Data Privacy fines

Collecting or using personal data without a valid legal basis.

Privacy is the single largest source of major tech penalties. Most cases turn on the same failure: processing personal data (for advertising, profiling, or transfer abroad) without valid consent or another lawful basis. In the EU this is enforced under the GDPR, chiefly by Ireland's Data Protection Commission and national authorities like France's CNIL; in the US it runs through the FTC and state attorneys general.

30 penalties · ≈ $14.6B imposed

Meta · 2019

Facebook's $5B FTC penalty after Cambridge Analytica

Paid

The FTC imposed a $5B penalty and sweeping new privacy restrictions after finding that Facebook deceived users about their ability to control personal data, in violation of a 2012 consent order. Third-party apps had harvested data on up to 87 million users in the Cambridge Analytica episode. It was the largest privacy penalty in history at the time.

FTC · US · $5B

Google · 2025

Google's $1.375B Texas biometric and privacy settlement

Paid

Texas settled claims that Google unlawfully captured biometric data such as face and voice identifiers and made misleading claims about Incognito mode and location tracking. It is one of the largest single-state privacy settlements on record.

Texas AG · US (Texas) · $1.4B

Meta · Facebook · 2023

Meta's record €1.2B GDPR fine over EU-US transfers

Under appeal

The Irish DPC fined Meta for continuing to transfer EU users' personal data to US servers after the Schrems II ruling, exposing that data to potential US surveillance without adequate safeguards. It is the largest GDPR fine ever issued.

DPC · Ireland / EU · €1.2B · $1.3B

Didi · 2022

Didi fined ¥8.03B in China over data-security violations

Final

The Cyberspace Administration of China imposed a sweeping penalty on Didi for extensive data-security and personal-information violations following a year-long investigation.

CAC · China · ¥8B · $1.2B

Amazon · 2021

Amazon's record €746M GDPR fine (Luxembourg)

Under appeal

Luxembourg's CNPD fined Amazon for processing personal data for behavioural advertising without valid consent. It was the largest GDPR fine at the time and has been under appeal since.

CNPD · Luxembourg / EU · €746M · $806M

TikTok · 2025

TikTok fined €530M over EU-China data transfers

Final

The Irish DPC fined TikTok for unlawfully transferring EU users' data to China without ensuring equivalent protection, and for related transparency failures.

DPC · Ireland / EU · €530M · $572M

Meta · Instagram · 2022

Instagram fined €405M over children's data

Final

The DPC found that Instagram business accounts publicly exposed children's phone numbers and email addresses by default.

DPC · Ireland / EU · €405M · $437M

Meta · 2023

Meta fined €390M over the legal basis for ads

Final

The DPC found that Facebook (€210M) and Instagram (€180M) relied on a terms-of-service contract, rather than valid consent, to justify personalised advertising. The decision forced a change in how Meta seeks a legal basis for ads.

DPC · Ireland / EU · €390M · $421M

Google · 2022

Google's $391.5M location-tracking settlement

Paid

Forty US states settled claims that Google misled users into believing location tracking was off while it kept collecting location data through other settings such as Web & App Activity. It was the largest multistate privacy settlement at the time.

US States · US · $391.5M

TikTok · 2023

TikTok fined €345M over children's default settings

Final

The Irish DPC found that TikTok set children's accounts to public by default and had weak age-assurance safeguards, exposing young users' content.

DPC · Ireland / EU · €345M · $372M

Google · Gmail · 2025

CNIL fines Google €325M over Gmail ads and cookies

Final

The CNIL's largest cookie penalty against Google covered advertising inserted directly into Gmail inboxes without consent, alongside continued cookie-consent failures.

CNIL · France · €325M · $351M

Microsoft · LinkedIn · 2024

LinkedIn fined €310M over behavioural advertising

Final

The Irish DPC found that LinkedIn, owned by Microsoft, processed members' personal data for behavioural advertising without a valid legal basis and without adequate transparency.

DPC · Ireland / EU · €310M · $335M

Uber · 2024

Uber fined €290M over EU driver-data transfers

Under appeal

The Dutch data-protection authority fined Uber for transferring EU drivers' personal data, including identity documents and criminal and health data, to the US without adequate safeguards.

AP · Netherlands / EU · €290M · $313M

Meta · Facebook · 2022

Meta fined €265M over data scraping

Final

The DPC found that design failures allowed the scraping of roughly 533 million users' phone numbers and personal details, which were later leaked online.

DPC · Ireland / EU · €265M · $286M

Meta · WhatsApp · 2021

WhatsApp fined €225M over transparency

Final

The DPC found that WhatsApp failed to properly explain to users and non-users how their data was processed and shared with other Meta companies.

DPC · Ireland / EU · €225M · $243M

Meta · 2025

Meta's €200M DMA fine over 'pay or consent'

Final

In one of the first Digital Markets Act fines, the Commission found that Meta's pay-or-consent model forced Facebook and Instagram users to either pay a subscription or accept full data combination for personalised ads, without a genuine less-data alternative. Meta adjusted the model after the decision.

EC · EU · €200M · $216M

Google · YouTube · 2019

YouTube's $170M COPPA settlement over children's data

Paid

The FTC and the New York Attorney General alleged that YouTube collected personal data from viewers of child-directed channels through cookies, without parental consent, and used it for targeted advertising. It was a record COPPA penalty at the time.

FTC · US · $170M

Google · 2022

CNIL fines Google €150M over hard-to-refuse cookies

Final

The CNIL found that Google made refusing cookies far harder than accepting them, a dark-pattern design that did not amount to valid consent.

CNIL · France · €150M · $162M

Apple · 2025

Apple fined €150M over App Tracking Transparency

Final

France's competition authority found that Apple's App Tracking Transparency consent design over-burdened third-party apps while Apple's own advertising faced lighter requirements, an abuse of its dominant position.

Autorité · France · €150M · $162M

X (Twitter) · 2022

Twitter's $150M FTC penalty over 2FA phone numbers

Paid

The FTC and DOJ penalised Twitter, now X, for using phone numbers and email addresses collected for account security, such as two-factor authentication, to target advertising.

FTC · US · $150M

Google · 2020

CNIL fines Google €100M over advertising cookies

Final

The CNIL fined Google for placing advertising cookies on users' devices without prior consent and without adequate information.

CNIL · France · €100M · $108M

Microsoft · Bing · 2022

CNIL fines Microsoft €60M over Bing cookies

Final

The CNIL fined Microsoft for depositing advertising cookies on bing.com without consent and for making it harder to refuse cookies than to accept them.

CNIL · France · €60M · $65M

Google · 2019

CNIL fines Google €50M over Android ad consent

Final

France's CNIL issued one of the first major GDPR fines, finding that Google lacked transparency and valid consent for ads personalisation during Android device setup.

CNIL · France · €50M · $54M

Amazon · 2020

CNIL fines Amazon €35M over advertising cookies

Final

The CNIL fined Amazon for placing advertising cookies on amazon.fr visitors' devices without consent or adequate information.

CNIL · France · €35M · $37.8M

Amazon · Alexa · 2023

Amazon's $25M Alexa settlement over children's recordings

Paid

The FTC settled claims that Amazon kept children's Alexa voice recordings indefinitely, against COPPA and parents' deletion requests.

FTC · US · $25M

Google · 2012

Google's $22.5M FTC fine over Safari cookie tracking

Paid

The FTC penalised Google for circumventing Safari's default cookie-blocking to track users for advertising, despite telling those users they were protected. It was a record FTC civil penalty at the time.

FTC · US · $22.5M

Meta · Facebook · 2022

Meta fined €17M over 2018 data breaches

Final

The DPC fined Meta over a series of twelve data breaches in 2018, finding it had failed to have appropriate technical and organisational measures in place.

DPC · Ireland / EU · €17M · $18.4M

OpenAI · ChatGPT · 2024

OpenAI's €15M ChatGPT fine, annulled in 2026

Annulled

Italy's Garante alleged that ChatGPT was trained on personal data without an adequate legal basis, failed transparency obligations, did not report a March 2023 breach, and lacked age verification for minors. In March 2026 the Court of Rome annulled the fine on procedural grounds, not because the practices were ruled lawful.

Garante · Italy · €15M · $16.2M

Meta · 2024

PIPC fines Meta KRW 21.6B over sensitive-data collection

Final

South Korea's PIPC fined Meta for collecting sensitive data, including religion, political views, and sexual orientation, on roughly 980,000 users for advertising without consent.

PIPC · South Korea · ₩21.6B · $15M

Amazon · Ring · 2023

Amazon's $5.8M Ring settlement over camera access

Paid

The FTC settled claims that Ring employees and contractors improperly accessed customers' home camera videos, and that lax security allowed outside access.

FTC · US · $5.8M