GDPR fines can reach EUR20 million or 4% of a company's total worldwide annual turnover, whichever is greater. Article 83 of the regulation sets that ceiling through a two-tier penalty system.
Below: how the two tiers work, the factors regulators weigh before setting an amount, and the biggest fines issued so far. Also covered: what actually lowers your own risk of becoming one of them.
What Are GDPR Fines?
GDPR fines are administrative penalties imposed on organizations that break the GDPR. EU and EEA data protection authorities issue them, as does the UK's ICO. They sit alongside warnings, reprimands, and orders to stop processing as the enforcement tools available under Article 83. Fines draw the most attention because the ceilings run into the billions.
Fines come from Article 83 of the GDPR. A national supervisory authority issues them, such as Ireland's Data Protection Commission (DPC) or France's CNIL. The regulation requires every penalty to be effective, proportionate, and dissuasive. That is why the amount varies enormously, from a EUR240 fine against a small hotel to a EUR1.2 billion fine against Meta.
Fines are not the only sanction available. A data protection authority can also order a company to stop processing or suspend an activity. It can require a specific fix without issuing a fine at all.
How Big Can a GDPR Fine Be? The Two-Tier Structure
GDPR fines scale in two tiers. The tier depends on which article was broken, not on company size.
| Tier | Maximum | Example violations | Example articles |
|---|---|---|---|
| Lower tier | Up to EUR10 million, or 2% of worldwide annual turnover, whichever is higher | Poor records, no data protection officer, late or failed breach notification, weak security measures | Articles 8, 11, 25 to 39, 42, 43 |
| Upper tier | Up to EUR20 million, or 4% of worldwide annual turnover, whichever is higher | Invalid consent, no lawful basis for processing, ignoring data subject rights, unlawful international transfers | Articles 5 to 7, 9, 12 to 22, 44 to 49 |
The "whichever is higher" clause explains why the ceiling grows so large for big companies. Four percent of a global tech company's annual revenue dwarfs EUR20 million. The flat EUR20 million cap is what actually applies to a smaller business with no meaningful international turnover.
The UK GDPR mirrors this exact two-tier structure in sterling. Its standard maximum is GBP8.7 million or 2%; its higher maximum is GBP17.5 million or 4%. The ICO enforces it instead of an EU authority.
Regulators increasingly apply one added detail. A 2025 Court of Justice of the EU ruling confirmed that companies inside a larger corporate group face a group-wide calculation. The turnover used for the percentage-based ceiling is the group's global turnover, not just the turnover of the specific entity that broke the rules.
How Are GDPR Fines Calculated? The Article 83 Factors
Regulators rarely impose the maximum fine. Article 83(2) requires each authority to weigh the violation against a fixed list of factors. Those factors decide whether to fine an organization at all, and how much.
The Article 83(2) factors are:
- Gravity and nature: what happened, how many people were affected, how sensitive their data was, and how long the problem lasted
- Intent: whether the violation was deliberate or the result of negligence
- Mitigation: what the organization did to reduce the harm once it was discovered
- Precautionary measures: how much technical and organizational preparation the organization had in place beforehand
- History: any past infringements, including under GDPR's predecessor law
- Cooperation: whether the organization worked with the regulator to find and fix the problem
- Data category: what type of personal data was involved
- Notification: whether the organization reported the problem to the regulator on its own
- Certification: whether the organization followed an approved code of conduct
- Financial benefit: any financial gain the organization made, or loss it avoided, because of the violation
The European Data Protection Board's own Guidelines 04/2022 set out a five-step method. Regulators use it to turn these factors into an actual number. In practice, self-reporting and a fast fix change the outcome.
A company that owns a problem early lands in a very different position than one that ignored a known risk. Good-faith, cooperative organizations tend to see lower fines, or no fine at all, for the same underlying mistake.
The Biggest GDPR Fines So Far
Data protection authorities have issued thousands of enforcement actions since 2018. The GDPR enforcement tracker counts 3,195 actions totaling more than EUR6.31 billion as of this writing.
| Company | Fine | Authority | Year | What it was for |
|---|---|---|---|---|
| Meta | EUR1.2 billion | Irish DPC | 2023 | Unlawful transfer of EU user data to the United States |
| Amazon | EUR746 million | Luxembourg CNPD | 2021 | Ad-targeting and tracking cookies without valid consent |
| TikTok | EUR530 million | Irish DPC | 2025 | Data transfers to China and transparency failures |
| Instagram (Meta) | EUR405 million | Irish DPC | 2022 | Children's data and public-by-default account settings |
| TikTok | EUR345 million | Irish DPC | 2023 | Children's data processing and default settings |
| Meta | EUR390 million | Irish DPC | 2023 | Forced consent and improper legal basis for ad processing |
| EUR310 million | Irish DPC | 2024 | Unlawful processing for behavioral analysis and targeted ads | |
| Uber | EUR290 million | Dutch DPA | 2024 | Inadequate security for transferring EU drivers' data to the US |
Meta's EUR1.2 billion penalty remains the largest single GDPR fine on record. The pattern across this table is consistent. The biggest fines cluster around invalid consent, unclear data transfers, and children's data, not obscure paperwork violations. Those are exactly the things an ordinary website touches every day through cookies, trackers, and account signup flows.
Cookie-Consent Fines: When Banners and Trackers Trigger Penalties
Getting cookie consent wrong has produced some of the most visible privacy fines to date. It is also the violation most relevant to an everyday website. On 10 December 2020, France's CNIL fined Google EUR100 million and Amazon Europe Core EUR35 million.
Google's fine split between Google LLC and Google Ireland. Both companies placed advertising cookies on visitors' devices before they consented, and both used a refusal mechanism that made declining harder than accepting.
The CNIL issued that specific pair of fines under French ePrivacy and cookie rules, not as a direct GDPR Article 83 penalty. The distinction matters for precision, not for risk. Invalid cookie consent separately breaches GDPR Articles 6 and 7, the rules on a lawful basis and valid consent. That breach sits in the GDPR's upper tier: up to EUR20 million or 4% of turnover.
Valid cookie consent has to meet specific GDPR cookie consent requirements before any tracker fires. Consent must come before the cookie loads. Refusing has to be as easy as accepting. Boxes cannot be pre-ticked, and only cookies the site strictly needs to function are exempt from asking at all.
Who Can Be Fined? (Including Small Businesses and US Companies)
Any organization that processes personal data belonging to people in the EU or EEA can face a GDPR fine, regardless of size or location. Article 3's extraterritorial reach puts a small business, a solo founder, and a US company with no EU office all in scope. The trigger is simple: offering goods or services to, or monitoring, people in the EU. The same test decides who needs to comply with GDPR in the first place.
Small businesses rarely see headline-sized fines. GDPR applies "from multi-nationals down to micro-enterprises," but the Article 83(2) factors reward good faith. Fines for small, first-time violations typically run in the thousands of euros, not the millions.
Some regulators issue a warning before moving to a fine at all, especially when the organization has a clear path to fixing the problem. Fines also scale to turnover, so a company with a small revenue base cannot be pushed toward the multi-million-euro ceiling for an ordinary compliance gap.
US companies face the same legal exposure but a harder enforcement path. A European authority can issue a fine against a US company with no EU presence. Actually collecting it depends on limited judicial cooperation between the US and the EU, and a US court can decline to enforce it.
That gap does not remove the risk. Reputational damage and loss of access to the EU market are real consequences even before a fine is ever collected. A US company serving Californians also faces separate CCPA fines under state law, on top of any GDPR exposure.
How to Reduce Your Risk of a GDPR Fine
The most controllable step is also the one regulators have repeatedly fined companies over: getting cookie and tracker consent right. It touches nearly every website.
- Map what personal data you collect and confirm you have a lawful basis under Article 6 for each use
- Get valid, prior consent for cookies and block non-essential cookies, scripts, and trackers until a visitor opts in
- Publish a clear, current privacy policy and cookie policy
- Respond to data subject requests, such as access and deletion, within the required time
- Keep records of consent and processing activity so you can prove compliance if asked
- Report an eligible data breach to your supervisory authority within 72 hours
- Apply basic security and data-protection-by-design practices to new features before launch
Working through the full compliance checklist takes more than a banner. For the complete process, see how to make your website GDPR compliant. This is general information, not legal advice, and it does not replace a legal review specific to your business.
How Consently Helps You Get Cookie Consent Right
Cookie consent is the single most fined, most controllable gap for an ordinary website. It is also the piece Consently is built to close. Consently shows a GDPR opt-in cookie banner and blocks non-essential cookies, scripts, and iframes from loading until a visitor actually consents. That is the exact failure mode behind the CNIL's cookie fines against Google and Amazon.
Consently's cookie scanner finds every cookie, script, and tracker running on your site, the same categories a regulator would flag during a review. Nothing loads silently before consent. Every consent choice is stored in a consent log you can export, giving you an audit trail if you ever need to demonstrate compliance.
Getting prior consent in place before trackers load is the fastest way to close the gap this article covers. Start free and connect your GDPR cookie consent solution in minutes. Consently's tools assist with compliance; they are not a substitute for legal advice.
FAQs
What is the maximum GDPR fine?
The maximum GDPR fine is EUR20 million or 4% of a company's total worldwide annual turnover, whichever is higher. That ceiling applies to the most serious violations, such as invalid consent or unlawful data transfers.
What is considered a GDPR violation?
A GDPR violation is any breach of the regulation. Common examples include collecting data without a lawful basis or valid consent, ignoring data subject rights, and failing to secure data adequately. Missing the 72-hour breach notification deadline and transferring data internationally without proper safeguards also count.
What is the biggest GDPR fine ever?
The largest GDPR fine on record is Meta's EUR1.2 billion penalty from Ireland's Data Protection Commission in 2023. Regulators issued it for transferring EU users' personal data to the United States without adequate safeguards.
Can a small business be fined under GDPR?
Yes, GDPR applies to organizations of every size. Fines scale to turnover, though, and regulators weigh good faith and cooperation heavily. Small businesses that fix issues quickly rarely see the headline-sized fines that hit large companies.
Can a US company be fined under GDPR?
Yes, if it offers goods or services to, or monitors, people in the EU, GDPR's extraterritorial reach under Article 3 applies. Enforcing that fine against a US company with no EU presence is harder because of limited cross-border judicial cooperation, but the legal exposure is real.
Can you be fined for not having a cookie banner?
You can be fined for loading non-essential cookies or trackers without valid, prior consent. A banner by itself is not the point. France's CNIL fined Google and Amazon specifically because trackers fired before visitors consented and refusing was harder than accepting.
How are GDPR fines different from UK GDPR fines?
The UK GDPR mirrors the EU's two-tier structure but in sterling. Its standard maximum is GBP8.7 million or 2% of global turnover; its higher maximum is GBP17.5 million or 4%. The ICO enforces it instead of an EU data protection authority.
Have any companies gone bankrupt from a GDPR fine?
Large monetary fines rarely bankrupt a company, since regulators typically target organizations that can absorb them. One small French company, Fidzup, ceased operating after a 2018 CNIL formal notice forced a costly compliance change. The company never recovered, though it faced a notice, not a large fine.

