State attorney General enforcement

Privacy, Security + AI Enforcement Report

january – april 2026

Overview

This report covers State AG enforcement activity in privacy, cybersecurity, and artificial intelligence through April 2026, drawing on 307 tracked enforcement activities — including regulatory investigations and actions, regulator sweeps, and stated regulator enforcement priorities.*

The regulatory landscape for privacy, information security, and AI is no longer a slow-moving tide — it is a wave, and it is accelerating. State attorneys general (AG) and dedicated privacy regulators (e.g., CalPrivacy) have emerged as one of the most consequential and nimble forces in the enforcement ecosystem, moving faster than federal regulators, responding to constituent pressure, and increasingly coordinating across state lines to pursue companies whose data practices fall short of evolving legal standards.

For legal practitioners and privacy professionals, keeping pace with this enforcement activity is no longer a matter of periodic check-ins or annual reviews – it demands near real-time awareness of where regulators are looking, what conduct they are targeting, and how their theories of liability are evolving. That is precisely what this tracker is built to deliver: a living, continuously updated intelligence resource that ingests state AG settlements and enforcement actions as they happen, and identifies emerging trends before they become widespread. Using this report and more significantly the five years of underlying data we have collected and curated, we can help our clients proactively reduce their regulatory risk and ready them in the event they need to respond to AG investigations or actions.

This inaugural report sets the foundation, providing a historical lens on AG privacy, information security, and AI enforcement activity from 2020 to the present. The numbers show significantly accelerating state AG growth starting in 2022 and continuing to present. If current patterns hold through the end of 2026, we are on pace to see approximately 130 AG enforcement actions this year alone, more than quadruple the 31 recorded in 2022. Will this trend continue? What factors are influencing enforcement activities? With the advent of AI and even more demand for data, are we also in the midst of or entering a materially more risky regulatory enforcement environment?

These are the core questions we are exploring with our AG tracker — we will do so using both the data we’ve gathered and aggregated in this report using AI and our vast AG and privacy compliance experience our team has obtained over decades.

Key Findings

+52%

YOY Enforcement Growth

43

2026 Actions YTD

12

AI Actions in 2026 YTD

$195.8M

Non-Outlier Settlement Baseline

Analysis + Guidance

Insights + Trends

Learn what the data tells us

Decorative cords

Response + Defense

How to respond when it happens

digital graphic with a deep blue background featuring neon-blue horizontal and diagonal light trails, clusters of small glowing blue and yellow dots resembling data points, and a single smooth yellow curve sweeping from the lower left to the upper right, evoking high-speed data flow

Compliance Corner

What to do proactively

*Action counts in this report (307) exclude 7 pre-2020 actions and 37 North Carolina robocall actions filed on August 7, 2025 as part of a single, coordinated VoIP provider sweep. These Communications Privacy actions, while valid enforcement activity, would disproportionately skew state ranking and trend data. Including these actions, the total dataset contains 351 enforcement actions. Settlement figures also exclude the pre-2020 actions; all North Carolina robocall actions carried $0 settlements.