Privacy Violations

$10billioninprivacyviolations.And counting.

The companies that ignored data protection laws — and what it cost them. Every case below is a matter of public record.

20

Enforcement actions tracked

$5B

Largest single fine (Facebook FTC, 2019)

9

Countries

$10B+

Combined penalties tracked

Documented Cases

20 real violations. All on the public record.

Facebook
Facebook
2019

$5 Billion

FTC · US FederalUnited States

The largest privacy fine in US history. Facebook violated a 2012 FTC consent order through the Cambridge Analytica scandal, which harvested data from 87 million users without consent and used it to target political ads.

Invalid Consent
Read more
EQ
Equifax
2019

$700 Million

FTC · US FederalUnited States

A 2017 breach exposed the SSNs, birthdates, addresses, and credit card numbers of 147 million Americans — nearly half the US population. Equifax had failed to patch a known vulnerability for months despite multiple internal warnings.

Data Breach
Read more
Meta
Meta
2023

€1.2 Billion

EU · GDPRIreland

The largest GDPR fine ever issued. Meta systematically transferred European users' personal data to US servers without adequate legal protections — a structural violation affecting hundreds of millions of people.

Illegal Data Transfer
Read more
Amazon
Amazon
2021

€746 Million

EU · GDPRLuxembourg

Processed customer personal data for advertising without valid consent. Luxembourg's regulator found Amazon's entire cookie-based advertising operation lacked a lawful basis under GDPR.

Invalid Consent
Read more
Instagram
Instagram
2022

€405 Million

EU · GDPRIreland

Set minors' accounts to public by default, publicly exposing their phone numbers and email addresses. Millions of children were affected — their contact details visible to anyone on the platform.

Children's Data
Read more
TikTok
TikTok
2023

€345 Million

EU · GDPRIreland

Set children's profiles to public by default and processed minors' data without parental consent. A 'family pairing' feature allowed adults to control a child's account without adequate verification.

Children's Data
Read more
LinkedIn
LinkedIn
2024

€310 Million

EU · GDPRIreland

Processed member data for behavioural analysis and targeted advertising without a valid legal basis — mischaracterising its legal grounds as 'legitimate interests' and 'consent' that users never genuinely gave.

Invalid Consent
Read more
Uber
Uber
2024

€290 Million

EU · GDPRNetherlands

Transferred sensitive European driver data — including location records, photos, payment details, and trip history — to US servers without the safeguards required after the Schrems II ruling struck down the Privacy Shield.

Illegal Data Transfer
Read more
WhatsApp
WhatsApp
2021

€225 Million

EU · GDPRIreland

Failed to adequately explain how user data — and non-user contact data — was shared across the Meta group. GDPR transparency obligations were found to be structurally and systematically breached.

Lack of Transparency
Read more
YouTube
YouTube
2019

$170 Million

FTC · US FederalUnited States

YouTube illegally collected personal data from children under 13 without parental consent, violating COPPA. Ads were targeted at children using data that should never have been collected — across thousands of channels explicitly marketed to kids.

Children's Data
Read more
Google
Google
2022

€150 Million

EU · GDPRFrance

Made rejecting cookies significantly harder than accepting them — accept took one click, reject required multiple steps. GDPR requires consent withdrawal to be as easy as consent itself.

Invalid Consent
Read more
H&M
H&M
2020

€35.3 Million

EU · GDPRGermany

Systematically recorded employees' personal conversations after sick leave and holidays, secretly building profiles on their family situations, health conditions, and religious beliefs — for use in HR decisions.

Employee Surveillance
Read more
TM
T-Mobile
2024

$31.5 Million

FTC · US FederalUnited States

Suffered multiple preventable data breaches between 2021 and 2023 that exposed tens of millions of customers' data. The FTC found T-Mobile failed to implement basic security measures despite repeated warnings.

Data Breach
Read more
British Airways
British Airways
2020

£20 Million

UK · GDPRUnited Kingdom

A skimming attack harvested ~400,000 customers' personal and payment card data for over two months. The ICO found British Airways had poor security arrangements and insufficient controls to detect or stop the attack.

Data Breach
Read more
Marriott
Marriott
2020

£18.4 Million

UK · GDPRUnited Kingdom

The Starwood guest reservation system — acquired with the Marriott merger — had been compromised since 2014. By 2018, the breach had exposed 339 million guest records including passports and payment cards. The vulnerability went undetected for four years.

Data Breach
Read more
CV
Clearview AI
2022

£7.5 Million

UK · GDPRUnited Kingdom

Scraped billions of facial images from the internet without consent to build a commercial facial recognition database — no lawful basis, no transparency to individuals, and no way for people to find or delete their face data.

Invalid Consent
Read more
Apple
Apple
2022

€8 Million

EU · GDPRFrance

Dropped advertising tracking identifiers on iPhones without users' prior consent, using the same dark pattern as Google. France's CNIL found Apple enabled tracking by default via the App Store before users had the chance to object.

Invalid Consent
Read more
Twitter / X
Twitter / X
2022

€450,000

EU · GDPRIreland

Failed to notify the regulator within GDPR's mandatory 72-hour window after discovering a data breach, and failed to document the breach adequately in internal records — a process failure, not a security failure.

Data Breach
Read more
S
Sephora
2022

$1.2 Million

CCPA · CaliforniaUnited States

The first CCPA enforcement action ever. Sephora sold customer data to third-party ad networks without disclosing it as a 'sale' under CCPA, and ignored Do Not Sell signals sent by users through their browsers.

Invalid Consent
Read more
DoorDash
DoorDash
2024

$375,000

CCPA · CaliforniaUnited States

Sold customer personal data to a marketing cooperative without disclosing this to users or providing an opt-out. California found DoorDash violated CCPA's right to know and right to opt out of the sale of personal information.

Invalid Consent
Read more
India · DPDP Act 2023

India's violations are coming.

The Digital Personal Data Protection Act, 2023 is law. Enforcement rules are being finalised. When they land, Indian businesses face penalties of up to ₹250 crore (~€27M) per breach — with a total cap of ₹550 crore (~€60M) per incident.

1.4 billion people now have the right to access, correct, and erase their data. India will add its own rows to this table. The question is whether your organisation is ready before enforcement begins.

DPDP Act · Penalty Schedule

Failure to implement data security safeguards

₹250 crore

~€27M

Breach notification failure

₹200 crore

~€22M

Non-compliance with children's data obligations

₹200 crore

~€22M

Non-compliance with Data Principal rights

₹50 crore

~€5.4M

For businesses

Don't appear on this list.

Every violation above came from a fixable problem — bad consent flows, missing breach notifications, no data subject rights process. Conduit gives your organisation the infrastructure to get these right before a regulator comes calling.

FREQUENTLY ASKED

Privacy enforcement, answered.

What is the largest privacy fine ever issued?
The largest to date is Meta’s €1.2 billion GDPR fine, issued by Ireland’s Data Protection Commission in 2023 for unlawful EU–US transfers of personal data.
Who issues GDPR fines?
National data protection authorities — such as Ireland’s DPC and France’s CNIL — can fine organisations up to €20 million or 4% of global annual turnover, whichever is higher.
Can US companies be fined for privacy violations?
Yes. The FTC and state regulators such as California’s have issued significant penalties, and the CCPA allows civil penalties assessed per violation.
What commonly triggers privacy enforcement?
Frequent triggers include unlawful data transfers, missing or invalid consent, failure to honour data subject requests, inadequate security, and tracking users without proper disclosure.
How can companies avoid privacy fines?
Respond to data subject requests on time, keep consent and processing records, and retain audit evidence — the core compliance work that Privacy Conduit automates.