Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,014 fines found
Total: $6.2B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2021-09-02 | Meta Platforms | €225.0M | GDPR | Data Protection Authority of Ireland | Ireland | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) a) |
| 2021-09-02 | Meta Platforms | €225.0M | GDPR | Ireland DPC | Ireland | consent | Lack of transparency about data sharing with Facebook.Lack of transparency about data sharing with Facebook. Articles: Art. 5(1)(a), Art. 12, Art. 13, Art. 14 |
| 2019-09-04 | $170.0M | COPPA | FTC | United States | children | YouTube illegally collected personal information from children without parental ...YouTube illegally collected personal information from children without parental consent, targeting ads to viewers of child-directed channels. | |
| 2025-09-01 | SHEIN | €150.0M | GDPR | France CNIL | France | consent | Placing cookies without consent and non-functional opt-outs.Placing cookies without consent and non-functional opt-outs. Articles: Art. 5, Art. 6 |
| 2025-09-01 | SHEIN | €150.0M | GDPR | France CNIL | France | consent | Placing cookies without consent and non-functional opt-outs.Placing cookies without consent and non-functional opt-outs. Articles: Art. 5, Art. 6 |
| 2025-09-01 | €125.0M | GDPR | France CNIL | France | consent | Cookie consent failures at account creation.Cookie consent failures at account creation. Articles: Art. 5, Art. 6 | |
| 2025-09-01 | €125.0M | GDPR | France CNIL | France | consent | Cookie consent failures at account creation.Cookie consent failures at account creation. Articles: Art. 5, Art. 6 | |
| 2021-12-31 | €90.0M | GDPR | French Data Protection Authority (CNIL) | France | Non-compliance with lawful basis for data processing | --Articles: Art. 82 loi Informatique et Libertes | |
| 2021-12-31 | €60.0M | GDPR | French Data Protection Authority (CNIL) | France | Non-compliance with lawful basis for data processing | --Articles: Art. 82 loi Informatique et Libertes | |
| 2021-12-31 | Meta Platforms | €60.0M | GDPR | French Data Protection Authority (CNIL) | France | Non-compliance with lawful basis for data processing | --Articles: Art. 82 loi Informatique et Libertes |
| 2019-01-21 | €50.0M | GDPR | French Data Protection Authority (CNIL) | France | Several | --Articles: Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 4 GDPR, Art. 5 GDPR | |
| 2019-01-21 | €50.0M | GDPR | French Data Protection Authority (CNIL) | France | Several | The French NGO “La Quadrature du Net” and the Austrian organization “None Of You...The French NGO “La Quadrature du Net” and the Austrian organization “None Of Your Business” complained about the creation of a Google account related to the configuration of the Android system in a mobile phone. A fine of 50 million euros was issued because the following principles were not observed: the principle of transparency (Art. 5 GDPR), the sufficiency of information (Art.13 / 14 GDPR), and the presence of legal basis (Art. 6 GDPR). Articles: Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 4 GDPR, Art. 5 GDPR | |
| 2024-02-01 | Blackbaud | $49.5M | FTC Act Section 5 | FTC | United States | data_breach | Cloud software company settled with FTC and 49 state AGs after 2020 data breach. |
| 2025-01-15 | Vodafone Germany | €45.0M | GDPR | Germany BfDI | Germany | data_breach | Vendor security failures and inadequate data controls.Vendor security failures and inadequate data controls. Articles: Art. 32 |
| 2025-01-01 | Vodafone Germany | €45.0M | GDPR | Germany BfDI | Germany | data_breach | Vendor security failures and inadequate data controls.Vendor security failures and inadequate data controls. Articles: Art. 32 |
| 2023-06-15 | Criteo | €40.0M | GDPR | France CNIL | France | consent | Failed to verify consent before processing data for personalized advertising.Failed to verify consent before processing data for personalized advertising. Articles: Art. 7, Art. 15, Art. 17, Art. 26 |
| 2023-06-15 | Criteo | €40.0M | GDPR | France CNIL | France | consent | Ad-tech company failed to verify consent before processing data for personalized...Ad-tech company failed to verify consent before processing data for personalized advertising. Articles: Art. 7, Art. 15, Art. 17, Art. 26 |
| 2020-10-01 | H&M Hennes & Mauritz Online Shop A.B. & Co. KG | €32.3M | GDPR | Data Protection Authority of Hamburg | Germany | Non-compliance with lawful basis for data processing | --Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2024-09-03 | Clearview AI | €30.5M | GDPR | Netherlands AP | Netherlands | consent | Built illegal facial recognition database with Dutch citizens photos.Built illegal facial recognition database with Dutch citizens photos. Articles: Art. 5, Art. 6, Art. 9, Art. 14, Art. 27 |
| 2023-05-31 | Amazon | $30.8M | COPPA | FTC | United States | children | Alexa retained children voice recordings indefinitely ($25M). Ring employees acc...Alexa retained children voice recordings indefinitely ($25M). Ring employees accessed customer video feeds ($5.8M). |
| 2020-02-01 | TIM - Telecom Provider | €27.8M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-cooperation with Data Protection Authority | A huge fine of €27,8 million was issued to the Italian telecom company TIM. The ...A huge fine of €27,8 million was issued to the Italian telecom company TIM. The Italian Data Protection Authority (Garante) revealed that TIM was fined due to numerous unlawful data processing activities related to marketing and advertising, which included unsolicited promotional calls and prize competitions in which data subjects were entered without consent.One of the reasons for the large fine was the fact that the unlawful data processing activities involved several million individuals. One individual, for example, was called a total of 155 times in a month while TIM refused to add the affected individual on a no-call list even after several requests. The DPA determined that the company lacked control over the call centers and did not have adequate measures to add people to no-call lists.TIM also did not provide accurate and detailed enough privacy policies and data processing policies, and as such consumers were not efficiently informed about the data collected and processed. The company’s management of data breaches was also not efficient according to Garante.Besides the fine, Garante also imposed 20 corrective measures according to Art. 58(2) GDPR which prohibits TIM from processing marketing-related data of those individuals who have refused to receive promotional calls, individuals who asked to be blacklisted and individuals who are not clients of TIM.The company was also forbidden from using customer data collected from the “My Tim”, “Tim Personal” and “Tim Smart Kid” apps. Articles: Art. 58(2) GDPR |
| 2020-01-15 | TIM - Telecom Provider | €27.8M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-cooperation with Data Protection Authority | --Articles: Art. 58(2) GDPR |
| 2021-12-16 | Enel Energia S.p.A. | €26.5M | GDPR | Italian Data Protection Authority (Garante) | Italy | Various offences | --Articles: Art. 5 (1) a), d) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR, Art. 30 GDPR, Art. 31 GDPR, Art. 130 (1), (2), (4) Codice della privacy |
| 2020-10-16 | British Airways | €22.0M | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to implement sufficient measures to ensure information security | --Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2020-10-30 | Marriott International, Inc | €20.4M | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |