1,338 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.
1,338
Total Actions
14
Jurisdictions
$50.6B+
Total Fines Tracked
Florida Attorney General James Uthmeier issued an investigative subpoena to TP-Link Systems Inc. as part of a consumer protection investigation into the company’s cybersecurity practices, supply-chain infrastructure, and handling of U.S. consumer data, including allegations of unauthorized data sharing with the Chinese Communist Party. The probe will determine if TP-Link misled customers about foreign government access to their personal data, which would violate the Florida Deceptive and Unfair Trade Practices Act, with no findings of wrongdoing yet.
California Attorney General Rob Bonta, joined by Connecticut and New York Attorneys General, secured a $5.1 million multistate settlement with edtech company Illuminate Education, Inc. over a 2021 data breach that exposed sensitive personal and medical information of millions of students, including over 434,000 California students. The investigation found Illuminate failed to implement basic security measures, including failing to terminate former employee credentials, lacking suspicious activity monitoring, and unsecured backup databases, as well as making false statements in its privacy policy. Illuminate must pay $3.25 million to California, implement enhanced security practices, and notify the CA DOJ of future student data breaches.
$5.1M
New York, California, and Connecticut attorneys general reached a $5.1 million settlement with educational technology company Illuminate Education, Inc. for failing to protect student data, resulting in a 2022 breach exposing millions of students’ personal information. The investigation found Illuminate failed to implement basic security measures including data encryption, suspicious activity monitoring, and proper decommissioning of inactive user accounts, and did not delete student data when required by contracts. Illuminate must pay the penalty and implement enhanced data security measures including a comprehensive information security program, encryption of student data, and annual notice to schools about data collection and deletion options.
$5.1M
Connecticut Attorney General William Tong, along with California and New York Attorneys General, settled with Illuminate Education, Inc. for failing to protect student data in a breach that exposed personal information of millions of students. The settlement, the first under Connecticut's Student Data Privacy Law, requires Illuminate to pay $5.1 million and implement enhanced cybersecurity measures.
$5.1M
Texas Attorney General Ken Paxton secured a $1.375 billion settlement with Google for unlawfully tracking Texans' geolocation data, incognito browsing activity, and biometric identifiers without consent. This is the largest single-state privacy settlement against Google, significantly larger than multistate settlements. The agreement resolves two major privacy enforcement actions brought by Texas.
$1.4B
Texas Attorney General Ken Paxton opened an investigation into Lorex Technology Inc. for allegedly deceptively selling security cameras with components from CCP-linked Dahua, posing privacy and national security risks. The investigation will determine if Lorex misrepresented the cameras as secure and safe for residential use despite known supply chain vulnerabilities and federal restrictions on Dahua products.
The California Attorney General conducted an investigation into OpenAI's recapitalization plan and secured a memorandum of understanding ensuring charitable assets are used for their intended purpose, safety is prioritized, and OpenAI remains in California. The AG will not oppose the plan and will monitor ongoing adherence to these commitments.
Florida Attorney General James Uthmeier filed a civil enforcement action against Roku, Inc. for violating the Florida Digital Bill of Rights (FDBOR) and Florida Deceptive and Unfair Trade Practices Act (FDUTPA). The complaint alleges Roku collected, sold, and enabled reidentification of children’s sensitive personal data, including viewing habits and voice recordings, without parental consent or meaningful notice to consumers. The state seeks civil penalties, injunctive relief, and requirements for Roku to implement transparent disclosures, lawful parental controls, and cease unauthorized processing of children’s data.
The Texas Attorney General opened an investigation into TP-Link Systems Inc. for potentially allowing the Chinese government to access Texans' consumer data through back doors in networking equipment. The investigation will examine whether TP Link violated Texas privacy law by misleading consumers about its independence and improperly collecting or disclosing data. This follows a prior privacy notice violation issued to the company.
The FTC filed a complaint against Iconic Hearts Holdings, Inc., operator of the Sendit anonymous messaging app, for unlawfully collecting personal data from children in violation of COPPA, misleading users by sending messages from fake personas, and tricking consumers into paid subscriptions by falsely promising to reveal anonymous senders.
The FTC secured a $2.5 billion settlement with Amazon, including a $1 billion civil penalty and $1.5 billion in consumer refunds, for enrolling millions of consumers in Prime subscriptions without proper consent and designing a deliberately difficult cancellation process. The order requires Amazon to implement clear enrollment disclosures, an easy cancellation method, and cease the unlawful practices.
$1.0B
The FTC issued 6(b) orders to seven technology companies to investigate the safety and privacy practices of their AI chatbots, particularly regarding impacts on children and teens. The inquiry focuses on compliance with children's privacy laws, data handling, and disclosures, requiring companies to provide information on these aspects.
Texas Attorney General Ken Paxton filed a lawsuit against PowerSchool, a provider of cloud-based services for K-12 schools, following a data breach that exposed the personal and health information of over 880,000 Texas school-aged children and teachers. The breach occurred in December 2024 when a hacker gained administrative access through a subcontractor's account and stole unencrypted data including Social Security numbers, medical details, and disability records. The lawsuit alleges PowerSchool violated Texas law by failing to implement basic security measures and by misleading customers about its security practices.
The FTC settled allegations against Apitor Technology for violating COPPA by allowing a third party to collect geolocation data from children without parental consent. Apitor must pay a $500,000 suspended fine, delete improperly collected data, and implement measures to comply with COPPA, including obtaining parental consent and notifying parents.
$500K
Florida Attorney General James Uthmeier issued a subpoena to Lorex as part of an ongoing consumer protection and data privacy investigation. The probe examines Lorex’s ties to Dahua Technology and potential foreign spying risks, including unauthorized access to children’s data, and whether the company misled consumers about the privacy and security of its camera products and apps. The subpoena seeks documents related to corporate structure, third-party contracts, software update origins, data center locations, security vulnerabilities, and marketing claims about privacy and security.
FTC Chairman Andrew Ferguson sent warning letters to major technology companies, urging them not to weaken data security or censor American consumers' speech in response to foreign government demands. He reminded them that such actions could violate the FTC Act's prohibition on unfair and deceptive practices, particularly if companies break promises about encryption and security. The letters cite foreign laws like the EU's Digital Services Act and UK's Investigatory Powers Act as pressures that might lead to non-compliance.
FTC Chairman Andrew Ferguson sent warning letters to over a dozen major technology companies, reminding them of their obligations under the FTC Act to protect American consumers' data security and privacy, even when facing pressure from foreign governments to weaken encryption or censor content. The letters warn that weakening security measures or censoring speech in response to foreign demands could constitute deceptive practices under the FTC Act.
Texas Attorney General Ken Paxton has opened an investigation into Meta AI Studio and Character.AI for deceptive practices in marketing AI chatbots as mental health services to children. The platforms are accused of impersonating licensed professionals, fabricating qualifications, and exploiting user data for advertising without proper disclosure. Civil Investigative Demands have been issued to examine violations of Texas consumer protection laws and the SCOPE Act.
Texas Attorney General Ken Paxton opened an investigation into Meta and Character.AI via Civil Investigative Demands, alleging deceptive trade practices including misrepresenting AI chatbots as confidential mental health tools while harvesting user data for targeted advertising. The probe assesses potential violations of Texas consumer protection laws and the SCOPE Act, particularly regarding privacy misrepresentations, concealment of data usage, and harms to children. This builds on prior investigations into Character.AI for SCOPE Act compliance.
Texas Attorney General Ken Paxton announced a comprehensive privacy enforcement initiative, achieving record settlements with Meta ($1.4B) and Google ($1.375B) for biometric and geolocation data violations, suing General Motors and TikTok, and investigating numerous companies for children's data and AI practices. The AG's office has enforced multiple Texas privacy laws and registered over 200 data brokers.
$2.8B
The FTC settled charges against GoDaddy Inc. and GoDaddy.com, LLC for misleading customers about their data security protections and failing to adequately secure their website hosting services. The company allegedly did not implement reasonable security measures, leaving customer websites vulnerable to attacks that could harm both the customers and visitors to those sites. The case resulted in a consent order requiring GoDaddy to improve its security practices.
The FTC finalized an order with GoDaddy for failing to implement adequate data security measures and misleading consumers about its security and Privacy Shield compliance. The order prohibits misrepresentations, requires a comprehensive security program, and mandates independent assessments.
The FTC settled charges against GoDaddy Inc. and GoDaddy.com, LLC for misleading customers about their data security protections and failing to adequately secure their website hosting services. The company's security failures left customers' and website visitors' data vulnerable to attacks. The final order requires GoDaddy to implement comprehensive data security measures.
Attorney General Ken Paxton sued Google for unlawfully tracking and collecting Texans' private data, including geolocation, incognito searches, and biometric data. The case resulted in a $1.375 billion settlement, the largest ever against Google for state privacy enforcement, marking a major win for data privacy rights.
$1.4B
Texas Attorney General Ken Paxton has notified several Chinese companies, including TP-Link, Alibaba, and CapCut, that they are violating the Texas Data Privacy and Security Act (TDPSA). The companies must comply with TDPSA requirements to disclose data processing, allow consumer opt-outs, and enable data deletion within 30 days. Failure to comply will result in further legal action.
Texas Attorney General Ken Paxton issued a 30-day compliance notice to TP-Link, Alibaba, CapCut, and other CCP-affiliated Chinese companies for violating the Texas Data Privacy and Security Act (TDPSA). The companies are accused of failing to disclose consumer data processing activities, allow opt-out of data collection, and enable consumer data deletion as required by Texas law. If the companies do not comply within 30 days, the Attorney General's office will pursue additional legal action.
Texas Attorney General Ken Paxton has issued notices to several Chinese companies, including TP-Link, Alibaba, and CapCut, for violating the Texas Data Privacy and Security Act (TDPSA). The companies must comply with TDPSA's requirements to disclose data processing, allow opt-outs, and enable data deletion within 30 days, or face further legal action.
Texas Attorney General Ken Paxton announced legal action against several Chinese companies, including TP-Link, Alibaba, and CapCut, for violating the Texas Data Privacy and Security Act (TDPSA). The companies have been given 30 days to comply with requirements to disclose data processing, allow consumers to opt out of data collection, and enable data deletion. Failure to comply will result in further legal action to protect Texans' privacy rights and prevent data from being accessed by the Chinese Communist Party.
Texas Attorney General Ken Paxton announced an investigation into Chinese AI company DeepSeek for alleged violations of the Texas Data Privacy and Security Act, citing concerns over the company’s privacy practices and ties to the Chinese Communist Party. The AG also notified DeepSeek of the alleged violations, issued a ban on DeepSeek’s platform on all Office of the Attorney General devices, and sent third-party Civil Investigative Demands to Google and Apple for documentation related to the DeepSeek app. The investigation stems from allegations that DeepSeek acts as a proxy for the CCP to steal Texas citizens’ data and undermine U.S. AI dominance.
New York Attorney General Letitia James secured a $450,000 settlement from three companies distributing eufy-branded home security cameras for failing to implement adequate data security measures. The companies’ cameras had unencrypted video streams accessible without authentication, exposing private consumer footage. The settlement requires the companies to implement stronger security protocols, including encryption, vulnerability testing, and a comprehensive information security program.
$450K
All data sourced from official government enforcement pages.