1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.
Total Actions: 1,285 | Jurisdictions: 14 | Total Fines Tracked: $35.3B+
The California Privacy Protection Agency (CPPA) settled with data broker Key Marketing Advantage, LLC for failing to register and pay fees under the Delete Act. KMA will pay $55,800 and comply with injunctive terms, including covering attorney fees for non-compliance. This is the fifth enforcement action in CPPA's sweep against unregistered data brokers.
$56K
Connecticut officials, including Attorney General William Tong, warned businesses about a scam by CT UCC Statement Service, which charges $90 for free UCC reports. The company's mailings are designed to look like government documents, but reports are available for free at business.ct.gov. Businesses should verify notices and avoid paying fees for free services.
The FTC settled with data brokers X-Mode Social and Outlogic for selling precise location data without informed consent and failing to protect sensitive information. The proposed order bans the sale of sensitive location data, requires deletion of collected data, and mandates a comprehensive privacy program. This is the FTC's first action against a data broker for sensitive location data practices.
Refuah Health Center, Inc. failed to implement adequate data security measures, leading to a ransomware attack that compromised the personal and health information of approximately 250,000 New Yorkers. The New York Attorney General reached a settlement requiring Refuah to invest $1.2 million in cybersecurity improvements and pay $450,000 in penalties.
$450K
NewYork-Presbyterian Hospital used third-party tracking tools on its website that collected and shared patients' health information with tech companies without adequate safeguards, violating HIPAA. The hospital agreed to pay $300,000 and implement enhanced privacy policies, data deletion, and regular audits.
$300K
The FTC has proposed amendments to the COPPA Rule to enhance children's privacy protections. Key changes include requiring separate parental consent for targeted advertising, prohibiting conditioning access on data collection, limiting push notifications, strengthening data security and retention requirements, and restricting commercial use in educational technology. The proposal shifts responsibility from parents to companies to safeguard children's data.
The FTC settled charges that Rite Aid deployed AI facial recognition technology in hundreds of stores from 2012 to 2020 without reasonable safeguards, resulting in false-positive matches that disproportionately harmed women and people of color. The proposed order bans Rite Aid from using facial recognition for surveillance for five years and requires comprehensive biometric data safeguards, data deletion, consumer notifications, and a certified security program.
Attorney General William Tong announced details for consumers to receive restitution from a $700 million antitrust settlement with Google. The settlement, secured in December 2023 by a coalition of 53 attorneys general, addresses Google's monopoly in the Google Play Store that led to inflated fees for consumers. Eligible consumers who made purchases between August 2016 and September 2023 will receive automatic payments via PayPal or Venmo.
$700.0M
CRI Genetics, LLC was charged by the FTC and California Attorney General for deceptive marketing of DNA testing services, including false accuracy claims, fake reviews, and using dark patterns in billing. The company agreed to a settlement, paying a $700,000 civil penalty, and is prohibited from deceptive practices, must obtain consent for data sharing, and allow data deletion for consumers who requested it.
$700K
The FTC proposed a consent order against Global Tel*Link Corp. for failing to secure sensitive user data, leading to a breach affecting nearly 650,000 consumers, and for delaying notification for about nine months. The order requires the company to implement a comprehensive security program, notify affected users with credit monitoring, and report future breaches promptly.
Morgan Stanley failed to properly decommission computer devices containing unencrypted customer data, leading to the sale of devices with personal information at auction and missing servers with potential data. A multistate coalition secured a $6.5 million settlement requiring Morgan Stanley to implement enhanced data security measures.
$6.5M
New Jersey Attorney General Matthew Platkin announced a multistate settlement where Morgan Stanley will pay $1.27 million to NJ over data security incidents that compromised personal information of over 755,000 NJ residents and millions nationwide. The incidents involved improper decommissioning of devices and a software flaw, leading to unauthorized access. The settlement requires Morgan Stanley to strengthen its data security and disposal procedures.
$1.3M
US Radiology Specialists, Inc. failed to upgrade its firewall, leading to a ransomware attack that compromised the personal and health data of over 198,000 patients, including 92,000 New Yorkers. The company agreed to pay $450,000 in penalties and implement comprehensive data security measures, including encryption and data deletion policies.
$450K
New Jersey, leading a coalition of 41 other attorneys general, sued Meta for knowingly designing addictive Instagram and Facebook features targeting children and teens while falsely claiming the platforms were safe. The lawsuit alleges Meta collected personal data from users under 13 without parental consent, violating the federal Children's Online Privacy Protection Act (COPPA) and state consumer protection laws like the New Jersey Consumer Fraud Act.
A coalition of 42 attorneys general filed a federal lawsuit against Meta, alleging that the company designed addictive features that harm youth mental health and violated COPPA by collecting children's data without parental consent. The lawsuit seeks injunctive relief, monetary penalties, and restitution.
Connecticut Attorney General William Tong expanded the complaint against Stone Academy, alleging its owners siphoned millions for personal luxury while students were denied promised education and clinical training. Revenues surged during the pandemic, but exam pass rates fell and students lacked textbooks and qualified teachers. The AG seeks civil penalties, restitution, and a receiver to protect assets for student relief.
New York Attorney General Letitia James secured a $350,000 settlement from Personal Touch Holding Corporation for failing to protect patient and employee data. A ransomware attack in January 2021 compromised the personal and medical information of approximately 316,845 New Yorkers due to inadequate security measures. As part of the agreement, Personal Touch must pay penalties, enhance its cybersecurity program, and provide free credit monitoring to affected individuals.
$350K
The FTC and CFPB settled with Trans Union LLC and its subsidiary for violating the Fair Credit Reporting Act by including inaccurate and incomplete eviction records in tenant screening reports, harming consumers' ability to obtain housing. The settlement requires Trans Union to pay $15 million, with $11 million for consumer compensation and $4 million as a civil penalty, and to implement measures to ensure report accuracy and disclose data sources.
$15.0M
Blackbaud, a software company, experienced a ransomware attack in 2020 that exposed sensitive personal information, including protected health data, due to inadequate security practices and delayed breach notification. A multistate investigation resulted in a $49.5 million settlement, requiring Blackbaud to enhance data security, implement breach response plans, and undergo third-party assessments.
$49.5M
Blackbaud, a cloud company providing donor management software, experienced a 2020 data breach exposing personal information of millions of donors through its nonprofit customers. A multistate investigation found Blackbaud failed to implement adequate data security and delayed breach notifications. As a result, Blackbaud agreed to pay $49.5 million and overhaul its security practices.
$49.5M
Marymount Manhattan College suffered a data breach in 2021 affecting 99,097 New Yorkers. The New York Attorney General found that MMC failed to secure its network infrastructure and update security policies. As part of the agreement, MMC must invest $3.5 million over six years to improve data encryption, enable multi-factor authentication, and implement other security measures.
The FTC issued warnings to five tax preparation companies against using or disclosing consumer tax data for unrelated purposes like advertising without explicit consent. The agency cites its penalty offense authority, referencing a previous case against Beneficial Corp, and warns that such practices violate the FTC Act and could incur penalties up to $50,120 per violation. The notices highlight that using tracking technologies for data collection without consent is also prohibited.
California Attorney General Rob Bonta announced a $93 million settlement with Google for deceiving users about location tracking. Google continued to collect location data even after users opted out, violating California consumer protection laws. The settlement includes injunctive terms to enhance transparency and user controls over location settings.
$93.0M
The FTC settled with background report providers TruthFinder and Instant Checkmate, charging they deceived consumers about the accuracy of their reports (often mischaracterizing traffic tickets as criminal records) and violated the Fair Credit Reporting Act (FCRA) by operating as consumer reporting agencies without following its requirements, including ensuring accuracy and limiting permissible purposes. The companies will pay a $5.8 million penalty and implement a comprehensive FCRA compliance monitoring program.
$5.8M
California Attorney General Rob Bonta, alongside six county district attorneys, announced a $49 million settlement with Kaiser Foundation Health Plan, Inc. and Kaiser Foundation Hospitals resolving allegations of unlawful disposal of hazardous waste, medical waste, and protected patient health information. Investigations of 16 Kaiser facilities found hundreds of hazardous and medical waste items and over 10,000 paper records containing data of more than 7,700 patients in unsecured dumpsters. The settlement requires Kaiser to pay up to $49 million in penalties and compliance costs, retain an independent auditor for five years of regular audits, and implement enhanced waste and data disposal procedures.
$49.0M
California Attorney General Rob Bonta announced a $49 million settlement with Kaiser for illegally disposing of hazardous waste, medical waste, and protected patient information at facilities statewide. The settlement resolves allegations of violations under health privacy and environmental laws, requiring Kaiser to pay penalties, implement compliance measures, and undergo independent audits.
$49.0M
The FTC finalized an order against 1Health.io for failing to secure genetic data and unfairly changing its privacy policy. The company must pay $75,000 for consumer refunds, destroy DNA samples, and implement security measures. It deceived consumers about data deletion and shared data without proper consent.
$75K
The FTC settled charges against Experian Consumer Services for violating the CAN-SPAM Act by sending marketing emails to consumers who signed up for credit management accounts without providing an opt-out mechanism. The emails promoted products like Experian Boost and Dark Web scans but lacked unsubscribe links. Experian must pay $650,000 and is prohibited from future violations.
$650K
Attorney General William Tong of Connecticut led a bipartisan coalition of 30 state attorneys general in submitting comments to the Federal Trade Commission. The comments aim to improve collaboration between the FTC and state AGs to prevent and prosecute unfair and deceptive practices, addressing issues raised by the AMG Capital decision that may limit restitution. The coalition emphasizes the importance of joint efforts for national consumer protection.
Attorney General William Tong of Connecticut joined a bipartisan coalition of 44 attorneys general to issue a letter supporting the G.U.A.R.D. VA Benefits Act. The legislation aims to hold unaccredited and unregulated actors accountable for defrauding veterans applying for VA benefits by requiring proper accreditation and imposing penalties, as unaccredited services waste veterans' money and time and may lead to fraud and identity theft.
All data sourced from official government enforcement pages.