Privacy Enforcement Tracker

1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.

1,285

Total Actions

Jurisdictions

$35.3B+

Total Fines Tracked

Access this data programmatically:MCP Server API Docs

CANovember 6, 2025SettlementMultistate

Illuminate Education, Inc.(Illuminate Education)

Illuminate Education, Inc. suffered a data breach in 2021 due to security failures, exposing sensitive student data including medical conditions across millions of students. The company has agreed to pay $5.1 million in settlements to California, Connecticut, and New York and implement injunctive relief to strengthen data security practices.

HighStudent DataHealth DataSecurity Failure

$5.1M

CAJune 13, 2024Settlement

Blackbaud

Blackbaud, a software company, suffered a data breach in 2020 due to inadequate security measures and made misleading statements about the breach and its security practices. California Attorney General Rob Bonta secured a $6.75 million settlement requiring Blackbaud to pay penalties and implement enhanced data security and breach notification protocols.

HighData BreachSecurity FailureBreach Notification Delay

$6.8M

CASeptember 30, 2020SettlementMultistate

Anthem, Inc.(Anthem)

Anthem, Inc. settled with California for $8.69 million over a 2014 data breach that exposed personal information of 78 million consumers, including 13.5 million Californians. The breach resulted from security deficiencies, and the settlement includes injunctive relief to improve information security practices. This action was part of a parallel multistate settlement.

HighData BreachSecurity FailureHealth Data

$8.7M

CASeptember 17, 2020Settlement

Glow, Inc.(Glow)

California Attorney General settled with Glow, Inc. for $250,000 due to privacy and security failures in its fertility app that risked exposing users' sensitive health information. The settlement requires Glow to implement privacy and security measures, obtain affirmative consent for data sharing, and consider unique impacts on women.

MediumHealth DataSecurity FailureConsent Failure

$250K

CAJuly 22, 2019SettlementMultistate

Equifax

California Attorney General led a multistate settlement with Equifax for a 2017 data breach that exposed personal information of 147 million consumers due to security failures and delayed disclosure. Equifax must pay $175 million in state penalties, $425 million for consumer restitution, and implement data security enhancements including a comprehensive Information Security Program and credit monitoring for up to ten years.

CriticalData BreachSecurity FailureBreach Notification Delay

$175.0M

CAJuly 11, 2019SettlementMultistate

Premera Blue Cross(Premera)

Premera Blue Cross suffered a data breach in 2014 that exposed personal and medical information of 10.5 million consumers. As part of a multistate settlement, Premera agreed to pay $10 million in civil penalties and implement security improvements and a compliance program. California will receive over $1 million from the settlement.

HighData BreachHealth DataSecurity Failure

$10.0M

CASeptember 26, 2018SettlementMultistate

Uber Technologies, Inc.(Uber)

Uber Technologies, Inc. settled for $148 million over a 2016 data breach that exposed 57 million users' personal information. The company was accused of covering up the breach by paying hackers and failing to notify authorities or affected drivers as required by law. The settlement includes a large penalty and mandates robust data security practices, privacy-by-design integration, and regular reporting to prevent future incidents.

CriticalData BreachNotice FailureSecurity Failure

$148.0M

CANovember 22, 2017Settlement

Cottage Health System

Cottage Health System experienced two data breaches exposing medical information of over 50,000 patients due to inadequate security measures. The settlement requires a $2 million penalty and upgrades to security practices, including designating a Chief Privacy Officer.

HighHealth DataSecurity Failure

$2.0M

CASeptember 5, 2017SettlementMultistate

Lenovo

Lenovo preinstalled 'Visual Discovery' software on its computers that intercepted browsing data and broke encrypted connections without user consent, compromising security and privacy. The multi-state settlement imposes a $3.5 million penalty and requires Lenovo to implement disclosure, consent, opt-out, and security compliance measures.

HighNotice FailureConsent FailureOpt-Out Failure

$3.5M

CAMay 23, 2017SettlementMultistate

Target

Target settled a multi-state enforcement action for a 2013 data breach that exposed payment card information of over 40 million customers due to inadequate security. The $18.5 million settlement requires Target to implement advanced security measures, and California receives over $1.4 million.

CriticalData BreachSecurity Failure

$18.5M

CAJanuary 23, 2014Enforcement Action

Kaiser Foundation Health Plan, Inc.(Kaiser)

The California Attorney General filed a complaint against Kaiser Foundation Health Plan, Inc. for improperly disposing of patient medical records containing protected health information. The records, including diagnoses and lab results, were found discarded at a recycling facility, violating patient privacy. The action alleges breaches of the California Confidentiality of Medical Information Act.

LowHealth DataSecurity Failure

CAAugust 28, 2013Enforcement Action

Citibank, N.A.(Citibank)

In 2013, the California Attorney General filed a complaint against Citibank, N.A. alleging that the bank failed to implement adequate security measures and did not properly notify customers about a data breach exposing personal and financial information. The complaint asserts violations of California's data breach notification law.

LowSecurity FailureBreach Notification Delay