Interactive timeline of US state privacy enforcement actions, CCPA fines, CPPA actions, and data privacy penalties. Filter, sort, and explore enforcement trends from 2019 to 2026.
The California Privacy Protection Agency (CPPA) fined Ford Motor Company $375,703 for adding unnecessary friction to the consumer opt-out process. Ford required consumers to verify their email address before their opt-out requests would be processed — those who did not click the confirmation link had their requests ignored. This was CalPrivacy's second enforcement action stemming from its connected vehicles investigative sweep. Ford must process all previously unfulfilled opt-out requests, provide compliant opt-out submission methods, audit tracking technologies on its website, and ensure proper handling of opt-out preference signals.
The California Privacy Protection Agency (CPPA) issued a $1.10 million fine against PlayOn Sports, whose GoFan platform sells digital tickets for approximately 1,400 California schools. PlayOn used tracking technologies to deliver targeted ads to ticketholders without providing a sufficient opt-out mechanism, instead directing users to third-party ad industry tools rather than operating its own opt-out. This is the first CPPA enforcement action addressing student privacy violations.
California Attorney General Rob Bonta secured the largest CCPA settlement in state history — $2.75 million against Disney for failing to fully effectuate consumer opt-out requests across all streaming services and devices linked to their Disney accounts. When consumers opted out on one Disney streaming app, the opt-out did not carry across to other Disney platforms like Hulu or ESPN+.
The Massachusetts AG and Connecticut AG jointly settled with Comstar, an ambulance billing vendor, for $515,000 ($415,000 to MA, $100,000 to CT) following a 2022 ransomware attack that exposed the personal and medical information of 585,621 individuals. The company failed to conduct adequate risk assessments and maintain reasonable data security practices. The settlement requires Comstar to implement a comprehensive information security program, appoint a CISO, and maintain compliance documentation.
The CPPA's Data Broker Enforcement Strike Force fined Rickenbacher Data LLC (d/b/a Datamasters) $45,000 for failing to register as a data broker under the California Delete Act (SB 362). Datamasters bought and resold names, addresses, phone numbers, and email addresses of millions of people with health conditions including Alzheimer's disease and drug addiction for targeted advertising. The company was also ordered to stop selling all Californians' personal information.
The CPPA fined S&P Global, Inc. $62,600 for failing to register as a data broker under the California Delete Act (SB 362). The New York-based provider of data and technology failed to register due to an administrative error. After discovering the error, the company promptly registered and agreed to implement procedures to ensure ongoing compliance with California's data broker registration requirements.
California Attorney General Rob Bonta announced a $1.4 million settlement with Jam City, a mobile gaming company, for CCPA violations including lacking opt-out mechanisms in 20 of 21 apps and selling personal information of minors aged 13-16 without obtaining required affirmative authorization.
The California Privacy Protection Agency (CPPA) issued its largest monetary penalty to date — $1.35 million against Tractor Supply Company for failing to properly notify consumers and job applicants of their privacy rights, failing to maintain adequate service provider agreements, and failing to provide effective opt-out mechanisms.
Connecticut Attorney General William Tong announced the state's first enforcement action under the Connecticut Data Privacy Act (CTDPA) — an $85,000 settlement with TicketNetwork, Inc., a Connecticut-based online ticket marketplace. The AG found that TicketNetwork's privacy notice was "largely unreadable," lacked required consumer data rights disclosures, and had misconfigured or inoperable opt-out mechanisms. The company had been given multiple notices to cure since November 2023 but failed to fully remediate.
California Attorney General Rob Bonta announced a $1.55 million settlement with Healthline Media LLC for violating the CCPA by failing to honor opt-out requests and improperly sharing consumer data with third parties.
Texas Attorney General Ken Paxton secured a $1.375 billion settlement with Google related to data privacy rights of Texans. The settlement addressed unauthorized collection and use of personal data, marking the second billion-dollar privacy settlement for Texas.
Texas Attorney General Ken Paxton filed the first-ever enforcement action under a state comprehensive data privacy law, suing Allstate and its subsidiary Arity for collecting and selling the driving behavior data of over 45 million Americans. Arity paid app developers (GasBuddy, Fuel Rewards, Routely) to embed tracking SDKs that collected precise geolocation data without consumer notice or consent. The data was used to build a "driving behavior database" sold to insurance companies to justify premium increases. The AG is seeking over $1 million in penalties ($7,500 per TDPSA violation, $10,000 per Data Broker Law violation). Case is ongoing.
Texas Attorney General Ken Paxton secured a record $1.4 billion settlement with Meta for running facial recognition on photos uploaded to Facebook without user consent, violating the Texas Capture or Use of Biometric Identifier Act (CUBI). This is the largest privacy settlement ever obtained by a single state.
NGL Labs settled for $5 million for collecting personal data from children under 13, using dark patterns to lure young users, and marketing a paid subscription feature using fake messages that appeared to come from real people.
Telehealth firm Cerebral was fined $7 million for sharing sensitive health data of nearly 3.2 million users with third parties for advertising purposes and for making it difficult to cancel subscriptions.
The FTC settled with InMarket Media, prohibiting the data aggregator from selling or licensing precise location data. InMarket tracked consumers' locations to serve targeted advertising without informed consent.
The FTC banned data broker X-Mode Social (now Outlogic) from sharing or selling sensitive location data, marking the first FTC action to prohibit a data broker from selling sensitive location data.
The FTC banned Rite Aid from using facial recognition technology for five years after the company's surveillance system falsely flagged consumers, disproportionately impacting people of color.
Mobile game developer Tilting Point Media settled for $500,000 for collecting personal information from children under 13 playing its games without parental consent.
The FTC sued data broker Kochava for selling geolocation data that could be used to track people to sensitive locations such as reproductive health clinics, places of worship, and domestic violence shelters. Ongoing litigation.
Amazon settled for $25 million for retaining children's voice recordings and geolocation data from Alexa indefinitely, even after parents requested deletion, violating COPPA.
Amazon's Ring subsidiary paid $5.8 million to settle claims that it allowed employees and contractors to access consumers' private videos and failed to implement adequate security measures.
Easy Healthcare, maker of the Premom fertility app, was fined for sharing users' sensitive health data with third-party analytics and marketing companies including AppsFlyer, Umeng, and Google without consent.
DoorDash was fined for selling consumers' personal information to a marketing cooperative without providing notice or an opportunity to opt out of the sale.
Epic Games paid $275 million for COPPA violations related to Fortnite, collecting personal information from children without parental consent, and using dark patterns to trick players into making unintended purchases.
Sephora settled with the California AG for $1.2 million for failing to disclose it was selling consumers' personal information, failing to process opt-out requests via Global Privacy Control (GPC), and failing to cure violations within 30 days.
OpenX, a programmatic advertising company, paid $2 million for collecting personal information from children under 13 and for collecting geolocation data from users who opted out.
Zoom settled a class action for $85 million related to privacy and security issues including sharing user data with Facebook, Google, and LinkedIn, and falsely claiming end-to-end encryption.
Google and YouTube paid $170 million to settle allegations of collecting personal information from children under 13 without parental consent, violating COPPA. This was a joint FTC and New York AG enforcement action.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.