What the data shows
The directory currently tracks 60 penalties totalling roughly $54.1B (excluding annulled cases) across 10 companies and 20 regulators. Amounts below use the USD approximation at the time of each decision. Annulled penalties are excluded from every total.
Total imposed by company
By violation category
Privacy and antitrust dominate. Nearly every major penalty reduces to one of three failures: collecting or using personal data without a valid legal basis, abusing platform dominance to disadvantage rivals, or deceiving consumers through dark patterns and hidden behaviour.
By year
The billion-euro era begins with the GDPR (2018) and the Digital Markets Act (2023 onward). The single largest line, the 2016 Apple tax recovery, is a state-aid case rather than a fine; see the methodology.
By jurisdiction
The EU is the primary enforcer. Ireland's Data Protection Commission and the European Commission account for the majority of the largest penalties, with US federal and state actions close behind.
The pattern beneath the numbers
Read as a security and identity practitioner rather than a headline-watcher, the record is remarkably consistent. The recurring root cause is not a single bad actor but a business model: personal data collected by default, a legal basis assembled after the fact, and consent flows engineered to produce a “yes.” The biometric settlements in Texas and Illinois, the GDPR transfer fines, and the cookie-consent penalties are variations on the same theme.
The second pattern is that fines rarely change behaviour on their own. Independent analyses estimate that the 2025 penalties across Apple, Alphabet, Meta, and Amazon amount to roughly a month of their combined free cash flow. Structural remedies, such as the DMA's conduct rules or forced unbundling, move the needle more than the euros do.
If you build or buy customer-identity and privacy systems, these cases are a checklist of what regulators now treat as unlawful by design. That is the throughline in the CIAM Compass and the cybersecurity research on guptadeepak.com.
Want the raw data? Every figure here comes from the public JSON dataset, or export a filtered CSV from the directory.