The Biggest GDPR Fines and What Caused Them

See the biggest GDPR fines on record, ranked and explained: who got fined, how much, which authority, and the exact violation behind each number.


by Riad Us Salehin • 5 July 2026


Meta holds the record for the biggest GDPR fine ever. Ireland's Data Protection Commission issued the EUR 1.2 billion penalty in May 2023, for sending EU user data to the United States without adequate safeguards. Regulators have now issued over EUR 6.3 billion in GDPR fines across 3,195 cases.

A handful of causes produce almost every headline-sized fine, and most of them are avoidable basics. This article ranks the biggest fines by amount and groups them by the violation that caused each one. It also names what a site owner can actually do about it.

What Actually Triggers the Biggest GDPR Fines

Six causes produce nearly every fine over EUR 100 million. They are listed below.

  • Illegal international data transfers
  • No valid legal basis for ads and tracking
  • Failing to protect children's data
  • Weak security that leads to a breach
  • Transparency failures
  • Cookie banners that make rejecting harder than accepting

Regulators size a fine using a two-tier maximum: up to EUR 20 million or 4% of global turnover, whichever is higher. They then scale that ceiling to the violation's severity and the company's revenue.

One Reddit user who tracks GDPR enforcement summed up the pattern below.

It's never the complex legal stuff. It's always the obvious basics that nobody bothered to check.

Illegal International Data Transfers

Sending EU personal data to a country without an adequate legal transfer mechanism violates Article 46 of the GDPR. This single cause produced the three largest fines ever issued: Meta, TikTok, and Uber. The signal is a transfer to a country outside the EU, most often the United States or China. That transfer typically relies on standard contractual clauses without the extra technical safeguards the 2020 Schrems II ruling requires.

No Valid Legal Basis for Ads and Tracking

Article 6 of the GDPR requires a valid legal basis before processing personal data. Using "legitimate interest" or "contract" instead of freely given consent for ad targeting is the most common ground for a nine-figure fine. The signal is a company treating tracking as something users agreed to by using the service, rather than something they actively opted into.

Failing to Protect Children's Data

Regulators treat unsafe defaults for minors as an aggravating factor, not a UX choice. The signal is any setting that makes a child's account, contact information, or location public by default rather than private by default.

Weak Security That Leads to a Breach

Article 32 requires appropriate technical and organizational measures (TOMs) to protect personal data. A breach does not need to be a sophisticated hack. A design gap that lets data leak, or an old vulnerability nobody patched, both qualify. The signal is a lack of documented, tested security controls proportionate to the data being processed.

Getting the Cookie Banner Wrong

Article 4(11) requires consent to be as easy to refuse as to give. A banner with a one-click "Accept" button and a buried or multi-step "Reject" option is itself the violation, independent of any breach or transfer. This is the one category of fine on this page a cookie banner directly prevents.

The two-tier maximum under Article 83 caps at EUR 20 million or 4% of global annual turnover, whichever is higher. For the exact calculation and how regulators pick a number within that ceiling, see how GDPR fines are calculated.

The fines below are grouped by which of these causes triggered them, not ranked best to worst.

The Data-Transfer Fines: The Biggest of Them All

The three largest GDPR fines on record all involve EU personal data sent somewhere without adequate protection. Most of that data went to the United States or China, after the 2020 Schrems II ruling struck down the previous EU-US transfer framework.

CompanyFineYearAuthorityWhat it was forCurrent status
MetaEUR 1.2 billion2023Irish DPCUnlawful EU-to-US data transfers on standard contractual clausesMeta is appealing; fine stands pending appeal
AmazonEUR 746 million2021 decisionLuxembourg CNPDTargeted ads without valid consent (complaint-driven)Annulled on procedural grounds by the Court of Appeal in March 2026; violations confirmed; case remanded to the CNPD
TikTokEUR 530 million2025Irish DPCEEA-to-China data transfers plus a transparency failureSix-month compliance order; TikTok later admitted EEA data had in fact reached Chinese servers
UberEUR 290 million2024Dutch DPADrivers' sensitive data transferred to the US without safeguardsUber is contesting the fine
LinkedInEUR 310 million2024Irish DPCUnlawful legal basis for behavioral ad targetingIn force

Meta, EUR 1.2 Billion (2023): The Largest GDPR Fine Ever

Ireland's Data Protection Commission fined Meta Platforms Ireland EUR 1.2 billion on May 12, 2023. The violation was Article 46. Meta transferred EU users' Facebook data to the United States on standard contractual clauses that could not protect it from US surveillance law. The case traces back to Max Schrems' original 2013 complaint and the 2020 Schrems II ruling that struck down the prior EU-US Privacy Shield framework. Meta is appealing the decision, and the fine currently stands. A cookie banner would not have prevented this. The violation is about where data physically goes, not whether a visitor clicked accept.

TikTok, EUR 530 Million (2025): Sending EU Data to China

The Irish DPC fined TikTok Technology Limited EUR 530 million on May 2, 2025. The fine splits into EUR 485 million for unlawful transfers under Article 46(1) and EUR 45 million for a transparency failure under Article 13(1)(f). The DPC found TikTok could not verify that its supplementary safeguards protected EEA user data transferred to China to a level equivalent to EU protection. In April 2025, TikTok made a new disclosure to the DPC. A February 2025 discovery had shown that limited EEA user data was in fact stored on servers in China. That contradicted the evidence TikTok gave during the inquiry. The DPC ordered TikTok to suspend the transfers within six months of any appeal period ending. Not cookie-preventable: this is a data-location failure.

Uber, EUR 290 Million (2024): Driver Data Sent to the US

The Dutch Data Protection Authority fined Uber EUR 290 million on July 22, 2024. Uber transferred EU drivers' sensitive data to its US headquarters without adequate safeguards. That data included account details, taxi licenses, location, payment details, identity documents, and in some cases criminal and medical data. The violation ran for 27 months, from August 2021 to November 2023, when Uber joined the EU-US Data Privacy Framework. Uber is contesting the fine. The company argues its transfer process was compliant during a period of genuine legal uncertainty between the EU and US. Not cookie-preventable: an EU entity is still exposed for where its parent company stores the data.

The Advertising and Consent Fines

These fines punish tracking and ad targeting done without a valid, freely given legal basis, the category closest to what a cookie banner actually governs.

Amazon, EUR 746 Million (2021): Targeted Ads Without Valid Consent

Luxembourg's CNPD fined Amazon Europe Core EUR 746 million in 2021. The violation was running targeted advertising without valid consent, plus cookie and transparency failures. A complaint from the French advocacy group La Quadrature du Net, co-signed by more than 10,000 people, triggered the investigation rather than a regulator-initiated audit. In March 2025, Luxembourg's Administrative Court dismissed Amazon's first appeal and upheld the fine in full. Amazon escalated to the Court of Appeal. On March 12, 2026, that court annulled the fine on procedural grounds. It found the CNPD had not properly analyzed whether Amazon acted negligently. Nor had it considered whether a lesser corrective measure would have sufficed, a standard set by intervening EU court rulings. The Court of Appeal still confirmed the underlying finding: Amazon's reliance on "legitimate interest" for ad targeting was not a valid legal basis. The case now returns to the CNPD to reassess the fine under the corrected standard. Amazon does not currently owe the EUR 746 million. Partially cookie-preventable: the consent layer for ads is exactly what a compliant banner governs, though this specific ruling turned on legal basis, not banner mechanics.

Meta, EUR 390 Million (2023): The Wrong Legal Basis for Ad Targeting

Ireland's DPC fined Meta Platforms Ireland EUR 390 million on January 4, 2023. The violation was relying on a "contract" legal basis, instead of consent, to process data for behavioral advertising on Facebook and Instagram. You cannot bundle ad-tracking consent into a platform's terms of service. Targeted advertising needs its own valid, freely given basis. The fine remains in force, and Meta adjusted its EU legal basis for ads afterward. Partially cookie-preventable: this is a consent-for-ads failure.

LinkedIn, EUR 310 Million (2024): Behavioral Ads Without Consent

Ireland's DPC fined LinkedIn Ireland EUR 310 million on October 24, 2024. The violation was unlawful processing of member data for behavioral analysis and targeted advertising, citing both legal basis and transparency failures. A B2B platform is not exempt. Ad targeting built on member activity data still needs a lawful basis, just as it does on a consumer platform. The fine is in force. Partially cookie-preventable: the same consent-for-ads mechanism applies.

Google, EUR 50 Million (2019): The First Big-Tech GDPR Fine

France's CNIL fined Google LLC EUR 50 million on January 21, 2019. The violation was lacking valid consent for ad personalization, and burying consent information across multiple pages instead of presenting it clearly. This was the first large GDPR fine against a major tech company. It set an early precedent that consent has to be specific and easy to find, not buried in a settings maze. The fine remains in force. Partially cookie-preventable: consent clarity for ads is a banner and disclosure design problem.

The Children's Data Fines

Platforms serving minors get fined hardest for unsafe defaults, not for having the wrong intentions. A public-by-default setting for a child's account is treated as a fine-worthy design failure, not a configuration option.

Meta / Instagram, EUR 405 Million (2022): Teen Accounts Public by Default

Ireland's DPC fined Meta Platforms EUR 405 million on September 5, 2022. Instagram's business account feature had made teenage users' contact information public by default, including phone numbers and email addresses. The lesson: a "public by default" setting for a minor's data is a fine, not a product decision left to the user to reverse. The fine is in force. Not cookie-preventable: this is a default-settings and design failure.

TikTok, EUR 345 Million (2023): Default Settings That Failed Kids

Ireland's DPC fined TikTok Limited EUR 345 million on September 1, 2023. Three failures combined. Child accounts were public by default, and a "family pairing" feature did not verify the linked adult. Dark-pattern nudges also pushed children toward more visible sharing, alongside weak age verification. Regulators treat dark patterns aimed at children as an aggravating factor that raises the fine, not a neutral design choice. The fine is in force. Not cookie-preventable: this is a defaults and dark-pattern failure targeting minors specifically.

The Security and Data-Breach Fines

You can be fined for the design or security gap that allowed a breach to happen, even without a sophisticated attack. The headline number regulators first propose can also shrink substantially once a company responds.

Meta, EUR 265 Million (2022): The Facebook Data-Scraping Leak

Ireland's DPC fined Meta Platforms Ireland EUR 265 million on November 25, 2022. The violation was an Article 25 data-protection-by-design failure that let attackers scrape 533 million Facebook users' data in 2021. No single hack caused the leak. A design gap in how phone numbers could be matched to profiles did. The fine is in force. Not cookie-preventable: this is a technical design and security failure.

Meta, EUR 251 Million (2024): The 2018 Token Breach

Ireland's DPC fined Meta Platforms Ireland EUR 251 million on December 17, 2024, over the 2018 Facebook "View As" feature vulnerability. That vulnerability exposed access tokens for 29 million accounts. The inquiry took years to conclude, and the fine landed six years after the breach itself. A breach from years earlier can still produce a nine-figure fine once a regulator's investigation finishes. The fine is in force. Not cookie-preventable: this is a security and breach failure.

British Airways, GBP 20 Million (2020): A Breach and a Fine That Shrank

The UK's ICO fined British Airways GBP 20 million on October 16, 2020. The violation was inadequate security measures under Articles 5(1)(f) and 32, tied to a 2018 breach exposing roughly 400,000 customers' data. The ICO had originally proposed GBP 183.39 million a year earlier. After British Airways submitted representations, the ICO revised the base fine down to GBP 30 million. It then applied a further GBP 10 million in reductions. GBP 6 million reflected cooperation and mitigation, and GBP 4 million reflected the financial hardship of the COVID-19 pandemic. The final GBP 20 million remains the largest fine the ICO has ever issued. The lesson: the headline number a regulator first proposes is not the final number. Strong representations can cut it by 90%. Not cookie-preventable: this is a security and breach failure.

The Cookie and Dark-Pattern Fines (the Ones You Can Actually Prevent)

Unlike the transfer and breach fines above, these hit the exact layer a site owner controls directly: the cookie banner itself.

Google and Facebook, EUR 210 Million (2021): Making "Reject" Harder Than "Accept"

France's CNIL fined Google LLC EUR 150 million and Facebook Ireland EUR 60 million on December 31, 2021, a combined EUR 210 million. Both companies made accepting cookies a single click while rejecting them took several more. Google's reject flow required five or more actions. Facebook's reject option was buried and mislabeled. One Reddit user summarized the underlying rule bluntly:

A button being the wrong color. That was the violation.

The rule is stricter than color, though. Accepting and refusing cookies must take the same number of clicks. Both companies fixed their banners within the CNIL's three-month deadline, and the fines remain in force. Cookie-preventable: yes, directly. This is the exact failure a symmetrical accept-and-reject banner avoids.

Amazon France, EUR 35 Million (2020): Cookies Dropped Without Consent

France's CNIL fined Amazon Europe Core EUR 35 million on December 10, 2020, for placing advertising cookies on amazon.fr visitors' browsers before obtaining their consent. This is a separate case from Amazon's EUR 746 million Luxembourg fine above. A company can be fined for pre-consent cookies and for its ad-targeting legal basis in two entirely different proceedings. The fine remains in force. Cookie-preventable: yes, directly. Auto-blocking scripts until a visitor consents is what closes this gap.

One Note on the Newest Cookie Fines: ePrivacy, Not GDPR

The largest recent cookie penalties come under a different law, so they sit outside this GDPR ranking. On September 1, 2025, France's CNIL fined Google EUR 325 million and Shein EUR 150 million. Google's split runs EUR 200 million to Google LLC and EUR 125 million to Google Ireland. The case covered ads slipped between Gmail messages and cookies dropped at account creation without valid consent. These are ePrivacy fines under Article 82 of the French Data Protection Act, not Article 83 GDPR fines. Cookie consent is governed by the ePrivacy Directive rather than the GDPR itself. The mechanism, and the fix, is identical to the cases above: get affirmative consent before any tracking cookie fires.

It Is Not Only Big Tech: Smaller and Stranger Fines

Regulators fine small and mid-size organizations too, and the causes behind those fines are often mundane rather than legally complex. For the full running data on GDPR enforcement by sector, country, and year, see the GDPR enforcement by sector tracker.

  • WhatsApp, EUR 225 million (2021): Ireland's DPC raised this fine after an EDPB binding dispute-resolution decision, for transparency failures in how WhatsApp explained data sharing with Meta. A transparency gap alone, with no breach involved, reached nine figures.
  • H&M, EUR 35.3 million (2020): Germany's Hamburg DPA fined H&M for a service center that secretly logged employees' private lives, including health issues, family circumstances, and religious beliefs, in an internal database. GDPR protects employee data as much as customer data.
  • A small Austrian site, fine amount not centrally tracked (2022): An Austrian court found that loading Google Fonts directly from Google's servers, without visitor consent, transferred an IP address to the US and violated GDPR. Most sites still do this without realizing it.
  • A Spanish dental clinic, fine amount not centrally tracked: Spain's AEPD has fined small healthcare providers over cameras placed in treatment rooms without a valid basis, showing that a single-location business is not exempt from enforcement.
  • Clearview AI, roughly EUR 100 million combined across the EU (2024 to 2025): The Dutch DPA fined Clearview AI EUR 30.5 million in September 2024, Greece added EUR 20 million, and France, Italy, and Austria issued separate orders, for scraping faces to build a biometric database with no lawful basis. Clearview has no EU establishment and has largely not paid or complied. A fine is only as strong as a regulator's ability to enforce it against a company with no presence in the bloc.

One Reddit user who has watched these smaller cases put it plainly below.

Most big fines boil down to overconfidence and weak governance rather than genuinely complex GDPR questions.

US regulators run a parallel playbook against many of the same practices; see the CCPA enforcement cases for the American equivalent. Regulator fines are only one risk. Private cookie and pixel lawsuits target the same tracking-without-consent behavior through the courts, separately from any DPA action. That includes the Meta Pixel lawsuits and claims filed under California's CIPA wiretapping law.

What These Fines Teach You About Staying Off the List

Across these 17 fines, three lessons repeat regardless of company size or the specific violation.

  1. The biggest fines are transfers and breaches, but the most common and most preventable fines are consent and cookie failures. A handful of transfer cases produced the largest numbers on this page, but the cookie and ad-consent categories are the ones an ordinary site owner actually controls day to day.
  2. Enforcement follows a complaint, not an audit. Amazon's EUR 746 million case started with a complaint from a rights group, not a regulator-initiated inspection. Assuming nobody will notice is not a compliance strategy.
  3. Get the obvious basics right. A symmetrical one-click accept and reject, no trackers firing before consent, honest and specific transparency language, and a documented consent record cover most of what triggers a fine outside the transfer and breach categories.

How Consently Helps You Get the Consent Layer Right

Consently will not stop a data-transfer fine like Meta's or a breach fine like British Airways'. It does not make a site "GDPR compliant" as a blanket guarantee. What it does fix is the exact cookie and ad-consent layer behind the CNIL's Google, Facebook, and Amazon France cases above. That means a symmetrical banner with a one-click accept and a one-click reject. It also means auto-blocking that stops cookies, scripts, and iframes from firing until a visitor actually consents. Every consent choice is logged and exportable as your audit record if a regulator or a complaint ever asks for proof. For the full compliant-banner build, see Consently's GDPR cookie consent solution. Start free and set up a compliant consent layer today.

FAQs

What is the biggest GDPR fine ever?

The biggest GDPR fine ever is Meta's EUR 1.2 billion penalty from Ireland's Data Protection Commission in May 2023. The violation was transferring EU user data to the United States without adequate safeguards.

What is the maximum possible GDPR fine?

The GDPR caps fines at EUR 20 million or 4% of a company's global annual turnover, whichever is higher, for the most severe violations. Less severe violations cap at half that: EUR 10 million or 2% of turnover. Regulators pick a number inside that ceiling based on the violation's severity, duration, and the company's cooperation.

What causes the biggest GDPR fines?

Six causes drive nearly every fine over EUR 100 million. They are illegal transfers, no valid ad-consent basis, unsafe defaults for children, weak security, transparency failures, and hard-to-reject cookie banners. See the causes above for the full breakdown of each.

Can a small business be fined under the GDPR?

Yes. Regulators have fined a small Austrian site over Google Fonts and a Spanish dental clinic over unauthorized cameras. Authorities usually start with a warning, a reprimand, or a temporary processing ban before fining a small firm. First-time penalties often land in the thousands, not the millions. Size does not exempt any organization from enforcement.

Has anyone actually been fined under the GDPR?

Yes. The GDPR Enforcement Tracker lists 3,195 fines totaling over EUR 6.3 billion since 2018. Enforcement typically follows a specific complaint rather than a routine audit.

Are GDPR fines actually paid, or are they just appealed?

Yes, most are ultimately paid, though the largest are appealed and negotiated first. Amazon's EUR 746 million fine was annulled by a Luxembourg appeals court in March 2026 and sent back to the regulator. Uber and Meta are both appealing their transfer fines, and British Airways' proposed GBP 183.39 million shrank to GBP 20 million after representations. Others, like the CNIL's Google and Facebook cookie-banner fines, were paid, and the underlying practices were fixed within months. The money collected goes to the national regulator or the member state's treasury, not to affected users.

How do I avoid a GDPR fine on my own website?

Start with the consent and cookie layer, since it is the category you control directly. Use a symmetrical accept-and-reject banner, block trackers until a visitor consents, and keep a documented consent record. Check whether you need a cookie policy for your specific setup on do I need a cookie policy.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.