Tracker
21 real AI enforcement actions by regulators worldwide, from the FTC and EU data protection authorities to the EEOC and US state attorneys general. Every case links to its primary source. Filter by regulator, jurisdiction, and outcome.
Maintained by AI Policy Desk. Spotted a missing or outdated case? Let us know.
Real-world enforcement actions — regulators worldwide are using existing and new powers against AI misuse. These cases show what violations look like in practice and what the consequences are.
Showing 21 of 21 cases · sorted by most recent
In a first for US AI enforcement, the FTC reopened and set aside its own 2024 consent order against Rytr, an AI writing tool the agency had charged with enabling fake reviews. The Commission found the original complaint did not satisfy the FTC Act's legal requirements and that the order unduly burdened AI innovation, citing the Trump administration's AI executive order and AI Action Plan.
Outcome: The 2024 Rytr consent order was vacated. The reversal signaled a lighter federal AI-enforcement posture: fraud and deception causing direct consumer harm remain enforceable, while orders seen as restricting AI capability face a more permissive environment.
The Australian Privacy Commissioner found Kmart's deployment of facial recognition in 28 stores (June 2020 – July 2022) — used to detect repeat refund fraud — was an unlawful and disproportionate intrusion on customers' privacy. Every customer who entered or approached a returns counter had their biometric data captured with no notification and no consent.
Outcome: Enforcement determination: Privacy Commissioner found Kmart violated the Privacy Act. No monetary penalty (the Act did not provide for fines at the time). Kmart was ordered to cease using FRT and to ensure adequate safeguards for any future biometric AI deployment.
The Massachusetts AG alleged that Earnest, a student-loan company, failed to mitigate the risk of disparate harm to Black, Hispanic, and non-citizen applicants and borrowers arising from its use of AI underwriting models, in violation of state consumer-protection and fair-lending law. Announced July 2025.
Outcome: $2.5M settlement. Earnest must develop and maintain a governance structure for its covered AI models, including written policies, risk assessments, bias testing, model inventories, documentation, and a dedicated oversight team.
Italy's Garante fined the developer of the AI companion chatbot Replika for operating without a valid legal basis for processing user data, failing to implement age verification to keep minors off the service, and not adequately informing users about what data was collected and why.
Outcome: €5 million fine against Luka Inc. The Garante also reserved the right to open a separate proceeding on the lawfulness of the generative AI system's processing across its full lifecycle. Follows the February 2023 suspension of Replika in Italy.
The FTC alleged Workado marketed its AI Content Detector as '98% accurate' at detecting AI-generated text, when that figure came from academic content only; on general writing the model's accuracy was about 53%. Workado used the 98% figure without its own substantiating studies.
Outcome: Consent order (proposed April 2025, finalized August 2025) bars Workado from making accuracy claims without competent and reliable evidence, requires it to retain supporting evidence and notify affected consumers, and imposes three years of annual compliance checks.
Following its 2023 temporary ban, Italy's Garante concluded its ChatGPT investigation and found OpenAI processed personal data to train ChatGPT without an adequate legal basis, breached transparency obligations, lacked sufficient age verification, and failed to notify the authority of its March 2023 data breach.
Outcome: €15 million fine. OpenAI was also ordered to run a six-month public-awareness campaign in Italian media explaining how it collects personal data and users' GDPR rights. OpenAI called the fine disproportionate and said it would appeal.
The FTC alleged IntelliVision made false or unsupported claims that its facial recognition software had one of the highest accuracy rates on the market and performed with zero gender or racial bias. In reality it lacked supporting evidence and had trained on images of roughly 100,000 individuals, not the 'millions' it claimed.
Outcome: Proposed consent order prohibits IntelliVision from misrepresenting the accuracy, efficacy, or bias performance of its facial recognition technology across genders, ethnicities, and skin tones unless it has competent and reliable testing to support the claims.
The FTC alleged Evolv deceptively advertised that its AI-powered Evolv Express scanners could detect all weapons and were more accurate than traditional metal detectors. Schools reported the scanners missed weapons and triggered frequent false alarms on harmless objects.
Outcome: Proposed consent order bars Evolv from making unsupported claims about its products' weapons-detection ability via AI, and requires it to let certain K-12 school customers (contracts signed April 2022–June 2023) cancel their multi-year contracts.
The newly established EU AI Office launched its first formal inquiry into GPAI model providers under Article 51 of the EU AI Act. The probe examines whether frontier model providers are complying with the Act's transparency and documentation requirements for general-purpose AI models, including copyright compliance summaries and technical documentation. This marks the first enforcement action under the EU AI Act and signals how the AI Office will interpret provider obligations.
Outcome: Ongoing investigation as of Q1 2026. No penalties imposed yet. The inquiry signals that the EU AI Office is actively monitoring GPAI model providers and is prepared to use its Article 101 powers (fines up to 3% of global turnover) for non-compliance with GPAI obligations.
Australia's Privacy Commissioner found Bunnings unlawfully deployed facial recognition technology across 63 of its hardware stores (November 2018 – November 2021), capturing biometric data of hundreds of thousands of shoppers without consent, without clear notice, and without a lawful basis under the Privacy Act.
Outcome: Enforcement determination requiring Bunnings to publish a statement disclosing its unlawful data collection. The determination was partially overturned on appeal in 2026 (Administrative Review Tribunal remitted certain grounds); the core finding of a Privacy Act breach was upheld.
The FTC's 'Operation AI Comply' brought simultaneous enforcement actions against five companies for deceptive AI claims. DoNotPay ($193K settlement) falsely claimed its AI was a 'robot lawyer'; Ascend Ecom charged consumers for AI-powered passive income businesses that did not deliver; Rytr ($50K settlement) sold a service capable of generating fake reviews at scale; NGL Labs collected children's data and used AI to send fake messages; Omni AI made false income claims about AI tools.
Outcome: Total of $2.5M+ in civil penalties and settlements across five cases. Orders prohibit deceptive marketing of AI capabilities and require clear disclosure of AI limitations.
In the first state attorney general settlement involving deceptive marketing of AI, the Texas AG alleged Pieces Technologies made false and misleading statements about the accuracy and safety of its generative AI, including misrepresenting the product's hallucination rate. The tool summarizes patient conditions and drafts clinical notes and had been deployed at four or more major Texas hospitals processing real-time patient data.
Outcome: No monetary penalty. The settlement requires Pieces to accurately disclose its products' accuracy and limitations, and to ensure hospital staff understand the extent to which they should or should not rely on the AI's outputs, with heightened requirements on future marketing.
The Irish DPC, acting as X Corp.'s EU lead supervisory authority, used emergency High Court powers for the first time ever to halt X's use of EU/EEA users' public posts to train its Grok AI chatbot. X had been collecting posts without user consent or adequate legal basis since May 2024.
Outcome: X permanently undertook to cease using EU/EEA user data for Grok AI training. Proceedings were struck out after X agreed to the binding court undertaking. The case marked the first use of the DPC's emergency injunctive powers and the first regulatory halt of an AI training program by an EU data protection authority.
The Dutch Data Protection Authority found Clearview AI built an illegal database of more than 30 billion facial images scraped from the internet, converting each into a unique biometric code, and processed Dutch residents' biometric data without any legal basis under the GDPR.
Outcome: €30.5 million fine (decision dated May 16, 2024) plus orders to cease the violations, with additional penalty payments of up to €5.1 million for non-compliance. Clearview did not contest the fine.
DoNotPay marketed itself as 'the world's first robot lawyer,' claiming its AI could help consumers fight corporations, protect privacy, and handle legal matters as well as a human attorney. The FTC found these claims were not substantiated — the AI had not been tested against human lawyers, and the company lacked evidence that the AI could perform the legal tasks it claimed.
Outcome: $193,000 settlement. DoNotPay is prohibited from making claims about AI legal capabilities without competent and reliable evidence substantiating the claim, and must provide refunds to subscribers who signed up based on the AI's legal capability marketing.
Rite Aid deployed facial recognition AI in hundreds of stores to flag suspected shoplifters. The system disproportionately misidentified people of color, women, and younger individuals as threats — causing them to be wrongly accused, followed, and publicly embarrassed in stores. Rite Aid failed to ensure the AI system was accurate and did not take reasonable steps to prevent misidentification harm.
Outcome: FTC banned Rite Aid from using AI facial recognition in retail settings for 5 years. Company required to delete all facial images collected, develop a comprehensive AI governance program, and implement meaningful accuracy testing before using any AI surveillance tool.
In the EEOC's first-ever AI hiring discrimination settlement, the agency alleged iTutorGroup programmed its recruiting software to automatically reject female applicants aged 55 or older and male applicants aged 60 or older, rejecting more than 200 qualified US-based applicants in violation of the Age Discrimination in Employment Act.
Outcome: $365,000 settlement paid to the rejected applicants. iTutorGroup must adopt anti-discrimination policies and complaint procedures covering the screening, hiring, and supervision of candidates.
Amazon retained children's voice recordings collected by Alexa indefinitely — even after parents requested deletion — in violation of the Children's Online Privacy Protection Act (COPPA). Amazon used the retained data to improve Alexa's AI models despite being told to delete it. A separate violation related to Ring doorbell cameras allowed employees and contractors to access private customer video footage.
Outcome: $25M civil penalty for the Alexa COPPA violations; $5.8M in disgorgement for the Ring privacy violations. Amazon was required to delete all children's data collected in violation of COPPA, prohibited from using that data for training AI, and required to implement a comprehensive children's data deletion program.
Italy's data protection authority temporarily banned ChatGPT from processing Italian users' data, citing GDPR violations: no lawful basis for mass collection of training data, no age verification to prevent minors from accessing the service, and failure to provide adequate transparency about data collection. OpenAI had 20 days to comply or face a permanent ban.
Outcome: ChatGPT was blocked for Italian users for approximately one month (March 31 – April 28, 2023). OpenAI resolved the ban by implementing an age verification mechanism, adding a GDPR privacy notice, and providing an opt-out mechanism for Italian users' data. The Garante later opened a separate formal investigation.
Clearview AI scraped billions of photos from the internet to build a facial recognition database sold to law enforcement. The UK ICO and French CNIL both found this violated data protection law: no lawful basis for collecting biometric data at scale, individuals had no knowledge their images were being used, and Clearview failed to respond adequately to data subject access requests.
Outcome: ICO fined Clearview £7.5M and ordered deletion of UK residents' data. CNIL fined Clearview €20M. Italy, Australia, Canada, and Greece also took enforcement action. Clearview was effectively banned from operating in Europe.
In the first application of South Korea's Personal Information Protection Act to an AI system, the PIPC found ScatterLab used roughly 9.4 billion KakaoTalk messages from 600,000 users of its other apps to train its 'Iruda' chatbot without explicit consent, exposed personal data on GitHub, and collected data of over 200,000 children under 14 without parental consent.
Outcome: KRW 103.3 million fine (about USD 93,000) plus corrective orders, across eight PIPA violations. Landmark case for AI training-data consent in Asia.
Each entry is a real, documented enforcement action involving artificial intelligence: a regulator, the company involved, what the AI system did wrong, the outcome (fine, settlement, order, or ban), and a link to the primary source so you can verify it. The dataset spans US federal agencies (FTC, EEOC), EU data protection authorities, US state attorneys general, and international regulators.
For the underlying laws these actions enforce, see the AI regulation tracker, and for the specifics of US enforcement see the FTC AI enforcement guide.
If you reference this dataset in a report, article, or client alert, use:
AI Policy Desk. “AI Enforcement Tracker.” aipolicydesk.com, aipolicydesk.com/ai-enforcement-tracker. Updated regularly.
To suggest a missing case or flag an error, use the contact page. Each case is verified against its primary source before inclusion.