Court Rules
Enforcement Data7 min read

Privacy Enforcement Is Becoming Product Data

No one should read 1,338 enforcement releases and regulatory records one at a time. The useful work begins when those materials become source-linked records: dates, regulators, violation types, remedies, penalties, and citations that a legal workflow can actually use.

Abstract enforcement data dashboard with source documents

Regulatory enforcement is usually consumed as a stream of press releases. A new FTC settlement, a state attorney general investigation, an HHS breach report, a warning letter, a consent order. Each item matters, but the stream is hard to use. It tells you what happened, then leaves your team to decide whether it affects contracts, product settings, vendor reviews, board reporting, or customer-facing policy.

That is the wrong shape for modern legal work. A legal team does not need another inbox. It needs enforcement data that can move through systems.

1,338
Enforcement records

Source-linked actions, guidance, investigations, settlements, and regulatory updates.

14
Jurisdictions

Federal and state authorities, including FTC, HHS OCR, state AGs, and CPPA.

$50B+
Tracked penalties

Monetary exposure is only one signal. Remedies and warnings often move first.

As of May 23, 2026, the CourtRules.app enforcement tracker contains 1,338 records across 14 jurisdictions. The tracker covers monetary penalties, but the more interesting signal is not the penalty total. It is the combination of violation type, remedy, source language, and regulator behavior.

The top enforcement signals in the dataset

Data breach789 records
Health data780 records
Security failure747 records
Unauthorized data sharing221 records
Notice failure146 records
Consent failure121 records

The recent feed is already changing shape

The most recent privacy and platform-safety records are not just classic data breach settlements. They are about nonconsensual intimate images, AI-enabled devices, sensitive location data, youth social media design, consent flows, and biometric capture. Those categories look less like after-the-fact litigation and more like product governance.

FTCMay 20, 2026

Warning letters to 12 nudify tool providers

The useful field is not a fine amount. It is the remedy clock: covered platforms must remove qualifying nonconsensual intimate images within 48 hours of a valid request.

Official source
TXMay 20, 2026

Investigation into Meta AI glasses

The event clusters biometric data, notice failure, consent failure, unauthorized data sharing, and dark patterns in one record. That is exactly the kind of bundle a privacy team needs to route correctly.

Official source
FTCMay 4, 2026

Kochava sensitive location data settlement

The headline is location data. The workflow signal is stronger: consent assessments, retention schedules, incident reporting, data deletion, and a ban on certain sensitive-data sales.

Official source
CTMay 1, 2026

Youth social media and AI harm legislation

This is not a company settlement. It is still operationally important because it creates future enforcement hooks around minors, addictive algorithms, AI chatbots, reporting, and consent.

Official source

Put those events side by side and a pattern appears. The enforcement system is moving earlier in the product lifecycle. It is not waiting for one giant fine to tell the market what matters. Warning letters, investigations, civil investigative demands, new enforcement authorities, and remedy terms all tell a product and compliance team where regulator attention is headed.

Fine amount is a weak sorting key

A fine is easy to sort. It is also late. By the time a large penalty appears, the market has usually had months or years of warning. In our data, many important records have no penalty at all: warning letters, investigations, guidance, new laws, complaint filings, and consent orders with operational restrictions.

That matters for legal operations. A zero-dollar enforcement record can still trigger contract review if it names a sensitive data category. It can trigger a product review if the remedy involves deletion, affirmative consent, reporting, or a ban. It can trigger a vendor review if the source language names subcontractors, data brokers, or onward sharing.

In other words, the workflow question is not only "how much did they pay?" It is "what conduct did the regulator identify, and what would we have to prove if asked?"

Structured records make the pattern visible

The same enforcement action can be read several ways. A press release is a news item. A consent order is a legal document. A source quote is evidence. A violation type is a routing key. A remedy is a product requirement. A source URL is an audit trail.

Fields that turn news into workflow

  • jurisdiction tells the system which regulator is moving.
  • violation_types normalize messy agency language into a usable taxonomy.
  • remedy_types show what the company has to change, not only what it paid.
  • primary_source_url preserves the official record for verification.
  • source_quotes make the extracted claim auditable.

This is why the data model matters. A plain-English summary is useful for a reader, but a workflow needs stable fields. An AI agent cannot reliably answer "show me recent actions involving consent failure and children's data" unless those concepts are normalized. A contract system cannot flag a vendor agreement for review unless it can connect the event to search terms, industries, laws, and remedies.

The next alert is not an email

Most enforcement monitoring still looks like a newsletter. That is fine for awareness, but it is not enough for operational response. The useful version is an event record that can be routed.

A healthcare record with security failure and health data should go to privacy and security. A youth social media record involving dark patterns and children's data should go to product counsel. A data broker record involving sensitive location data should go to vendor management and commercial contracting. A biometric investigation should go to the team that owns device features, notices, and consent.

That is why we are building enforcement data next to court rules. Both domains have the same underlying problem. The source material is public, but it is not workflow-shaped. Lawyers can read it, but systems cannot reliably act on it until it has been normalized, cited, and connected to the decisions teams actually make.

Browse the enforcement tracker

Filter by jurisdiction, violation type, industry, and risk level. Every record links back to its official source.

View Enforcement DataUse the MCP Server

Data notes

The counts above come from the CourtRules.app enforcement tracker as of May 23, 2026. Records are extracted from official government sources and linked back to the source release or document. The tracker includes privacy enforcement, consumer protection records with privacy implications, HHS OCR breach records, state attorney general actions, FTC actions, CPPA activity, guidance, investigations, and new enforcement authorities.

Start with the enforcement tracker, or read the enforcement data docs for the fields exposed through our MCP tools.