The Era of Big Privacy Enforcement

For most of the internet's history, data privacy violations were met with strongly worded letters from regulators, consent decrees that required no admission of wrongdoing, and fines so small that they were easily absorbed as a cost of doing business.

That era is ending. The past several years have seen a dramatic escalation in the size and frequency of data privacy enforcement actions, driven by new legal frameworks (CCPA, CPRA, state biometric laws), more aggressive use of existing FTC authority, and regulators emboldened by landmark European GDPR enforcement.

The numbers have gotten big enough to get board-level attention at major corporations — which is precisely the point.

The Landmark FTC Actions

Meta/Facebook — $5 Billion (2019): The largest consumer protection penalty in FTC history. The FTC found that Facebook had violated a 2012 consent decree by allowing Cambridge Analytica and other third parties to access user data without adequate consent. The $5 billion figure was unprecedented — and still criticized by many as insufficient given Facebook's revenue at the time (approximately $70 billion annually).

Google/YouTube — $170 Million (2019): Settlement between Google, YouTube, and the FTC (plus the New York AG) for COPPA violations. YouTube's systems showed targeted advertising to children based on their viewing behavior — a clear COPPA violation given that YouTube had been making $100+ million annually from children's content.

Epic Games — $520 Million (2022): The maker of Fortnite paid $275 million in FTC penalties for COPPA violations (collecting data from children without parental consent) and an additional $245 million in consumer refunds for charges made through dark patterns — the largest gaming-related privacy/consumer protection settlement in history.

Amazon — $25 Million (2023): FTC penalty for Amazon's Alexa service retaining children's voice recordings indefinitely, in violation of COPPA, and for overriding parents' deletion requests. Additionally, Amazon's Ring home security division paid $5.8 million for allowing employees and contractors to access customers' videos without proper authorization.

State-Level Enforcement

As comprehensive state privacy laws have come into force, state attorneys general and dedicated privacy agencies have begun active enforcement:

California AG — Sephora (2022): The first major CCPA enforcement action resulted in a $1.2 million penalty against beauty retailer Sephora for failing to disclose that it was selling consumers' personal information through advertising technologies and failing to honor Global Privacy Control (GPC) signals. The case established that sharing data with advertising networks constitutes a "sale" under CCPA and that GPC signals must be honored.

California AG — DoorDash, Others (ongoing): The California AG has continued enforcement actions against companies that failed to implement adequate opt-out mechanisms or honor consumer requests under CCPA.

Texas AG — Data Broker Actions (2023–2024): Texas brought enforcement actions against data brokers and advertising technology companies under the Texas Data Privacy and Security Act, signaling that even non-California states are actively enforcing their privacy laws.

CPPA (California Privacy Protection Agency): The CPPA, now fully operational as a dedicated privacy enforcement agency, has opened multiple investigations and enforcement proceedings. Its first official enforcement actions under CPRA are expected to set important precedents for future cases.

Biometric Law Enforcement: The BIPA Effect

Illinois' Biometric Information Privacy Act (BIPA) deserves special mention because, unlike most privacy laws, it has a private right of action — meaning individuals can sue companies directly without waiting for government enforcement. This has generated enormous settlement amounts:

Meta/Facebook — $650 Million (2021): Settlement of a class action lawsuit alleging that Facebook's photo tagging feature violated BIPA by collecting facial geometry data without explicit consent. The $650 million settlement went to Illinois Facebook users.

Google — $100 Million (2022): Settlement of BIPA claims related to Google Photos' facial recognition features.

Amazon — $25 Million (2021): Settlement of BIPA claims over Amazon Photos' facial recognition in Illinois.

TikTok — $92 Million (2021): BIPA class action settlement over face recognition features used in the app.

The cumulative effect of BIPA litigation has effectively stopped most consumer-facing biometric data collection by major tech companies in Illinois — demonstrating the powerful deterrent effect of private rights of action.

What Enforcement Trends Tell Us

Several important patterns emerge from analyzing recent enforcement actions:

Children's data is the highest priority: Both the FTC and state attorneys general have consistently prioritized COPPA violations and children's privacy above other enforcement areas. The financial penalties for children's data violations have been the largest across the board.

Dark patterns are increasingly pursued independently: Regulators are no longer treating dark patterns as mere symptoms of other violations — they're pursuing them as standalone violations. The Epic Games case ($245 million specifically for dark patterns) is a landmark here.

Advertising technology is under intensive scrutiny: The Sephora case established a key precedent: sharing data with advertising networks constitutes "sale" under CCPA. This dramatically expands the universe of businesses that are technically "selling" data — including most websites using Google or Meta advertising tools.

Repeat violations multiply penalties: Companies that have previously been subject to FTC consent decrees (like Facebook's 2012 consent decree) face dramatically larger penalties for subsequent violations — as the $5 billion Facebook fine demonstrated.

The era of small fines is over: Early GDPR fines in Europe were also small — the enforcement machinery needed time to develop. We are entering a similar maturation phase in U.S. privacy enforcement, and the trend is clearly toward larger and more frequent enforcement actions.