5 Biggest GDPR Fines to Date [2023 Update]

• GDPR fines are one of the strongest enforcement levers available to privacy regulators in the EU.

• Privacy fines have more than doubled in the last three years and the three largest fines combined total over $1.5 billion.

• The five biggest GDPR fines were levied on Amazon, Instagram, WhatsApp, Google, and Google Ireland.

• This post explores why these GDPR fines were levied, how they could have been addressed, and best practices for avoiding fines in the future.

5 biggest GDPR fines to date

• Amazon — $877 million

• Instagram — $400 million

• WhatsApp — $266 million

• Google — $102 million + $68 million

• Facebook — $60 million

How to avoid GDPR fines in 2023

• Publish a comprehensive privacy policy

• Ensure valid collection of consent

• Ensure security for sensitive data

• Practice data minimization

• Process employee data only when necessary

GDPR fines increased 120% between March 2018 and March 2021, according to a report by legal firm CMS.

And 2021 saw some of the biggest privacy fines yet. Amazon, WhatsApp, and Google were slapped with fines that together totaled over $1.3 billion.

It varies from case-to-case, but the most common triggers for GDPR fines are:

• Insufficient legal basis for data processing

• Failure to sufficiently ensure information security

• Non-compliance with general data processing principles

• Insufficient fulfillment of data subjects’ rights

Essentially, companies are being fined for collecting and processing consumer data when they shouldn’t be, failing to protect consumer data, and generally flouting the mandates laid out by the GDPR.

We’ll dive a little deeper into the three largest fines to date below.

In their July 2021 earnings report, Amazon revealed a €746 fine levied by the Luxembourg National Commission for Data Protection (CNDP)––the largest GDPR fine to date by far.

Though the exact details of Amazon’s violation are still fuzzy, the original complaint cites a lack of “free consent.”

Three months after receiving the fine, Amazon officially filed for appeal, which is why details on the case aren’t yet publicly available. However, what little we know is still telling.

GDPR Article 4 states consent must be “freely given, informed, and unambiguous,” so any fine citing invalid consent indicates that one or more of those requirements was not met.

The 2021 fine was actually Amazon’s second consent related fine. In 2020, they received a $42M fine from CNIL, France’s privacy watchdog, for placing cookies without user consent. Dropping cookies without consent is a clear violation.

However, privacy watchdogs throughout Europe have also cracked down on deceptive cookie consent practices. In early 2021, Google and Facebook both received multi-million dollar fines for employing dark patterns i.e. designing consent interfaces in a way that coerces users into accepting cookies. Only providing an ‘Accept all’ button is one example of a common dark pattern.

Without more detail it’s difficult to say exactly what Amazon could have done to avoid this massive fine. However, strictly adhering to the GDPR’s consent guidelines by ensuring user consent is freely given, specific, informed, and unambiguous would be a good start.

In Sept 2022, Irish data protection authorities fined Instagram a record-breaking €405 million ($402M)—the second larger GDPR fine ever.

Ireland's Data Protection Commission (DPC) started their investigation in 2020, focusing on Instagram users aged 13-17 who were able to open Instagram business accounts. The issue being that Instagram business account are defaulted to "public," so can be viewed by anyone and allowed user's phone numbers and emails to be published publicly.

GDPR requires abundantly transparent communications about privacy policies for services that target minors. It also has clear requirements around privacy by design and defaulting to the highest levels or privacy, especially as it relates to children's data online.

Though Instagram reportedly plans to dispute the penalty, the DPC is currently involved in at least six other investigations into Meta-owned companies.

In Sept 2021, WhatsApp received the third largest GDPR fine to date from Ireland’s Data Privacy Commission (DPC). The €225M penalty was levied for failing to include “legitimate interests” for data processing in their company privacy policy.

Companies under the GDPR must be transparent about how user data is gathered and shared, and are required to provide this information on their website in an easily accessible privacy policy.

According to the ruling, WhatsApp failed to:

• Provide necessary privacy information to WhatsApp users

• Provide information about how WhatsApp users’ contacts’ data is processed

• Make important privacy information easily available

WhatsApp is appealing the fine, but other organizations can still take important lessons from this penalty. First and foremost––providing clear, easily accessible privacy information is crucial.

Forcing a user to click through multiple layers of linked documents, or including long blocks of text that relay little meaningful information are both grounds for fines.

It’s also important that your privacy policy includes detailed information about how and why data is being processed, including your legal basis for processing, data recipients (as well as categories of data recipients), retention periods, and more.

Finding and documenting this level of detail is time-consuming, but glossing over aspects of your data processing operations can result in significant penalties.

Google’s 2021 GDPR fine came in two parts––a €90 million fine for Google LLC and a €60 million fine for Google Ireland. Both fines were levied on the same day for the same reasons.

The key difference is that the Google Ireland fine was in regards to the google.fr domain, whereas Google LLC was fined for violations on the google.com domain.

CNIL's investigated focused on cookie violations on Google-owned video streaming platform Youtube, as well as on main Google search engine.

The privacy regulator concluded that Google was using non-compliant cookie consent mechanisms, which made it too difficult for users to refuse cookie collection on both Youtube and Google Search.

According to France’s privacy watchdog CNIL, Youtube users only had to click once to accept cookies, whereas refusing cookies took multiple clicks.

CNIL’s complaint stated that Google purposefully made the consent mechanisms more complex to push consumers to accept cookies––a clear violation of the GDPR’s requirement that companies provide equally simple ways to opt into or out of data collection.

Similar to Google's 2021 fine, Facebook received a €60 million GDPR fine for failing to give users way to refuse cookies as easily as they could accept them. Users had to go through several clicks when refusing cookies, whereas accepting them only required clicking one button.

More than that, the button to reject cookies was labeled "Accept cookies" and was located at the bottom of the second screen in the consent interface. Regulators made the case that this made rejecting cookies and unnecessarily difficult and confusing process—a clear violation of GDPR Article 4, which states consent must be "freely given, specific, informed and unambiguous."

2021 saw a slew of record breaking GDPR fines and 2022 showed no sign of slowing down.

In January 2022, Google Ireland and Google LLC received a combined fine of $170M, while France’s CNIL slapped Facebook with a $68M fine for failing to obtain valid user consent.

Then on March 17, 2022, Facebook received yet another fine––this time levied by Ireland’s Data Protection Commission––for failing to show they could protect user’s data.

It’s clear GDPR fines are here to stay and, though all the largest fines have been levied on tech giants, it’s not just large companies who should be concerned.

Check out the GDPR enforcement tracker for a complete list of GDPR fines, many of which were dealt to smaller organizations.

To avoid hefty fines and support users’ data rights, organizations should take the following steps.

Privacy policies are an important compliance tool. Not only are they explicitly required, they also give users the information they need to successfully exercise their data rights.

Make sure your policy addresses the full scope of operations. Outline what information you will collect, keep, and share with third parties and provide a way for consumers to submit data subject access requests.

Remember, the policy should be straightforward, transparent, and easy for users to find and access. Don’t underestimate the importance of this piece.

If GDPR regulators feel your privacy policy is unnecessarily complex, difficult to access, or attempting to hide information i.e. making users click through multiple embedded links to find the information they need––that is grounds for a fine.

Under GDPR, consent must be “freely given, informed, and unambiguous.”

Attempting to influence or trick users into accepting cookies is viewed as a violation. Even something seemingly innocuous, like providing an ‘Accept all’ button but not a ‘Reject all’ button, can be considered a dark pattern.

According to European privacy watchdog NOYB, dark patterns “get more than 90% of users to click the “accept” button while industry statistics show that only 3% actually want to agree.”

In March 2022, NOYB sent 270 website owners draft complaints about deceptive cookie banners, with the aim of encouraging website owners to redesign their banners with GDPR guidelines in mind.

Though the initial foray was draft complaints, NOYB Chairman Max Schrems stated:

“We want to ensure compliance, ideally without filing cases. If a company however continues to violate the law, we are ready to enforce users’ rights.”

So what should you do as an organization?

Provide three different buttons upfront: Accept all, Reject all, and Show purposes. That way consumers can provide valid consent upfront, and your organization won’t be open to a dark patterns accusation.

Regulatory agencies place the responsibility for protecting user data on data controllers and processors i.e. the businesses who are collecting and using user data.

This means businesses must take steps, not only to ensure data security, but also to provide accessible documentation about their security measures.

Use up-to-date cybersecurity measures such as identity and access management (IDAM), third-party regulation, and end-to-end encryption for sensitive data.

Effective IDAM places limits on who has access to sensitive data, giving people only what they need to do their job correctly. Third-party regulation means vetting third-party processors appropriately and drawing up clear, comprehensive contracts around how data is processed and secured.

Data breaches are another important consideration. For businesses that process large quantities of user data, security breaches can mean sensitive consumer information has been compromised.

Both known and suspected breaches must be reported within 72 hours in order to avoid GDPR fines.

That’s why it’s also recommended that organizations document and socialize an incident response plan throughout the company, so everyone knows what’s expected and how to respond in the event of potential security breach.

Data minimization is a core GDPR principle, so companies should take steps to holistically limit the data they collect and process throughout the organization.

GDPR Article 5 states that:

Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)

What does this mean in practice? The UK’s Information Commissioner’s Office (ICO) provides helpful clarification on this topic:

• Adequate – sufficient to fulfill your stated purpose;

• Relevant – has a clear link to that purpose; and

• Limited to what is necessary – you do not hold more than you need for that purpose.

In practical terms, data minimization is more of a framework for considering how and why your organization collects data. That said, outlining, documenting, and circulating data minimization best practices throughout your organization can go a long way.

IAPP offers further resources on applying data minimization.

One fairly simple way to strengthen your GDPR compliance is to limit the amount of data you collect on your employees.

When collecting internal data from employees, employers do not need explicit consent. However, they must be able to make an argument for ‘legitimate interest,’ which can be more difficult than it sounds.

In 2021, German retailer notebooksbilliger.de received a €10.4 million fine for failing to provide a valid legal basis for monitoring employees using CCTV cameras.

By monitoring employees in break rooms, warehouses, and point of sales, regulators argued the retailer overstepped what could be considered a legitimate interest.

Regulators also felt notebooksbilliger.de had violated data minimization principles by keeping the recorded footage for over 60 days.

Despite not requiring consent, processing employee data has clear pitfalls––so best practice is to minimize that form of processing wherever possible.

Our mission is to make it simple for companies to give their users control of their data by encoding privacy across their tech stack.

Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent with Transcend Consent, or seamlessly generate Records of Processing Activity (ROPA) for GDPR compliance with Data Mapping.

Looking to evaluate your current privacy program and discover any hidden costs? Explore our privacy request cost calculator.