Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,028 fines found
Total: $8.1B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2023-06-15 | Criteo | €40.0M | GDPR | France CNIL | France | consent | Failed to verify consent before processing data for personalized advertising. Articles: Art. 7, Art. 15, Art. 17, Art. 26 |
| 2020-10-01 | H&M Hennes & Mauritz Online Shop A.B. & Co. KG | €32.3M | GDPR | Data Protection Authority of Hamburg | Germany | Non-compliance with lawful basis for data processing | Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2024-09-03 | Clearview AI | €30.5M | GDPR | Netherlands AP | Netherlands | consent | Built illegal facial recognition database with Dutch citizens' photos. Articles: Art. 5, Art. 6, Art. 9, Art. 14, Art. 27 |
| 2023-05-31 | Amazon | $30.8M | COPPA | FTC | United States | children | Alexa retained children's voice recordings indefinitely ($25M). Ring employees accessed customer video feeds ($5.8M). |
| 2020-02-01 | TIM - Telecom Provider | €27.8M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-cooperation with Data Protection Authority | A huge fine of €27,8 million was issued to the Italian telecom company TIM. The Italian Data Protection Authority (Garante) revealed that TIM was fined due to numerous unlawful data processing activities related to marketing and advertising, which included unsolicited promotional calls and prize competitions in which data subjects were entered without consent. One of the reasons for the large fine was the fact that the unlawful data processing activities involved several million individuals. One individual, for example, was called a total of 155 times in a month while TIM refused to add the affected individual to a no-call list even after several requests. The DPA determined that the company lacked control over the call centers and did not have adequate measures to add people to no-call lists. TIM also did not provide accurate and detailed enough privacy policies and data processing policies, and as such consumers were not efficiently informed about the data collected and processed. The company’s management of data breaches was also not efficient according to Garante. Besides the fine, Garante also imposed 20 corrective measures according to Art. 58(2) GDPR, which prohibit TIM from processing marketing-related data of those individuals who have refused to receive promotional calls, individuals who asked to be blacklisted and individuals who are not clients of TIM. The company was also forbidden from using customer data collected from the “My Tim”, “Tim Personal” and “Tim Smart Kid” apps. Articles: Art. 58(2) GDPR |
| 2020-01-15 | TIM - Telecom Provider | €27.8M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-cooperation with Data Protection Authority | Articles: Art. 58(2) GDPR |
| 2021-12-16 | Enel Energia S.p.A. | €26.5M | GDPR | Italian Data Protection Authority (Garante) | Italy | Various offences | Articles: Art. 5 (1) a), d) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR, Art. 30 GDPR, Art. 31 GDPR, Art. 130 (1), (2), (4) Codice della privacy |
| 2020-10-16 | British Airways | €22.0M | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to implement sufficient measures to ensure information security | Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2020-10-30 | Marriott International, Inc | €20.4M | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to implement sufficient measures to ensure information security | Articles: Art. 32 GDPR |
| 2022-02-10 | Clearview AI | €20.0M | GDPR | Italian Data Protection Authority (Garante) | Italy | Failure to comply with data processing principles | Articles: Art. 5 (1) a), b), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 27 GDPR |
| 2022-10-17 | Clearview AI | €20.0M | GDPR | French Data Protection Authority (CNIL) | France | Non-compliance with lawful basis for data processing | Articles: Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 31 GDPR |
| 2022-05-23 | Clearview AI | €20.0M | GDPR | Greece HDPA | Greece | consent | Unlawful processing of biometric data through facial recognition without consent. Articles: Art. 5, Art. 6, Art. 9 |
| 2022-07-13 | Clearview AI | €20.0M | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Failure to comply with data processing principles | Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 27 GDPR |
| 2022-03-09 | Clearview AI | €20.0M | GDPR | Italy Garante | Italy | consent | Facial recognition company unlawfully processed biometric data of people in Italy. Articles: Art. 5, Art. 6, Art. 9, Art. 14, Art. 27 |
| 2023-06-05 | Microsoft | $20.0M | COPPA | FTC | United States | children | Collected personal information from children creating Xbox accounts without notifying parents or obtaining consent. |
| 2025-01-15 | HoganWillig/Genshin Impact (Cognosphere) | $20.0M | COPPA | FTC | United States | children | Genshin Impact developer settled FTC charges of collecting data from children without consent. |
| 2019-10-23 | Austrian Post | €18.0M | GDPR | Austrian Data Protection Authority (DSB) | Austria | Non-compliance with lawful basis for data processing | The Austrian Post had sold detailed personal profiles of approximately three million Austrians to various companies and political parties. The profiles contained names, addresses, political predilections, and even intimate details. Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR |
| 2022-03-15 | Meta Platforms | €17.0M | GDPR | Data Protection Authority of Ireland | Ireland | Failure to comply with data processing principles | Articles: Art. 5 (2) GDPR, Art. 24 (1) GDPR |
| 2020-07-13 | Wind Tre S.p.A. | €16.7M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 24 GDPR, Art. 25 GDPR |
| 2024-02-22 | Avast | $16.5M | FTC Act Section 5 | FTC | United States | consent | Antivirus company sold browsing data through subsidiary Jumpshot despite privacy promises. |
| 2019-10-30 | Deutsche Wohnen SE | €14.5M | GDPR | Data Protection Authority of Baden-Wuerttemberg | Germany | Failure to comply with data processing principles | The company collected data from multiple tenants without providing the option to remove that data once it was no longer required. This led to the company retaining personal data of tenants for years (salary statements, social security insurances, health insurances, tax insurances, bank statements). The Berlin Data Commissioner issued a fine of €14,500,000. Articles: Art. 5 GDPR, Art. 25 GDPR |
| 2023-04-04 | TikTok | €14.5M | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to comply with data processing principles | Articles: Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR |
| 2020-11-12 | Vodafone Italia S.p.A | €12.3M | GDPR | Italian Data Protection Authority (Garante) | Italy | Multiple | Articles: Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR, Art. 15 (1) GDPR, Art. 16 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR, Art. 32 GDPR, Art. 33 GDPR |
| 2021-01-08 | notebooksbilliger.de | €10.4M | GDPR | Data Protection Authority of Niedersachsen | Germany | Failure to comply with data processing principles | Articles: Art. 5 GDPR, Art. 6 GDPR |
| 2022-01-06 | | €10.0M | GDPR | France CNIL | France | consent | Cookie consent mechanism did not allow users to refuse cookies as easily as accepting them. Articles: Art. 82 |