Guides | March 28, 2026 | 11 min read

State Privacy Law Penalties and Fines: Complete 2026 Guide

What Are the Penalties for Violating State Privacy Laws?

US state privacy laws carry real financial consequences. In Q1 2026 alone, California regulators issued over $4 million in fines across three enforcement actions. And California is no longer the only state with teeth — Texas, Connecticut, Oregon, and others are actively investigating violations and building enforcement capacity.

This guide breaks down the penalty structures across all 20 state privacy laws, shows you what recent enforcement looks like in practice, and explains how to minimize your risk.

Penalty Amounts by State

Every state privacy law establishes per-violation penalties enforced by the state Attorney General (or, in California’s case, also the CPPA). Here’s how they compare:

State | Max Penalty Per Violation | Cure Period | Enforcer
California (CCPA/CPRA) | $2,500 standard / $7,500 intentional or involving minors | None (eliminated) | AG + CPPA
Virginia (VCDPA) | $7,500 | 60 days | AG
Colorado (CPA) | $20,000 (under CCPA provisions) | 60 days (sunsets Jan 2025) | AG
Connecticut (CTDPA) | $5,000 (CUTPA penalties) | 60 days (sunsets Dec 2024) | AG
Utah (UCPA) | $7,500 | 30 days | AG
Texas (TDPSA) | $25,000 | 30 days | AG
Oregon (OCPA) | $7,500 | None (expired Jan 2026) | AG
Montana (MCDPA) | $7,500 | 60 days | AG
Delaware (DPDPA) | $10,000 | 60 days (sunsets Dec 2025) | AG
Iowa (ICDPA) | $7,500 | 90 days | AG
Nebraska (NDPA) | $7,500 | 30 days | AG
New Hampshire (NHPA) | $10,000 | 60 days | AG
New Jersey (NJDPA) | $10,000 first / $20,000 subsequent | 30 days | AG
Tennessee (TIPA) | $15,000 | 60 days | AG
Minnesota (MCDPA) | $7,500 | 30 days | AG
Maryland (MODPA) | $10,000 first / $25,000 subsequent | 60 days | AG
Indiana (ICDPA) | $7,500 | 30 days | AG
Kentucky (KCDPA) | $7,500 | 30 days | AG
Rhode Island (RIDTPPA) | $10,000 | None | AG
Oklahoma (OKCDPA) | $7,500 | 30 days | AG

Key takeaway: Penalties are assessed per violation, which typically means per affected consumer per violation. A single compliance failure affecting thousands of consumers can quickly escalate into millions of dollars.

Real Enforcement Cases: What Fines Actually Look Like

Understanding the penalty ranges on paper is one thing — seeing how regulators actually apply them tells the real story. Visit our Enforcement Actions Tracker for the complete database. Here are the most notable cases from early 2026:

Disney — $2.75 Million (February 2026)

The Walt Disney Company settled a CCPA class action for $2.75 million related to data collection and sharing practices across its digital properties. The case alleged Disney failed to provide adequate notice of data collection and did not honor opt-out requests consistently across its streaming and theme park platforms.

PlayOn Sports — $1.1 Million (March 2026)

The CPPA fined PlayOn Sports $1.1 million for CCPA violations involving student data. PlayOn’s GoFan digital ticketing platform, used by roughly 1,400 California schools, required students to agree to tracking before they could access their purchased tickets. The CPPA found this constituted an illegal dark pattern that coerced consent and used student data for targeted advertising.

Ford Motor Company — $375,703 (March 2026)

Ford was fined for adding unnecessary friction to the opt-out process by requiring email verification before consumers could exercise their right to opt out. The CPPA ruled that requiring email confirmation created an unlawful barrier to opt-out rights under CCPA regulations.

Comstar — Multi-State Settlement (Q1 2026)

In a landmark multi-state action, Comstar settled privacy violations with attorneys general from multiple states simultaneously, setting a precedent for coordinated enforcement. This signals that businesses can expect enforcement pressure from multiple states at once for the same conduct.

Which States Are Most Aggressive?

Not all states enforce with equal intensity. Here’s the current enforcement landscape:

  • California — By far the most active, with the dedicated CPPA and the AG’s office both pursuing cases. California has issued millions in fines and doesn’t offer a cure period.
  • Texas — Attorney General Ken Paxton has been aggressive on data privacy. Texas has the highest per-violation penalty at $25,000 and has pursued major cases including a $1.4 billion settlement with Meta over biometric data.
  • Connecticut — Actively conducting GPC enforcement sweeps alongside California and Colorado.
  • Oregon — Eliminated its cure period in January 2026, signaling a shift toward active enforcement.
  • Colorado — Participating in multi-state GPC compliance checks and building enforcement capacity.

Cure Periods: Your Window to Fix Issues

Many states offer a “cure period” — a window of time after notification of a violation during which you can fix the issue and avoid penalties. However, these windows are shrinking:

  • California eliminated its cure period entirely.
  • Oregon’s cure period expired January 1, 2026.
  • Colorado’s cure period sunset in January 2025.
  • Connecticut’s cure period was removed via SB 1295 amendments.
  • Delaware’s cure period sunset in December 2025.
  • Rhode Island never had one.

The trend is unmistakable: cure periods are being eliminated across the board. Waiting for a violation notice before addressing compliance gaps is an increasingly dangerous strategy.

How to Minimize Your Penalty Risk

  1. Know which laws apply to you — Use our Privacy Law Calculator to check your exposure across all 20 states.
  2. Implement GPC compliance — GPC non-compliance is the most common enforcement trigger in 2026. Use our GPC Compliance Checker to verify your status.
  3. Eliminate dark patterns — Don’t make it harder to opt out than to opt in. The CPPA specifically targets interfaces that discourage consumers from exercising their rights.
  4. Handle consumer requests promptly — Respond within 45 days, verify identity without friction, and document everything.
  5. Conduct data protection assessments — Required in many states for high-risk processing activities. Having documented assessments demonstrates good faith.
  6. Review vendor agreements — Ensure your data processing agreements with third parties include proper privacy protections and flow-down requirements.
  7. Train your team — The employees who interact with consumer data or handle requests must understand their obligations.
  8. Monitor deadlines — New requirements and cure period expirations happen regularly. Track them with our Compliance Deadlines Calendar.

Private Right of Action: Can Consumers Sue You Directly?

Most state privacy laws do not grant a private right of action — only the Attorney General (or CPPA in California) can bring enforcement actions. However, California is the major exception: the CCPA allows private lawsuits for data breaches involving non-encrypted or non-redacted personal information, with statutory damages of $100 to $750 per consumer per incident. This means a breach affecting 100,000 California consumers could expose you to $10–$75 million in statutory damages alone, before actual damages.

The Bottom Line

State privacy law penalties are real, growing, and increasingly coordinated across state lines. The era of warnings and gentle nudges is ending as cure periods expire and enforcement budgets expand. The businesses that fare best are those that treat compliance as a continuous process rather than a one-time project. Start by understanding your obligations with our Privacy Law Calculator, then work through the relevant state compliance checklists to close any gaps before regulators come calling.

This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.
