California Leads the Charge as Privacy Fines Soar
State privacy fines keep climbing and many businesses are unprepared. Artificial intelligence laws are accelerating the trend.
Businesses need to prepare for state privacy law enforcement, and fast. Total privacy fines in all 50 states soared to $3.4 billion in 2025, versus $1.8 billion in 2024, according to a recent analysis by Gartner, a tech market research firm.
For perspective, the total was just $1.2 million in 2023, before a frenzy of new state enforcement action took off. Penalties hit companies of all sizes and across industries: health care, finance, software, communications, insurance, entertainment, retail, tech, legal, advertising and more.
The payouts stem from both state fines and lawsuits brought under these laws by injured parties. The state laws enshrine consumer rights and data protections that companies must abide by. Gartner says 22 states have passed privacy legislation aimed at consumer rights and another 24 are expected to pass privacy legislation in the coming five years.
State regulations related to the use of AI are expanding fast, too. More than 100 state laws covering artificial intelligence were passed last year, while state agencies also issued new AI-related guidance. For example, in California, the leader in privacy enforcement, a rule covers automated decision-making in job recruitment and employment.
"A lot of organizations have let their privacy policies atrophy," says Nader Henein, an analyst at Gartner who compiled the data. Many privacy programs were implemented years ago when California passed its sweeping privacy law in 2018, which was enacted in 2020. The landmark law provides consumers the right to know about the personal information being collected from them and how it’s used; the right to delete personal info collected by the company; and the right to opt out of the sale or sharing of personal info.
Notable Enforcements by the California Privacy Protection Agency in 2025
- $1.35 million fine against Tractor Supply
- $345,178 fine against Todd Snyder Inc., a clothing retailer
- $632,500 fine against American Honda Motor Co.
- Forced the shutdown of Background Alert, a data broker
"Companies should dust off their privacy program and assess whether it works," says Henein. They should check to make sure those policies are being implemented and cover new rules being rolled out. Gartner also recommends focusing on the online user experience, since most of the violations come from the privacy user interface, such as website privacy notices.
Companies doing business in multiple states should default to the one with the most onerous rules. For example, if consumers have a right to their personal data within 45 days of requesting it in one state, and 30 days in another, the target should be 30 days across the board, says Henein. In practice, that could mean a 20-day policy to ensure compliance.
"Most business-to-consumer companies have bought privacy software," says Henein. Vendors include OneTrust, TrustArc, Osano or TrueVault, and the software often includes AI-related governance. Nader says business-to-business companies, and smaller companies that cater to consumers, may use a more piecemeal approach.
These mounting compliance costs are sure to catch the attention of Congress. But a federal law that preempts the states is unlikely anytime soon, leaving businesses to cope with a patchwork of state laws.
This forecast first appeared in The Kiplinger Letter, which has been running since 1923 and is a collection of concise weekly forecasts on business and economic trends, as well as what to expect from Washington, to help you understand what’s coming up to make the most of your investments and your money. Subscribe to The Kiplinger Letter.

John Miley is a Senior Associate Editor at The Kiplinger Letter. He mainly covers AI, technology, telecom and education, but will jump on other business topics as needed. In his role, he provides timely forecasts about emerging technologies, business trends and government regulations. He also edits stories for the weekly publication and has written and edited email newsletters.
He holds a BA from Bates College and a master’s degree in magazine journalism from Northwestern University, where he specialized in business reporting. An avid runner and a former decathlete, he has written about fitness and competed in triathlons.