February 17, 2026 EU confirmed
X (Twitter) · €120m: first major fine under the Digital Services Act (DSA)
The European Commission fined X (formerly Twitter) €120 million for violations of the Digital Services Act (DSA). The decision sanctioned three breaches: lack of transparency in its ad library, failure to provide researchers the data access the rule requires, and deceiving users with its verification mark (the 'verified' badge, which, per the Commission, does not actually verify accounts). It is one of the first major sanctions under the DSA, the European regime regulating content and transparency of large platforms, distinct from the DMA (which regulates competition). The same day, the Commission announced it had accepted binding commitments from TikTok on the transparency of its ad repository, without imposing a fine, stressing that its priority objective is compliance, not punishment.
September 2, 2021 IE confirmed
WhatsApp · €225m for lack of transparency (the EDPB forced quadrupling the initial fine)
Ireland's Data Protection Commission (DPC) fined WhatsApp €225 million for failing to transparently inform users and non-users about how it processed their data. The case illustrates the weight of the European Data Protection Board (EDPB): the DPC had initially proposed a fine of some €50 million, but the EDPB's dispute-resolution mechanism forced Ireland to recalculate it upward to €225 million. It is relevant for the buyer because it shows the local authority does not always have the final word on the amount, and that the European body can toughen sanctions.
January 19, 2023 IE confirmed
WhatsApp · €5.5m over the same improper legal basis for data processing
Ireland's Data Protection Commission (DPC) fined WhatsApp €5.5 million, in the same doctrinal line as the €390 million Meta sanction two weeks earlier: the company could not base data processing for service improvement and security on 'contractual necessity' rather than users' consent. The case, also originating in NOYB complaints, reinforces the European authority's standard on the limits of the 'contractual basis' as a justification for processing personal data in digital services.
August 26, 2024 NL confirmed
Uber · €290m for transferring European drivers' data to the US
The Netherlands' data-protection authority (AP) fined Uber €290 million for transferring European drivers' personal data to the United States without adequate safeguards over a period of more than two years, following the invalidation of the Privacy Shield. It is one of the largest sanctions imposed by the Dutch authority and ranks among the ten largest under the GDPR.
September 1, 2025 US confirmed
Tractor Supply · $1.35m: largest fine by California's privacy agency (CPPA)
California's Privacy Protection Agency (CPPA) —distinct from the attorney general— reached its largest sanction to date, $1.35 million, with Tractor Supply Company. The case turned on a 'Do Not Sell My Data' mechanism that did not work: the company did not honour opt-out requests submitted by web form, did not honour browser privacy signals (Global Privacy Control), and its privacy notice did not inform users of their CCPA rights. The CPPA, which began issuing public decisions in 2024, has hundreds of ongoing investigations and since January 2026 requires mandatory cybersecurity audits.
January 15, 2020 IT confirmed
TIM · €27.8m for aggressive marketing and improper handling of customer data
Italy's data-protection authority (Garante) fined the telecoms operator TIM €27.8 million for multiple GDPR breaches related to customer-data processing: excessive advertising calls without recipients' proper consent, poor consent management, outdated contact lists and other aggressive marketing practices affecting millions of people. It is one of the Garante's largest sanctions and a reference on the limits of telemarketing and consent management in the telecoms sector.
May 2, 2025 IE confirmed
TikTok · €530m for data transfers to China and lack of transparency
Ireland's Data Protection Commission (DPC) fined TikTok €530 million (some $601 million) for breaching the GDPR regarding transfers of European users' data to China and for lack of transparency. It is the third-largest GDPR sanction in history, behind only Amazon (€746m) and Meta (€1.2bn). The decision cited breaches of Articles 13(1)(f) and 46(1). TikTok announced it would appeal the decision.
September 1, 2023 IE confirmed
TikTok · €345m over children's privacy (accounts public by default)
Ireland's Data Protection Commission (DPC) fined TikTok €345 million for breaching the GDPR in the processing of minors' data during 2020: minors' accounts were set to public by default, allowing anyone to view and comment on their videos, and there were shortcomings in age verification and the 'Family Pairing' feature. The decision cited breaches of several articles (fairness, data minimisation, privacy by design). The DPC issued a reprimand and ordered the practices corrected within three months.
April 4, 2023 GB confirmed
TikTok · £12.7m in the UK for misuse of children's data (reduced from £27m)
The UK ICO fined TikTok £12.7 million for breaching the UK GDPR between 2018 and 2020, mainly for failing to protect children's privacy: it provided services to up to 1.4 million British children under 13 without parental consent (despite its own terms prohibiting it), did not explain understandably how it used their data, and did not process data lawfully, fairly and transparently (Arts. 5, 8, 12). The fine was reduced from the £27 million initially proposed because the ICO decided not to pursue the charge over special-category data use. It is the ICO's third-largest fine, after British Airways and Marriott. TikTok disagreed and considered appealing the amount.
July 6, 2023 BR confirmed
Telekall Infoservice · BRL 14,400: the first fine in history under Brazil's LGPD
Brazil's National Data Protection Authority (ANPD) imposed its first-ever sanction under the LGPD on Telekall Infoservice, a small telemarketing company, with fines totalling 14,400 reais (some $3,000). The case arose from a data-breach proceeding: the company offered data of thousands of São Paulo citizens to political candidates for mass campaign transmission in 2020. The ANPD found a lack of legal basis for processing (Art. 7), no data-protection officer (Art. 41) and obstruction of the investigation. The amount is symbolic —the LGPD allows fines of up to 50 million reais per infraction— given it is a small company, but the decision set a precedent: the ANPD sanctions regardless of company size. It is not final and may be appealed.
April 7, 2025 SG confirmed
Singapore Data Hub · SGD 17,500: Singapore's PDPC sanctions a breach of 689,000 people
Singapore's Personal Data Protection Commission (PDPC) ordered Singapore Data Hub to pay a SGD 17,500 fine for breaching its protection obligation under the PDPA: a breach exfiltrated personal data of 689,000 people, likely posted on a hacking forum. The investigation found the affected servers were publicly accessible, ran outdated operating systems and lacked security testing. The case illustrates two things for the buyer: enforcement in Southeast Asia is active but low in amount, and PDPA fines are moderate compared to European ones, relevant regulatory context for assessing risk by region.
September 3, 2025 FR confirmed
Shein · €150m for cookies: CNIL extends its offensive to fast-commerce
The same day it sanctioned Google, France's CNIL fined the fast-commerce platform Shein €150 million for violations concerning cookie consent. The sanction illustrates that CNIL's cookie offensive is not limited to large US tech, but reaches e-commerce giants from other geographies. For Shein, privacy fines are relatively new, in a 2024-2025 context of growing regulatory scrutiny, though much of it has focused more on consumer protection than pure privacy.
August 24, 2022 US confirmed
Sephora · $1.2m: California AG's first major CCPA settlement
California's attorney general reached a $1.2 million settlement with Sephora, the first major enforcement case under the California Consumer Privacy Act (CCPA). The AG found Sephora sold customers' personal data without disclosing it, did not process opt-out requests sent via browser privacy signals, and did not cure the violations within the cure period. It set the early standard that sharing data with third parties for advertising counts as a 'sale' under the CCPA.
December 22, 2022 FR confirmed
Microsoft · €60m for Bing cookies (harder refusal and an anti-fraud cookie without consent)
France's CNIL fined Microsoft €60 million over its Bing search engine's cookies: it was easier to accept than to refuse them, and a cookie meant to fight ad fraud was also deposited without the user's consent or knowledge. Microsoft was found in breach of Article 82 of the French law, letting the CNIL act directly despite the company's regional HQ being in Ireland. The amount was based on the number of affected people and the profit from the system. It is another piece of the French cookie offensive, this time against another big US tech company.
June 5, 2023 US confirmed
Microsoft (Xbox) · $20m for collecting minors' data on Xbox Live without consent
Microsoft agreed to pay $20 million and update its privacy protocols to settle FTC charges for violating children's privacy law (COPPA) with its Xbox Live service: it collected minors' personal information during sign-up without obtaining parental consent or properly informing parents, and retained that data. It is part of a series of FTC actions in 2022-2023 focused on protecting minors' data in gaming services and voice assistants, a clear regulatory focus of the period.
April 23, 2025 EU confirmed
Meta · €200m for the 'consent or pay' model under the DMA
The European Commission fined Meta €200 million (case DMA.100055) for breaching Article 5(2) of the Digital Markets Act with its 'consent or pay' model on Facebook and Instagram between March and November 2024: the Commission found Meta did not offer users an equivalent alternative using less personal data, depriving them of a free choice over the combination of their data. As Meta stopped offering that model and the new one is under review, no cease order was issued. For context on the amount, the Commission had fined Meta €797 million the prior year for an antitrust breach lasting some 7 years. Meta announced an appeal.
November 1, 2025 ES confirmed
Meta · €479m via the courts: a Madrid court rules for 87 media companies
A Madrid court ordered Meta to pay €479 million after ruling for 87 Spanish media companies that argued the company's data practices gave it an unfair advantage in the online advertising market. The court found Meta processed user data unlawfully: when the GDPR took effect in 2018, Meta switched the legal basis for data collection from 'user consent' to 'contractual necessity', a justification regulators rejected. It is a notable case because the sanction comes via civil litigation (a competitors' lawsuit), not a data-protection authority, illustrating a distinct exposure route for platforms.
May 22, 2023 IE confirmed
Meta · €1.2bn for data transfers to the US (the largest GDPR fine in history)
Ireland's Data Protection Commission (DPC) fined Meta Platforms €1.2 billion for transferring personal data of EU Facebook users to the United States without adequate safeguards, breaching the EU Court of Justice's Schrems II ruling that invalidated the Privacy Shield framework. Beyond the fine, Meta was ordered to cease the transfers and correct its practices within five months. It is the largest GDPR sanction ever imposed. Meta immediately announced its intention to appeal, arguing it had operated within the available legal framework and trusting that a new EU-US adequacy agreement would resolve the underlying issue.
January 4, 2023 IE confirmed
Meta · €390m for basing personalised ads on 'contract' rather than consent
Ireland's Data Protection Commission (DPC) fined Meta €390 million (€210 million for Facebook and €180 million for Instagram) after three complaints by Max Schrems' NOYB organisation. The DPC concluded Meta could not base personalised advertising on 'contractual necessity' —a clause in its terms of service— instead of obtaining users' consent. It is a doctrinally decisive case: it challenged Meta's advertising business model in the EU and forced it to seek a different legal basis for targeted advertising. It is part of the Irish DPC's long series of sanctions against Meta. The same week, the DPC added a €5.5 million fine on WhatsApp over the same matter.
September 27, 2024 IE confirmed
Meta · €91m for storing user passwords in plain text
Ireland's Data Protection Commission (DPC) fined Meta €91 million after an investigation into a 2019 incident in which the company stored social-media users' passwords in unencrypted format (plain text) on its internal systems. The DPC concluded Meta breached the GDPR obligations to notify the breach and to apply adequate technical measures to ensure data security. It is a reference case on the basic security of credential storage and adds to the Irish DPC's long series of sanctions on Meta, which together exceed €3 billion.
November 25, 2022 IE confirmed
Meta (Facebook) · €265m after user data was found on a hacking forum
Ireland's Data Protection Commission (DPC) fined Meta €265 million after personal data of Facebook users appeared on an online hacking forum. The authority concluded that Meta had not applied adequate technical and organisational measures to protect the data against the scraping that led to the leak, breaching the obligations of data protection by design and by default.
September 5, 2022 IE confirmed
Instagram (Meta) · €405m over the processing of minors' data
Ireland's Data Protection Commission (DPC) fined Meta €405 million over the handling of minors' data on Instagram, in particular for allowing teenage accounts to display email addresses and phone numbers on business accounts, and for setting minor users' accounts to public by default. It is one of the largest sanctions for the protection of minors' data under the GDPR.
December 31, 2021 FR confirmed
Facebook (Meta) · €60m for a confusing, misleading cookie-refusal button
The same day it sanctioned Google, France's CNIL fined Facebook Ireland €60 million for requiring several clicks to refuse cookies on facebook.com, versus a single click to accept them. The refusal button was at the bottom of a second page and, confusingly, was labelled 'Accept cookies'. As with Google, the sanction was based on the ePrivacy Directive and the number of affected users. Together with the cookie cases, it illustrates CNIL's systematic offensive against dark patterns in consent.
July 24, 2019 US confirmed
Meta (Facebook) · $5bn: the largest privacy penalty in US history (FTC)
The US Federal Trade Commission (FTC) imposed on Facebook a record $5 billion penalty to settle charges that the company had violated a 2012 FTC order by deceiving users about their ability to control the privacy of their data, in the context of the Cambridge Analytica scandal (the consultancy that harvested data from millions of users for psychological profiles used in political advertising in the 2016 elections). It is, by far, the largest privacy penalty ever imposed in the US and one of the largest in the world. Beyond the amount, the 20-year order restructured the company's privacy governance. Facebook recorded it in its accounts and did not appeal.
December 23, 2022 US confirmed
Meta · $725m: the largest privacy class-action settlement in US history
Meta agreed to pay $725 million to settle a class-action lawsuit arising from the Cambridge Analytica scandal, brought by Facebook users. It is the largest privacy class-action settlement in US history —greater than any individual state authority's sanction— and illustrates an enforcement mechanism distinct from the regulatory one: private class actions, which scale with the number of affected people without requiring a regulator to act first. It complements the $5 billion FTC settlement over the same facts: the same conduct generated both regulatory and civil exposure.
November 5, 2024 KR confirmed
Meta · ₩21.6bn (~$15m) in Korea for collecting sensitive data of 980,000 users
South Korea's PIPC fined Meta 21.62 billion won (some $15 million) after a four-year investigation (2018-2022) concluding the company illegally collected sensitive information from about 980,000 Facebook users —including political and religious beliefs and sexual orientation— and shared it with thousands of advertisers. The PIPC also noted Meta failed to implement basic security protocols, such as blocking dormant accounts, and unjustifiably refused users access to their data. Alongside the fine, it issued a corrective order. Meta said it would 'carefully review' the decision.
October 15, 2021 CN confirmed
Meituan · ¥3.442bn (~$541m) for the same platform-exclusivity practice
China's SAMR fined Meituan, the country's largest food-delivery platform, 3.442 billion yuan (some $541 million), 3% of its 2020 sales, for abuse of dominance through the same 'pick one of two' practice: it barred restaurants from operating simultaneously on competing platforms. It was the third major tech company sanctioned for this conduct after Alibaba and Sherpa's. Together with Alibaba, Meituan accounted for 92% of the 23.6 billion yuan in antitrust fines China imposed in 2021, a more than 50-fold increase over 2020.
October 30, 2020 GB confirmed
Marriott · £18.4m for the breach of 339 million records (reduced from ~£99m)
The UK ICO fined Marriott International £18.4 million for failing to protect its customers' data: the breach compromised about 339 million guest records, including seven million UK residents, with names, emails, phone numbers, passport numbers, arrival/departure data, VIP status and loyalty numbers. As with British Airways, the ICO had initially proposed a much larger fine (~£99 million) which it reduced by over 81% after the company's representations and the withdrawal of certain charges. It is the ICO's second-largest fine for a breach, behind British Airways.
October 22, 2024 IE confirmed
LinkedIn · €310m for behavioural analysis and targeted advertising
Ireland's Data Protection Commission (DPC) fined LinkedIn Ireland €310 million for the unlawful processing of user data for behavioural analysis and targeted advertising. The case originated in a complaint by the French organisation La Quadrature du Net. The decision challenged the legal basis on which LinkedIn processed data for advertising purposes.
October 1, 2020 DE confirmed
H&M · €35.3m for employee surveillance: largest GDPR fine for workplace data
Hamburg's Data Protection Commissioner (Germany) fined the fashion chain H&M €35.3 million for extensive employee surveillance at its Nuremberg service centre. Investigators found the company kept excessive and intrusive records on its workforce, including details about their families, religions, illnesses, holidays, medical symptoms and diagnoses. After a technical error, that data became accessible across the company network for a few hours, which exposed the case. It is the largest GDPR fine ever imposed for employee surveillance and a reference on the limits of workplace monitoring.
December 13, 2021 NO confirmed
Grindr · ~NOK 65m in Norway for sharing data with third parties without consent (Norwegian DPA's largest fine)
Norway's data-protection authority (Datatilsynet) fined Grindr, the US dating app, for sending users' personal data to third parties for advertising without valid consent. The authority found Grindr deliberately 'sold' personal data —including the fact of being a user of an app aimed at the LGBTQ community, an especially sensitive datum— and that the transactions breached the GDPR. It was the largest fine ever imposed by the Norwegian DPA, which deemed the breaches 'grave'. The initial amount was higher but was reduced after Grindr cited a tight financial situation: another example of how the outcome modulates the final figure.
June 27, 2017 EU confirmed
Google · €2.42bn for Google Shopping (upheld by the CJEU in 2024, appeals exhausted)
The European Commission fined Google €2.42 billion for favouring its own comparison-shopping service (Google Shopping) in its search engine's general results, to the detriment of rival comparison services. It was the first of the EU's three major antitrust fines against Google. The case ran through every instance: in September 2024, the EU Court of Justice (the bloc's supreme court) rejected Google's final appeal, exhausting all appeals and leaving the fine final and definitive. It is an example of the opposite extreme to annulled fines: here the outcome, after seven years of litigation, fully confirmed the sanction.
July 18, 2018 EU confirmed
Google · €4.34bn for Android (antitrust record; reduced to €4.125bn on appeal)
The European Commission fined Google a record €4.34 billion for using its Android operating system to consolidate its search engine's dominance: it forced manufacturers to pre-install Google Search and Chrome alongside the Play store, paid them to pre-install only Google Search, and barred them from using rival Android versions. It is a textbook case of why the outcome matters: in 2022 the General Court confirmed the decision in essence but reduced the fine to €4.125 billion, partly disagreeing on the reasoning about revenue-sharing agreements. Google appealed to the CJEU, whose advocate general recommended dismissing the appeal. It remains the largest antitrust fine in EU history.
September 5, 2025 EU confirmed
Google · €2.95bn for its ad-tech (with recidivism aggravation, +60%)
The European Commission fined Google €2.95 billion for abusive practices in its online advertising technology (ad-tech), favouring its own ad-intermediation services. It is the second-largest antitrust fine ever imposed on Google. A detail relevant to the buyer: since Google had already been sanctioned in 2017, 2018 and 2019, its conduct was classified as recidivism, which raised the amount by 60%. It illustrates how a prior sanctions history aggravates later fines.
March 20, 2019 EU confirmed
Google · €1.49bn for AdSense (restrictions on competitors' advertising)
The European Commission fined Google €1.49 billion for abusing its dominant position in search advertising: it prevented website owners using its AdSense product from displaying search ads from Google's competitors. It is the third of the EU's major antitrust fines against Google, which together total some €8.25 billion. Google appealed it.
December 31, 2021 FR confirmed
Google LLC · €90m for YouTube cookies (part of the combined €150m sanction)
Within the combined €150 million sanction France's CNIL imposed on Google on 31 December 2021, €90 million corresponded specifically to Google LLC for youtube.com's cookies: users could not refuse cookies as easily as they accepted them. The CNIL gave Google three months to change the look and functioning of its cookie banner under a daily penalty. It is recorded separately from the Google Ireland tranche to reflect the exact attribution by entity, a level of detail relevant for compliance analysis.
September 3, 2025 FR confirmed
Google · €325m for cookies and Gmail ads: the French CNIL's largest fine
France's data-protection authority (CNIL) fined Google €325 million (some $381 million) for displaying ads between users' emails in Gmail without their consent and for placing tracking cookies on new accounts during sign-up. It is the largest fine in CNIL's history, which had already sanctioned Google with €50 million in 2019 and with cookie fines in 2020 and 2021. The decision results from several investigations between 2022 and 2023, and reflects CNIL's persistence in enforcing cookie-consent rules.
December 31, 2021 FR confirmed
Google · €150m for making cookie refusal hard on google.fr and YouTube
France's CNIL fined Google €150 million (€90 million to Google LLC and €60 million to Google Ireland) for not letting users of google.fr and youtube.com refuse cookies as easily as they could accept them: accepting took a single click, while refusing required at least five separate actions. The CNIL also issued an injunction to fix it within three months under a €100,000-per-day penalty. Google complied by adding a refusal button, and the CNIL closed the injunction in July 2023. It is a key case on 'dark patterns' in cookie banners, governed by the ePrivacy Directive (not the GDPR's one-stop-shop mechanism).
January 21, 2019 FR confirmed
Google · €50m: CNIL's first major GDPR fine (transparency and ad consent)
France's CNIL imposed a €50 million fine on Google LLC, following a series of complaints by the organisations NOYB and La Quadrature du Net filed in the first days of the GDPR's application. The CNIL concluded Google did not provide sufficiently transparent and accessible information about how it processed data to personalise advertising, and that the consent obtained was not valid (neither specific nor unambiguous). It was the CNIL's first major GDPR fine and one of the new regime's first significant sanctions in Europe, marking the start of serious enforcement against big tech.
November 14, 2022 US confirmed
Google · $391.5m: record settlement with 40 state attorneys general over location tracking
Google agreed to a $391.5 million settlement with a bloc of 40 US state attorneys general over deceptive location-tracking practices: the investigation found the company kept collecting users' location even when they believed they had turned it off. It was, at the time, the largest multistate privacy settlement in US history and an example of the country's most powerful enforcement mechanism absent a federal law: coordinated action by state attorneys general. The settlement included obligations for greater transparency about location tracking.
September 14, 2022 KR confirmed
Google · ₩69.2bn (~$50m) in South Korea: the country's largest data fine
South Korea's Personal Information Protection Commission (PIPC) fined Google 69.2 billion won (some $50 million) for collecting users' behavioural data from websites via tracking tools, without obtaining consent through sufficiently clear disclosures and using 'dark patterns' that left the 'agree' option as default while hiding alternatives. It was, alongside Meta's the same day, the country's first sanction on behavioural-data collection for personalised advertising, and the largest privacy fine ever imposed in South Korea. Google expressed disagreement and willingness to litigate.
January 1, 2026 US confirmed
General Motors · $12.75m: California AG record under the CCPA
California's attorney general reached a record $12.75 million settlement with General Motors for violations of the California Consumer Privacy Act (CCPA) concerning data minimisation and purpose limitation —in essence, collecting and sharing more driver data than necessary and for unauthorised purposes. It is the California AG's largest CCPA sanction to date, surpassing the prior case, and reflects US regulators' growing focus on connected-vehicle data. US state privacy fines totalled $3.425 billion in 2025, nearly double 2024.
July 22, 2019 US confirmed
Equifax · up to $700m for the 2017 data breach (FTC + states + CFPB)
The credit-reporting agency Equifax agreed to pay up to $700 million to consumers and US state and federal authorities to settle claims arising from its 2017 data breach, which exposed the personal information of about 147 million people. The settlement combined action by the FTC, the Consumer Financial Protection Bureau (CFPB) and all 50 states. It is one of the largest data-breach settlements in the US and illustrates the US model of coordinated enforcement across multiple authorities absent a single federal privacy law.
December 19, 2022 US confirmed
Epic Games (Fortnite) · $520m: FTC record for children's privacy and dark patterns
The FTC announced two settlements with Epic Games, maker of Fortnite, totalling $520 million. The first, $275 million, for violating children's privacy law (COPPA) by collecting data from under-13s without parental consent: the largest penalty ever obtained by the FTC for breaching one of its rules. The second, $245 million in consumer refunds, for using 'dark patterns' (deceptive designs) that led players into unintentional purchases: the FTC's largest refund in a gaming action. The FTC for the first time added heightened privacy obligations for 13-17-year-old teens and the first-ever charges over public-by-default privacy settings. Epic accepted the settlement without confirming or denying the allegations.
February 8, 2024 IT confirmed
Enel Energia · €79.1m for unlawful telemarketing with illegally obtained customer lists
Italy's data-protection authority (Garante) fined Enel Energia €79.1 million after an investigation by the Guardia di Finanza revealed the company had unlawfully acquired 978 contracts from four firms using illegal customer lists, without implementing adequate security measures in its customer-management system. The Garante deemed the breaches serious given the number of affected individuals and Enel's role. It is one of the largest GDPR fines outside the pure tech sector and an example of the Italian focus on abusive telemarketing.
February 1, 2026 US confirmed
Disney · $2.75m with California AG over opt-out signals
California's attorney general reached a $2.75 million settlement with Disney for failing to honour users' opt-out signals under the CCPA. It was at the time the California AG's largest settlement, before being surpassed by General Motors'. The case illustrates the most common US enforcement pattern: moderate but frequent fines focused on specific failures such as not honouring opt-out requests or browser privacy signals (GPC).
July 21, 2022 CN confirmed
Didi · ¥8bn (~$1.2bn): Asia's largest data fine, imposed by China
The Cyberspace Administration of China (CAC) fined the ride-hailing company Didi 8 billion yuan (some $1.2 billion) after a year-long investigation into data-security violations described as of an 'egregious nature'. The CAC found Didi stored in plain text the identity information of more than 57 million drivers and analysed passenger data without their knowledge, including photos and facial-recognition data, over seven years since June 2015. The fine equals more than 4% of the company's annual revenue. Didi accepted the decision. It is the largest data-protection sanction imposed in Asia and one of the largest in the world.
June 15, 2023 FR confirmed
Criteo · €40m (reduced from €60m) for ad-tracking without consent
France's CNIL sanctioned the online advertising company Criteo for multiple GDPR breaches tied to its ad-tracking activity: it deployed trackers without valid consent, did not inform clearly in its privacy policy, and did not enable adequate procedures for users to exercise their rights (access, consent withdrawal, erasure). The initially proposed fine was €60 million, but it was reduced to €40 million in 2023 after the final assessment of the five breaches. It is another example of how the announced and final amounts can differ.
September 3, 2024 NL confirmed
Clearview AI · €30.5m in the Netherlands: the largest in the European chain of fines on the company
The Dutch data-protection authority (AP) fined Clearview AI €30.5 million for multiple GDPR breaches, after confirming its database —some 50 billion facial images scraped from the internet— contained images of Dutch citizens collected without a legal basis and with transparency failings. It is the largest in the chain of sanctions Clearview has received in Europe. The AP added a further fine of up to €5.1 million for continued non-compliance (the total could reach €35.6 million) and announced it was considering pursuing the directors personally. Clearview argued it has no establishment or customers in the EU and deemed the decision unenforceable; the AP countered that the GDPR applies extraterritorially. The case illustrates the real limit of enforcement: a large fine that may prove uncollectable.
September 2, 2021 GB confirmed
Clearview AI · £7.5m in the UK for facial recognition (later overturned on appeal)
The UK data-protection authority (ICO) fined Clearview AI £7.5 million for scraping images of UK people from the internet without their knowledge for its facial-recognition database. However, this case is a textbook example of why the 'outcome' matters so much: in October 2023, a UK appeal tribunal overturned the fine, finding Clearview's activity fell outside the ICO's jurisdiction because the company served foreign security agencies. It is a reminder that an announced fine does not equal a collected fine, and that the real cost of non-compliance is only known at the end of the process.
March 9, 2022 IT confirmed
Clearview AI · €20m for facial recognition without legal basis in Italy
Italy's data-protection authority (Garante) fined Clearview AI €20 million for processing the biometric data of people in Italy without a legal basis, through the mass scraping of facial images from the internet for its facial-recognition system. Beyond the fine, it ordered the deletion of data of people on Italian territory and banned further collection and processing. It is a reference case on the application of the GDPR to biometrics and facial recognition. Clearview has received similar sanctions in other European countries.
July 13, 2022 GR confirmed
Clearview AI · €20m in Greece: the Greek authority's largest fine on a private company
Greece's data-protection authority (HDPA) fined Clearview AI €20 million for violating the principles of lawfulness and transparency (Art. 5(1)(a) and (2), 6, 9 GDPR) and its information obligations (Arts. 12, 14, 15, 27). It also ordered the company to satisfy the complainant's access request, banned it from collecting and processing data of people on Greek territory and ordered it to delete those already gathered. It is the largest fine the Greek authority has imposed on a private company. Per later reporting, Greece deliberately imposed the maximum sanction for its symbolic weight, without really expecting to collect it, given Clearview has no presence in the country.
October 19, 2022 FR confirmed
Clearview AI · €20m in France: CNIL imposes the maximum fine for facial recognition
France's CNIL imposed on Clearview AI the maximum possible fine under Article 83 of the GDPR, €20 million, for unlawful data processing (Art. 6), failing to respect individuals' rights (Arts. 12, 15, 17) and lack of cooperation with the authority (Art. 31). The CNIL had ordered Clearview in November 2021 to cease collecting data of people on French territory, but the company did not respond to the formal notice. Beyond the fine, the CNIL ordered it to cease collection and delete the data already gathered, with a €100,000-per-day penalty for delay. It is one of the four major European sanctions in a chain against the same company.
January 13, 2021 ES confirmed
CaixaBank · €6m from the AEPD: one of the largest GDPR bank fines in Spain
Spain's Data Protection Agency (AEPD) fined CaixaBank €6 million for breaches concerning the processing of personal data: inadequate legal bases for processing, lack of valid consent and insufficient information about how customers' data was processed. At the time it was one of the largest fines imposed by the AEPD (one of Europe's most active authorities by number of sanctions) and a reference on data processing in the financial sector.
October 16, 2020 GB confirmed
British Airways · £20m for a 2018 breach (reduced from £183m proposed)
The UK authority (ICO) fined British Airways £20 million for a 2018 cyberattack that compromised personal and financial data of about 400,000-500,000 customers; the investigation concluded the airline lacked basic security measures such as multi-factor authentication. The case is a textbook example of the value of the 'outcome' field: the ICO had announced in July 2019 an intent to fine £183 million (1.5% of BA's global turnover), but after the company's representations and consideration of mitigating factors, including the pandemic's impact, the final fine was reduced by nearly 90%. Even so, it remains the ICO's largest fine for a data breach. It illustrates that the announced and collected amounts can differ radically.
October 8, 2025 AU confirmed
Australian Clinical Labs · first court judgment under Australia's Privacy Act
Australia's Federal Court delivered, on 8 October 2025, the first judgment applying the penalty provisions of Australia's Privacy Act 1988 (Australian Information Commissioner v Australian Clinical Labs Limited, FCA 1224). It is the first time an Australian court has examined Australian Privacy Principle 11 (security of personal information), the breach-notification obligations and the law's penalty regime. Under the regime in force at the time of the events, the maximum was AUD 2.22 million per contravention. The case marks the real start of judicial privacy enforcement in Australia, where the regulator (OAIC) is also pursuing Medibank and Optus over massive breaches affecting more than 9.5 million people each. The 2022 and 2024 reforms sharply raised the maxima for serious or repeated breaches.
April 23, 2025 EU confirmed
Apple · €500m: the first DMA fine in history, for restrictions on developers
The European Commission fined Apple €500 million (case DMA.100109) for breaching the anti-steering obligation of Article 5(4) of the Digital Markets Act: Apple did not sufficiently allow developers to inform users about alternative purchase options outside the App Store. Together with the Meta decision issued the same day, it is the first sanction in history under the DMA. Beyond the fine, the Commission ordered the technical and commercial restrictions removed within 60 days. Apple accused the Commission of 'unfairly targeting' the company and announced an appeal.
July 16, 2021 LU confirmed
Amazon · €746m for targeted advertising without valid consent
Luxembourg's National Commission for Data Protection (CNPD) fined Amazon Europe €746 million following a series of 10,000 complaints filed by the French group La Quadrature du Net. The authority found Amazon displayed targeted advertising without obtaining proper user consent or offering a means to opt out of that tracking. It was the largest GDPR fine until Meta surpassed it in 2023. Amazon maintained there was no data breach or exposure of customer information, cooperated with the investigation but disagreed with the findings and appealed in 2024, arguing the regulator gave it no chance to change its practices before sanctioning.
May 31, 2023 US confirmed
Amazon (Alexa) · $25m for indefinitely retaining children's voice data
The FTC and the US Department of Justice ordered Amazon to pay $25 million for violating children's privacy law (COPPA) with its Alexa voice assistant. More than 800,000 minors had their own Alexa profiles; Amazon retained their voice recordings and geolocation indefinitely, even when parents asked to delete them, to train and improve its algorithm. The FTC was blunt: 'machine learning is no excuse to break the law'. The settlement required Amazon to delete minors' inactive accounts and barred it from using that data to create or improve products. The same day, the FTC announced a separate action against Amazon over employee access to its Ring camera data.
April 10, 2021 CN confirmed
Alibaba · ¥18.2bn (~$2.8bn): China's antitrust record for 'pick one of two'
China's State Administration for Market Regulation (SAMR) imposed on Alibaba a record fine of 18.228 billion yuan (some $2.8 billion) after a swift investigation started in December 2020. The SAMR concluded Alibaba coerced merchants to sell exclusively on its platform (the practice known in China as 'pick one of two'), harming competitors, sellers and consumers. The fine equalled 4% of Alibaba's 2019 sales in China and tripled the prior record (the $975 million on Qualcomm in 2015). It marked the start of the antitrust-enforcement era over Chinese platforms, within Beijing's regulatory shift over its tech giants.