In 2023, the Irish Data Protection Commission issued the largest GDPR fine to date – €1.2 billion to Meta, the company behind Facebook, Instagram, Threads, and WhatsApp. That single penalty amounts to roughly 30% of the total value of all GDPR fines combined.
Meta has collected several more fines besides, but it is not the only company that has paid dearly for non-compliance. In this article, you’ll see the top 5 companies with the biggest GDPR fines, as well as examples of penalties imposed on small businesses. You’ll also learn how to comply with GDPR so that your company doesn’t get penalized.
What are GDPR fines?
When a GDPR infringement is found, Data Protection Authorities (DPAs) can start with a warning or reprimand, typically where the infringement is minor and data subjects have not been harmed. If harm has been done, or earlier warnings were ignored, Article 83 provides two tiers of administrative fine, depending on which provisions were infringed.
The lower tier is a fine of up to €10 million (~$11 million) or 2% of the firm’s total worldwide annual turnover from the previous financial year, whichever is higher. It applies to controller and processor obligations such as:
- Failure to appoint a Data Protection Officer (DPO) where one is required (Article 37)
- Failure to implement appropriate technical and organizational security measures (Article 32)
- Failure to keep records of processing activities (Article 30)
The higher tier is a fine of up to €20 million (~$22 million) or 4% of the firm’s total worldwide annual turnover from the previous financial year, whichever is higher. It applies to infringements of the basic principles, data subject rights, and international transfer rules, for example:
- Processing personal data without a lawful basis, including collecting data without valid consent where consent is the basis relied on
- Violating user rights, such as failing to delete personal data or provide access to it when requested
- Transferring personal data to third countries without a valid transfer mechanism under Chapter V
- A data breach caused by inadequate security, which infringes the integrity and confidentiality principle of Article 5(1)(f)
GDPR itself imposes only administrative fines, but Article 84 allows member states to lay down additional penalties. In some countries, deliberately ignoring a DPA’s processing ban or order to rectify practices can therefore be a criminal offence punishable by imprisonment.
Biggest GDPR fines in history
We went through public enforcement databases to identify the biggest GDPR fines imposed since the regulation took effect in May 2018. Here’s a quick overview of our main findings:
- Meta – the biggest GDPR fine with €1.2 billion
- Amazon – €746 million
- TikTok – €345 million
- WhatsApp – €225 million
- Google – €90 million
- CRITEO – €40 million
- H&M – €35.25 million
- TIM – €27.8 million
- Enel Energia – €26.5 million
- British Airways – €22.4 million
- Marriott – €20.45 million
- Clearview AI – €20 million
You can continue reading to learn the exact reasons and circumstances under which each company received a GDPR fine. Let’s take a look at all of the company cases in detail:
1. Meta – €1.2 billion GDPR fine
| Fine size | €1.2 billion |
| Imposed by | Ireland (Data Protection Commission) |
| Reason | Transfers of EU users’ personal data to the US without adequate safeguards |
In May 2023, Meta, the American multinational technology conglomerate, received the biggest fine in the history of GDPR penalties – €1.2 billion.
The Irish Data Protection Commission (DPC) imposed the fine on Meta Platforms Ireland for continuing to transfer Facebook users’ personal data to the US after the Court of Justice of the EU’s Schrems II judgment of July 16, 2020, which invalidated the EU–US Privacy Shield. Meta relied on standard contractual clauses (SCCs) for the transfers, but, according to the binding decision of the European Data Protection Board (EDPB), the SCCs and Meta’s supplementary measures did not address the risks to users’ rights that the court had identified.
However, this isn’t the first fine received by Meta. Here are a few other instances – all of these fines are some of the biggest GDPR penalties ever received by a company:
- In September 2022, Meta received a €405 million fine for unlawful processing of children’s personal data on Instagram.
- In January 2023, Meta received a €390 million fine for changing the legal basis of its processing on Facebook and Instagram to “contract”, effectively forcing users to accept most of its processing activities as a condition of using the services.
- In November 2022, Meta received a €265 million fine after a data-scraping incident exposed the personal data of over half a billion users.
2. Amazon – €746 million GDPR fine
| Fine size | €746 million |
| Imposed by | Luxembourg (National Commission for Data Protection, CNPD) |
| Reason | Processing personal data for targeted advertising without valid consent |
In July 2021, Amazon’s Luxembourg entity, Amazon Europe Core, was hit with a €746 million (around $832.8 million) GDPR fine. The investigation followed a collective complaint filed by the French privacy rights group La Quadrature du Net on behalf of 10,000 supporters.
Amazon received one of the biggest fines in GDPR history because it processed personal data for targeted advertising purposes without obtaining valid consent.
Just like Meta, Amazon has more than one strike. Amazon France Logistique, which manages Amazon’s warehouses in France, received a €32 million fine from the CNIL in December 2023 for implementing intrusive systems to monitor employee performance.
3. TikTok – €345 million GDPR fine
| Fine size | €345 million |
| Imposed by | Ireland (Data Protection Commission) |
| Reason | Failure to protect children’s privacy |
In September 2023, the Data Protection Commission (DPC) hit TikTok with a €345 million GDPR fine for failing to protect children’s privacy. The infringements included:
- Child users’ profiles being set to public by default.
- The “Family Pairing” feature allowing any adult, not only a verified parent or guardian, to pair their device with a child’s account.
- Failure to provide child users with transparent information about how their data was handled.
4. WhatsApp – €225 million
| Fine size | €225 million |
| Imposed by | Ireland (Data Protection Commission) |
| Reason | Failure to meet transparency obligations |
In September 2021, the Data Protection Commission issued a €225 million (around $251 million) GDPR fine to the WhatsApp instant messaging service.
The final amount was set after the EDPB, in a binding decision, directed the DPC to raise the fine it had initially proposed (up to €50 million). WhatsApp was penalized for failing to meet the transparency obligations of Articles 12 to 14, in particular for not clearly informing users how their personal data was processed and shared with other Meta companies.
5. Google – €90 million GDPR fine
| Fine size | €90 million |
| Imposed by | France (CNIL) |
| Reason | Refusing cookies was harder than accepting them |
The biggest fine Google has received so far in the GDPR era was €90 million, imposed on Google LLC by France’s CNIL in December 2021. On google.fr and youtube.com, users could accept all cookies with a single click but needed several clicks to refuse them, so withholding or withdrawing consent was not as easy as giving it.
The same day, Google Ireland was issued a €60 million fine for the same reason. Note that the CNIL imposed these cookie fines under the French Data Protection Act implementing the ePrivacy Directive rather than through the GDPR’s one-stop-shop mechanism, which is why a French regulator could fine Google directly instead of deferring to the Irish DPC.
That was not Google’s first penalty either – in January 2019 the CNIL fined Google LLC €50 million for multiple violations, including failure to obtain valid consent for ad personalization, lack of transparency, and inadequate information provided to users.
Other companies with the biggest fines
Market giants like Meta, Amazon, TikTok, WhatsApp, and Google account for the largest fines in GDPR history, but other businesses don’t fall far behind. Here are a few examples:
- CRITEO. The online advertising company received a €40 million fine from the CNIL for failing to obtain valid user consent and to honour user rights.
- H&M. The multinational fashion retailer was fined €35.25 million by the Hamburg DPA for extensively recording details of employees’ private lives, such as illnesses, family problems, and religious beliefs. The practice came to light when a configuration error made the records accessible to the whole company for a few hours.
- TIM. The Italian telecommunications company received a €27.8 million GDPR fine for a variety of violations, including aggressive telemarketing without consent, excessive data collection, and inadequate data management.
- Enel Energia. The Italian electricity and gas supplier was issued a €26.5 million GDPR fine for using customer data for telemarketing calls without consent.
- British Airways. The airline received a £20 million (around €22.4 million) fine from the UK ICO after attackers diverted users of its website to a fraudulent site, stealing the personal and payment card data of over 400,000 customers.
- Marriott. The hotel and resort company was fined £18.4 million (around €20.45 million) by the UK ICO over a cyber attack on the Starwood guest reservation database that exposed the personal data of roughly 339 million guests.
- Clearview AI. The facial recognition company received three separate €20 million fines, from the DPAs of France, Italy, and Greece, mainly for scraping facial images from the web and processing biometric data without a legal basis.
Small businesses with GDPR fines
While the biggest fines ever were received by well-known companies around the globe, it’s important not to forget that small businesses aren’t immune to GDPR fines either.
The GDPR fines database maintained by the International Network of Privacy Law Professionals (INPLP) alone lists over 300 fines imposed on small or lesser-known businesses. Here are a few examples:
- Altius Insurance. The insurance company received a €4,000 fine for sending unsolicited advertising SMS messages to non-customers.
- Futura Internationale. The midsized French company received a €500,000 fine from the CNIL for excessive data collection and failing to honour user rights, including opposition to telemarketing calls.
- Kaufland. In 2020, the Slovak branch of the German hypermarket chain was fined €3,500 for a “breach of the principle of transparency.”
- Primary school M.R.Štefánika. The primary school received a €6,000 fine for selling a CD of the school’s children singing and uploading videos of them to YouTube without parental consent.
- Kebab shop. In 2019, an unnamed kebab shop in Austria was fined €1,500 by the Federal Administrative Court for processing personal data without a sufficient legal basis.
- Private person – soccer coach. An unnamed private individual in Austria received an €11,000 fine for processing personal data without a lawful basis.
How to comply with GDPR to avoid fines?
To avoid GDPR fines, you need to ensure that your business handles the personal data of people in the EU according to the regulation. Here are the main requirements you should adopt:
- Add a cookie consent banner. Your website should include a cookie consent banner, such as TinyCookie on Shopify, that lets users accept, refuse, or manage non-essential cookies with equal ease. Under Article 7 consent must be freely given, specific, and informed, and withdrawing it must be as easy as giving it; refusing must not take more clicks than accepting, which is exactly what the CNIL fined Google for.
- Keep records of consent. Article 7(1) requires you to be able to demonstrate that a user consented, so log what each user agreed to, when, and under which version of your banner text. Some cookie consent tools, including TinyCookie, collect these records automatically in one place.
- Generate a privacy policy. A GDPR-compliant privacy policy must contain the information required by Articles 13 and 14: your identity and contact details (and your DPO’s, if you have one), the purposes and legal basis for each processing activity, the categories of data collected and their retention periods, any recipients or third parties the data is shared with, international transfers, and the rights users can exercise.
- Include a cookie section. You can write a separate cookie policy or add a cookie section to your existing privacy policy. Either way, it must list every cookie used, its purpose and expiry date, how users can withdraw consent, and what rights they have.
- Ensure data security. Article 32 requires technical and organizational measures appropriate to the risk, such as encryption of personal data, access controls based on least privilege, logging, and regular testing of those measures. Appoint a DPO where Article 37 requires one, and be ready to notify your DPA of a personal data breach within 72 hours of becoming aware of it (Article 33).
Conclusion
As of 2024, Meta still holds the biggest GDPR fine to date – €1.2 billion for transferring the data of EU users to a third country (the US) without adequate safeguards. Amazon’s 2021 fine of €746 million, for processing personal data for advertising without valid consent, remains in second place.
But market giants aren’t the only ones getting fined – from schools to private individuals and kebab shops, no one is immune. GDPR fines range from a few thousand euros to hundreds of thousands or more.
That’s why it’s important to keep your company compliant at all times: adopt a cookie consent banner like TinyCookie on Shopify, record consent automatically, make sure your website has a GDPR-compliant privacy policy and cookie policy, and put security measures in place to protect the data you hold.
Frequently asked questions
How much are GDPR fines?
GDPR fines depend on the severity of the violation. Less serious violations can cost a company up to €10 million or 2% of its total worldwide annual turnover from the previous financial year, whichever is higher. More severe violations can cost up to €20 million or 4% of that turnover, again whichever is higher.
How many GDPR fines have been issued?
As of August 26, 2024, 2,433 GDPR fines had been issued according to the CMS GDPR Enforcement Tracker.
Are GDPR fines insurable?
Whether a GDPR fine is insurable depends on national law and the insurer’s policy wording. No EU court has ruled GDPR fines uninsurable as such, so insurers decide case by case, and coverage is commonly refused where the harm was severe, the violation was intentional or grossly negligent, or the company profited from it.