US Privacy 2026: State Laws, FTC Actions, and Class Action Risk

UniConsent


There is no US federal privacy law. There are twenty state laws, a Federal Trade Commission that treats broken privacy promises as "unfair or deceptive" trade practices, sector-specific statutes covering health, finance, education, and children's data, and — perhaps most consequentially — a California wiretap statute from 1967 that plaintiffs' lawyers have turned into a $5,000-per-violation weapon against modern website tracking.

Read the headline numbers and US privacy enforcement looks like one of the most expensive regulatory regimes in the world: Meta's $5 billion FTC settlement, Equifax's $700 million, the billion-dollar-plus penalty Texas extracted under its state law. Read the daily numbers — a $375,000 settlement here, a $1.35 million state-agency fine there, another batch of class action demand letters landing at companies that have never once heard from a regulator — and a different picture appears. The real financial exposure is bottom-up: the cumulative weight of class actions, state agencies acting in concert, and fifty attorneys general who are increasingly coordinating on enforcement priorities.

We built this guide because we kept seeing the same question from UniConsent customers: where are the actual fines coming from, and what triggers them? The answer turned out to be more specific — and more operational — than most coverage suggests.


US Privacy Fines: The Numbers That Matter in 2026

  • $5 billion — largest single US privacy penalty ever (Meta, FTC, 2019)
  • ~$1.4 billion — estimated total US privacy fines and settlements in 2025
  • 20 states now have comprehensive consumer privacy laws, up from 5 in 2023
  • 3 enforcement tracks operate independently: federal regulators, state attorneys general / CPPA, and private class actions
  • 4,000+ wiretap-based class action lawsuits filed against website operators since 2022
  • 11 states require websites to honour the Global Privacy Control (GPC) browser signal
  • $2.75 million — largest California Consumer Privacy Act fine on record (Disney, February 2026)
  • $1.35 million — largest California Privacy Protection Agency fine to date (Tractor Supply, September 2025)
  • $5,000 per violation — statutory damages under California's CIPA wiretap law, no proof of harm required

Three Enforcement Tracks, Not One

[Figure: The Three US Privacy Enforcement Tracks]

Most people talk about "US privacy enforcement" as if it is a single system. It is not. Three parallel tracks operate under different statutes, target different conduct, and produce wildly different financial outcomes. Understanding the distinction is the starting point for managing the risk.

Track 1 — Federal regulators. The FTC is the closest thing the US has to a general privacy regulator. It does not enforce a federal privacy law (none exists) but uses Section 5 of the FTC Act to go after "unfair or deceptive" practices — a framing that has covered broken privacy promises, bad data security, and dark patterns for over two decades. The Department of Health and Human Services handles HIPAA, the CFPB handles financial privacy, the FCC covers telecoms, and the FTC itself also enforces COPPA (children's data) and CAN-SPAM (email). Federal penalties are large, infrequent, and almost always follow a major breach or systemic deception.

Track 2 — State enforcement. Twenty states now have comprehensive privacy laws. California leads with a dedicated regulator (the CPPA) and no cure period. The remaining nineteen broadly follow the Virginia model, empowering the state attorney general to investigate and impose civil penalties. Individual state fines tend to be smaller — hundreds of thousands to low millions — but they arrive more frequently, and multi-state coordination is accelerating.

Track 3 — Class actions. This is the track most businesses underestimate. Older statutes — California's Invasion of Privacy Act (1967), the Illinois Biometric Information Privacy Act, the federal Video Privacy Protection Act (1988) — provide private rights of action with statutory damages and no requirement to prove actual harm. Plaintiffs sue over technologies those laws never anticipated: tracking pixels, session replay, chatbots, smart-TV content recognition. Individual settlements run from $50,000 to $85 million, but the aggregate volume — thousands of suits and tens of thousands of demand letters since 2022 — now drives more compliance spending than state enforcement does at most companies we talk to.

The practical result: a retailer can have an immaculate California privacy notice and still get a CIPA demand letter the same week. A SaaS company can satisfy every FTC data-security expectation and still face a state AG action over a broken opt-out link. Compliance in the US is not a single audit — it is a layered defence across all three tracks. A properly configured consent management platform is one of the few pieces of infrastructure that addresses all three simultaneously.


The 10 Biggest US Privacy Fines and Settlements

[Figure: The 10 Biggest US Privacy Fines]

The largest penalties cluster around three categories: massive FTC consent-order fines for systemic deception, multi-state attorney general settlements, and class actions at the high end of the statutory damages range.

#  | Entity                       | Amount         | Year | Forum                      | What happened
---|------------------------------|----------------|------|----------------------------|----------------------------------------------------------------
1  | Meta (Facebook)              | $5.0 billion   | 2019 | FTC                        | Cambridge Analytica scandal + violation of 2012 consent decree
2  | Meta (Facebook)              | $725 million   | 2023 | Class action               | Cambridge Analytica civil settlement
3  | Equifax                      | $700 million   | 2019 | FTC + CFPB + 50 state AGs  | 2017 breach exposing 147 million consumers
4  | Epic Games (Fortnite)        | $520 million   | 2022 | FTC                        | COPPA violations + dark-pattern in-app purchases
5  | T-Mobile                     | $500 million   | 2022 | Class action               | 2021 breach exposing 76 million consumers
6  | Google                       | $391.5 million | 2022 | 40 state AGs               | Location tracking persisted with location services off
7  | Meta (Facebook)              | $100 million   | 2019 | SEC                        | Misleading investor disclosures about Cambridge Analytica risk
8  | Zoom                         | $85 million    | 2021 | Class action               | Privacy and security misrepresentations during pandemic
9  | Cognosphere (Genshin Impact) | $20 million    | 2025 | FTC                        | COPPA + collecting data from players under 16
10 | Disney                       | $10 million    | 2025 | FTC                        | COPPA: YouTube videos not tagged "Made for Kids"

Not included: the $1 billion-plus settlement the Texas attorney general finalised in 2025 against a major technology company under the Texas Data Privacy and Security Act. The public terms remain limited and sources characterise the matter differently.

A few things jump out of this list.

Federal fines are enormous but rare. Five of the top ten are FTC actions. Meta's $5 billion penalty was triggered not by the Cambridge Analytica incident alone, but by the fact that the company was already under a 2012 consent decree — and violated it. That pattern (breach of a prior order multiplying the penalty) repeats across FTC enforcement.

State AGs produce the second-largest category when they coordinate. Google's $391.5 million location-tracking settlement involved forty state attorneys general acting as a bloc. Equifax's $700 million combined FTC, CFPB, and all-fifty-states resources. In 2025, Connecticut, California, and New York jointly settled a $5.1 million ed-tech case against Illuminate Education. Expect more of this.

Class actions can match or exceed regulator penalties. Facebook's $725 million Cambridge Analytica class action is larger than every state enforcement action on record. T-Mobile's $500 million breach settlement is comparable. Class actions are the only enforcement mechanism that scales with the number of affected consumers without requiring a regulator to act first.

Children's data is the FTC's current focus. Five of the largest 2024–2026 federal actions invoke COPPA: Epic Games, Microsoft Xbox, Cognosphere, Apitor, and Disney. This priority is not going away — Connecticut, Maryland, Oregon, and Nebraska all enacted minor-specific provisions effective in 2025–2026.


The 20-State Patchwork

[Figure: US State Privacy Laws Map 2026]

As of May 2026, twenty states have comprehensive consumer privacy laws on the books: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. Indiana, Kentucky, and Rhode Island joined on January 1, 2026. Connecticut and Oregon added Global Privacy Control recognition requirements on the same date. (Washington's My Health My Data Act covers consumer health data specifically and is not always counted in the comprehensive total.)

The twenty laws share more than they differ. All grant residents some combination of the rights to access, delete, correct, port, and opt out of data sales or targeted advertising. All require privacy notices disclosing what is collected and why. Most define "sensitive data" to include health, biometric, geolocation, and children's information, with either opt-in consent or a documented opt-out required to process it.

The differences, though, are where compliance gets expensive.

California stands alone. It is the only state with a dedicated privacy regulator (the CPPA), the only one with a private right of action (limited to certain breach scenarios), and the only one with no cure period — a violation triggers enforcement immediately, with no notice-and-fix window. California also covers employee and B2B contact data, which almost every other state exempts.

Texas catches everyone. Most state laws kick in at revenue or data-volume thresholds — typically 100,000 residents or $25 million in data-related revenue. The Texas Data Privacy and Security Act has no such threshold. It applies to any business "conducting business in Texas or producing products or services consumed by Texas residents," with exemptions only for federal SBA-qualifying small businesses. The Texas AG has been the most aggressive non-California state enforcer.

Maryland is the strictest on data minimisation. The Maryland Online Data Privacy Act, effective for newly collected data from April 2026, prohibits collection beyond what is "reasonably necessary" for the product or service, bans selling sensitive data outright, and bans targeting anyone under 18. Privacy lawyers have called it the closest US analogue to GDPR's purpose-limitation principle.

Eleven states now require GPC recognition. California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, and Texas all require websites to treat the Global Privacy Control browser signal as a binding opt-out. Firefox and Brave send GPC by default. If your site is not detecting and honouring those signals, you already have a compliance gap, and failure to honour GPC has become the single most common trigger for state enforcement actions in 2025–2026. UniConsent detects GPC signals automatically and applies opt-out preferences across all consent categories without additional configuration.

Enforcement is concentrated — for now. Public enforcement actions in 2024–2026 have come primarily from California (AG and CPPA), Texas (AG), and Connecticut (AG). Colorado, Maryland, Minnesota, New Jersey, and Oregon are expected to bring their first public cases through 2026.


Fines by Enforcement Body

Ranking US privacy fines by enforcement body — the way GDPR fines are ranked by country — exposes the asymmetry: federal penalties are bigger per case, state actions are more numerous, and class actions outweigh both in cumulative volume.

Federal Trade Commission. Roughly $7 billion in privacy and security penalties since 2018, driven by the Meta ($5 billion) and Equifax ($700 million) settlements. Recent actions have targeted COPPA violations (Epic Games, Cognosphere, Apitor, Disney), data security failures (GoDaddy, Drizly, Illuminate Education), health data sharing with ad platforms (BetterHelp at $7.8 million, Cerebral), and broken privacy promises (Match Group). The FTC also settled with Amazon Ring for $5.8 million over employee access to customer video feeds.

California Attorney General. The largest CCPA fines have come from this office. Disney's $2.75 million settlement in February 2026 is the current record, overtaking Healthline Media's $1.55 million from July 2025. Earlier actions include Sephora ($1.2 million, 2022) and DoorDash ($375,000, 2024). The AG also brought a $1.4 million action against Jam City in November 2025 for sharing data of 13-to-16-year-olds without affirmative consent, and joined Connecticut and New York in the $5.1 million Illuminate Education ed-tech settlement.

California Privacy Protection Agency. The CPPA began issuing public enforcement decisions in 2024. Its largest fine is the $1.35 million Tractor Supply settlement in September 2025 — a case that turned on failure to honour opt-out requests submitted through a webform, failure to honour GPC signals, and a consumer privacy notice that provided no information about CCPA rights. Other actions: American Honda ($632,500, 2025), Todd Snyder ($345,000, 2025), PlayOn Sports ($1.1 million, March 2026), and Ford Motor Company.

Texas Attorney General. The largest single state-law settlement on record: over $1 billion, finalised in 2025 against a major technology company. The Texas AG also sued Allstate, alleging a software development kit embedded in third-party apps collected and sold driving and location data from over 45 million Americans without disclosure. A separate matter targeted a smart-TV manufacturer over automatic content recognition — the first US state ACR enforcement since the FTC's 2017 Vizio case.

Connecticut Attorney General. First CTDPA enforcement action in 2025: an $85,000 settlement with TicketNetwork over a privacy notice the AG called "largely unreadable," missing required disclosures, and connected to opt-out mechanisms that did not work. Connecticut matters because the AG has committed publicly to coordinating with California and other states — a leading indicator for how the Virginia-model laws will be enforced.

HHS (HIPAA). A separate regime targeting covered entities and business associates. The largest HIPAA settlement remains Anthem's $16 million in 2018 for the 78.8-million-person breach. Functionally different from the consumer privacy track but worth noting for any business handling protected health information.


CIPA: A 1967 Wiretap Law Reshaping Website Compliance

[Figure: The CIPA Litigation Surge]

The fastest-growing source of US privacy financial exposure right now is not a regulator. It is the wave of class action lawsuits under California's Invasion of Privacy Act and parallel state wiretap statutes.

CIPA was written in 1967 to address telephone wiretapping. It provides $5,000 in statutory damages per violation — available to anyone who alleges interception of a communication, with no requirement to prove actual harm. After the Ninth Circuit's 2022 ruling in Javier v. Assurance IQ that session replay technology could constitute "interception," the plaintiffs' bar moved fast. By our count, roughly 4,000 wiretap-based class actions have been filed against website operators since 2022, with an estimated 50,000 to 100,000 demand letters issued alongside them.

The targets are not exotic. They are standard website technologies:

  • Tracking pixels from Meta, LinkedIn, TikTok, and Microsoft that fire before any consent interaction
  • Session replay tools recording on-page behaviour and transmitting it to third-party servers
  • Chatbot widgets storing conversations and sharing transcripts with vendors
  • Google Analytics in default configurations that transmit user identifiers
  • Pen-register theories applying CIPA's trap-and-trace provisions to any tool collecting routing data
  • Phone recording disclosures that do not meet California's two-party consent requirement

Demand letters are calibrated to cost less to settle than to litigate — typically $15,000 to $40,000 per claim. The larger class settlements are substantial: the Los Angeles Times agreed to $3.85 million in early 2026 over tracking technologies deployed between January 2023 and December 2025.

The courts have not reached consensus. Massachusetts's Supreme Judicial Court ruled in 2024 that Google Analytics and Meta Pixel do not violate the state wiretap statute because the third-party recipients are "intended communicants." The Ninth Circuit in Popa v. Microsoft (2025) held that some session replay CIPA claims lack Article III standing. Several California trial courts have rejected pen-register theories applied to internet traffic. But filings continue to accelerate — January 2026 produced twice as many CIPA decisions as December 2025.

California's proposed reform, SB 690, would create a "commercial business purpose" exception. It passed the Senate unanimously in 2025 but stalled in the Assembly and will not take effect before 2027 at the earliest. Twenty-eight states have similar wiretap statutes; the federal Wiretap Act (18 U.S.C. § 2510) adds $10,000 per violation and is increasingly pleaded alongside CIPA claims.

The blunt operational takeaway: CIPA exposure is not about being a "bad actor." It is about whether your analytics, ad pixels, and chat widgets fire before the user has had a chance to consent, and whether your privacy notice accurately describes what those tools do. A consent management platform that gates tag execution on consent signals — blocking all non-essential scripts until the visitor acts — is the primary technical defence. UniConsent does this at the page-load layer, ensuring no tracking pixel, session replay tool, or chatbot fires before the user has made a choice. For the 4,000-plus lawsuits filed so far, that configuration is the difference between being a defendant and not being one.


The Five Failure Modes Behind Almost Every US Privacy Fine

We went through every significant federal, state, and class action enforcement from 2018 through early 2026. Five patterns account for nearly all of them.

1. Opt-out signals that do not propagate. Disney, Healthline, Tractor Supply, Sephora, DoorDash, TicketNetwork — each case involved the same basic problem: a consumer submitted an opt-out (via a form, a "Do Not Sell" link, or a GPC signal) and the company did not apply it across all properties, devices, and accounts tied to that person. Regulators now expect universal propagation. A partial opt-out is treated as no opt-out.

2. Tracking that fires before consent. Tags, pixels, and scripts loading on page load — before the visitor has interacted with any consent mechanism. This is the fact pattern behind virtually every CIPA suit, and it overlaps with CCPA and other state laws requiring notice at or before the point of collection. The fix is technical: server-side gating of tags through a consent management platform like UniConsent, which blocks non-essential tags until consent is recorded.

3. Privacy notices that are wrong or unreadable. Connecticut's first CTDPA enforcement action centred on a privacy notice the AG described as "largely unreadable." California actions have repeatedly cited policies that fail to name specific data-sharing categories or that misdescribe opt-out rights. The regulatory bar is now a privacy notice that is specific, current, readable, and accurate — with named or categorised third parties and explicit consumer-rights disclosures.

4. Health data flowing to ad platforms. The FTC actions against BetterHelp ($7.8 million), Cerebral, and GoodRx; the California AG's Healthline settlement ($1.55 million); and multiple HIPAA settlements all involved the same scenario: health-related data reaching Meta, Google, or other advertising platforms through tracking pixels or SDK integrations, without meaningful consent and often without disclosure. If your site collects health-adjacent information — including article titles suggesting a diagnosis — this category applies to you.

5. Children's data without parental consent. Five of the largest 2024–2026 federal actions invoke COPPA. Disney's $10 million settlement covered YouTube videos not tagged "Made for Kids." Cognosphere's $20 million action alleged marketing Genshin Impact to children under 13 while collecting personal information. Apitor's $500,000 fine (suspended for inability to pay) involved a robot toy app collecting children's geolocation data. If your product or content is accessed by children, COPPA compliance is not optional — it is the FTC's stated 2026 priority.

These five categories overlap constantly. A tracking pixel that fires before consent and captures health data disclosed in a chatbot creates simultaneous CIPA, CCPA, and FTC exposure. Failure to honour a parental opt-out request triggers both CCPA and COPPA liability. The line between "regulatory risk" and "litigation risk" is notional at this point.
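The two technical controls this section and the GPC discussion above keep returning to, gating every non-essential tag until a consent decision exists and treating a GPC signal as a binding opt-out, can be reduced to a small amount of page-load logic. The block below is an added example written for this article, not UniConsent's code or any vendor's; the category names, tag descriptors, stored-choice shape and function names are hypothetical, while `navigator.globalPrivacyControl` and the `Sec-GPC` request header are the signals defined by the GPC specification.

```javascript
// Added example (not UniConsent or vendor code). Models consent gating at page
// load: tags are authored inert and only promoted to executable scripts when
// their category is permitted, and a GPC signal always withdraws sale/share.
// Category names, tag ids and the storedChoice shape are hypothetical.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// True when the browser asserts Global Privacy Control (Firefox and Brave do
// so by default). A server-side gate would read the `Sec-GPC: 1` header instead.
function gpcAsserted(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Effective consent = stored banner choice (null before any interaction) plus
// the GPC signal. Default-deny for everything except strictly necessary; GPC
// withdraws the sale/share category even if the visitor previously opted in.
function effectiveConsent(storedChoice, nav) {
  const consent = { necessary: true, analytics: false, marketing: false };
  if (storedChoice) {
    consent.analytics = storedChoice.analytics === true;
    consent.marketing = storedChoice.marketing === true;
  }
  const gpc = gpcAsserted(nav);
  if (gpc) consent.marketing = false; // GPC is a binding opt-out of sale/share
  return { consent, gpc, source: storedChoice ? "banner" : "default" };
}

// Per-tag decision: "fire" only when the category is known and permitted.
// Unknown or mislabelled categories are held, so the gate fails closed.
function partitionTags(tags, consent) {
  const fire = [];
  const hold = [];
  for (const tag of tags) {
    const ok = CATEGORIES.includes(tag.category) && consent[tag.category] === true;
    (ok ? fire : hold).push(tag.id);
  }
  return { fire, hold };
}

// Audit record of what was honoured and why (the consent trail regulators ask for).
function consentRecord(state, decision, now = new Date(0)) {
  return {
    timestamp: now.toISOString(),
    gpc: state.gpc,
    source: state.source,
    categories: { ...state.consent },
    fired: decision.fire.slice(),
    held: decision.hold.slice(),
  };
}

// Browser glue. Tags are authored inert, e.g.
//   <script type="text/plain" data-category="marketing" src="..."></script>
// and are replaced by live <script> elements only when the decision is "fire".
function applyInBrowser(doc, nav, storedChoice) {
  const state = effectiveConsent(storedChoice, nav);
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const tags = inert.map((el, i) => ({ id: el.id || `tag-${i}`, category: el.dataset.category, el }));
  const decision = partitionTags(tags, state.consent);
  for (const tag of tags) {
    if (!decision.fire.includes(tag.id)) continue; // held: never executes
    const live = doc.createElement("script");
    if (tag.el.src) live.src = tag.el.src; else live.textContent = tag.el.textContent;
    tag.el.replaceWith(live);
  }
  return consentRecord(state, decision, new Date());
}

// Constructed sample inventory for a typical retail page (hypothetical ids).
const SAMPLE_TAGS = [
  { id: "first-party-cart", category: "necessary" },
  { id: "google-analytics", category: "analytics" },
  { id: "meta-pixel", category: "marketing" },
  { id: "session-replay", category: "marketing" },
  { id: "chat-widget", category: "support" }, // unknown category: held
];

// Run the gate on page load when in a browser; a no-op elsewhere.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  applyInBrowser(document, navigator, null);
}
```

With no stored choice, only the strictly necessary tag fires regardless of GPC; with a full opt-in but GPC asserted, analytics fires and every marketing tag stays held.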


What Comes Next

Five trends are shaping the rest of 2026 and into 2027.

No federal law is coming soon. The American Privacy Rights Act, the Kids Online Safety Act, and other proposals remain stalled. The patchwork of twenty state laws plus the FTC plus class actions is the operating environment for the foreseeable future.

State AGs are coordinating like a federal agency. The Connecticut–California–New York Illuminate Education settlement, multi-state GPC compliance sweeps, and aligned enforcement priorities across offices all point toward aggregate state enforcement that functions without federal legislation.

AI regulation is arriving at the state level. California's CCPA Automated Decision-Making Technology regulations take effect January 1, 2027, with opt-out rights when AI makes significant decisions about consumers. Texas's Responsible AI Governance Act took effect January 1, 2026. State legislatures and AGs are filling the gap that no federal AI law addresses.

Children's privacy enforcement is intensifying. COPPA actions accelerated through 2025 and show no sign of slowing. Maryland now prohibits selling personal data of anyone under 18. Connecticut, Oregon, and Nebraska added minor-specific provisions in 2025–2026.

CIPA reform will not arrive before 2027. SB 690 is a two-year bill. Even if reintroduced and passed in 2026, it would take effect no earlier than January 2027. The plaintiffs' bar is treating the window as an opportunity, and filing volume is accelerating.


What This Means for Your Compliance Stack

US privacy enforcement does not work like GDPR. There is no single regulator, no harmonised rule set, and no central fine registry. Exposure comes from three independent tracks, and a business can be clean on one while accruing liability on the other two.

The biggest penalties are federal — Meta's $5 billion, Equifax's $700 million — but the typical 2025–2026 fine is a state action in the $300,000-to-$3 million range, targeting a mid-sized company whose opt-out mechanism did not work or whose privacy notice did not describe what was actually happening on its website.

The fastest-growing source of exposure is not regulators at all. It is the CIPA class action wave: 4,000 lawsuits and tens of thousands of demand letters since 2022, targeting standard configurations of tracking pixels, session replay, chatbots, and analytics tools. Reform is not coming before 2027.

The operational pattern behind nearly every US privacy penalty is the same: tracking technologies fire before consent, opt-out signals are not honoured, privacy notices misrepresent what happens to user data, and sensitive information — health data, children's data — flows to advertising platforms without meaningful disclosure.

The compliance work is not abstract policy. It is the configuration of your consent management layer, your tag governance workflow, and the systems that propagate opt-out signals across every property. UniConsent handles the core of this: blocking tags until consent is recorded, detecting and honouring GPC signals across all eleven states that require it, maintaining a consent audit trail that holds up under regulatory scrutiny, and scanning your site to verify that actual tag behaviour matches your consent configuration through our cookie scanner. It is the difference between having a privacy policy and having a defensible privacy posture.


Frequently Asked Questions

What is the biggest privacy fine ever issued in the United States? Meta was fined $5 billion by the FTC in 2019 for the Cambridge Analytica scandal and violation of a 2012 consent decree. It is the largest privacy penalty in US history.

What is the largest CCPA fine? Disney's $2.75 million settlement with the California Attorney General in February 2026, for failing to honour opt-out requests across all devices and services tied to consumer accounts.

Which US state has the strictest privacy law? California, with its dedicated regulator (CPPA), no cure period, and limited private right of action. Maryland's MODPA is the strictest Virginia-model law, with strong data-minimisation requirements and an outright ban on selling sensitive data or targeting minors under 18.

How many US states have comprehensive privacy laws in 2026? Twenty. Indiana, Kentucky, and Rhode Island joined on January 1, 2026.

Who enforces US privacy laws? The FTC handles federal enforcement. State AGs enforce state privacy laws (California also has the CPPA). HHS enforces HIPAA. Private plaintiffs bring class actions under CIPA, BIPA, the VPPA, and the federal Wiretap Act.

What is CIPA and why is it driving so many lawsuits? The California Invasion of Privacy Act is a 1967 wiretap statute. Since 2022, plaintiffs have used it to sue websites for deploying tracking pixels, session replay, chatbots, and analytics that "intercept" communications without consent. Statutory damages are $5,000 per violation with no harm requirement. Roughly 4,000 suits have been filed.

Does the US have a federal privacy law? No. Federal proposals — including the American Privacy Rights Act — have not passed Congress. Federal law covers specific sectors: health (HIPAA), finance (GLBA), children (COPPA), education (FERPA), and electronic communications (ECPA).

What is the Global Privacy Control? A browser signal that automatically communicates an opt-out preference. Eleven states require websites to honour it. Firefox and Brave enable GPC by default. UniConsent detects GPC and applies the opt-out automatically across all consent categories.

How much do US privacy fines total per year? Roughly $1.4 billion in 2025 across federal, state, and class action settlements. The number is accelerating through 2026.

Can US consumers sue companies directly for privacy violations? In some cases. CCPA provides a limited private right of action for certain data breaches. CIPA, BIPA, the VPPA, and the federal Wiretap Act all provide statutory damages. Most Virginia-model state laws do not include a private right of action.

What triggers most US privacy fines? Four patterns: opt-out signals not honoured across all properties, tracking technologies firing before consent, privacy notices that do not match actual data practices, and health or children's data shared with ad platforms without disclosure.

How does a consent management platform help with US privacy compliance? A CMP like UniConsent blocks non-essential tags until consent is recorded, detects and honours GPC signals, maintains an auditable consent record, and verifies that on-page tag behaviour matches your consent configuration. This addresses the root cause of the most common enforcement actions and CIPA lawsuits.


About UniConsent

UniConsent is part of Transfon's privacy-first User Experience Platform, serving tens of millions of users per day to provide a seamless privacy experience for both users and publishers in the post-GDPR era. Contact us to learn more: hello@uniconsent.com
