Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,014 fines found
Total: $6.2B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2022-02-10 | Clearview AI | €20.0M | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to comply with data processing principles | Articles: Art. 5 (1) a), b), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 27 GDPR |
| 2022-05-23 | Clearview AI | €20.0M | GDPR | Greece HDPA | Greece | consent | Unlawful processing of biometric data through facial recognition without consent. Articles: Art. 5, Art. 6, Art. 9 |
| 2022-07-13 | Clearview AI | €20.0M | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Failure to comply with data processing principles | Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 27 GDPR |
| 2022-03-09 | Clearview AI | €20.0M | GDPR | Italy Garante | Italy | consent | Facial recognition company unlawfully processed biometric data of people in Italy. Articles: Art. 5, Art. 6, Art. 9, Art. 14, Art. 27 |
| 2022-10-17 | Clearview AI | €20.0M | GDPR | French Data Protection Authority (CNIL) | France | Non-compliance with lawful basis for data processing | Articles: Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 31 GDPR |
| 2023-06-05 | Microsoft | $20.0M | COPPA | FTC | United States | children | Collected personal information from children creating Xbox accounts without notifying parents or obtaining consent. |
| 2025-01-15 | HoganWillig/Genshin Impact (Cognosphere) | $20.0M | COPPA | FTC | United States | children | Genshin Impact developer settled FTC charges of collecting data from children without consent. |
| 2019-10-23 | Austrian Post | €18.0M | GDPR | Austrian Data Protection Authority (DSB) | Austria | Non-compliance with lawful basis for data processing | The Austrian Post had sold detailed personal profiles of approximately three million Austrians to various companies and political parties. The profiles contained names, addresses, political predilections, and even intimate details. Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR |
| 2022-03-15 | Meta Platforms | €17.0M | GDPR | Data Protection Authority of Ireland | Ireland | Failure to comply with data processing principles | Articles: Art. 5 (2) GDPR, Art. 24 (1) GDPR |
| 2020-07-13 | Wind Tre S.p.A. | €16.7M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 24 GDPR, Art. 25 GDPR |
| 2024-02-22 | Avast | $16.5M | FTC Act Section 5 | FTC | United States | consent | Antivirus company sold browsing data through subsidiary Jumpshot despite privacy promises. |
| 2019-10-30 | Deutsche Wohnen SE | €14.5M | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Failure to comply with data processing principles | The company collected data from multiple tenants without providing the option to remove that data once it was no longer required. This led to the company retaining personal data of tenants for years (salary statements, social security insurances, health insurances, tax insurances, bank statements). The Berlin Data Commissioner issued a fine of €14,500,000. Articles: Art. 5 GDPR, Art. 25 GDPR |
| 2023-04-04 | TikTok | €14.5M | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to comply with data processing principles | Articles: Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR |
| 2020-11-12 | Vodafone Italia S.p.A | €12.3M | GDPR | Italian Data Protection Authority (Garante) | Italy | Multiple | Articles: Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR, Art. 15 (1) GDPR, Art. 16 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR, Art. 32 GDPR, Art. 33 GDPR |
| 2021-01-08 | notebooksbilliger.de | €10.4M | GDPR | Data Protection Authority of Niedersachsen | Germany | Failure to comply with data processing principles | Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2022-01-06 | | €10.0M | GDPR | France CNIL | France | consent | Cookie consent mechanism did not allow users to refuse cookies as easily as accepting them. Articles: Art. 82 |
| 2022-05-18 | | €10.0M | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Non-compliance with lawful basis for data processing | Articles: Art. 6 GDPR, Art. 17 GDPR |
| 2019-12-09 | 1&1 Telecom GmbH | €9.6M | GDPR | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | Germany | Failure to implement sufficient measures to ensure information security | Articles: [Art. 32 GDPR](https://www.privacy-regulation.eu/en/32.htm) |
| 2019-12-09 | 1&1 Telecom GmbH | €9.6M | GDPR | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | Germany | Failure to implement sufficient measures to ensure information security | The telecom company 1&1 Telecom GmbH was fined €9,550,000 after it came to light that sensitive customer information could be obtained by phone by anyone who simply gave a client’s name and date of birth. This could have permitted anyone to obtain the personal information of any customer if they knew the customer's name and date of birth. The BfDI considered that the company failed to implement the necessary technical measures to ensure the protection of personal data. The BfDI further revealed that the fine was intended to be much larger but was eventually decreased due to the cooperation of the company during the investigation. Articles: Art. 32 GDPR |
| 2021-09-28 | Austrian Post | €9.5M | GDPR | Austrian Data Protection Authority (DSB) | Austria | Failure to implement sufficient measures to ensure information security | Articles: Art. 32 GDPR |
| 2025-12-01 | Disney | $10.0M | COPPA | FTC | United States | children | Failed to manage YouTube channels used by children in compliance with COPPA. |
| 2022-05-18 | Clearview AI | €9.0M | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to comply with data processing principles | Articles: Art. 5 (1) a), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 16 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 22 GDPR, Art. 35 GDPR |
| 2019-12-11 | Eni Gas e Luce | €8.5M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR |
| 2020-01-17 | Eni Gas e Luce | €8.5M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | The Italian Data Protection Authority (Garante) imposed two fines totalling €11.5 million on Eni Gas e Luce for the unlawful processing of personal data during an advertising campaign and for the activation of unsolicited contracts. This first fine of €8.5 million was issued for the unlawful processing of personal data in the context of a marketing campaign. The company made promotional calls without the consent of the contacted people and refused to acknowledge people’s wishes to be added to a “do not contact” list. The company also did not provide an opt-out procedure for these unsolicited calls. The DPA also determined that the company lacked sufficient technical and organizational measures to protect users’ personal data. Data was also processed longer than the allowed retention period. According to the DPA, some data was also collected from third-party entities that did not have consent from the data subjects to disclose that data. Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR |
| 2022-01-14 | REWE International AG | €8.0M | GDPR | Austrian Data Protection Authority (DSB) | Austria | Various offences | Articles: Art. 5 (1) c) GDPR, others |