Privacy and Data Security Enforcement: Where Regulators Struck Hardest in 2025

Federal and state regulators in the US remain active and trending toward escalated privacy, cybersecurity, and data governance enforcement by launching investigations and heavy monetary penalties, expanded injunctive relief, and aggressive corrective action mandates across financial services, healthcare, technology, and other sectors.

Among the federal agencies bringing the most enforcement actions, Health & Human Services (HHS) ranks as the highest volume of investigations focused on HIPAA Security Rule violations, ransomware attack handling, risk analysis failures, and other similar violations.  The Federal Trade Commission remains focused on children’s privacy, data misuse, and surveillance monetization.  And the Securities and Exchange Commission focused on cyber incident disclosures and internal control failures by publicly-traded companies.

At the state level, California is the most active in terms of volume and aggressive enforcement of California’s Consumer Privacy Act by both the Attorney General and the newly-minted California Privacy Protection Agency (CPPA).  Other states actively enforcing privacy and data security include New York and Texas with Texas finalizing a $1.375 billion settlement with a global search engine provider over privacy claims from lawsuits centered around company’s handling of geolocation data, incognito browsing activities, and biometric identifiers including voiceprints and facial records.

Industries facing the most enforcement scrutiny are healthcare, financial services, insurance, and EdTech.  Among the top violations cited are inadequate security controls, insufficient vendor management protocols, failure to conduct adequate privacy risk assessments, and delayed breach notification.  In most cases, companies subjected to these enforcement actions neglected to sufficiently invest in maintaining adequate privacy and data security controls.

These enforcement trends forecast an overall regulatory effort to balance innovation with accountability — ensuring that technological progress serves the public interest without eroding privacy or safety. With consumer data being collected, stored and used in ways never before imagined, and train the artificial intelligence systems of tomorrow, the legal and regulatory enforcement climate for consumer data is also expected to become extraordinarily robust and complex.  Companies must, therefore, go above and beyond to ensure data is being captured, stored, used, and protected responsibly.

Our Enforcement Summary Report is intended to help companies stay up to date on the new remedies and enforcement actions emerging from the wide range of federal and state agencies that regulate consumer data and privacy. Equipped with a solid understanding of recent enforcement actions, companies can better stay ahead of any new trends and areas of enforcement focus, and work with their legal partners to prioritize risks and build forward-thinking data-privacy policies.

For access to our U.S. Privacy and Security Enforcement Report, click here.