State attorney General enforcement
Privacy, Security + AI Enforcement Report
january – april 2026
Overview
This report covers State AG enforcement activity in privacy, cybersecurity, and artificial intelligence through April 2026, drawing on 307 tracked enforcement activities — including regulatory investigations and actions, regulator sweeps, and stated regulator enforcement priorities.*
Enforcement activities tracked in this report include formal regulatory investigations and actions (e.g., CIDs, consent orders, lawsuits, settlements), regulator sweeps (coordinated multi-target or multi-state enforcement campaigns), and stated regulator enforcement priorities (published guidance, advisories, and formal policy announcements signaling intended enforcement focus areas).
The Acceleration of AG Enforcement Activity since 2022
The regulatory landscape for privacy, information security, and AI is no longer a slow-moving tide — it is a wave, and it is accelerating. State attorneys general (AG) and dedicated privacy regulators (e.g., CalPrivacy) have emerged as one of the most consequential and nimble forces in the enforcement ecosystem, moving faster than federal regulators, responding to constituent pressure, and increasingly coordinating across state lines to pursue companies whose data practices fall short of evolving legal standards.
For legal practitioners and privacy professionals, keeping pace with this enforcement activity is no longer a matter of periodic check-ins or annual reviews – it demands near real-time awareness of where regulators are looking, what conduct they are targeting, and how their theories of liability are evolving. That is precisely what this tracker is built to deliver: a living, continuously updated intelligence resource that ingests state AG settlements and enforcement actions as they happen, and identifies emerging trends before they become widespread. Using this report and more significantly the five years of underlying data we have collected and curated, we can help our clients proactively reduce their regulatory risk and ready them in the event they need to respond to AG investigations or actions.
This inaugural report sets the foundation, providing a historical lens on AG privacy, information security, and AI enforcement activity from 2020 to the present. The numbers show significantly accelerating state AG growth starting in 2022 and continuing to present. If current patterns hold through the end of 2026, we are on pace to see approximately 130 AG enforcement actions this year alone, more than quadruple the 31 recorded in 2022. Will this trend continue? What factors are influencing enforcement activities? With the advent of AI and even more demand for data, are we also in the midst of or entering a materially more risky regulatory enforcement environment?
These are the core questions we are exploring with our AG tracker — we will do so using both the data we’ve gathered and aggregated in this report using AI and our vast AG and privacy compliance experience our team has obtained over decades.
Key Findings
+52%
YOY Enforcement Growth
43
2026 Actions YTD
12
AI Actions in 2026 YTD
$195.8M
Non-Outlier Settlement Baseline
Analysis + Guidance
Insights + Trends
Response + Defense
Compliance Corner
The complete dataset, settlement analysis, and compliance guidance in a single PDF.
*Action counts in this report (307) exclude 7 pre-2020 actions and 37 North Carolina robocall actions filed on August 7, 2025 as part of a single, coordinated VoIP provider sweep. These Communications Privacy actions, while valid enforcement activity, would disproportionately skew state ranking and trend data. Including these actions, the total dataset contains 351 enforcement actions. Settlement figures also exclude the pre-2020 actions; all North Carolina robocall actions carried $0 settlements.



