Enforcement of data privacy obligations across the United States has accelerated sharply. Federal agencies and a growing roster of state-level regulators are imposing substantial penalties on companies that mishandle personal data. International businesses with even limited consumer-facing activity in the US are now squarely in the enforcement spotlight – regardless of where those businesses are incorporated or headquartered.
Data protection enforcement in the United States operates through a layered system of federal agencies, state attorneys general, and sector-specific regulators. The Federal Trade Commission remains the primary federal authority, pursuing enforcement actions under its unfair and deceptive practices mandate. While state privacy legislation. now enacted in well over a dozen states. creates direct compliance obligations for data controllers and data processors handling personal data of residents in those states. Companies that fail to meet consent mechanism requirements, maintain adequate data transfer safeguards, or respond to consumer rights requests within prescribed deadlines face civil penalties, injunctive orders, and mandatory audits.
This alert sets out which regulatory developments are most significant for international businesses, which companies fall within scope, and the immediate steps required to reduce exposure.
What has changed and when it takes effect
Several converging developments have reshaped the enforcement environment in 2025 and early 2026.
First, state comprehensive privacy statutes in Texas, Indiana, Montana, Tennessee, and several other states have moved from a transitional grace period into active enforcement. Regulators in these states are now issuing civil investigative demands and initiating formal proceedings. The deadlines for initial compliance passed during 2024 and 2025; companies still operating under interim policies are exposed.
Second, the Federal Trade Commission has intensified its focus on companies that use personal data for profiling, targeted advertising, and automated decision-making. Recent enforcement actions signal that inadequate or deceptive consent mechanism disclosures – particularly where a company's stated data practices differ from its actual ones – are treated as unfair or deceptive conduct. This line of enforcement does not require a data breach to trigger liability.
Third, the Securities and Exchange Commission (SEC) has reinforced its position that material cybersecurity incidents – and failures in data governance disclosures – can give rise to securities law violations. Publicly listed companies and their advisers must now treat data protection failures as a potential securities compliance matter, not merely an IT or privacy issue.
Fourth, federal court decisions have refined the standard for standing in consumer data class actions. Plaintiffs in a US District Court now more readily satisfy injury-in-fact requirements following certain circuit court developments. This has opened the door to a higher volume of private litigation running in parallel with regulatory proceedings.
Companies operating under GDPR compliance programmes should not assume those programmes satisfy US requirements. The US regulatory system does not recognise GDPR compliance as a safe harbour. Data transfer mechanisms that satisfy EU standards – such as Standard Contractual Clauses – do not automatically meet US domestic data handling rules.
Who is affected and which thresholds apply
The most immediate exposure falls on companies that meet any of the following criteria under one or more state privacy laws:
- Processing personal data of a threshold number of state residents annually – thresholds differ by state but are frequently set at 100,000 consumers or lower for sensitive data categories
- Deriving a defined share of annual revenue from the sale of personal data
- Operating targeted advertising programmes directed at residents of states with active enforcement regimes
- Handling sensitive data categories, including health information, biometric data, precise geolocation, or financial data
- Providing services to other businesses as a data processor under written data processing agreements
International companies structured as a Delaware LLC or other US entity – and those operating without a US legal presence but directing commercial activity toward US consumers – both fall within scope. The absence of a US physical office does not remove the obligation.
Companies subject to sector-specific federal legislation governing health data, financial data, or children's data face additional and often stricter requirements. Those layers of obligation run concurrently with state privacy law – not instead of it.
Disputes between companies and regulators, or between companies and consumers, increasingly proceed through JAMS or AAA arbitration where contractual arbitration clauses apply. However, state attorneys general are not bound by those clauses and may pursue enforcement independently in state court or before a DPA-equivalent state agency.
To receive an expert assessment of your company's data protection exposure in the United States, contact us at info@ferrazwhitmore.com.
Immediate actions for international companies
Companies with US data exposure should treat the following as priority items requiring completion within the next 60 to 90 days.
Map your data flows against current state thresholds. Identify which states' residents appear in your consumer or user data. Cross-reference that against the processing thresholds in each active state statute. Many international companies discover they exceed thresholds in multiple states simultaneously.
Audit your consent mechanism disclosures. Verify that your privacy notices accurately describe what data you collect, how you use it, with whom you share it, and what rights consumers may exercise. Discrepancies between stated and actual practices are the most common trigger for FTC enforcement. Update cookie banners and privacy notices to reflect current practices – not aspirational ones.
Review data processor contracts. If you act as a data processor for US-based clients, your contracts must satisfy state-specific requirements for processor agreements. Several state statutes specify mandatory contractual terms that differ from GDPR processor agreement requirements. A processor agreement valid under European data protection law may be non-compliant under US privacy legislation.
Establish a consumer rights response process. State privacy laws grant consumers rights to access, correct, delete, and in some cases port their data. Response deadlines are typically 45 days, with a single extension permitted. Companies without a documented intake and response workflow face the highest risk of enforcement for procedural non-compliance.
Assess your data transfer arrangements. If your US operations transfer personal data to entities outside the United States. including to a parent company. Affiliated processor. Alternatively, cloud provider. verify that your data transfer documentation satisfies both US contractual requirements and any applicable obligations in the receiving jurisdiction. Cross-border data transfer exposure is one of the most frequently overlooked risk areas for internationally structured businesses.
Companies that have invested in AI and technology compliance in the United States should also assess whether their automated systems trigger additional data protection obligations. particularly where those systems process sensitive data or make consequential decisions about individuals. For a broader view of the US data protection legal regime and the services available to international clients, visit our dedicated data protection practice page for the United States. Parallel developments in Latin America are covered in our alert on data protection enforcement in Brazil.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international companies in managing US regulatory exposure – from consent mechanism audits and data processor contract reviews to regulatory response strategy and cross-border data transfer compliance. As a law firm advising on lawyer united-states and law firm united-states engagements, we combine Portuguese civil law expertise with English common law tradition to deliver cross-border data protection solutions. Our attorneys have advised on data protection and privacy matters across both civil law and common law systems, and the firm's common law heritage directly supports engagement with US enforcement proceedings and private litigation. To discuss your company's current exposure under US data protection and privacy legislation, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.