This report covers State AG enforcement activity in privacy, cybersecurity, and artificial intelligence through April 2026, drawing on 314 tracked enforcement activities — including regulatory investigations and actions, regulator sweeps, and stated regulator enforcement priorities.*
2025 saw 99 actions — up 52% over 2024's 65. At current pace, 2026 projects to ~135.
See Historical Overview →43 actions filed Jan–Apr 2026, including major AI enforcement and multistate coalitions.
See Period in Review →AI enforcement continues its surge: 14 actions in 2025 (up 56% from 9 in 2024), with 12 already in 2026 through April.
See Category Breakdown →Excluding mega-settlements, 57 actions produced $241.1M — the real enforcement cost baseline for most companies.
See Settlement Analysis →AI enforcement acceleration, multistate coalition expansion, and Privacy as the dominant enforcement vector.
Read Analysis →Resolution patterns, multistate defense coordination, and practical response considerations.
Read Defense Dynamics →AI governance, children's data audits, data broker monitoring, and multistate preparedness.
Read Guidance →Cumulative enforcement trends since the dataset's earliest entries. Action volume, category distribution, geographic concentration, and year-over-year momentum.
New enforcement actions filed during the current reporting period (January–April 2026).
Three-level enforcement taxonomy with a one-to-one relationship between categories. Each L3 tag belongs to exactly one L2 subcategory under one L1 category. Click any category or subcategory to expand.
Financial outcomes of AG enforcement. 69 of 266 investigations & actions (25.9%) resulted in monetary settlements.* Outlier settlements are defined as those ≥$40M (12 actions, 96% of total settlement dollars) and are analyzed separately to reveal the typical enforcement baseline.
Industry classification based on NAICS sector codes assigned to each defendant in the dataset.
| Industry | Actions w/ $ | Average | Median | Total |
|---|---|---|---|---|
| Finance & Insurance | 11 | $9.4M | $3.0M | $103.4M |
| Information / Tech | 10 | $5.1M | $765K | $51.3M |
| Admin / Support Services | 5 | $4.2M | $50K | $21.2M |
| Real Estate | 2 | $3.9M | $3.9M | $7.8M |
| Retail Trade | 9 | $3.3M | $400K | $29.9M |
| Professional Services | 6 | $2.0M | $350K | $12.1M |
| Healthcare | 8 | $1.2M | $498K | $9.5M |
| Wholesale Trade | 3 | $950K | $500K | $2.9M |
Privacy enforcement actions during the current reporting period (January–April 2026). 27 of 43 period actions (63%) are Privacy-related — the dominant enforcement category by volume. Full list in Appendix A →
Cybersecurity enforcement actions during the current reporting period (January–April 2026). While only 4 actions this period, they signal expanding scrutiny of security program adequacy beyond traditional data breach response. Full list in Appendix A →
3 of 4 cybersecurity actions this period target security program deficiencies without a preceding breach — a departure from the historically breach-driven enforcement model. These actions signal AG willingness to challenge security adequacy of consumer technology products proactively. This will likely increase as companies are required to certify security compliance under the CCPA.
AG enforcement has extended into connected device and network infrastructure security — territory traditionally occupied by federal regulators. Tags include critical infrastructure/OT, governance/board oversight, and third-party vendor security.
Artificial intelligence enforcement actions during the current reporting period (January–April 2026). With 12 actions — already approaching 2025's full-year total of 14 — AI is the fastest-growing enforcement category. Full list in Appendix A →
| Date | State / Coalition | Action |
|---|---|---|
| Apr 2 | Oregon | AI governance / risk management guidance, AI transparency |
| Mar 31 | 42-State AG Coalition | Letter to Congress backing AI chatbot safety / warning labels for social media platforms |
| Mar 24 | New Mexico | AI governance priorities — government/law enforcement AI focus |
| Mar 17 | Pennsylvania | Consumer-facing AI chatbot safety guidance |
| Mar 12 | Pennsylvania | AI transparency, synthetic media/deepfake enforcement priorities |
| Feb 27 | Pennsylvania | AI governance, deceptive AI practices enforcement framework |
| Jan 15 | New Mexico | AI industry guidance — governance, synthetic media, fraud |
| Jan 13 | Arkansas | AI governance / risk management priorities |
The three largest coalitions in the entire dataset are all AI actions from this period, including coalitions involving 57, 42 and 35 states and territories. AG offices are using coalition size as a force multiplier to signal unified enforcement intent on AI.
4 of 12 AI actions this period involve synthetic media, provenance, or labeling — making it the second most common AI tag after governance. A multi-stake action against a social media company and multiple state guidance documents target AI-generated content without adequate disclosure.
7 of 12 AI actions are published guidance, advisories, or enforcement framework announcements — AGs are building the enforcement playbook in real time. Pennsylvania alone issued 4 AI-related enforcement signals this period.
Analytical observations from the current dataset (314 actions through April 2026).*
AI actions grew from 9 in 2024 to 14 in 2025 (+56%). 2026 already has 12 through April — pacing well above full-year 2025. AI Governance and Deceptive AI Practices are the leading enforcement theories.
83 actions (26%) involve 5+ state AGs acting in concert. Multistate actions have grown from 3 in 2020 to 31 in 2025, representing a 10x increase in coordinated enforcement.
Privacy actions represent 203 of 314 total actions (64.6%), dwarfing Cybersecurity (23.9%) and AI (11.5%). Within Privacy, Children's Data (78 tags), Notice/Transparency (70), and Platform Data Practices (60) are the highest-volume enforcement areas.
How enforcement actions unfold, how companies respond, and what defense strategies the data reveals. This section tracks resolution patterns, multistate coordination mechanics, and the practical realities of AG investigations.
A Civil Investigative Demand is the first — and often most consequential — inflection point in AG enforcement. Early decisions on scope objections, privilege assertions, and the framing of voluntary submissions shape the trajectory of the entire investigation. The data suggests companies that engage substantively in the CID phase — using regulatory intelligence to anticipate the AG’s theory of the case, narrow overbroad demands, and offer credible compliance narratives — are more likely to resolve matters without a formal action or with significantly narrowed injunctive relief. Conversely, reactive or formulaic CID responses tend to harden AG positions and expand the scope of subsequent enforcement. Practical strategy includes assessing multistate exposure early (CIDs frequently coordinate across jurisdictions), preserving evidence and legal hold posture, and treating the CID as a vehicle for a strategic dialogue rather than a discovery exchange.
With 83 multistate actions in the dataset, companies must prepare for coordinated investigations. Lead AG dynamics and achieving global resolution are critical defense considerations.
The median non-outlier settlement creates meaningful but manageable exposure. 74% of investigations & actions result in no monetary payment, suggesting that compliance posture and early engagement significantly affect outcomes. The real cost often lies in injunctive relief and ongoing compliance obligations.
Practical takeaways from the data.
With 26 AI enforcement actions in 2025–2026 alone, companies deploying generative AI, automated decision-making, or consumer-facing AI assistants should audit compliance against emerging AG enforcement theories — particularly AI transparency, deceptive practices, and synthetic media labeling.
Children's/Minor Data appears in 80 actions across the dataset. Platform safety, COPPA-adjacent practices, and social media data collection remain top enforcement priorities. A 57-state AG coalition signals the broadest coordinated action yet on AI safety for minors.
Data broker/aggregation tags appear in 21 actions, with adtech/tracking in 19 more. New state registration requirements and data sharing enforcement are expanding scope. Companies should assess whether their data practices trigger broker classification.
27% of enforcement actions involve 5+ states. Companies receiving a CID from one AG should anticipate multistate interest. Develop response playbooks for coordinated investigations — the average multistate coalition in 2025–2026 involves increasingly larger groups of participating offices.
All 43 enforcement activities filed January–April 2026, organized by type.
| Date | Entity Type | Category | Lead State | States | Settlement |
|---|---|---|---|---|---|
| Apr 24 | Online Prediction Markets | Privacy | Maryland | 1 | — |
| Apr 23 | Individuals | Privacy | Nevada | 1 | — |
| Apr 21 | Data Broker (Settlement) | Privacy | Alabama | 1 | — |
| Apr 21 | Video Game Provider | Privacy | Alabama | 1 | — |
| Apr 10 | AI Company | AI | Delaware | 1 | — |
| Mar 31 | Social Media Company | Privacy | Connecticut | 4 | — |
| Mar 31 | Communications Company | Cyber | Connecticut | 2 | $515,000 |
| Mar 23 | Genetic Testing Company | Privacy | South Dakota | 1 | — |
| Mar 12 | Two Juveniles | Privacy | Pennsylvania | 1 | — |
| Mar 3 | Sports Streaming Platform | Privacy | California | 1 | — |
| Feb 27 | Automotive Manufacturer | Privacy | California | 1 | — |
| Feb 27 | AI Company | AI | Pennsylvania | 1 | — |
| Feb 26 | Consumer Electronics Manufacturer | Privacy | Texas | 1 | — |
| Feb 20 | Online Retailer (Fast Fashion) | Privacy | Texas | 1 | — |
| Feb 19 | Consumer Electronics Manufacturer | Cyber | West Virginia | 1 | — |
| Feb 19 | IoT / Security Camera Manufacturer | Cyber | Texas | 1 | — |
| Feb 18 | Drone Manufacturer | Privacy | Texas | 1 | — |
| Feb 17 | Network Equipment Manufacturer | Cyber | Texas | 1 | — |
| Feb 17 | Social Media Companies | Privacy | Oklahoma | 1 | — |
| Feb 11 | Media & Entertainment Company | Privacy | California | 1 | — |
| Feb 4 | Industry Trade Association | Privacy | Tennessee | 1 | — |
| Feb 2 | Pharmaceutical Companies | Privacy | Connecticut | 1 | — |
| Jan 14 | AI Company | AI | California | 36 | — |
| Jan 8 | AI Company (Chatbot Provider) | AI | Kentucky | 57 | — |
| Jan 8 | Grocery Delivery Platform | Privacy | New York | 1 | — |
| Jan 8 | Data Broker | Privacy | California | 1 | $45,000 |
| Jan 1 | Industry Trade Association | Privacy | Virginia | 1 | — |
| Date | Jurisdiction / Description | Category | Lead State |
|---|---|---|---|
| Apr 16 | Alabama — Privacy enforcement priorities | Privacy | Alabama |
| Apr 2 | Oregon — AI governance / risk management guidance | AI | Oregon |
| Mar 31 | 42-State AG Coalition — Letter to Congress backing social media warning labels / AI chatbot safety | AI | Connecticut |
| Mar 24 | New Mexico — AI governance priorities (government/law enforcement AI) | AI | New Mexico |
| Mar 17 | Pennsylvania — Consumer-facing AI chatbot safety guidance | AI | Pennsylvania |
| Mar 16 | Ohio — Privacy enforcement priorities (notice/transparency, data governance) | Privacy | Ohio |
| Mar 12 | Pennsylvania — AI transparency / synthetic media enforcement framework | AI | Pennsylvania |
| Feb 27 | Pennsylvania — AI governance / deceptive AI practices enforcement priorities | AI | Pennsylvania |
| Feb 26 | Oklahoma — AG statement on DOJ request for voter data (financial/identity data) | Privacy | Oklahoma |
| Feb 19 | Pennsylvania — Email marketing / CAN-SPAM enforcement guidance | Privacy | Pennsylvania |
| Jan 15 | New Mexico — AI industry guidance (governance, synthetic media, fraud) | AI | New Mexico |
| Jan 13 | Arkansas — AI governance / risk management priorities | AI | Arkansas |
| Date | Target / Description | Category | Lead State |
|---|---|---|---|
| Mar 2 | South Carolina — Unnamed privacy investigations (2 actions) | Privacy | South Carolina |
| Jan 13 | New York — Data broker industry sweep | Privacy | New York |
| Jan 1 | Oregon — Global Privacy Control compliance sweep | Privacy | Oregon |