Gartner Estimates U.S. States’ Privacy Fines Totaled $3.425 Billion in 2025; Trend Expected to Accelerate Through 2028

Gartner, Inc., a business and technology insights company, has estimated that U.S. states gave out $3.425 billion in privacy-related fines in 2025. Gartner estimated the total value of privacy-related fines assessed in the United States in 2025 by compiling and aggregating enforcement actions and statutory private rights of action associated with state and federal privacy laws.

In the U.S., more fines have been levied due to violations of privacy laws in 2025 than the last five years combined. This trend is expected to accelerate through 2028 (see Figure 1).

“Privacy laws across the U.S. have been in place long enough for Gartner to start seeing a trend of new amendments introducing fresh obligations. These new obligations are primarily focused on automated decision-making technologies,” said Nader Henein. VP Analyst at Gartner. “Regulators are also shifting their efforts away from spreading awareness to full-scale enforcement. This is increasingly becoming the standard in 2026 and beyond.”

U.S. State-by-State Privacy Law Adoption has Worldwide Implications

As AI adoption accelerates across enterprises, personal data has become central to both model training and inference. At the same time, privacy regulators, alongside a growing patchwork of state AI governance laws, are updating privacy frameworks to address automated decision-making technologies.

With much of the world’s data stored or administered by U.S.-registered companies, U.S. privacy laws not only affect U.S. citizens, but also impact the level of data protection received by individuals across the world.

Gartner research shows that 22 states in the U.S. have passed privacy legislation primarily aimed at consumer privacy rights. These laws cover more than 50% of the U.S. population. Another 24 states have proposed privacy legislation and are expected to pass their respective laws over the course of the coming five years. The only outliers are Kansas, Idaho, South Dakota and Wyoming, who have focused on more narrowly defined laws, such as protecting children online or protecting genetic data.

“This state-by-state progression is not uncommon,” said Henein. “For example, breach disclosure legislation crept across states over the course of 15 years, from California starting the trend in July 2003, to Alabama becoming the 50th state in March 2018 to pass breach disclosure legislation.”

With this in mind, CISOs and leaders responsible for privacy programs should:

• Perform critical reviews: Many organizations operating exclusively in the U.S. established a privacy program in 2020 and have since allowed it to atrophy. It is critically important to review the privacy program in light of the enforcement push to assess if it continues to provide adequate and defensible compliance.
• Focus on privacy user experience (UX): Most of the fines and violations levied are directly associated with shortcomings in one or more aspects of the privacy UX, such as subject rights, consent or privacy notices.

Gartner clients can learn more in Privacy Regulations — North America Overview.