US Privacy Laws in 2025: The Complete Guide with Real Cases & Fines

Sarah Kim

December 22, 2025

A comprehensive guide to state and federal privacy laws in the United States, featuring real enforcement actions, landmark fines, and practical privacy protection strategies.

Introduction

2025 marks a pivotal year for privacy in the United States. With 20 states now having comprehensive privacy laws and regulators issuing record-breaking fines, the landscape has fundamentally shifted. While Congress continues to struggle with federal privacy legislation, state attorneys general and the FTC have made it abundantly clear: privacy violations will be punished.

This guide covers the current state of US privacy law, real enforcement cases with actual fines, and practical steps you can take to protect your personal information.

┌─────────────────────────────────────────────────────────────────┐
│                US PRIVACY LAW LANDSCAPE 2025                    │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   ┌─────────────┐    ┌─────────────┐    ┌─────────────┐        │
│   │  20 STATES  │    │   NO FED    │    │   RECORD    │        │
│   │  WITH LAWS  │    │    LAW      │    │   FINES     │        │
│   └─────────────┘    └─────────────┘    └─────────────┘        │
│                                                                 │
│   California leads     APRA failed      $1.4B Meta Texas       │
│   with strictest       in Congress      settlement (2024)      │
│   enforcement          (2024)                                  │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

The State Privacy Law Explosion

20 States and Counting

As of 2025, twenty US states have enacted comprehensive consumer data privacy laws. Here's the complete breakdown:

STATE PRIVACY LAWS BY YEAR
═══════════════════════════════════════════════════════════════

2018 │ California (CCPA)
     │
2021 │ Virginia (VCDPA)
     │
2023 │ Colorado (CPA), Connecticut (CTDPA), Utah (UCPA)
     │ Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas
     │
2024 │ New Hampshire, New Jersey, Kentucky, Maryland,
     │ Minnesota, Nebraska, Rhode Island
     │
2025 │ 8 new laws taking effect:
     │ • Jan 1: Iowa (ICDPA)
     │ • Jan 15: New Jersey (NJDPA)
     │ • Jul 1: Tennessee (TIPA)
     │ • Oct 1: Maryland (MODPA)
     │ • + Delaware, Minnesota, Nebraska, New Hampshire

═══════════════════════════════════════════════════════════════

California: The Gold Standard

California's CCPA/CPRA remains the most comprehensive and strictly enforced privacy law in the nation:

| Right | Description |
|---|---|
| Right to Know | Access what data companies collect about you |
| Right to Delete | Request deletion of your personal information |
| Right to Opt-Out | Stop companies from selling/sharing your data |
| Right to Correct | Fix inaccurate personal information |
| Right to Limit | Restrict use of sensitive personal information |
| Right to Non-Discrimination | No penalties for exercising your rights |

Notable State Laws

Maryland Online Data Privacy Act (MODPA) - Taking effect October 2025, widely considered the most consumer-friendly law enacted to date.

Oregon Consumer Privacy Act (OCPA) - One of the strongest laws, with robust protections for biometric, sensitive, and children's data, and fewer exemptions than other state laws.

Texas Data Privacy and Security Act (TDPSA) - Notable for aggressive enforcement against Chinese-affiliated companies in 2025.

Real Enforcement Actions: 2025's Biggest Cases

The message from regulators is clear: privacy violations result in real consequences. Here are the landmark cases that defined 2025:

California Privacy Protection Agency (CPPA) Actions

┌─────────────────────────────────────────────────────────────┐
│              CPPA ENFORCEMENT ACTIONS 2025                  │
├──────────────────────┬──────────────┬───────────────────────┤
│      COMPANY         │    FINE      │      VIOLATION        │
├──────────────────────┼──────────────┼───────────────────────┤
│ Tractor Supply Co.   │  $1,350,000  │ Opt-out failures,     │
│ (Sept 2025)          │   LARGEST    │ job applicant rights  │
├──────────────────────┼──────────────┼───────────────────────┤
│ American Honda       │   $632,500   │ Excessive data for    │
│ (March 2025)         │              │ privacy requests      │
├──────────────────────┼──────────────┼───────────────────────┤
│ Todd Snyder          │   $345,178   │ Misconfigured         │
│ (May 2025)           │              │ opt-out system        │
└──────────────────────┴──────────────┴───────────────────────┘

Case Study: Tractor Supply Company ($1.35M)

In September 2025, the CPPA issued its largest fine ever against Tractor Supply Company, the nation's largest rural lifestyle retailer with over 2,500 stores. The company violated California law by:

- Failing to provide an effective opt-out mechanism for data selling/sharing
- Not notifying California consumers (including job applicants) of their privacy rights
- Inadequate privacy policy disclosures

This case marked the first enforcement action addressing job applicant privacy rights.

Case Study: American Honda ($632,500)

Honda's March 2025 fine represented the CPPA's first enforcement action against a non-data broker. Violations included:

- Requiring excessive information from consumers making privacy requests
- Failing to separate opt-out requests from other request types
- Lacking proper contracts with third-party advertising companies

California Attorney General Actions

Healthline Media ($1.55 Million - Record AG Settlement)

In July 2025, the California Attorney General announced a record-setting $1.55 million settlement with Healthline Media. The investigation found Healthline:

- Failed to allow consumers to opt out of targeted advertising
- Shared health data with third parties without CCPA-mandated protections
- Exposed data suggesting serious health conditions without proper safeguards

This case is particularly significant because health-related browsing data received heightened scrutiny.

Jam City ($1.4 Million)

The mobile gaming company agreed to pay $1.4 million for:

- Failing to provide opt-out methods in mobile gaming apps
- Inadequate privacy protections for children

The $1.4 Billion Elephant: Meta vs. Texas

The largest US privacy settlement in history occurred in 2024 when Meta paid $1.4 billion to the Texas Attorney General for unlawful collection of biometric data. This case involved:

- Unauthorized capture of facial recognition data
- Violations of Texas's Capture or Use of Biometric Identifier Act
- Years of data collection without proper consent

┌─────────────────────────────────────────────────────────────┐
│            LARGEST US PRIVACY SETTLEMENTS                   │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│   $1,400,000,000  │████████████████████████████│ Meta/TX   │
│                   │                            │ (2024)    │
│                                                             │
│      $52,000,000  │██                          │ Marriott  │
│                   │                            │ (2024)    │
│                                                             │
│       $1,550,000  │                            │ Healthline│
│                   │                            │ (2025)    │
│                                                             │
│       $1,400,000  │                            │ Jam City  │
│                   │                            │ (2025)    │
│                                                             │
│       $1,350,000  │                            │ Tractor   │
│                   │                            │ Supply    │
└─────────────────────────────────────────────────────────────┘

Connecticut's First Enforcement

In July 2025, Connecticut Attorney General William Tong announced an $85,000 settlement with TicketNetwork — the first monetary penalty under the Connecticut Data Privacy Act (CTDPA).

Multi-State Enforcement Collaboration

On September 9, 2025, the CPPA joined with California, Colorado, and Connecticut Attorneys General to announce an investigative sweep targeting companies' noncompliance with Global Privacy Control (GPC) — the opt-out preference signal that browsers can send to websites.
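
As an added example (not taken from the article or from any regulator's guidance), this is one way a site could honor the signal on the server: the GPC specification defines a `Sec-GPC: 1` request header, and the code below uses it to decide which tags may load and to flag third-party tags that fired anyway. The tag names and the stored-choice values are hypothetical, and letting the header override a stored opt-in is an assumption of this example.

```javascript
// Added example: honoring the GPC request header server-side.
// Tag names and the stored-choice values are hypothetical.
const TAGS = [
  { name: 'first-party-analytics', sharesWithThirdParties: false },
  { name: 'ad-network-pixel', sharesWithThirdParties: true },
  { name: 'retargeting-sdk', sharesWithThirdParties: true },
];

// The GPC specification defines one header, Sec-GPC, with one value, "1".
// Header names are case-insensitive, so compare them lower-cased.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const first = Array.isArray(value) ? value[0] : value;
    return String(first).trim() === '1';
  }
  return false;
}

// storedChoice is a hypothetical per-user record: 'opted_out', 'opted_in' or undefined.
// Assumption: the browser signal wins over a stored opt-in.
function saleSharingAllowed(headers, storedChoice) {
  if (hasGpcSignal(headers)) return false;
  return storedChoice !== 'opted_out';
}

// Names of the tags that may be rendered for this request.
function tagsToRender(headers, storedChoice, tags = TAGS) {
  const allowed = saleSharingAllowed(headers, storedChoice);
  return tags
    .filter((t) => allowed || !t.sharesWithThirdParties)
    .map((t) => t.name);
}

// Self-audit: given what a page actually rendered, list third-party tags
// that fired even though the visitor had opted out.
function findOptOutViolations(headers, storedChoice, renderedNames, tags = TAGS) {
  if (saleSharingAllowed(headers, storedChoice)) return [];
  const thirdParty = new Set(
    tags.filter((t) => t.sharesWithThirdParties).map((t) => t.name)
  );
  return renderedNames.filter((n) => thirdParty.has(n));
}
```

Running `findOptOutViolations` over recorded page renders in a test suite catches a misconfigured opt-out before it reaches production.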

FTC Enforcement: Federal Action Without Federal Law

While Congress failed to pass comprehensive privacy legislation, the Federal Trade Commission remained active:

Major Data Broker Crackdown

The FTC announced four significant settlements against data brokers for unlawful collection and sale of precise location information:

- X-Mode
- InMarket Media
- Mobilewalla
- Gravy Analytics

These settlements prohibited selling or sharing sensitive location data, particularly data revealing visits to healthcare facilities, religious sites, and other sensitive locations.

Notable FTC Settlements

Marriott ($52 Million - October 2024)

Hotel giant Marriott agreed to pay $52 million to 50 US states following a multi-year data breach affecting 131.5 million American customers. The investigation examined:

- Breach of Starwood guest reservation database
- Inadequate security measures
- Delayed customer notification

Blackbaud (February 2024)

The FTC reached a settlement after Blackbaud's inadequate security allowed hackers to access personal data of millions, including Social Security and bank account numbers. The FTC criticized Blackbaud for:

- Waiting nearly two months to inform customers
- Misleading customers about the extent of data theft
- Knowing hackers obtained sensitive information while claiming otherwise

Avast (February 2024)

The FTC settled with Avast over deceptive data collection practices. The key finding: "Web browsing data is sensitive. Full stop." The company sold consumers' re-identifiable browsing data for advertising despite offering privacy-focused antivirus software.

The Failed Federal Privacy Push

American Privacy Rights Act (APRA) - So Close, Yet So Far

In April 2024, a bipartisan draft of the American Privacy Rights Act offered hope for federal privacy legislation. Senate Commerce Committee Chair Maria Cantwell and House Energy & Commerce Committee Chair Cathy McMorris Rodgers jointly released the bill.

APRA'S JOURNEY
═══════════════════════════════════════════════════════════════

April 2024     │ Bipartisan draft released
               │
June 25, 2024  │ Introduced as H.R. 8818
               │
June 27, 2024  │ Markup scheduled... then CANCELED
               │     └─► Republican leaders signal opposition
               │
Jan 2025       │ 118th Congress adjourns - bill EXPIRES
               │
Oct 2025       │ NOT reintroduced in 119th Congress

═══════════════════════════════════════════════════════════════

Why Federal Privacy Legislation Keeps Failing

Two main sticking points prevent federal consensus:

1. **Preemption**: A federal law would replace state laws, including California's stronger protections. California lawmakers strongly oppose this.
2. **Private Right of Action**: Should individuals be able to sue companies directly, or only through state attorneys general?

The previous attempt, the American Data Privacy and Protection Act (ADPPA), passed the House Committee 53-2, but then-Speaker Nancy Pelosi, acting to protect California's interests, never called it for a floor vote.

What This Means for You

Your Rights Under State Privacy Laws

If you live in a state with a privacy law, you likely have:

┌─────────────────────────────────────────────────────────────┐
│                    YOUR PRIVACY RIGHTS                      │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ✓ ACCESS     │ See what data companies have about you     │
│               │                                             │
│  ✓ DELETE     │ Request removal of your personal data      │
│               │                                             │
│  ✓ OPT-OUT    │ Stop sale/sharing of your information      │
│               │                                             │
│  ✓ CORRECT    │ Fix inaccurate information                 │
│               │                                             │
│  ✓ PORTABILITY│ Get your data in a usable format           │
│               │                                             │
└─────────────────────────────────────────────────────────────┘

Practical Steps to Protect Your Privacy

1. Use Global Privacy Control (GPC)

Enable GPC in your browser — it automatically sends opt-out signals to websites. Regulators are actively investigating companies that ignore GPC signals.

2. Exercise Your Rights

Look for "Do Not Sell My Personal Information" links on websites. Under CCPA, companies must honor these requests within 45 days.

3. Use Temporary Email Services

Services like Tempo help you:

- Avoid data collection when signing up for new services
- Prevent your real email from being sold to data brokers
- Reduce your digital footprint
- Test services without commitment

4. Audit Your Data

Request your data from major companies:

- Google: google.com/takeout
- Facebook: Download Your Information
- Amazon: Request My Data

5. Review App Permissions

Regularly check which apps have access to:

- Location data
- Contacts
- Camera/microphone
- Health information

Looking Ahead: 2026 and Beyond

What to Expect

- More state laws: Indiana's law takes effect January 2026
- Increased enforcement: Regulators are learning and fining more
- AI privacy concerns: New rules around AI data use are coming
- Children's privacy: Stricter COPPA enforcement expected

The Bottom Line

The US privacy landscape is complex but increasingly protective. While we wait for federal legislation, state laws provide meaningful rights. The enforcement actions of 2024-2025 prove that regulators are serious about holding companies accountable.

Your privacy is your right. Exercise it.

---

*Sources: IAPP US State Privacy Legislation Tracker, California Privacy Protection Agency, FTC Privacy and Security Enforcement, Texas Attorney General Office, Connecticut Attorney General Office*