Data Privacy fines
Collecting or using personal data without a valid legal basis.
Privacy is the single largest source of major tech penalties. Most cases turn on the same failure: processing personal data (for advertising, profiling, or transfer abroad) without valid consent or another lawful basis. In the EU this is enforced under the GDPR, chiefly by Ireland's Data Protection Commission and national authorities like France's CNIL; in the US it runs through the FTC and state attorneys general.
30 penalties · ≈ $14.6B imposed
Meta · 2019
Facebook's $5B FTC penalty after Cambridge Analytica
The FTC imposed a $5B penalty and sweeping new privacy restrictions after finding that Facebook deceived users about their ability to control personal data, in violation of a 2012 consent order. Third-party apps had harvested data on up to 87 million users in the Cambridge Analytica episode. It was the largest privacy penalty in history at the time.
Google · 2025
Google's $1.375B Texas biometric and privacy settlement
Texas settled claims that Google unlawfully captured biometric data such as face and voice identifiers and made misleading claims about Incognito mode and location tracking. It is one of the largest single-state privacy settlements on record.
Meta · Facebook · 2023
Meta's record €1.2B GDPR fine over EU-US transfers
The Irish DPC fined Meta for continuing to transfer EU users' personal data to US servers after the Schrems II ruling, exposing that data to potential US surveillance without adequate safeguards. It is the largest GDPR fine ever issued.
Didi · 2022
Didi fined ¥8.03B in China over data-security violations
The Cyberspace Administration of China imposed a sweeping penalty on Didi for extensive data-security and personal-information violations following a year-long investigation.
Amazon · 2021
Amazon's record €746M GDPR fine (Luxembourg)
Luxembourg's CNPD fined Amazon for processing personal data for behavioural advertising without valid consent. It was the largest GDPR fine at the time and has been under appeal since.
TikTok · 2025
TikTok fined €530M over EU-China data transfers
The Irish DPC fined TikTok for unlawfully transferring EU users' data to China without ensuring equivalent protection, and for related transparency failures.
Meta · Instagram · 2022
Instagram fined €405M over children's data
The DPC found that Instagram business accounts publicly exposed children's phone numbers and email addresses by default.
Meta · 2023
Meta fined €390M over the legal basis for ads
The DPC found that Facebook (€210M) and Instagram (€180M) relied on a terms-of-service contract, rather than valid consent, to justify personalised advertising. The decision forced a change in how Meta seeks a legal basis for ads.
Google · 2022
Google's $391.5M location-tracking settlement
Forty US states settled claims that Google misled users into believing location tracking was off while it kept collecting location data through other settings such as Web & App Activity. It was the largest multistate privacy settlement at the time.
TikTok · 2023
TikTok fined €345M over children's default settings
The Irish DPC found that TikTok set children's accounts to public by default and had weak age-assurance safeguards, exposing young users' content.
Google · Gmail · 2025
CNIL fines Google €325M over Gmail ads and cookies
The CNIL's largest cookie penalty against Google covered advertising inserted directly into Gmail inboxes without consent, alongside continued cookie-consent failures.
Microsoft · LinkedIn · 2024
LinkedIn fined €310M over behavioural advertising
The Irish DPC found that LinkedIn, owned by Microsoft, processed members' personal data for behavioural advertising without a valid legal basis and without adequate transparency.
Uber · 2024
Uber fined €290M over EU driver-data transfers
The Dutch data-protection authority fined Uber for transferring EU drivers' personal data, including identity documents and criminal and health data, to the US without adequate safeguards.
Meta · Facebook · 2022
Meta fined €265M over data scraping
The DPC found that design failures allowed the scraping of roughly 533 million users' phone numbers and personal details, which were later leaked online.
Meta · WhatsApp · 2021
WhatsApp fined €225M over transparency
The DPC found that WhatsApp failed to properly explain to users and non-users how their data was processed and shared with other Meta companies.
Meta · 2025
Meta's €200M DMA fine over 'pay or consent'
In one of the first Digital Markets Act fines, the Commission found that Meta's pay-or-consent model forced Facebook and Instagram users to either pay a subscription or accept full data combination for personalised ads, without a genuine less-data alternative. Meta adjusted the model after the decision.
Google · YouTube · 2019
YouTube's $170M COPPA settlement over children's data
The FTC and the New York Attorney General alleged that YouTube collected personal data from viewers of child-directed channels through cookies, without parental consent, and used it for targeted advertising. It was a record COPPA penalty at the time.
Google · 2022
CNIL fines Google €150M over hard-to-refuse cookies
The CNIL found that Google made refusing cookies far harder than accepting them, a dark-pattern design that did not amount to valid consent.
Apple · 2025
Apple fined €150M over App Tracking Transparency
France's competition authority found that Apple's App Tracking Transparency consent design over-burdened third-party apps while Apple's own advertising faced lighter requirements, an abuse of its dominant position.
X (Twitter) · 2022
Twitter's $150M FTC penalty over 2FA phone numbers
The FTC and DOJ penalised Twitter, now X, for using phone numbers and email addresses collected for account security, such as two-factor authentication, to target advertising.
Google · 2020
CNIL fines Google €100M over advertising cookies
The CNIL fined Google for placing advertising cookies on users' devices without prior consent and without adequate information.
Microsoft · Bing · 2022
CNIL fines Microsoft €60M over Bing cookies
The CNIL fined Microsoft for depositing advertising cookies on bing.com without consent and for making it harder to refuse cookies than to accept them.
Google · 2019
CNIL fines Google €50M over Android ad consent
France's CNIL issued one of the first major GDPR fines, finding that Google lacked transparency and valid consent for ads personalisation during Android device setup.
Amazon · 2020
CNIL fines Amazon €35M over advertising cookies
The CNIL fined Amazon for placing advertising cookies on amazon.fr visitors' devices without consent or adequate information.
Amazon · Alexa · 2023
Amazon's $25M Alexa settlement over children's recordings
The FTC settled claims that Amazon kept children's Alexa voice recordings indefinitely, against COPPA and parents' deletion requests.
Google · 2012
Google's $22.5M FTC fine over Safari cookie tracking
The FTC penalised Google for circumventing Safari's default cookie-blocking to track users for advertising, despite telling those users they were protected. It was a record FTC civil penalty at the time.
Meta · Facebook · 2022
Meta fined €17M over 2018 data breaches
The DPC fined Meta over a series of twelve data breaches in 2018, finding it had failed to have appropriate technical and organisational measures in place.
OpenAI · ChatGPT · 2024
OpenAI's €15M ChatGPT fine, annulled in 2026
Italy's Garante alleged that ChatGPT was trained on personal data without an adequate legal basis, failed transparency obligations, did not report a March 2023 breach, and lacked age verification for minors. In March 2026 the Court of Rome annulled the fine on procedural grounds, not because the practices were ruled lawful.
Meta · 2024
PIPC fines Meta KRW 21.6B over sensitive-data collection
South Korea's PIPC fined Meta for collecting sensitive data, including religion, political views, and sexual orientation, on roughly 980,000 users for advertising without consent.
Amazon · Ring · 2023
Amazon's $5.8M Ring settlement over camera access
The FTC settled claims that Ring employees and contractors improperly accessed customers' home camera videos, and that lax security allowed outside access.