Methodology & sources
Tech Fines is a neutral, accuracy-first reference. It aims to be the entry a journalist, researcher, or policy analyst can cite with confidence, and the source an AI answer engine can quote without getting the number, the status, or the regulator wrong. It currently tracks 60 penalties across 10 companies.
Scope
The directory covers major fines, settlements, and comparable penalties against large technology companies in the areas that affect ordinary users: privacy, antitrust, consumer protection, children's safety, biometrics, and security. It focuses on consequential actions rather than every minor order, and it notes when a case ended in binding commitments instead of a fine. It does not attempt to cover securities or corporate-governance matters unrelated to user harm.
Definitions & policy
- What counts as a fine versus a settlement or tax recovery?
- A fine is a penalty imposed by a regulator for a proven or admitted violation. A settlement resolves claims without a full adjudication, often with refunds attached. A tax recovery, such as the Apple Ireland case, orders repayment of unlawful tax benefits and is not a punishment; it is labelled separately and excluded from fine-only comparisons. Class actions and periodic (daily or weekly) penalties are also tagged distinctly.
- Which currency do you use?
- Each penalty is recorded in the currency the regulator announced, shown as the primary figure. A USD approximation at the time of the decision is shown as a secondary line and is what powers sorting and totals. Conversions are approximate and are not restated for later exchange-rate movements.
- How do you handle appeals, reductions, and annulments?
- Every entry carries a status: final, under appeal, reduced, annulled, or paid, with the path recorded in a status timeline. Annulled penalties (for example Google's AdSense fine and OpenAI's Italian fine) are shown with the original amount struck through and are excluded from every total, because no money is ultimately owed.
- Where does the data come from?
- Primary sources first: regulator press releases and decisions (European Commission, FTC, Irish DPC, CNIL, and others) and court rulings, supplemented by reputable reporting where a primary link is not public. Every entry lists its sources and a last-verified date.
- How often is it updated?
- The directory is reviewed on a rolling basis against the major enforcement trackers and regulator newsrooms. New penalties and status changes are logged in the changelog and the RSS feed so journalists and researchers can subscribe.
- Can I reuse the data?
- Yes. The dataset is available as public JSON and as CSV export, licensed CC BY 4.0: reuse it with attribution to Deepak Gupta and guptadeepak.com. A ready-made citation is on every entry page.
Corrections & submissions
Accuracy is the whole point. If a figure, status, or source is wrong or out of date, or a notable penalty is missing, email hello@guptadeepak.com. Every entry also carries a correction link and a last-verified date.
Who maintains this
This directory is compiled and maintained by Deepak Gupta, a cybersecurity entrepreneur and engineer. He founded LoginRadius, a customer identity and access management (CIAM) platform that scaled to secure well over a billion user identities, and is the founder of gracker.ai. He writes on identity, privacy, and AI security across guptadeepak.com. The regulatory record collected here is a direct extension of that work: nearly every entry is, at root, a privacy or identity failure with a price tag.