Many modern data privacy statutes rely heavily on regulatory enforcement. The amount of civil penalty that a regulator can see for violations differs between and among the states. It should also be noted, there may be ambiguity within certain states regarding how violations are “counted.” For example, a business might consider the inadvertent selling of personal information found within its database to a third party after an individual has opted-out as “one” violation. A regulator might argue, however, that a separate violation was committed for each data subject whose information was sold to the third party. Ultimately, courts will have to determine whether one act, that might have occurred multiple times, constitutes a single violation or multiple violations. The following chart compares the regulator that is authorized to bring enforcement actions, as well as the civil penalties that the regulator may seek: