The companies that ignored data protection laws — and what it cost them. Every case below is a matter of public record.
20
Enforcement actions tracked
$5B
Largest single fine (Facebook FTC, 2019)
9
Countries
$10B+
Combined penalties tracked
$5 Billion
The largest privacy fine in US history. Facebook violated a 2012 FTC consent order through the Cambridge Analytica scandal, which harvested data from 87 million users without consent and used it to target political ads.
$700 Million
A 2017 breach exposed the SSNs, birthdates, addresses, and credit card numbers of 147 million Americans — nearly half the US population. Equifax had failed to patch a known vulnerability for months despite multiple internal warnings.
€1.2 Billion
The largest GDPR fine ever issued. Meta systematically transferred European users' personal data to US servers without adequate legal protections — a structural violation affecting hundreds of millions of people.
€746 Million
Processed customer personal data for advertising without valid consent. Luxembourg's regulator found Amazon's entire cookie-based advertising operation lacked a lawful basis under GDPR.
€405 Million
Set minors' accounts to public by default, publicly exposing their phone numbers and email addresses. Millions of children were affected — their contact details visible to anyone on the platform.
€345 Million
Set children's profiles to public by default and processed minors' data without parental consent. A 'family pairing' feature allowed adults to control a child's account without adequate verification.
€310 Million
Processed member data for behavioural analysis and targeted advertising without a valid legal basis — mischaracterising its legal grounds as 'legitimate interests' and 'consent' that users never genuinely gave.
€290 Million
Transferred sensitive European driver data — including location records, photos, payment details, and trip history — to US servers without the safeguards required after the Schrems II ruling struck down the Privacy Shield.
€225 Million
Failed to adequately explain how user data — and non-user contact data — was shared across the Meta group. GDPR transparency obligations were found to be structurally and systematically breached.
$170 Million
YouTube illegally collected personal data from children under 13 without parental consent, violating COPPA. Ads were targeted at children using data that should never have been collected — across thousands of channels explicitly marketed to kids.
€150 Million
Made rejecting cookies significantly harder than accepting them — accept took one click, reject required multiple steps. GDPR requires consent withdrawal to be as easy as consent itself.
€35.3 Million
Systematically recorded employees' personal conversations after sick leave and holidays, secretly building profiles on their family situations, health conditions, and religious beliefs — for use in HR decisions.
$31.5 Million
Suffered multiple preventable data breaches between 2021 and 2023 that exposed tens of millions of customers' data. The FTC found T-Mobile failed to implement basic security measures despite repeated warnings.
£20 Million
A skimming attack harvested ~400,000 customers' personal and payment card data for over two months. The ICO found British Airways had poor security arrangements and insufficient controls to detect or stop the attack.
£18.4 Million
The Starwood guest reservation system — acquired with the Marriott merger — had been compromised since 2014. By 2018, the breach had exposed 339 million guest records including passports and payment cards. The vulnerability went undetected for four years.
£7.5 Million
Scraped billions of facial images from the internet without consent to build a commercial facial recognition database — no lawful basis, no transparency to individuals, and no way for people to find or delete their face data.
€8 Million
Dropped advertising tracking identifiers on iPhones without users' prior consent, using the same dark pattern as Google. France's CNIL found Apple enabled tracking by default via the App Store before users had the chance to object.
€450,000
Failed to notify the regulator within GDPR's mandatory 72-hour window after discovering a data breach, and failed to document the breach adequately in internal records — a process failure, not a security failure.
$1.2 Million
The first CCPA enforcement action ever. Sephora sold customer data to third-party ad networks without disclosing it as a 'sale' under CCPA, and ignored Do Not Sell signals sent by users through their browsers.
$375,000
Sold customer personal data to a marketing cooperative without disclosing this to users or providing an opt-out. California found DoorDash violated CCPA's right to know and right to opt out of the sale of personal information.
The Digital Personal Data Protection Act, 2023 is law. Enforcement rules are being finalised. When they land, Indian businesses face penalties of up to ₹250 crore (~€27M) per breach — with a total cap of ₹550 crore (~€60M) per incident.
1.4 billion people now have the right to access, correct, and erase their data. India will add its own rows to this table. The question is whether your organisation is ready before enforcement begins.
DPDP Act · Penalty Schedule
Failure to implement data security safeguards
₹250 crore
~€27M
Breach notification failure
₹200 crore
~€22M
Non-compliance with children's data obligations
₹200 crore
~€22M
Non-compliance with Data Principal rights
₹50 crore
~€5.4M
Every violation above came from a fixable problem — bad consent flows, missing breach notifications, no data subject rights process. Conduit gives your organisation the infrastructure to get these right before a regulator comes calling.
FREQUENTLY ASKED