October 7, 2022

Volume XII, Number 280


October 06, 2022

Subscribe to Latest Legal News and Analysis

October 05, 2022

Subscribe to Latest Legal News and Analysis

October 04, 2022

Subscribe to Latest Legal News and Analysis

State privacy comparison: What are the penalties for violation the state privacy statutes?

Many modern data privacy statutes rely heavily on regulatory enforcement. The amount of civil penalty that a regulator can see for violations differs between and among the states. It should also be noted, there may be ambiguity within certain states regarding how violations are “counted.” For example, a business might consider the inadvertent selling of personal information found within its database to a third party after an individual has opted-out as “one” violation. A regulator might argue, however, that a separate violation was committed for each data subject whose information was sold to the third party. Ultimately, courts will have to determine whether one act, that might have occurred multiple times, constitutes a single violation or multiple violations. The following chart compares the regulator that is authorized to bring enforcement actions, as well as the civil penalties that the regulator may seek:


  Enforcement agency.  Which agency is authorized to enforce the statute. Civil penalty authorized per violation.  What is the maximum civil penalty permitted per violation? Enhanced civil penalty for intentional acts.  What is the maximum civil penalty permitted per violation if the act was intentional?

California 2022


Attorney Genera[1]

Up to $2,500[7]


Up to $7,500[13]


California 2023


California Privacy Protection Agency or Attorney General[2] Up to $2,500[8]

Up to $7,500[14]


Colorado 2023


Attorney General or District Attorneys[3]

Up to $2,000[9]

($500,000 maximum for related violations)


Conn. 2023


Attorney General[4] Up to $5,000[10] N/A

Utah 2023


Attorney General[5] Up to $7,500[11] N/A

Virginia 2023


Attorney General[6] Up to $7,500[12] N/A


1. Cal. Civ. Code §1798.155(b) (West 2020).

2. Cal. Civ. Code § 1798.199.90(a) (West 2021) (authorizing the attorney general to bring enforcement actions); § 1798.199.55 – 75 (authorizing CPPA to bring enforcement actions).

3. C.R.S. § 6-1-1311(1)(a).

4. Connecticut Substitute Bill No. 6 at § 11(a).

5. Utah Code Ann. §13-61-402.

6. Va. Code § 59.1-580(A).

7. Cal. Civ. Code § 1798.155(b) (West 2020).

8. Cal. Civ. Code § 1798.199.90 (West 2021).

9 .C.R.S. § 6-1-1311(c).

10 .Connecticut Substitute Bill No. 6 at § 11(e).

11. Utah Code Ann. §13-61-402(3)(d).

12. Va. Code § 59.1-580(B).

13. Cal. Civ. Code § 1798.155(b) (West 2020).

14 Cal. Civ. Code § 1798.199.90 (West 2021).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 153

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...