Data privacy regulators around the world imposed a combined $4.5 billion in fines during 2025, the highest total since the European Union’s General Data Protection Regulation took effect in 2018, according to a report by law firm DLA Piper published in January 2026.

European data protection authorities accounted for $2.4 billion of the total, with Ireland’s Data Protection Commission and Luxembourg’s Commission nationale pour la protection des données issuing the largest individual penalties against major technology companies.

Meta was fined 1.2 billion euros by the Irish DPC in May 2023 for transferring European user data to servers in the United States without adequate legal safeguards, a penalty that set a new record for GDPR enforcement at the time.

Which Companies Have Faced the Largest Penalties

Meta, Amazon, Google, and TikTok have collectively received more than $3 billion in GDPR fines since 2018, making them the most penalized companies under European privacy law, according to GDPR enforcement tracker Privacy Affairs.

Amazon was fined 746 million euros by Luxembourg’s regulator in 2021 for advertising targeting practices that the authority found violated GDPR consent rules.

Google’s Irish entity was fined 90 million euros in 2022 for failing to provide users with a straightforward way to refuse cookies on YouTube, violating rules on user consent for tracking.

TikTok’s European subsidiary received fines totaling over 400 million euros between 2022 and 2025, covering children’s data protection failures, data transfers to China, and transparency deficiencies.

Privacy Laws Are Expanding Beyond Europe

Nineteen US states had enacted comprehensive consumer data privacy laws as of January 2026, according to the International Association of Privacy Professionals’ state privacy law tracker. California, Virginia, Colorado, Connecticut, Texas, and Florida were among the first to do so.

California’s Privacy Protection Agency began issuing fines in 2023 under the California Privacy Rights Act, which expanded the original California Consumer Privacy Act with stronger enforcement mechanisms and opt-out rights for consumers.

Brazil’s Lei Geral de Proteção de Dados, which mirrors the GDPR in structure, has been enforced by the Autoridade Nacional de Proteção de Dados since 2021. The agency issued its first significant fine in 2023 and has increased enforcement activity each year since.

India enacted a Digital Personal Data Protection Act in 2023, with implementing regulations expected to take effect by mid-2026. The law covers processing of personal data of Indian residents regardless of where the processing occurs.

What Triggers the Largest Penalties

Analysis of enforcement records shows that the highest fines consistently involve three categories of violation: unlawful data transfers to third countries without adequate safeguards, failures of user consent for advertising and tracking, and inadequate protection of children’s data.

Cross-border data transfers have drawn particular attention since the Court of Justice of the European Union struck down the EU-US Privacy Shield framework in 2020, creating uncertainty about the legal basis for data flows between Europe and the United States.

Children’s data violations have resulted in large fines against platforms that failed to verify user ages and continued to profile and target advertising at minors. TikTok and YouTube have each faced penalties in this category.

How Companies Are Responding

Large technology companies have significantly expanded their privacy and data governance teams since 2020. Google, Microsoft, and Meta each employ hundreds of privacy professionals globally in roles that did not exist a decade ago.

Privacy by design, the practice of building data protection into products from the initial development stage rather than adding it after launch, has moved from a regulatory recommendation to a practical business requirement at major firms.

Data localization, which involves storing data from a particular jurisdiction within that jurisdiction’s borders, has become a common strategy for companies seeking to reduce cross-border transfer risk.

Legal teams are using automated data mapping tools to track where personal data flows across corporate systems, a function that was previously handled manually and is now too complex for human tracking alone.

These compliance pressures intersect with broader AI regulation. The EU AI Act enforcement timeline adds a further layer of obligation for companies deploying automated systems that process personal data.

What Small and Medium Businesses Face

Data protection authorities have historically focused enforcement on large companies, but smaller businesses are increasingly receiving fines for basic compliance failures such as inadequate privacy notices, missing cookie consent mechanisms, and insecure data handling practices.

The UK Information Commissioner’s Office issued over 250 enforcement notices and fines against organizations of all sizes in 2025, including several small and medium enterprises that had collected customer data without proper legal bases.

Small businesses operating websites that serve European users are required to comply with GDPR regardless of their size or location. Ignorance of the law is not accepted as a defense in enforcement proceedings.

Companies in the gaming and entertainment sectors face particular scrutiny given the volume of user data collected. Our coverage of mobile gaming’s $100 billion revenue milestone includes a section on loot box regulation and app store legal challenges that intersect with data and consumer protection law.

Frequently Asked Questions

What is the maximum fine under GDPR?

The maximum fine under GDPR is 20 million euros or 4 percent of a company’s total global annual turnover in the preceding financial year, whichever is higher. The higher tier applies to the most serious violations.

Are US companies subject to GDPR?

Yes. Any company that processes personal data of individuals in the European Union, regardless of where the company is based, is subject to GDPR. Many US technology companies have been fined under its provisions.

Trust Post Desk