Search Privacy Fines
Browse and filter privacy enforcement fines worldwide.
2,028 fines found
Total: $8.1B
| Date | Company | Fine | Regulation | Authority | Country | Type | Summary |
|---|---|---|---|---|---|---|---|
| 2022-01-06 | €10.0M | GDPR | France CNIL | France | consent | Cookie consent mechanism did not allow users to refuse cookies as easily as acce...Cookie consent mechanism did not allow users to refuse cookies as easily as accepting them. Articles: Art. 82 | |
| 2019-12-09 | 1&1 Telecom GmbH | €9.6M | GDPR | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | Germany | Failure to implement sufficient measures to ensure information security | --Articles: <a href="https://www.privacy-regulation.eu/en/32.htm">Art. 32 GDPR</a> |
| 2019-12-09 | 1&1 Telecom GmbH | €9.6M | GDPR | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | Germany | Failure to implement sufficient measures to ensure information security | The telecom company 1&1 Telecom GmbH was fined with €9,550,000 after it cam...The telecom company 1&1 Telecom GmbH was fined with €9,550,000 after it came to light that sensitive customer information could be obtained by phone by anyone by just telling a client’s name and date of birth. This could have permitted anyone to obtain the personal information of any customer in case they knew their name and date of birth. The BfDI considered that the company failed to implement the necessary technical measures to ensure the protection of personal data. The BfDI further revealed that the fine was intended to be much larger but was eventually decreased due to the cooperation of the company during the investigation. Articles: Art. 32 GDPR |
| 2021-09-28 | Austrian Post | €9.5M | GDPR | Austrian Data Protection Authority (DSB) | Austria | Failure to implement sufficient measures to ensure information security | --Articles: Art. 32 GDPR |
| 2025-12-01 | Disney | $10.0M | COPPA | FTC | United States | children | Failed to manage YouTube channels used by children in compliance with COPPA. |
| 2022-05-18 | Clearview AI | €9.0M | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to comply with data processing principles | --Articles: Art. 5 (1) a), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 16 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 22 GDPR, Art. 35 GDPR |
| 2020-01-17 | Eni Gas e Luce | €8.5M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | The Italian Data Protection Authority (Garante) imposed two fines of €11,5 milli...The Italian Data Protection Authority (Garante) imposed two fines of €11,5 million total on Eni Gas and Luce because of the unlawful processing of personal data during an advertising campaign as well as for the activation of unsolicited contracts. This first fine of €8,5 million was issued for the unlawful processing of personal data in the context of a marketing campaign. The company made promotional calls without the consent of the contacted people and refused to acknowledge people’s wishes to be added onto a “do not contact” list. The company also did not provide an opt-out procedure for these unsolicited calls. The DPA also determined that the company lacked sufficient technical and organizational measures to protect users’ personal data. Data was also processed longer than the allowed retention period. According to the DPA, some data was also collected from third party entities that did not have consent from the data subjects to disclose that data. Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR |
| 2019-12-11 | Eni Gas e Luce | €8.5M | GDPR | Italian Data Protection Authority (Garante) | Italy | Non-compliance with lawful basis for data processing | --Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR |
| 2022-01-14 | REWE International AG | €8.0M | GDPR | Austrian Data Protection Authority (DSB) | Austria | Various offences | --Articles: Art. 5 (1) c) GDPR, others |
| 2023-03-02 | BetterHelp | $7.8M | FTC Act Section 5 | FTC | United States | consent | Online therapy service shared health data with advertisers including Facebook an...Online therapy service shared health data with advertisers including Facebook and Snapchat. |
| 2020-03-11 | €7.0M | GDPR | Data Protection Authority of Sweden | Sweden | Failure to comply with data processing principles | Google was fined with €7,000,000 by the Swedish Data Protection Authority due to...Google was fined with €7,000,000 by the Swedish Data Protection Authority due to failing to adequately comply with its obligations regarding the right of data subjects to have their search results removed from Google search. The Data Protection Authority of Sweden had already completed an investigation on Google in 2017 where it investigated how the company dealt with individuals’ requests to be removed from search results. At that time, the Data Protection Authority instructed Google to be more pro-active in executing these removal requests. In 2018 the Authority initialed a further investigation after it was reported that Google did not remove search results related to individuals even after the earlier instructions in 2017 to do so. The Authority also questioned Google’s practice of informing website owners about which search results Google had removed, specifically which link (search result) has been removed and who was behind the removal request. Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR | |
| 2021-12-13 | Grindr LLC | €6.3M | GDPR | Norwegian Supervisory Authority (Datatilsynet) | Norway | Failure to comply with data processing principles | --Articles: Art. 6 (1) GDPR, Art. 9 (1) GDPR |
| 2025-01-01 | Poczta Polska | €6.3M | GDPR | Poland UODO | Poland | other | Illegal processing of 30M citizens' data |
| 2021-01-13 | Caixabank S.A. | €6.0M | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to comply with data processing principles | --Articles: Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR |
| 2022-01-27 | Cosmote Mobile Telecommunications S.A. | €6.0M | GDPR | Hellenic Data Protection Authority (HDPA) | Greece | Non-compliance with lawful basis for data processing | --Articles: Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 25 (1) GDPR, Art. 26 GDPR, Art. 28 GDPR, Art. 35 (7) GDPR |
| 2023-01-19 | Meta Platforms | €5.5M | GDPR | Data Protection Authority of Ireland | Ireland | Non-compliance with lawful basis for data processing | --Articles: Art. 6 (1) GDPR, Art. 12 GDPR, Art. 13 (1) c) GDPR |
| 2022-01-12 | Meta Platforms | €5.5M | GDPR | Ireland DPC | Ireland | consent | WhatsApp fined for transparency failures in processing user data.WhatsApp fined for transparency failures in processing user data. Articles: Art. 5(1)(a), Art. 12, Art. 13 |
| 2019-02-27 | TikTok | $5.7M | COPPA | FTC | United States | children | Musical.ly (now TikTok) collected personal information from children under 13 wi...Musical.ly (now TikTok) collected personal information from children under 13 without parental consent. |
| 2025-09-15 | Dun & Bradstreet/Duns | $5.7M | FTC Act Section 5 | FTC | United States | data_broker | Data broker settlement for unfair and deceptive practices in selling consumer da...Data broker settlement for unfair and deceptive practices in selling consumer data. |
| 2022-10-17 | Clearview AI | €5.3M | GDPR | France CNIL | France | consent | Unlawful collection and use of biometric data of French residents.Unlawful collection and use of biometric data of French residents. Articles: Art. 6, Art. 9 |
| 2023-05-10 | Clearview AI | €5.2M | GDPR | French Data Protection Authority (CNIL) | France | Unknown | --Articles: Unknown |
| 2024-12-01 | Telegram | €5.1M | GDPR | France CNIL | France | consent | Multiple GDPR violations including failure to appoint representative.Multiple GDPR violations including failure to appoint representative. Articles: Art. 5, Art. 27 |
| 2024-12-01 | Telegram | €5.1M | GDPR | France CNIL | France | consent | Multiple GDPR violations including failure to appoint EU representative.Multiple GDPR violations including failure to appoint EU representative. Articles: Art. 5, Art. 27 |
| 2022-10-19 | Interserve Group Limited | €5.0M | GDPR | Information Commissioner (ICO) | United Kingdom | Failure to comply with data processing principles | --Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR |
| 2020-12-11 | Banco Bilbao Vizcaya Argentaria, S.A. | €5.0M | GDPR | Spanish Data Protection Authority (AEPD) | Spain | Failure to comply with data processing principles | --Articles: Art. 6 GDPR, Art. 13 GDPR |