Privacy enforcement has drastically increased since last year across US states, with regulators imposing millions of dollars in penalties, launching hundreds of investigations, and coordinating multi-state enforcement sweeps. Big and small alike, businesses are being targeted for issues ranging from user tracking and selling of user data without consent to failing to avoid third-party privacy violations. What’s even more interesting about his wave of enforcement is the consistent violation patterns that appear again and again.
Let us have a look at these patterns and try to figure out how businesses can avoid them and preserve user trust in a strict enforcement environment.
Writing a privacy policy is certainly much easier than translating it into business operations. The moving parts to be managed to actually enforce these policies in the organization are often either too complicated or too unpredictable. Therefore, following patterns emerge more consistently, inviting enforcement actions:
The problem isn’t that businesses don’t have opt-out buttons. It’s that those buttons don’t actually work. Opt-out buttons get built once and are rarely stress-tested again. Every time a new ad-tech partner is added, a site is redesigned, or a third-party script gets updated, the suppression logic can quietly break, and nobody notices because the button still looks like it works.
Honoring GPC requires a separate layer of configuration. The Consent Management Platforms need to be set up to read the incoming browser signal, map it to an opt-out state, and then communicate that state to every downstream tag, pixel, and third-party script running on your site. That configuration is not automatic. It has to be deliberately built and tested.
Regulators are increasingly targeting designs that are deliberately confusing for users to avoid violating their privacy. This one is often less about intent and more about incentives. The team designing the consent interface is usually the same team measured on conversion rates and user engagement. The result is that opt-out flows accumulate extra steps, unnecessary fields, and confusing layouts, not necessarily through malice, but because no one is explicitly responsible for making them equally easy.
Legal teams inherit contract templates that were written before purpose limitation was a real enforcement priority, and those templates don’t get revisited unless something forces the issue. Ad-tech vendors have little incentive to push for restrictive language, and procurement teams are focused on getting the deal done. The result is contracts full of “any business purpose” clauses that made sense as boilerplate five years ago and now represent a direct CCPA violation, still sitting in place because nobody flagged them during renewal.
Most businesses calibrated their age-related obligations to COPPA’s under-13 standard and never updated that thinking when state privacy laws raised the bar to 16. It’s a classic case of compliance being built around the rule that existed at the time, without a process for revisiting it as the legal landscape shifts. Similarly, sensitive data categories like health and geolocation get collected through standard product flows without anyone explicitly asking whether the consent mechanism in place is strong enough for that specific category of data.
Privacy notice failures appear in nearly every enforcement action in this period, often as a secondary violation that compounds others. Common issues include notices that list rights for other states but omit the user’s own state, notices that haven’t been updated annually as required, and notices that don’t cover employees and job applicants. The problem is that businesses are dynamic. New data flows get added, new vendors come on board, and new state laws take effect. The notice doesn’t automatically update with any of it.
Data gets collected for one reason and then made available internally for others because that’s just how data platforms work — once it’s in the warehouse, it’s accessible. Purpose limitation requires actively restricting what downstream teams can do with data they can technically access, and most data governance programs aren’t built with that level of control.
Perhaps the most operationally important finding of the period: the size of the penalty often had less to do with the severity of the violation than with how the company responded when regulators made contact. When a regulator makes contact, the default response in many companies is to route the inquiry to legal, investigate internally before saying anything, and avoid admitting problems until they’re fully resolved. That instinct, which makes sense in litigation, backfires badly in the regulatory context, where candor and demonstrated remediation carry real weight.
What ties all of these violations together is a single recurring gap: the distance between what a privacy program is supposed to do and what it actually does. Here’s how businesses can avoid these gaps:
The enforcement actions of 2025 and 2026 suggest that regulators now have the coordination infrastructure, the technical tools, and the institutional appetite to indefinitely sustain an aggressive pace in privacy enforcement. The businesses that come out of this period in good shape won’t be the ones that hired the most lawyers. They’ll be the ones who closed the gap between policy and practice. Businesses that treat compliance as an engineering problem rather than a documentation exercise are the ones that won’t be reading about themselves in the next enforcement report.