Higher fines, age assurance on California's agenda; enforcement to ramp up in other states

U.S. state privacy enforcers speaking at the IAPP Global Summit 2026 indicated an uptick in their respective activities is coming this year as the California Privacy Protection Agency and state attorneys general continue to work collaboratively.

Enforcement priorities with the most immediate and consequential impacts are expected out of California, where CalPrivacy is considering its options on higher fines attached to California Consumer Privacy Act settlements while the attorney general's office hinted it may soon begin a rulemaking on age assurance and parental consent under the Protecting Our Kids from Social Media Addiction Act. Attorneys general in Connecticut, Delaware and Indiana also highlighted expected priorities to Summit attendees.

CalPrivacy started rolling out CCPA penalties last year, with the agency's first-ever CCPA fine in March 2025. Additionally, fines under the Delete Act began in November 2024. The five CCPA settlements reached by the agency to date resulted in less than USD4 million in total fines while several data broker registration fines each brought five-figure penalties.

"I do think that fines under the CCPA could become a cost of doing business if they're not higher," CalPrivacy Deputy Director of Enforcement Michael Macko said. "And I think as we mature and grow as an agency, one aspect of that is ensuring that fines are appropriate. I do think that's an area to watch for us."

The situation extends to the attorney general's office, which shares CCPA enforcement with CalPrivacy. The office issued more CCPA fines, but none have been more than USD2.75 million. California Supervising Deputy Attorney General Stacey Schesser, CIPP/US, CIPM, who joined Macko on the Summit panel, did not indicate whether the Department of Justice is considering increased fines.

Higher fines may coincide with a broader CalPrivacy enforcement agenda. Macko acknowledged the agency spent considerable time on user opt-out violations over the course of 2025, but more emphasis and attention could be put toward how companies apply necessity and proportionality principles. He called data minimization and purpose limitation "fundamental" to the CCPA.

"You have the (EU General Data Protection Regulation), which is classically principle based. You have the Securities Act in the U.S. from the 1930s that has been principle based," he said. "California privacy law has many of these principles. ... A priority for us going forward is making sure when we look at opt outs and other aspects of California law, are we also looking at data minimization? Are we asking the right questions about purpose limitation? And that does vary a lot based on facts."

On the California attorney general's plate

Schesser indicated the official kickoff to the Department of Justice's age assurance rulemaking could start "pretty soon" after the attorney general's office considered stakeholder comments from a 5 Nov. public meeting.

The children's social media law prohibits platforms from producing "addictive feeds" to minors under age 18. Covered entities can avoid violations by proving they had no actual knowledge about a minors' age or by obtaining verifiable parental consent. The law was due to take effect 1 Jan. 2025 before litigation by NetChoice delayed enforcement.

Age verification provisions in the law take force 1 Jan. 2027, leaving the attorney general to promulgate rules for verification obligations in the lead up.

Schesser said lessons from stakeholder comments and the rulemaking process could be shared with the office for Connecticut Attorney General William Tong, who joined Gov. Ned Lamont, D-Conn., to introduce a social media restrictions bill this year that includes draft provisions on addictive design.

She also mentioned potential updates to come on Attorney General Rob Bonta's ongoing investigation into nonconsensual explicit deepfakes allegedly produced by social platform X's artificial intelligence chatbot, Grok. Surveillance pricing is also on the office's radar after Bonta and Schesser launched a January sweep, with Schesser noting at Summit the purpose limitation angle of pricing schemes is their focus.

Schesser added the office is shifting its privacy enforcement focus from "facial compliance" to "ways everyday consumers are being impacted by certain data practices.

"We're trying to think more critically about potential harms, and with that, we are going deeper in both the technology and how the technology is used," she said. "That may shift a lot the work that we're doing in terms of what resolutions are going to look like."

What's top of mind in other states?

Connecticut Deputy Associate Attorney General, Chief of Privacy and Data Security Section Michele Lucan, CIPP/US, CIPM, FIP, pointed to her office's Connecticut Data Privacy Act enforcement report for a window into its 2026 workload.

The report, released in February, offered a full rundown of 2025 actions under the comprehensive law that included details into open cases. Among the disclosures, which did not name company names, was note of an active probe into a major AI chatbot's CTDPA compliance.

"I don't think this should be surprising," Lucan said. "I know we've all seen the reports of really serious harms related to chatbots, and especially with kids."

State Sen. James Maroney, D-Conn., previously announced Connecticut lawmakers would use the 2026 legislative session to explore chatbot issues, including child interactions and chat history retention.

Lucan noted new CTDPA provisions on AI will also be in at the forefront of the attorney general's enforcement agenda. Those provisions include more requirements around AI training data transparency and new consumer rights to contest profiling decisions.

"It shouldn't be a surprise if we're looking at privacy notices with a new twist of trying to find out if the (AI transparency) provision is being complied with," she said.

Attorneys general in Delaware and Indiana only had enforcement authority under their respective comprehensive privacy laws when they came online 1 Jan. following multi-year transition windows after enactment. The privacy units in both offices have been preparing to hit the ground running during the transition, monitoring potential areas of early emphasis and cross-checking other state consumer protection law violations against their new privacy statute.

"I expect transparency to be a significant theme," Indiana Attorney General's Office Assistant Section Chief for Data Privacy and Identity Theft Unit Jennifer Van Dame, CIPP/US, said. "What I generally say is give your privacy policy to your mom. If she can't understand it then you might have a problem, because we view transparency as requiring everyday consumers, not just lawyers, what you're saying and to exercise their rights easily."

Indiana's statute contains a 30-day cure provision, which will create a difference in standard settlements versus those with fines attached to them.

Delaware's attorney general is working under a similar enforcement situation with a 60-day cure period, but that provision sunsets 31 Dec., opening up the potential for settlements with financial penalties. Delaware Deputy Attorney General John Eakins said the office will approach initial enforcement activities with an eye toward "moving beyond just what a privacy notice says and actually looking at how the business is operationalizing data flows."

"When we're sending out letters and inquiries, we're asking more questions about how your organization is structured. When is the chief executive or board of directors reviewing privacy practices," Eakins added. "Really bringing in accountability and ensuring that we have an expectation that most businesses intend to follow the law. But in order to do that, you need to have buy-in from senior executive leadership."