are fully functional, responsive, and easy to use.
- Vendor Contract Review: Update all vendor agreements to reflect the specific requirements of the state laws you’re subject to.
- GPC/UOM Compliance: Implement and test mechanisms to honor universal opt-out signals.
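The GPC audit recommended in the Healthline insight above and the "implement and test" priority in this list come down to one enforceable decision per request. The following is an added example, not Formiti's or any client's code: it treats a `Sec-GPC: 1` request header (the value the GPC specification defines) as an opt-out of sale/sharing that overrides banner consent, and a second function flags any tracking tag that still ran despite that decision, which is the failure the Healthline case turned on. The consent-cookie format, the category names and the `allowed`/`findLeaks` helpers are assumptions of this example.

```javascript
// Added example (not the briefing's code). Assumes an Express-style
// `headers` object with lowercased keys and a hypothetical consent cookie
// of the form "ads=1;analytics=0;essential=1".

// Hypothetical tag categories this site treats as "sale or sharing" under CPRA.
const SALE_SHARE_CATEGORIES = new Set(["ads", "analytics"]);

function parseConsentCookie(value) {
  const consent = {};
  if (!value) return consent;
  for (const part of value.split(";")) {
    const [key, flag] = part.trim().split("=");
    if (key) consent[key] = flag === "1";
  }
  return consent;
}

// Decide which categories may load for this request.
// GPC is an enforceable opt-out of sale/sharing, so it wins over a
// banner "accept" for those categories; unrelated categories are untouched.
function resolveConsent(headers, consentCookie) {
  const gpc = (headers["sec-gpc"] || "").trim() === "1"; // spec value is exactly "1"
  const consent = parseConsentCookie(consentCookie);
  const allowed = {};
  for (const category of Object.keys(consent)) {
    allowed[category] = consent[category] && !(gpc && SALE_SHARE_CATEGORIES.has(category));
  }
  return { gpc, allowed };
}

// Audit helper: compare the decision with the tags actually observed firing
// (e.g. from a headless-browser run) and return anything that should have
// been blocked. Unknown categories are treated as not allowed (default deny).
function findLeaks(decision, observedTags) {
  return observedTags.filter((tag) => !decision.allowed[tag.category]);
}

module.exports = { parseConsentCookie, resolveConsent, findLeaks };
```

Run `findLeaks` against tag observations captured both with and without the `Sec-GPC` header; an empty result in both runs is the evidence an auditor will ask for.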
Formiti Data International: Your Trusted Partner in Data Privacy
The intensity of data privacy enforcement in the US is undeniable. The financial penalties are significant, the regulatory scrutiny is increasing, and the complexity for global organizations is unprecedented.
Formiti Data International provides the expert guidance, strategic insights, and practical solutions needed to navigate this challenging landscape. Our team of global privacy specialists helps organizations:
- Conduct comprehensive US state privacy assessments.
- Develop tailored compliance programs (CPRA, CTDPA, TDPSA, MODPA, etc.).
- Implement robust data mapping and governance frameworks.
- Audit and optimize consent and DSR mechanisms.
- Advise on complex cross-border data transfer challenges and national security implications.
- Provide ongoing monitoring and regulatory updates.
Don’t wait for a non-compliance notice or a seven-figure fine. Partner with Formiti Data International to ensure your organization is not just compliant, but strategically positioned for future data privacy challenges.
Contact Formiti Data International today for a confidential consultation.