AIRiskAware
Live Enforcement Tracker

Global AI enforcement.
Every case that matters.

Regulators worldwide are moving from guidance to penalties. This tracker covers every significant AI enforcement action — organised by jurisdiction, AI type, and outcome — so you know the compliance bar you are measured against.

Cases tracked: 18
Jurisdictions: 4
AI categories: 8+
Notable fines: $5B+

The enforcement pattern regulators are establishing

Regulators in all four major jurisdictions are using existing consumer protection, privacy, and anti-discrimination law — not waiting for AI-specific legislation. Pre-deployment accuracy testing, bias evaluation, and documented governance are now the expected standard. The absence of documentation is treated as an aggravating factor in every case.

🇺🇸 FTC · December 2023

FTC v Rite Aid Corporation

BAN · Facial Recognition

Outcome

5-year ban on facial recognition deployment

Key finding

Rite Aid deployed facial recognition in 200+ stores that falsely flagged shoppers — disproportionately women and people of colour — as shoplifters. AI was used without adequate accuracy testing, bias evaluation, or safeguards.

Rite Aid · United States

🇦🇺 OAIC · October 2021 (determination) / May 2023 (AAT upheld)

OAIC v Clearview AI

ORDER · Facial Recognition / Biometric Scraping

Outcome

Cease collection and delete Australian data

Key finding

Clearview AI collected facial images of Australians from public internet sources without consent, breaching the Privacy Act. "Publicly available" is not a consent substitute. Extraterritorial jurisdiction confirmed on appeal.

Clearview AI · Australia

🇪🇺 Garante (Italian DPA) · March 2023 (temporary ban) / December 2024 (€15M fine)

Garante (Italy) v OpenAI ChatGPT

FINE · Large Language Model / Generative AI · €15M

Outcome

Temporary ban 30 March – 28 April 2023; €15M fine and six-month public awareness campaign ordered December 2024 (first GDPR fine for a generative AI company; OpenAI appealing)

Key finding

ChatGPT lacked an adequate lawful basis for training data collection, had no effective age verification, and produced inaccurate, hallucinated personal data about real individuals. The case set the EU DPA enforcement template adopted by France, Spain, and Ireland.

OpenAI · European Union

🇬🇧 ICO (UK) · March 2023

ICO: Southern Co-op / Facewatch Facial Recognition

ORDER · Live Facial Recognition

Outcome

ICO found Facewatch data processing breached data protection law; required overhaul of practices

Key finding

Southern Co-op deployed LFR in 35 stores without adequate lawful basis. The legitimate interests test failed — privacy intrusion was disproportionate. DPIA was inadequate. Established that retail LFR faces an extremely high justification bar under UK GDPR.

Facewatch (used by Southern Co-op) · United Kingdom

🇺🇸 US Senate Permanent Subcommittee on Investigations / Civil litigation · November 2023 (lawsuit filed) / October 2024 (Senate report)

UnitedHealth nH Predict: Class Action and Senate Report

INVESTIGATION · Healthcare Prior Authorisation AI

Outcome

Class action lawsuit filed November 2023 alleging nH Predict was used to deny Medicare Advantage post-acute care claims. Senate Permanent Subcommittee on Investigations report "Refusal of Recovery" (October 21, 2024) found UnitedHealth's post-acute services denial rate increased from 8.7% to 22.7% (2019-2022); skilled nursing denial rate increased ninefold. CMS issued February 2024 guidance clarifying algorithms cannot solely dictate coverage decisions. Litigation ongoing.

Key finding

Federal court (March 2026) ordered broad discovery into UnitedHealth's AI claims process. UnitedHealth disputes that nH Predict makes coverage decisions, claiming it only informs providers. Plaintiffs allege the tool effectively replaced physician judgment.

UnitedHealth Group / NaviHealth · United States

🇪🇺 CNIL (French DPA) · October 2022

French CNIL v Clearview AI

FINE · Facial Recognition / Biometric Scraping · €20 million

Outcome

€20 million fine

Key finding

CNIL found Clearview collected and processed biometric data of French residents without legal basis. Maximum GDPR fine imposed. Established that biometric scraping from the internet violates GDPR regardless of public availability.

Clearview AI · European Union

🇺🇸 FTC · June 2023

FTC v Amazon (Alexa Children's Data)

FINE · Voice AI / Children's Data · $25 million

Outcome

$25 million civil penalty

Key finding

Amazon's Alexa retained children's voice recordings in violation of COPPA after parents requested deletion, and used children's data to train AI models. FTC found Amazon's data retention policies prioritised AI training over children's privacy.

Amazon · United States

🇺🇸 FTC / US Courts · July 2019 / March 2021 / November 2021

Meta: FTC Settlement + Illinois BIPA Class Action

SETTLEMENT · Facial Recognition · $5B (FTC) + $650M (BIPA)

Outcome

$5B FTC privacy settlement (2019); $650M Illinois BIPA facial recognition settlement (2021); feature shutdown globally November 2021

Key finding

The FTC's $5 billion 2019 settlement included concerns about deceptive facial recognition consent practices. A separate $650M Illinois BIPA class action settlement in 2021 resolved biometric privacy claims. Meta shut down its Tag Suggestions facial recognition feature globally in November 2021, deleting over 1 billion face templates.

Meta · United States

🇪🇺 AEPD (Spanish DPA) · April 2023

AEPD (Spain) v OpenAI ChatGPT

INVESTIGATION · Large Language Model / Generative AI

Outcome

Investigation opened; provisional measures considered

Key finding

Following Italy's ChatGPT action, Spain's DPA opened its own investigation into OpenAI's lawful basis for training data collection and personal data accuracy in ChatGPT outputs.

OpenAI · European Union

🇺🇸 US Federal Courts · 2012–2017 (key rulings 2016)

K.W. v Armstrong (Idaho) & Arkansas ADHS / Ledgerwood (Arkansas)

ORDER · Benefits Assessment Algorithm

Outcome

Two parallel Medicaid algorithm cases. K.W. v Armstrong (Idaho, March 2016): federal district court struck down state's in-home support formula for adults with developmental disabilities, finding it relied on unreliable data and violated due process. Arkansas ADHS v Ledgerwood (Arkansas, 2017): state court issued injunction against Arkansas DHS's use of the RUGs algorithm without notice-and-comment rulemaking. Both established that government must disclose algorithmic decision logic and provide meaningful explanations.

Key finding

These cases are foundational precedents for due process challenges to automated government decisions. Plaintiffs in both cases were people with disabilities whose Medicaid in-home care hours were drastically cut by undisclosed algorithms.

State of Idaho / State of Arkansas · United States

🇦🇺 OAIC · October 2024 (determination) / February 2026 (ART partial reversal)

OAIC v Bunnings Group Limited

ORDER · Facial Recognition

Outcome

Privacy breach found — cease and desist order, mandatory public statement. No fine imposed (cooperation noted). ART affirmed transparency breaches, set aside consent breach finding.

Key finding

Bunnings used facial recognition technology across 63 NSW and Victoria stores between November 2018 and November 2021, capturing biometric data from likely hundreds of thousands of shoppers without consent or adequate notification. Commissioner Kind found breaches of APP 1 (governance), APP 3 (sensitive information collection without consent) and APP 5 (notification). On 4 February 2026, the Administrative Review Tribunal affirmed the APP 1 and APP 5 findings but set aside the APP 3 breach, accepting Bunnings could rely on a permitted general situation exemption for the purpose of preventing retail crime and protecting staff. Bunnings faced a maximum fine of $50 million but avoided it due to cooperation and good intent. The case is a landmark precedent for biometric AI governance in Australian retail.

Bunnings Group Limited · Australia

🇬🇧 ICO · October 2025 (Upper Tribunal) — ICO original fine: May 2022

Information Commissioner v Clearview AI (Upper Tribunal)

ORDER · Facial Recognition · £7,552,800 (original 2022 fine, enforcement pending substantive FTT rehearing)

Outcome

Upper Tribunal upheld ICO jurisdiction on 3 of 4 grounds — overturned 2023 FTT decision. Case remitted to FTT for substantive hearing. Clearview appealing to Court of Appeal.

Key finding

In May 2022, the ICO fined Clearview AI £7,552,800 for scraping billions of images of UK residents from the internet to build a facial recognition database sold to law enforcement. Clearview appealed; in October 2023 the First-tier Tribunal found the ICO lacked jurisdiction because Clearview served foreign law enforcement. On 7 October 2025, the Upper Tribunal reversed that decision ([2025] UKUT 319 (AAC)), finding UK GDPR applies extraterritorially and that "behavioural monitoring" includes passive automated collection of data for potential future profiling. ICO jurisdiction was reinstated. The case is a landmark authority on the extraterritorial reach of UK GDPR and the definition of behavioural monitoring. Clearview has no UK assets, making practical enforcement uncertain. As of December 2025, Clearview has been granted permission to appeal to the Court of Appeal.

Clearview AI Inc · United Kingdom

🇺🇸 FTC · September 2024 (complaint) / January 2025 (settlement)

FTC v DoNotPay — Operation AI Comply

SETTLEMENT · Large Language Model / Generative AI · USD $193,000

Outcome

Settlement — $193,000 fine, mandatory consumer notifications, prohibited from making unsubstantiated capability claims

Key finding

DoNotPay marketed itself as "the world's first robot lawyer" and claimed its AI could handle legal matters as effectively as human lawyers, including drafting contracts, fighting parking tickets, and representing users in small claims court. The FTC alleged these claims were false and unsubstantiated — the AI could not deliver on its "robot lawyer" promises. The case is part of Operation AI Comply, the FTC's September 2024 enforcement sweep targeting companies using AI hype or AI tools in deceptive ways. It establishes that "AI washing" — overstating AI capabilities — violates Section 5 of the FTC Act. DoNotPay was required to notify affected customers and is prohibited from making misleading capability claims.

DoNotPay Inc · United States

🇺🇸 FTC · November 2024 (complaint) / December 2024 (settlement)

FTC v Evolv Technology — AI Security Claims

SETTLEMENT · AI Security Screening

Outcome

Settlement — banned from making unsubstantiated AI detection capability claims; K-12 school customers given right to cancel contracts

Key finding

Evolv Technology sold AI-powered weapons detection systems to schools, transit authorities, and venues, claiming its technology could accurately distinguish weapons from harmless personal items at high sensitivity. Schools reported the systems failed to detect weapons and triggered frequent false alarms on benign objects. The FTC alleged Evolv's statements about its AI and sensor technology were materially false. The December 2024 settlement prohibits Evolv from making unsubstantiated performance claims and requires it to allow K-12 school customers to cancel contracts. The case signals that AI capability claims in safety-critical contexts face heightened FTC scrutiny, particularly where false claims could endanger children.

Evolv Technology · United States

🇺🇸 FTC · August 2025 (complaint) / March 2026 (settlement)

FTC v Air AI Technologies — AI Earnings Claims

SETTLEMENT · Large Language Model / Generative AI · USD $18,000,000 monetary judgment (largely suspended — operators pay $50,000)

Outcome

Settlement — permanent ban on marketing business opportunities; $18M judgment (largely suspended due to inability to pay)

Key finding

Air AI marketed a "conversational AI" platform as capable of replacing human customer service representatives, and sold business opportunity packages to entrepreneurs promising they would "earn back tens of thousands of dollars within 30 days" and potentially millions. The FTC alleged Air AI bilked entrepreneurs and small businesses out of approximately $19 million through false earnings claims and a refund guarantee that was rarely honoured. The March 2026 settlement permanently bans the operators from marketing business opportunities and from making unsubstantiated earnings or performance claims. The case is part of the FTC's ongoing Operation AI Comply sweep and targets the highest-risk AI marketing claim category: earnings promises tied to AI capabilities.

Air AI Technologies Inc · United States

🇺🇸 Texas Attorney General · September 2024

Texas AG v Pieces Technologies — AI Healthcare Claims

SETTLEMENT · Large Language Model / Generative AI

Outcome

First US state AG settlement against a generative AI healthcare company — terms included corrective disclosures and conduct remediation

Key finding

On 18 September 2024, the Texas Attorney General announced a first-of-its-kind settlement against Pieces Technologies, a generative AI company providing AI tools to hospital systems, for allegedly making deceptive and misleading statements about the accuracy and safety of its AI products. Pieces marketed its AI as capable of performing clinical tasks at high levels of accuracy that the AG alleged were not substantiated. Texas pursued the action under the Deceptive Trade Practices Act. The settlement is significant as the first US state attorney general enforcement action specifically targeting false capability claims by a generative AI company operating in a healthcare setting, and it preceded similar FTC actions by one week.

Pieces Technologies · United States

🇺🇸 US District Court (D. Minn.) · November 2023 (filed) / February 2025 (allowed to proceed) / March 2026 (broad discovery ordered)

Estate of Lokken v UnitedHealth Group — nH Predict AI

INVESTIGATION · Healthcare Prior Authorisation AI

Outcome

Class action proceeding — discovery compelled March 2026; trial date to be set

Key finding

Medicare Advantage members and their families filed a class action alleging UnitedHealthcare used an AI tool called nH Predict (developed by Optum subsidiary naviHealth) to deny post-acute care claims based on population-level algorithms rather than individual clinical circumstances — overriding physicians' recommendations. The complaint alleges approximately 90% of denials were overturned on appeal. On 13 February 2025 (Case No. 0:23-cv-03514, D. Minn.), the court denied UnitedHealth's motion to dismiss, allowing breach of contract and implied good faith claims to proceed. On 9 March 2026, a federal magistrate judge ordered UnitedHealth to produce broad discovery — internal documents on nH Predict's implementation, use, and outcomes. The case is the leading US litigation on AI-driven healthcare coverage denials and is shaping expectations for the forthcoming CMS rules on Medicare Advantage AI use.

UnitedHealth Group / UnitedHealthcare · United States

🇺🇸 US District Court (D. Colo.) · April 2026

xAI v Weiser — Constitutional Challenge to Colorado AI Act

INVESTIGATION · Large Language Model / Generative AI

Outcome

Enforcement stayed April 2026. DOJ joined as plaintiff April 24. Replacement bill SB 189 passed Colorado legislature May 2026.

Key finding

On 9 April 2026, Elon Musk's xAI filed suit in the US District Court for Colorado (Case No. 1:26-cv-01515) seeking to block Colorado's SB 24-205 — the first comprehensive US state AI law — from taking effect. xAI alleged the law violates the First Amendment (compelled speech, content-based restrictions), the Commerce Clause (regulating out-of-state actors), and due process (vagueness). On 24 April 2026, the US Department of Justice intervened on xAI's side — the first time the federal government has sought to invalidate a state AI law. A magistrate judge stayed enforcement on 27 April 2026. The Colorado legislature subsequently passed replacement bill SB 189, scaling back the law to a notice-and-disclosure framework. The case defines the legal limits of state AI regulation and the federal government's posture under the Trump administration toward state AI laws.

State of Colorado · United States

What the enforcement record establishes

Existing law is sufficient

No jurisdiction has waited for AI-specific legislation to act. Consumer protection, privacy, and anti-discrimination law is applied to AI misuse in every case.

Pre-deployment testing is mandatory

Every case involving accuracy or bias failures finds that pre-deployment testing was either absent or inadequate. Documented testing is now an expected baseline.

"Publicly available" is not consent

Both the OAIC (Clearview) and CNIL (Clearview) have established that scraping publicly available data for AI training violates privacy law without explicit consent.

Extraterritorial reach is real

The OAIC enforcement against Clearview AI confirms that privacy law applies to overseas companies collecting data about local residents — physical presence is not required.

Documentation gaps are aggravating

In every enforcement action, the absence of governance documentation — DPIAs, LIAs, bias audits, oversight records — has been treated as evidence of systemic governance failure.

Individual harm at scale triggers action

Enforcement focuses on AI that affects individuals directly and at scale — biometrics, credit, employment, benefits, healthcare — not abstract AI capability concerns.

Is your AI governance enforcement-ready?

Every case above began with a complaint or investigation into practices that seemed acceptable at the time. Governance documentation is your first line of defence.