Largest GDPR Fines in 2025: Lessons for Website Owners
Analysis of the largest GDPR fines issued to date, most common violation types, how fines are calculated under Art. 83, and practical lessons for website owners of all sizes.
Since the GDPR came into force in May 2018, European Data Protection Authorities have collectively issued fines exceeding 4.5 billion EUR. The trajectory is clear: fines are getting larger, enforcement is getting more systematic, and no organization — from tech giants to small businesses — is immune.
This article examines the largest GDPR fines on record, identifies the most common violation patterns, explains how fines are calculated, and draws practical lessons that website owners of any size can apply to reduce their risk.
Top 10 Largest GDPR Fines
| Rank | Organization | Fine (EUR) | DPA | Year | Primary Violation |
|---|---|---|---|---|---|
| 1 | Meta (Facebook) | 1,200,000,000 | DPC Ireland | 2023 | International data transfers to US without adequate safeguards |
| 2 | Amazon Europe | 746,000,000 | CNPD Luxembourg | 2021 | Non-compliant advertising targeting system |
| 3 | Meta (Instagram) | 405,000,000 | DPC Ireland | 2022 | Processing children’s data, public-by-default profiles |
| 4 | Meta (Facebook) | 390,000,000 | DPC Ireland | 2023 | Forcing consent via terms of service for behavioral ads |
| 5 | TikTok | 345,000,000 | DPC Ireland | 2023 | Children’s privacy, transparency, default settings |
| 6 | Uber | 290,000,000 | AP Netherlands | 2024 | Transferring driver data to US without adequate safeguards |
| 7 | Meta (WhatsApp) | 225,000,000 | DPC Ireland | 2021 | Transparency failures in privacy policy |
| 8 | Criteo | 40,000,000 | CNIL France | 2023 | Tracking without valid consent, insufficient information |
| 9 | Clearview AI | 20,000,000 | CNIL France | 2022 | Unlawful facial recognition database |
| 10 | Clearview AI | 20,000,000 | Garante Italy | 2022 | Unlawful biometric data processing (same database) |
What These Fines Tell Us
Three patterns dominate the top enforcement actions:
- International data transfers: The Schrems II fallout continues. Transferring personal data to countries without an adequacy decision remains the highest-risk activity; the two largest transfer fines (Meta 2023, Uber 2024) both concerned transfers to the US in the window between the Schrems II judgment (July 2020) and the EU-US Data Privacy Framework adequacy decision (July 2023), when no valid safeguard was in place.
- Consent and transparency failures: Forced consent, bundled consent, opaque privacy policies, and tracking without valid opt-in are consistently penalized.
- Children’s data: DPAs are increasingly focused on services used by minors, especially regarding default privacy settings and age verification.
Most Common Violation Types
While the headline fines involve tech giants, the vast majority of GDPR enforcement actions target much smaller organizations for more mundane violations.
Violation Categories by Frequency
| Violation Type | Share of Total Fines | Typical Fine Range |
|---|---|---|
| Insufficient legal basis for processing | ~25% | 5,000 - 50,000,000 EUR |
| Insufficient technical/organizational measures | ~20% | 10,000 - 10,000,000 EUR |
| Non-compliance with data subject rights | ~15% | 5,000 - 5,000,000 EUR |
| Insufficient transparency / privacy policy | ~12% | 2,000 - 1,000,000 EUR |
| Data breach notification failures | ~10% | 5,000 - 500,000 EUR |
| Unlawful data transfer | ~8% | 10,000 - 1,200,000,000 EUR |
| Insufficient consent mechanism | ~5% | 2,000 - 40,000,000 EUR |
| Other (DPO, DPIA, records) | ~5% | 1,000 - 200,000 EUR |
Website-Specific Violations
For website operators specifically, the most common triggers for enforcement are:
- Cookie tracking without consent: Installing analytics or marketing cookies before the user opts in. CNIL has been particularly aggressive, issuing fines to organizations of all sizes for this violation.
- Invalid cookie banners: Dark patterns, missing reject options, pre-ticked boxes. Multiple DPAs have issued guidance and fines specifically targeting non-compliant banners.
- Missing or incomplete privacy policies: Failing to disclose all processing activities, data recipients, or data transfer destinations as required by Articles 13/14.
- Google Fonts loaded from Google servers: Following the LG München I ruling of January 2022, which held that loading Google Fonts remotely transmits the visitor’s IP address to Google without a lawful basis, loading fonts from Google’s servers without consent has triggered a wave of complaints, warning letters, and enforcement actions.
- Insecure data handling: Missing HTTPS, inadequate access controls, or exposed personal data.
How GDPR Fines Are Calculated
Article 83 GDPR sets out the framework for determining fine amounts. The maximum penalties, measured against the undertaking’s total worldwide annual turnover of the preceding financial year, are:
- Up to 10,000,000 EUR or 2% of that turnover (whichever is higher) under Art. 83(4) for breaches of the obligations of controllers and processors (Art. 8, 11, 25-39, 42 and 43: data protection by design, processor contracts, records, security, breach notification, DPIAs, DPOs), certification bodies, and monitoring bodies.
- Up to 20,000,000 EUR or 4% of that turnover (whichever is higher) under Art. 83(5) for breaches of the basic processing principles including the conditions for consent (Art. 5, 6, 7 and 9), data subject rights (Art. 12-22), and international transfer rules (Art. 44-49), and under Art. 83(6) for failing to comply with an order of a supervisory authority.
Factors DPAs Consider
Article 83(2) lists the factors that influence the actual fine amount:
| Factor | Increases Fine | Decreases Fine |
|---|---|---|
| Nature, gravity, duration | Large-scale, long-duration | Limited scope, short duration |
| Intentional vs. negligent | Intentional or reckless | Negligent |
| Mitigation measures | None taken after discovery | Proactive remediation |
| Previous violations | History of non-compliance | Clean record |
| Cooperation with DPA | Obstruction or delays | Full, proactive cooperation |
| Categories of data | Special categories (health, biometric) | Standard personal data |
| How DPA learned of violation | Complaint, media report | Self-reported |
| Prior corrective measures | Ignored previous warnings | Implemented prior guidance |
The EDPB Fine Calculation Guidelines
The EDPB’s Guidelines 04/2022 on the calculation of administrative fines (published for consultation in May 2022, final version adopted in May 2023) harmonize fine calculation across DPAs. The five-step methodology is:
- Identify the processing operations concerned and the GDPR provisions infringed, applying Art. 83(3) where the same or linked operations breach several provisions
- Determine a starting amount from the applicable legal maximum (Art. 83(4) or (5)), the seriousness of the infringement (low, medium or high) and the undertaking’s turnover
- Adjust for aggravating or mitigating circumstances (the Art. 83(2) factors)
- Identify the legal maximum for the infringement and ensure the amount does not exceed it
- Check that the final amount is effective, proportionate and dissuasive, and adjust it if it is not
Small Business Risks
The perception that GDPR enforcement only targets large corporations is demonstrably false. DPAs across Europe regularly fine small and medium enterprises.
Typical Small Business Fines
| Country | Typical SME Fine Range | Common Violation |
|---|---|---|
| Germany | 5,000 - 50,000 EUR | Unauthorized email marketing, missing consent |
| France | 5,000 - 150,000 EUR | Cookie tracking without consent |
| Spain | 2,000 - 60,000 EUR | Unlawful video surveillance, marketing without consent |
| Italy | 10,000 - 100,000 EUR | Excessive data collection, transparency failures |
| Netherlands | 5,000 - 50,000 EUR | Insufficient security measures |
The Hidden Cost Beyond Fines
Fines are only one component of the cost of non-compliance:
- Legal fees: Responding to a DPA investigation typically costs 10,000-50,000 EUR in legal counsel
- Remediation costs: Implementing required changes under pressure and scrutiny
- Reputation damage: Public disclosure of enforcement actions erodes customer trust
- Lost business: B2B clients increasingly require proof of GDPR compliance
- Serial complaints: GDPR “bounty hunters” file mass complaints against non-compliant websites, creating ongoing administrative burden
DPA Enforcement Trends
Cross-Border Cooperation
The EDPB’s one-stop-shop mechanism has been criticized for slow handling of cross-border cases, but coordination is improving. The Procedural Regulation proposed by the Commission in July 2023 (COM/2023/348) is designed to harmonize procedural steps and deadlines between lead and concerned supervisory authorities once it is adopted.
Technology-Specific Scrutiny
DPAs are increasingly deploying automated scanning tools to identify non-compliant websites at scale. CNIL, for example, has conducted systematic audits of cookie consent implementations across thousands of French websites.
Complaint-Driven Enforcement
Individuals and advocacy organizations (such as noyb) continue to file strategic complaints targeting common violations. These complaint-driven cases often result in precedent-setting decisions that affect entire industries.
How to Minimize Your Risk
Immediate Actions
- Audit your cookie consent: Ensure no non-essential cookie is set and no third-party tag fires before the user opts in, and make the reject option as prominent as the accept option.
- Review your privacy policy: Verify it covers all Art. 13/14 mandatory disclosures, including every third-party service.
- Check international transfers: Map where your data flows. If any processor is outside the EEA, make sure a transfer mechanism is in place: an adequacy decision (including the EU-US Data Privacy Framework for certified US recipients), or Standard Contractual Clauses backed by a transfer impact assessment.
- Self-host fonts and assets: Do not load Google Fonts, Bootstrap CDN, or similar resources from third-party servers without consent.
- Implement security basics: HTTPS, security headers, access controls, regular updates.
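The checks in the list above, together with the triggers listed under "Website-Specific Violations", can be run mechanically against what a page serves to a first-time visitor who has not touched the cookie banner. The script below is an added example written for this article; it is not code from the original page and not Compliso’s scanner. The sample HTML, the response headers, the first-party hostnames and the set of cookie names it treats as tracking cookies are assumptions constructed for the demonstration.

```python
"""Pre-consent page audit (added example; not the article's or Compliso's code).

Assumed input: the raw HTML and response headers of a page as served to a
fresh visitor who has not interacted with the cookie banner. At that moment no
consent can exist, so every third-party resource fetched and every tracking
cookie set is a finding. All sample data below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Google Fonts hosts: loading from them sends the visitor's IP address to Google.
FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Cookie names set by common analytics/ads tags (Google Analytics, Google Ads,
# Meta Pixel). None is "strictly necessary", so none may be set before opt-in.
# Assumed list for the demo; extend it with whatever your tags actually set.
TRACKING_COOKIES = {"_ga", "_gid", "_gat", "_gcl_au", "_fbp"}
# Minimal "security basics" header baseline.
REQUIRED_HEADERS = {"strict-transport-security", "content-security-policy",
                    "x-content-type-options"}
# @import inside inline <style> also fetches remotely.
CSS_IMPORT = re.compile(r'@import\s+(?:url\()?\s*["\']?([^"\')\s;]+)')


class ResourceCollector(HTMLParser):
    """Collects (tag, url) for every external resource a page references."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.resources.append(("link", a["href"]))
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))

    def handle_data(self, data):
        # Text inside <style> blocks arrives here as raw CSS.
        for url in CSS_IMPORT.findall(data):
            self.resources.append(("style", url))


def audit(first_party_hosts, html, headers):
    """Audit one pre-consent response. Returns a list of (severity, message)."""
    findings = []
    collector = ResourceCollector()
    collector.feed(html)
    for tag, url in collector.resources:
        host = urlparse(url).hostname  # None for relative URLs (same origin)
        if host is None or host in first_party_hosts:
            continue
        if host in FONT_HOSTS:
            findings.append(("high", f"Google Fonts loaded from {host} before consent ({tag}: {url})"))
        else:
            findings.append(("medium", f"third-party {tag} from {host} loaded before consent"))
    seen = set()
    for name, value in headers:
        seen.add(name.lower())
        if name.lower() == "set-cookie":
            # Cookie name is everything before the first '=' of the first attribute.
            cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
            if cookie in TRACKING_COOKIES:
                findings.append(("high", f"tracking cookie {cookie} set before consent"))
    for missing in sorted(REQUIRED_HEADERS - seen):
        findings.append(("low", f"missing security header {missing}"))
    return findings


# Constructed sample: what a fresh visitor receives before touching the banner.
SAMPLE_HOSTS = {"www.example.com", "static.example.com"}
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css">
<style>@import url("https://fonts.gstatic.com/s/roboto/v30/roboto.css");</style>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body><img src="/logo.png"><p>Welcome</p></body></html>"""
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "_ga=GA1.1.123456789.1700000000; Path=/; Max-Age=63072000"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_HOSTS, SAMPLE_HTML, SAMPLE_HEADERS):
        print(f"[{severity:6}] {message}")
```

Capture the inputs with a client that carries no cookies and clicks nothing (`curl -i` on the page URL returns both body and headers), then pass the body, the headers and the set of hostnames you control. Everything the script flags is by definition happening before consent: fix it by self-hosting the asset, gating the tag behind the consent signal, or deferring the cookie. The header check is a floor, not an assessment; a Content-Security-Policy that is present but permits everything still passes it, and a real scan would also need to follow the page’s client-side requests, which a static HTML pass cannot see.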
Ongoing Practices
- Run regular compliance scans (weekly minimum for active websites)
- Document your processing activities (Art. 30 records)
- Train staff on data protection principles
- Respond to data subject requests without undue delay and within one month of receipt (Art. 12(3); extendable by two further months for complex or numerous requests, provided the requester is told within the first month)
- Notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33), unless the breach is unlikely to result in a risk to individuals; inform affected individuals where the risk is high (Art. 34)
- Monitor DPA enforcement decisions in your jurisdiction for evolving expectations
- Review and update your privacy policy quarterly, or after any technology change
What Happens During a DPA Investigation
Understanding the enforcement process helps you prepare:
- Trigger: A complaint is filed, a breach is reported, or the DPA initiates a sector-wide audit
- Information request: The DPA sends a formal questionnaire requesting documentation (processing records, DPIAs, consent mechanisms, data flow maps)
- Assessment: The DPA evaluates your documentation and may conduct on-site or remote inspections
- Preliminary findings: You receive a draft decision with an opportunity to respond
- Final decision: The DPA issues its decision, which may include corrective measures, a reprimand, or a fine
- Appeal: You have the right to appeal to the courts within the deadlines set by national law
The entire process can take 6 to 24 months. During this period, legal costs accumulate regardless of the outcome. Prevention through proactive compliance is invariably cheaper than remediation under regulatory scrutiny.
Compliance Checklist
- All data processing activities have a documented lawful basis
- Cookie consent is opt-in with equal reject/accept prominence
- Privacy policy contains all Art. 13/14 mandatory disclosures
- No third-party fonts or scripts loaded without consent
- International data transfers are covered by appropriate safeguards
- Art. 30 Records of Processing Activities are maintained
- Data breach response procedure is documented
- Data subject request handling process is in place (one-month deadline under Art. 12(3))
- Security measures are adequate (HTTPS, headers, access controls)
- Regular compliance scans are scheduled
Protect Your Business With Compliso
Compliso’s automated scanner checks your website against 30 compliance criteria — covering cookies, trackers, security headers, legal texts, and accessibility. Weekly scans catch regressions before a DPA or complainant does.
Combined with the cookie banner (GDPR-compliant by design, with Google Consent Mode v2 built in) and the privacy policy generator, Compliso gives you a complete compliance toolkit.
Scan your website now to identify risks, or start your free account for continuous monitoring.