What the data shows

The directory currently tracks 60 penalties totalling roughly $54.1B (excluding annulled cases) across 10 companies and 20 regulators. Amounts below use the USD approximation at the time of each decision. Annulled penalties are excluded from every total.

Total imposed by company

Apple: $17.8B
Google: $15.5B
Meta: $10.8B
Amazon: $4.6B
Microsoft: $2.8B
Didi: $1.2B
TikTok: $944M
Uber: $313M
X (Twitter): $150M

By violation category

Antitrust: $20.1B
Privacy: $14.6B
Tax: $14B
Deception: $3.9B
Biometrics: $3.4B
Dark patterns: $3.2B
Security: $1.5B
Children: $1B
Content: $358M

Privacy and antitrust dominate. Nearly every major penalty reduces to one of three failures: collecting or using personal data without a valid legal basis, abusing platform dominance to disadvantage rivals, or deceiving consumers through dark patterns and hidden behaviour.

By year

2004: $537M
2006: $303M
2008: $929M
2012: $22.5M
2013: $606M
2016: $14B
2017: $2.6B
2018: $4.5B
2019: $5.2B
2020: $1.2B
2021: $3.9B
2022: $3.4B
2023: $2.8B
2024: $4.9B
2025: $9.2B

The billion-euro era begins with the GDPR (2018) and the Digital Markets Act (2023 onward). The single largest line, the 2016 Apple tax recovery, is a state-aid case rather than a fine; see the methodology.

By jurisdiction

European Union: $30.6B
United States: $13B
Ireland: $4B
France: $2.1B
Italy: $1.2B
China: $1.2B
Luxembourg: $806M
Netherlands: $367M
Russia: $358M
India: $274M
South Korea: $192M

The EU is the primary enforcer. Ireland's Data Protection Commission and the European Commission account for the majority of the largest penalties, with US federal and state actions close behind.

The pattern beneath the numbers

Read as a security and identity practitioner rather than a headline-watcher, the record is remarkably consistent. The recurring root cause is not a single bad actor but a business model: personal data collected by default, a legal basis assembled after the fact, and consent flows engineered to produce a “yes.” The biometric settlements in Texas and Illinois, the GDPR transfer fines, and the cookie-consent penalties are variations on the same theme.

The second pattern is that fines rarely change behaviour on their own. Independent analyses estimate that the 2025 penalties across Apple, Alphabet, Meta, and Amazon amount to roughly a month of their combined free cash flow. Structural remedies, such as the DMA's conduct rules or forced unbundling, move the needle more than the euros do.

If you build or buy customer-identity and privacy systems, these cases are a checklist of what regulators now treat as unlawful by design. That is the throughline in the CIAM Compass and the cybersecurity research on guptadeepak.com.

Want the raw data? Every figure here comes from the public JSON dataset, and you can export a filtered CSV from the directory.