“Regulators are shifting their efforts away from awareness to full scale enforcement,” Gartner’s analysis concluded — a shift that played out in dollars and investigations across the United States in 2025.
Gartner: $3.45 billion in privacy fines in 2025, larger than the prior five years combined
Research and advisory firm Gartner reported that U.S. states issued $3.45 billion in privacy-related fines in 2025 — a total the firm says exceeds the sum of the previous five years. Gartner attributes the surge to stronger state laws, interstate enforcement coordination, and renewed scrutiny of how AI and automation use personal data. The firm’s analysis adds that the pattern marks a move from education and guidance toward “full scale enforcement,” and forecasts that trend persisting into 2026 and the subsequent two years.
California’s enforcement turns on after years of dormancy
The California Consumer Privacy Act’s consumer privacy provisions went live in 2023, but enforcement was initially muted. In 2025 that changed dramatically. Gartner’s Nader Heinen, a data protection and AI analyst and co-author of the research, said the California Privacy Protection Agency used the law to pursue violations across a broad swath of industries — “not just large conglomerates, but smaller and mid-sized companies in tech, the auto industry, and consumer products, including off-the-shelf goods and apparel.”
Heinen said the long gap between enactment and sustained enforcement allowed some organizations to relax privacy controls. “Unfortunately what happens when so much time passes between the legislation and starting enforcement regularly, is a lot of organizations let their privacy program atrophy,” he said, and those compliance gaps helped make 2025 a “harsh” year for companies that “weren’t paying attention.”
Ten states form the Consortium of Privacy Regulators to coordinate cross-border cases
States have moved beyond single-state actions. Last year ten states formed the Consortium of Privacy Regulators, pledging to coordinate investigations and enforcement of common privacy laws — particularly around access, deletion, and preventing the sale of personal information. Gartner highlights this kind of interstate partnership as a key factor in concentrating resources and pursuing violators whose operations cross state lines.
AI, automated decision-making, and the shifting target of privacy rules
Beyond traditional data-protection frameworks, states have updated laws to address harms tied to automated decision-making and AI. State regulators are especially focused on how personal data is used to train AI systems and how those systems make inferences about people. Gartner expects fines to continue rising as regulators and legislators build legal infrastructure to confront AI-related privacy risks.
Heinen framed the political and social drivers behind that push: “You have to put yourself in the position of these state legislatures. Their constituencies – the voting public – is telling them we’re worried about AI. AI anxiety is a thing. Everybody’s worried about whether AI is going to take their job or impact their capacity to find a job, so they want to see legislation in place to protect them.”
What this means for technologists, policymakers, and consumers
- Technologists and security teams: Expect enforcement attention on how datasets are collected and used to train models. Gartner’s findings point to greater scrutiny of data practices supporting automated decision-making and inferences — a focal point for forthcoming investigations and penalties.
- Policymakers and regulators: States are currently the engines of enforcement and legal development. The Consortium of Privacy Regulators and California’s stepped-up actions show how subnational bodies are coordinating rules and penalties, and Gartner expects states to keep leading on privacy in the AI era.
- Consumers and businesses: Consumers gain more active enforcement protecting access, deletion, and restrictions on data sales; businesses — including smaller and mid-sized firms — face heightened risk and fines if compliance programs have atrophied since passage of modern privacy laws.
Tensions between state-led enforcement and federal proposals are already visible. This past month House Republicans unveiled a bill that would preempt tougher state laws like California’s. Tom Kemp, executive director of the California Privacy Protection Agency, wrote to House Energy and Commerce Chair Brett Guthrie to oppose the measure, warning it would provide “a ceiling” for Americans’ data privacy protections rather than a “floor” on which to build, and arguing that “Preemption would strip away important existing state privacy provisions that protect tens of millions of Americans now.”
The record fines of 2025 close a chapter in which regulators largely used guidance and restraint, and begin another in which enforcement, interstate cooperation, and AI-era privacy questions will shape corporate behavior. Whether Congress will move to preempt state rules — and how states will respond if it does — remains the immediate policy fault line; Gartner’s analysis suggests regulators have only just begun to recalibrate the balance between education and enforcement.
https://cyberscoop.com/privacy-companies-hit-with-record-fines-2025-gartner/




