Structured enforcement actions from 21 federal and state jurisdictions. Every event traced back to its official source.
1,000+
Events Tracked
21
Jurisdictions
$1.8B+
Total Fines
Showing recent highlights. Full dataset available via MCP and API.
A coalition of 16 state attorneys general, led by New York, filed an enforcement action challenging the Department of Education's handling of student financial aid data, alleging systemic failures to protect sensitive student records. The action cites the Department's failure to implement required security controls for FAFSA data, potentially exposing financial and personal information of millions of student aid applicants.
Multistate: CA, CT, CO, IL, MA, MD, MN, NJ, NM, OR, PA, RI, VA, VT, WA
$2.75M
California AG secured a $2.75M settlement after finding Disney's streaming platforms failed to honor consumer opt-out requests for the sale and sharing of personal information under CCPA. Disney's opt-out processes failed to stop the sale or sharing of consumer data across all devices and streaming services, including Disney+, Hulu, and ESPN+.
$750K
Colorado AG brought the first enforcement action under the Colorado AI Act, penalizing GenAI Corp $750K for deploying a high-risk AI system in hiring decisions without required impact assessments or consumer disclosures. The company's AI screening tool disproportionately filtered out qualified candidates based on protected characteristics, and applicants were not told their applications were evaluated by an automated system.
$5.6M
The NY AG fined Citibank $5.6M for failing to reimburse victims of electronic theft and delaying breach notifications, citing inadequate security measures that left customer accounts vulnerable to unauthorized access. Citibank's online banking platform lacked adequate multi-factor authentication, allowing account takeovers that cost consumers millions in unauthorized transfers.
$16.5M
HHS OCR secured a $16.5M settlement following a ransomware attack that exposed the protected health information of over 600,000 patients, compounded by a breach notification that missed HIPAA's 60-day deadline. The attack disrupted operations at 140 hospitals across 21 states, and CommonSpirit failed to notify HHS and affected individuals within the required window.
$200K
Virginia AG penalized Data Broker LLC $200K for failing to register under the Virginia Consumer Data Protection Act and continuing to sell personal information without complying with consumer access and deletion requests. The company ignored multiple consumer data access requests and failed to register as a data broker as required by the VCDPA.
$275M
The FTC obtained a record $275M civil penalty from Epic Games for violating COPPA by collecting personal information from Fortnite players under 13 without parental consent and enabling real-time voice and text chat for children by default; a separate $245M in consumer refunds, announced alongside it, addressed the dark patterns. Epic used counterintuitive button layouts and purchase flows that caused players, including children, to make unintended purchases totaling hundreds of millions of dollars.
$450K
New Jersey AG settled for $450K with an analytics firm that collected and sold browsing data from New Jersey residents without adequate privacy notices or consumer consent mechanisms. The company's tracking scripts were present on thousands of websites and collected detailed browsing histories, shopping behavior, and form inputs without disclosing data collection or providing opt-out options.
$1.4M
Mobile game developer Jam City agreed to pay $1.4M to resolve allegations it collected and sold children's personal data without parental consent and ignored opt-out signals. The company's popular games, including Cookie Jam and Panda Pop, collected device identifiers and usage data from players under 13.
$500K
Oregon AG obtained a $500K settlement and permanent injunction against Clearview AI for scraping facial images of Oregon residents from the internet without consent and selling access to its biometric database. Clearview scraped over 30 billion facial images from social media platforms and the open web, building a facial recognition database sold to law enforcement and private companies without individual consent.
$5.1M
A coalition of three states secured a $5.1M settlement from Illuminate Education after a data breach exposed student records, including health data, due to inadequate security controls. The breach affected student information from school districts in California, Connecticut, and New York, exposing names, dates of birth, and in some cases IEP and medical accommodation records.
Multistate: CT, NY
$530K
Sling TV agreed to pay $530K to settle allegations it failed to process consumer opt-out requests and collected children's viewing data without proper parental consent mechanisms. The streaming service continued to share personal information with advertising partners after consumers submitted opt-out requests, and collected viewing history from child profiles without COPPA-compliant consent.
$1.15M
Connecticut AG obtained a $1.15M settlement from Anthem after a data breach exposed personal health information of over 80,000 state residents due to inadequate encryption and access controls. Attackers exploited an unpatched vulnerability in Anthem's web-facing portal, accessing member names, Social Security numbers, dates of birth, and claims information.
$60M
T-Mobile agreed to pay a $60M penalty to the Committee on Foreign Investment in the United States (CFIUS) for failing to prevent and promptly report unauthorized access to sensitive customer data, in violation of the national security agreement it signed when it acquired Sprint. The penalty followed a run of breaches: between 2021 and 2023 T-Mobile disclosed multiple incidents exposing names, Social Security numbers, and account PINs, the largest affecting approximately 76 million current, former, and prospective customers.
$7.1M
The FTC fined Cerebral $7.1M for sharing sensitive mental health data of nearly 3.2 million users with third-party advertising platforms without consent, including diagnosis and treatment information. Cerebral embedded tracking pixels from Meta, Google, and TikTok in its telehealth platform, transmitting prescription data and therapy session details to advertisers.
$1.4B
Texas AG secured a landmark $1.4B settlement from Meta for illegally capturing and using biometric data from millions of Texans through Facebook's photo tagging feature without obtaining informed consent. This represents the largest privacy settlement in U.S. state enforcement history. Meta's Tag Suggestions and face recognition features automatically scanned photos uploaded by Texas users, creating facial geometry maps without disclosure or consent.
The FTC barred InMarket from selling precise consumer geolocation data after finding the company tracked consumers' visits to sensitive locations, including medical facilities and places of worship, without adequate consent. InMarket's SDK, embedded in hundreds of popular apps, collected location data every few seconds and built profiles based on visits to reproductive health clinics, addiction treatment centers, and houses of worship.
The FTC prohibited X-Mode Social from selling sensitive geolocation data, marking one of the first enforcement actions specifically targeting location data brokers who sold data revealing visits to sensitive facilities. X-Mode sold raw location data to government contractors and private companies that could be used to track individuals' movements to reproductive health clinics, homeless shelters, and places of worship.
The FTC issued a consent order requiring GoDaddy to overhaul its information security program after finding the company misrepresented its security practices and failed to notify customers of breaches promptly. GoDaddy's hosting environment suffered multiple intrusions between 2019 and 2022, affecting over 1.2 million customers.
$375K
DoorDash settled for $375K over allegations it sold consumer personal information to third-party advertising networks without honoring opt-out requests, including data from accounts belonging to minors. DoorDash participated in an ad industry data-sharing cooperative that the AG characterized as a sale of personal information under CCPA.