State Attorney General Enforcement

Privacy, Security & AI
Enforcement Report

January – April 2026
Report Period   Bi-Monthly Edition 1
Dataset   314 enforcement activities*
01
Executive Summary

This report covers State AG enforcement activity in privacy, cybersecurity, and artificial intelligence through April 2026, drawing on 314 tracked enforcement activities — including regulatory investigations and actions, regulator sweeps, and stated regulator enforcement priorities.*

📋Enforcement activities tracked in this report include formal regulatory investigations and actions (e.g., CIDs, consent orders, lawsuits, settlements), regulator sweeps (coordinated multi-target or multi-state enforcement campaigns), and stated regulator enforcement priorities (published guidance, advisories, and formal policy announcements signaling intended enforcement focus areas).

Key Findings

+52%

Year-over-Year Enforcement Growth

2025 saw 99 actions — up 52% over 2024's 65. At current pace, 2026 projects to ~135.

See Historical Overview →
48

2026 Actions YTD

43 actions filed Jan–Apr 2026, including major AI enforcement and multistate coalitions.

See Period in Review →
12

AI Actions in 2026 YTD

AI enforcement continues its surge: 14 actions in 2025 (up 56% from 9 in 2024), with 12 already in 2026 through April.

See Category Breakdown →
$241.1M

Non-Outlier Settlement Baseline

Excluding mega-settlements, 57 actions produced $241.1M — the real enforcement cost baseline for most companies.

See Settlement Analysis →

Analysis & Guidance

Insights & Trends

What the data tells us

AI enforcement acceleration, multistate coalition expansion, and Privacy as the dominant enforcement vector.

Read Analysis →
Response & Defense

How to respond when it happens

Resolution patterns, multistate defense coordination, and practical response considerations.

Read Defense Dynamics →
Compliance Corner

What to do proactively

AI governance, children's data audits, data broker monitoring, and multistate preparedness.

Read Guidance →
02
Historical Overview

Cumulative enforcement trends since the dataset's earliest entries. Action volume, category distribution, geographic concentration, and year-over-year momentum.

Total Actions Tracked
314
Since 2020 · Primary growth since 2022*
2026 YTD Actions
48
Proj. ~135 annualized
Total Settlements
$5.56B
69 resolved actions
Excl. Outliers
$241.1M
57 non-outlier settlements
Multistate Actions
83
26% of all actions involve 5+ states
Actions by Year (Stacked by Category)
YoY % change shown · 2026 data through April · Projection based on YTD run-rate · *Excludes 37 NC robocall sweep actions
0501001501307202042021-43%312022+675%462023+48%652024+41%992025+52%462026*thru Apr+31% proj.~130 proj.PrivacyCybersecurityAIProjected
Actions by Category (All Time)
Distribution across 314 enforcement activities* · Excludes NC robocall sweep
314 activities* Privacy203 (64.6%) Cybersecurity75 (23.9%) AI36 (11.5%)
Enforcement Activity Type
Classification of tracked enforcement activities
314 activities* Investigations & Actions 266 (84.7%) Stated Regulator Priorities 31 (9.8%) Regulator Sweeps 17 (5.4%)
Top 10 Most Active States
By number of actions initiated (as lead state)*
California32
New York27
North Carolina24
Texas19
Connecticut11
Oregon11
West Virginia11
Pennsylvania10
Oklahoma9
Hawaii8
Monthly Actions: 12-Month Lookback (Year-over-Year)
Current (May '25 – Apr '26) vs. prior year (May '24 – Apr '25) · Total: 104 vs. 87 (+20%)
2
8
May
+300%
9
8
Jun
-11%
4
8
Jul
+100%
5
10
Aug
+100%
4
4
Sep
0%
12
5
Oct
-58%
3
4
Nov
+33%
10
14
Dec
+40%
10
9
Jan
-10%
10
15
Feb
+50%
10
12
Mar
+20%
8
7
Apr
-12%
Prior Year (May '24 – Apr '25)
Current (May '25 – Apr '26)
03
Period in Review

New enforcement actions filed during the current reporting period (January–April 2026).

New Enforcement Activities This Period
43 enforcement activities filed January–April 2026 · Full list in Appendix A →
Total This Period
43
Jan–Apr 2026
Investigations & Actions
27
Named defendants
Stated Priorities
12
Guidance, advisories & AG coalition statements
Regulator Sweeps
4
Industry-wide actions
Settlements
$560K
2 actions with monetary outcomes
04
Enforcement by Category

Three-level enforcement taxonomy with a one-to-one relationship between categories. Each L3 tag belongs to exactly one L2 subcategory under one L1 category. Click any category or subcategory to expand.

Privacy 205 actions 4 subcategories · click to expand
Cybersecurity 75 actions 3 subcategories · click to expand
Artificial Intelligence 36 actions 4 subcategories · click to expand
Each enforcement activity belongs to one Level 1 Category, with one or more Level 2 Subcategories and Level 3 Tags assigned within that category · L3 tags have a one-to-one relationship with their L2 Subcategory
05
Settlement Analysis

Financial outcomes of AG enforcement. 69 of 266 investigations & actions (25.9%) resulted in monetary settlements.* Outlier settlements are defined as those ≥$40M (12 actions, 96% of total settlement dollars) and are analyzed separately to reveal the typical enforcement baseline.

Total Settlement Dollars
$5.56B
69 actions with payments
Outlier Settlements
$5.32B
12 actions (96% of total $)
Non-Outlier Total
$241.1M
57 actions — the baseline
No Payment
197
74% of investigations & actions
Total Settlement Payments by Year
Includes all settlements · Outliers dominate 2022–2025
$0$750M$1.5B$269.0M2020$3.5M2021$1.23B2022$1.11B2023$1.48B2024$1.42B2025$560K26*
Settlement Payments — Excluding Outliers
57 non-outlier settlements reveal the typical enforcement baseline
$0$30M$60M$44.5M2020$3.5M2021$56.2M2022$17.4M2023$27.2M2024$46.4M2025$560K26*2025 non-outlier settlements: highest on record
Settlement Central Tendencies
Average and median reveal the gap between headlines and typical exposure
All Settlements (n=69)
Average
$80.6M
Median
$1.25M
64× gap between mean and median — driven by 12 outlier settlements (≥$40M each)
Excluding Outliers (n=57)
Average
$4.2M
Median
$632K
This is the realistic enforcement baseline for most companies
Why this matters: The 64× gap between the all-in average ($80.6M) and the all-in median ($1.25M) shows how dramatically a handful of mega-settlements against two major technology companies and a credit reporting agency distort the picture. For the typical company facing AG enforcement, a median settlement of $632,500 (excluding outliers) is a far more relevant planning number than the headline-grabbing billion-dollar figures.
06
Industry Targets

Industry classification based on NAICS sector codes assigned to each defendant in the dataset.

Actions by Industry (NAICS Sector)
Top 10 industries by enforcement action volume
Information / Tech
113
Finance & Insurance
37
Professional Services
24
Public Administration
20
Retail Trade
17
Healthcare
11
Admin / Support Services
8
Manufacturing
5
Wholesale Trade
6
Hospitality
2
Settlement Statistics by Industry (Excl. Outliers)
Average and median settlements by NAICS sector · Industries with 2+ settlements
IndustryActions w/ $AverageMedianTotal
Finance & Insurance11$9.4M$3.0M$103.4M
Information / Tech10$5.1M$765K$51.3M
Admin / Support Services5$4.2M$50K$21.2M
Real Estate2$3.9M$3.9M$7.8M
Retail Trade9$3.3M$400K$29.9M
Professional Services6$2.0M$350K$12.1M
Healthcare8$1.2M$498K$9.5M
Wholesale Trade3$950K$500K$2.9M
Sorted by average settlement amount · Outlier settlements (≥$40M) excluded to show typical exposure
07
Privacy Focus

Privacy enforcement actions during the current reporting period (January–April 2026). 27 of 43 period actions (63%) are Privacy-related — the dominant enforcement category by volume. Full list in Appendix A →

Privacy Actions
27
Jan–Apr 2026 · 63% of period total
All-Time Privacy
203
64.6% of all 314 actions
YoY Trend
+59%
2024 (41) → 2025 (65)
Top Tag
Children's Data
10 tags this period · 78 all-time
Emerging Enforcement Themes
Period L3 tag distribution — Privacy enforcement areas active in Jan–Apr 2026
10 Children's / Minor Data
10 Data Governance
10 Notice / Transparency
6 Consumer Rights
5 Platform Data Practices
5 Data Sharing / Sale
4 Financial / Identity Data
4 Connected Devices / IoT
2 Data Brokers
2 Genetic / Health Data
08
Information Security Focus

Cybersecurity enforcement actions during the current reporting period (January–April 2026). While only 4 actions this period, they signal expanding scrutiny of security program adequacy beyond traditional data breach response. Full list in Appendix A →

Cyber Actions
4
Jan–Apr 2026 · 9% of period total
All-Time Cyber
75
23.9% of all 314 actions
YoY Trend
+33%
2024 (15) → 2025 (20)
Top Tag
Security Program
3 of 4 period actions cite deficiencies

Proactive Program Scrutiny

3 of 4 cybersecurity actions this period target security program deficiencies without a preceding breach — a departure from the historically breach-driven enforcement model. These actions signal AG willingness to challenge security adequacy of consumer technology products proactively.  This will likely increase as companies are required to certify security compliance under the CCPA.

IoT & Critical Infrastructure

AG enforcement has extended into connected device and network infrastructure security — territory traditionally occupied by federal regulators. Tags include critical infrastructure/OT, governance/board oversight, and third-party vendor security.

09
AI Focus

Artificial intelligence enforcement actions during the current reporting period (January–April 2026). With 12 actions — already approaching 2025's full-year total of 14 — AI is the fastest-growing enforcement category. Full list in Appendix A →

AI Actions
12
Jan–Apr 2026 · 28% of period total
All-Time AI
36
11.5% of all 314 actions
YoY Trend
+56%
2024 (9) → 2025 (14)
2026 Pace
~36
On track to nearly triple 2025
Regulator Sweeps & Stated Priorities
Published guidance, advisories, and AG coalition statements signaling AI enforcement priorities
DateState / CoalitionAction
Apr 2OregonAI governance / risk management guidance, AI transparency
Mar 3142-State AG CoalitionLetter to Congress backing AI chatbot safety / warning labels for social media platforms
Mar 24New MexicoAI governance priorities — government/law enforcement AI focus
Mar 17PennsylvaniaConsumer-facing AI chatbot safety guidance
Mar 12PennsylvaniaAI transparency, synthetic media/deepfake enforcement priorities
Feb 27PennsylvaniaAI governance, deceptive AI practices enforcement framework
Jan 15New MexicoAI industry guidance — governance, synthetic media, fraud
Jan 13ArkansasAI governance / risk management priorities

Massive Multistate Coalitions

The three largest coalitions in the entire dataset are all AI actions from this period, including coalitions involving  57, 42 and 35 states and territories.  AG offices are using coalition size as a force multiplier to signal unified enforcement intent on AI.

Synthetic Media & Deepfakes

4 of 12 AI actions this period involve synthetic media, provenance, or labeling — making it the second most common AI tag after governance. A multi-stake action against a social media company and multiple state guidance documents target AI-generated content without adequate disclosure.

State Frameworks Proliferating

7 of 12 AI actions are published guidance, advisories, or enforcement framework announcements — AGs are building the enforcement playbook in real time. Pennsylvania alone issued 4 AI-related enforcement signals this period.

10
Insights & Trends

Analytical observations from the current dataset (314 actions through April 2026).*

AI Enforcement Accelerating

AI actions grew from 9 in 2024 to 14 in 2025 (+56%). 2026 already has 12 through April — pacing well above full-year 2025. AI Governance and Deceptive AI Practices are the leading enforcement theories.

Multistate Coalitions Growing

83 actions (26%) involve 5+ state AGs acting in concert. Multistate actions have grown from 3 in 2020 to 31 in 2025, representing a 10x increase in coordinated enforcement.

Privacy Dominates Enforcement

Privacy actions represent 203 of 314 total actions (64.6%), dwarfing Cybersecurity (23.9%) and AI (11.5%). Within Privacy, Children's Data (78 tags), Notice/Transparency (70), and Platform Data Practices (60) are the highest-volume enforcement areas.

11
Response & Defense Dynamics

How enforcement actions unfold, how companies respond, and what defense strategies the data reveals. This section tracks resolution patterns, multistate coordination mechanics, and the practical realities of AG investigations.

Resolution Patterns
How tracked enforcement activities resolve · 25.9% of investigations & actions involve monetary settlement
314 activities* Investigation (no monetary) 197 (62.7%) Monetary Settlement 69 (22.0%) Stated Priorities 31 (9.9%) Regulator Sweeps 17 (5.4%)
Why this matters: The dominant resolution path is an investigation or action that closes without a monetary settlement — often via consent order, injunctive relief, or non-financial agreement. Companies that focus only on dollar exposure miss the operational cost of injunctive remediation, which can span years.
Settlement Velocity
Annual count of actions resolved with monetary settlement · Indicates pace of resolution activity
0 10 20 520202202110202212202318202420202522026* Monetary Settlements by Year of Action Initiation 2025 marks peak settlement velocity — 20 actions resolved with monetary outcomes
Note on methodology: The dataset captures action initiation dates and monetary outcomes but not closure dates, so a strict "duration to resolution" metric isn’t computable. This chart instead shows the year-over-year pace of monetary settlements, which is the best available proxy for resolution velocity and signals where AG enforcement is converting from investigation to outcome.

CID Response Strategy

A Civil Investigative Demand is the first — and often most consequential — inflection point in AG enforcement. Early decisions on scope objections, privilege assertions, and the framing of voluntary submissions shape the trajectory of the entire investigation. The data suggests companies that engage substantively in the CID phase — using regulatory intelligence to anticipate the AG’s theory of the case, narrow overbroad demands, and offer credible compliance narratives — are more likely to resolve matters without a formal action or with significantly narrowed injunctive relief. Conversely, reactive or formulaic CID responses tend to harden AG positions and expand the scope of subsequent enforcement. Practical strategy includes assessing multistate exposure early (CIDs frequently coordinate across jurisdictions), preserving evidence and legal hold posture, and treating the CID as a vehicle for a strategic dialogue rather than a discovery exchange.

Multistate Defense Coordination

With 83 multistate actions in the dataset,  companies must prepare for coordinated investigations. Lead AG dynamics and achieving global resolution are critical defense considerations.

Settlement Economics

The median non-outlier settlement creates meaningful but manageable exposure. 74% of investigations & actions result in no monetary payment, suggesting that compliance posture and early engagement significantly affect outcomes. The real cost often lies in injunctive relief and ongoing compliance obligations.

12
Compliance Corner

Practical takeaways from the data.

Review AI Governance Frameworks

With 26 AI enforcement actions in 2025–2026 alone, companies deploying generative AI, automated decision-making, or consumer-facing AI assistants should audit compliance against emerging AG enforcement theories — particularly AI transparency, deceptive practices, and synthetic media labeling.

Audit Children's Data Practices

Children's/Minor Data appears in 80 actions across the dataset. Platform safety, COPPA-adjacent practices, and social media data collection remain top enforcement priorities. A 57-state AG coalition signals the broadest coordinated action yet on AI safety for minors.

Monitor Data Broker & Adtech Exposure

Data broker/aggregation tags appear in 21 actions, with adtech/tracking in 19 more. New state registration requirements and data sharing enforcement are expanding scope. Companies should assess whether their data practices trigger broker classification.

Prepare for Multistate Inquiries

27% of enforcement actions involve 5+ states. Companies receiving a CID from one AG should anticipate multistate interest. Develop response playbooks for coordinated investigations — the average multistate coalition in 2025–2026 involves increasingly larger groups of participating offices.

A
Appendix A — List of AG Actions

All 43 enforcement activities filed January–April 2026, organized by type.

Investigations & Actions (27)
Generic entity descriptions for regulatory investigations, enforcement actions, consent orders, and lawsuits against business defendants
DateEntity TypeCategoryLead StateStatesSettlement
Apr 24Online Prediction MarketsPrivacyMaryland1
Apr 23IndividualsPrivacyNevada1
Apr 21Data Broker (Settlement)PrivacyAlabama1
Apr 21Video Game ProviderPrivacyAlabama1
Apr 10AI CompanyAIDelaware1
Mar 31Social Media CompanyPrivacyConnecticut4
Mar 31Communications CompanyCyberConnecticut2$515,000
Mar 23Genetic Testing CompanyPrivacySouth Dakota1
Mar 12Two JuvenilesPrivacyPennsylvania1
Mar 3Sports Streaming PlatformPrivacyCalifornia1
Feb 27Automotive ManufacturerPrivacyCalifornia1
Feb 27AI CompanyAIPennsylvania1
Feb 26Consumer Electronics ManufacturerPrivacyTexas1
Feb 20Online Retailer (Fast Fashion)PrivacyTexas1
Feb 19Consumer Electronics ManufacturerCyberWest Virginia1
Feb 19IoT / Security Camera ManufacturerCyberTexas1
Feb 18Drone ManufacturerPrivacyTexas1
Feb 17Network Equipment ManufacturerCyberTexas1
Feb 17Social Media CompaniesPrivacyOklahoma1
Feb 11Media & Entertainment CompanyPrivacyCalifornia1
Feb 4Industry Trade AssociationPrivacyTennessee1
Feb 2Pharmaceutical CompaniesPrivacyConnecticut1
Jan 14AI CompanyAICalifornia36
Jan 8AI Company (Chatbot Provider)AIKentucky57
Jan 8Grocery Delivery PlatformPrivacyNew York1
Jan 8Data BrokerPrivacyCalifornia1$45,000
Jan 1Industry Trade AssociationPrivacyVirginia1
Stated Regulator Enforcement Priorities (12)
Published guidance, advisories, AG coalition letters, and enforcement framework announcements
DateJurisdiction / DescriptionCategoryLead State
Apr 16Alabama — Privacy enforcement prioritiesPrivacyAlabama
Apr 2Oregon — AI governance / risk management guidanceAIOregon
Mar 3142-State AG Coalition — Letter to Congress backing social media warning labels / AI chatbot safetyAIConnecticut
Mar 24New Mexico — AI governance priorities (government/law enforcement AI)AINew Mexico
Mar 17Pennsylvania — Consumer-facing AI chatbot safety guidanceAIPennsylvania
Mar 16Ohio — Privacy enforcement priorities (notice/transparency, data governance)PrivacyOhio
Mar 12Pennsylvania — AI transparency / synthetic media enforcement frameworkAIPennsylvania
Feb 27Pennsylvania — AI governance / deceptive AI practices enforcement prioritiesAIPennsylvania
Feb 26Oklahoma — AG statement on DOJ request for voter data (financial/identity data)PrivacyOklahoma
Feb 19Pennsylvania — Email marketing / CAN-SPAM enforcement guidancePrivacyPennsylvania
Jan 15New Mexico — AI industry guidance (governance, synthetic media, fraud)AINew Mexico
Jan 13Arkansas — AI governance / risk management prioritiesAIArkansas
Regulator Sweeps (4)
Coordinated, industry-wide enforcement campaigns
DateTarget / DescriptionCategoryLead State
Mar 2South Carolina — Unnamed privacy investigations (2 actions)PrivacySouth Carolina
Jan 13New York — Data broker industry sweepPrivacyNew York
Jan 1Oregon — Global Privacy Control compliance sweepPrivacyOregon
*Action counts in this report (314) exclude 37 North Carolina robocall enforcement actions filed on August 7, 2025 as part of a single coordinated VoIP provider sweep. These Communications Privacy actions, while valid enforcement activity, would disproportionately skew state ranking and trend data. Including these actions, the total dataset contains 351 enforcement actions. Settlement figures are unaffected (all excluded actions carried $0 settlements).
Troutman Pepper Locke|State AG Privacy, Security & AI Enforcement Report
Edition 1  |  January–April 2026  |  314 actions through April 30, 2026*  |  troutman.com