Enforcement | March 28, 2026 | 8 min read

Privacy Enforcement Roundup: Q1 2026 — Over $4M in Fines and a New Multi-State Trend


Q1 2026: A Record-Setting Quarter for Privacy Enforcement

The first quarter of 2026 has been the most active period for US state privacy enforcement since comprehensive privacy laws began taking effect. Between January and March 2026, regulators imposed over $4.6 million in fines across multiple enforcement actions — with California's CPPA leading the charge and multi-state cooperation emerging as a new enforcement model.

Here is a complete roundup of every major enforcement action from Q1 2026, along with lessons for businesses navigating compliance.

California CPPA Enforcement Actions

Disney — $2.75 Million (February 2026)

The California Privacy Protection Agency (CPPA) fined a major streaming company $2.75 million for consumer opt-out missteps — the largest CCPA enforcement settlement to date. The company failed to properly process consumer requests to opt out of the sale and sharing of their personal information, and did not adequately honor Global Privacy Control signals on its streaming platforms.

Key takeaway: Businesses must ensure that their opt-out mechanisms actually stop data flows to third parties, not just record a preference. The CPPA specifically found that the company continued sharing data with advertising partners even after consumers had exercised their opt-out rights.

Ford Motor Company — $375,703 (March 2026)

The CPPA fined Ford for adding unnecessary friction to the consumer opt-out process. Ford required consumers to verify their email address before processing their opt-out requests — those who did not click a confirmation link had their requests silently ignored. This was the second enforcement action from the CPPA's connected vehicles investigative sweep.

Key takeaway: Opt-out requests should not require identity verification. Adding extra steps that discourage consumers from completing the opt-out process — even something as simple as an email confirmation — can constitute a dark pattern violation.

PlayOn Sports — $1.1 Million (March 2026)

PlayOn Sports was fined $1.1 million for violations related to the collection and sharing of personal information, including failing to provide adequate notice and opt-out rights to consumers whose data was being used for advertising purposes.

Key takeaway: Companies that monetize user data through advertising must provide clear disclosure and easy-to-use opt-out mechanisms, regardless of the size of the company or the nature of the platform.

S&P Global — $62,600 (January 2026)

The CPPA fined S&P Global for failing to register as a data broker under the California Delete Act (SB 362). The company failed to register due to an administrative error and promptly complied after discovering the oversight.

Key takeaway: Data broker registration is a strict liability obligation in California. Businesses should proactively determine whether they qualify as data brokers and register before the deadline, as the CPPA has shown it will fine even companies that fix their status quickly.

Multi-State Enforcement: A New Model

Comstar — $515,000 (January 2026)

In a significant multi-state action, the Massachusetts and Connecticut Attorneys General jointly settled with Comstar, an ambulance billing vendor, for $515,000 ($415,000 to Massachusetts, $100,000 to Connecticut). The settlement followed a 2022 ransomware attack that exposed the personal and medical information of 585,621 individuals, including Social Security numbers, driver's license numbers, financial account details, and medical records.

The AGs found that Comstar failed to conduct adequate risk assessments, implement reasonable data security measures, and maintain proper incident response procedures. As part of the settlement, Comstar must implement a comprehensive information security program, appoint a CISO, and submit regular compliance reports.

Key takeaway: Multi-state coordination between AGs is a growing trend. When a data breach affects residents of multiple states, businesses should expect enforcement actions from multiple jurisdictions. The Comstar settlement also shows that even relatively small companies face significant penalties for inadequate data security.

Enforcement Trends to Watch

1. Opt-Out Compliance Is the #1 Priority

Three of the four CPPA actions in Q1 2026 involved opt-out violations. Regulators are specifically checking whether businesses honor GPC signals, whether opt-out links are present and functional, and whether the data flows actually stop after an opt-out is exercised. Use our GPC Compliance Checker to assess your obligations.

2. Connected Vehicles Are Under Scrutiny

The Ford enforcement was the second action from the CPPA's connected vehicles sweep (the first was a $5.5M fine against a car manufacturer in late 2025). Companies that collect data through connected cars, IoT devices, and mobile apps should expect continued regulatory attention.

3. Multi-State AG Cooperation Is Accelerating

The Comstar settlement involved two state AGs working in tandem. The GPC enforcement sweep involved three states (California, Colorado, Connecticut). Expect this pattern to expand as more states build enforcement capacity under their new privacy laws.

4. Data Broker Registration Is Actively Enforced

The S&P Global fine signals that the CPPA is proactively auditing data broker registration compliance. With new data broker registration requirements taking effect in California, Oregon, Vermont, and Texas, businesses should verify their registration status immediately.

How to Protect Your Business

  1. Audit your opt-out mechanisms — test them quarterly. Make sure GPC signals are detected and honored, and that data sharing actually stops when a consumer opts out.
  2. Check your data broker status — if you collect and sell consumer data, you may need to register in multiple states.
  3. Implement reasonable data security — the Comstar case shows that basic security failures (inadequate risk assessments, missing incident response plans) trigger enforcement even under breach notification laws.
  4. Document everything — maintain records of your compliance efforts, privacy policy updates, data processing agreements, and DSAR responses.
  5. Use our tools — run your business through the privacy law calculator to see which laws apply, and check the enforcement tracker for the latest actions.

View all enforcement actions on our penalties tracker, and use the state law comparison tool to understand how enforcement mechanisms differ across states.

Last updated: March 28, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.