
Biggest GDPR Fines 2025–2026: Lessons From €1.2 Billion in Penalties


Quick answer: In 2025 and 2026, EU data protection authorities issued over €1.2 billion in GDPR fines annually. The most common violations were unlawful data processing, insufficient consent mechanisms, and inadequate security measures. Here are the largest fines and the lessons every website owner should learn from them.

Largest GDPR Fines in 2025–2026

Company          | Fine          | DPA               | Violation                                        | Year
Meta (Facebook)  | €1.2 billion  | Ireland DPC       | Unlawful EU-US data transfers                    | 2023 (upheld 2025)
Meta (Instagram) | €405 million  | Ireland DPC       | Children's data processing                       | 2022
Amazon Europe    | €746 million  | Luxembourg CNPD   | Advertising targeting without consent            | 2021 (enforced 2025)
TikTok           | €345 million  | Ireland DPC       | Children's privacy violations                    | 2023
Criteo           | €40 million   | CNIL (France)     | Tracking without valid consent                   | 2023
Clearview AI     | €20 million   | Multiple DPAs     | Biometric data processing without a legal basis  | 2022
Uber             | €10 million   | Dutch DPA         | Insufficient transparency on data transfers      | 2024
Deutsche Wohnen  | €14.5 million | Berlin DPA        | Excessive data retention                         | 2019 (upheld 2025)

Note that none of these fines was first issued in 2025 or 2026; they are the decisions that still set the ceiling and the precedents enforcement in 2025–2026 builds on.

What Violations Trigger the Biggest Fines?

An analysis of all GDPR enforcement actions shows clear patterns. These categories account for over 80% of total fine value:

Violation Type                              | % of Fine Value | Typical Fine Range
Insufficient legal basis for processing     | 34%             | €50K – €1.2B
Unlawful international data transfers       | 20%             | €100K – €1.2B
Insufficient security measures              | 18%             | €10K – €50M
Non-compliance with data subject rights     | 15%             | €5K – €20M
Cookie consent violations                   | 8%              | €10K – €150M
Insufficient transparency                   | 5%              | €5K – €10M

Lessons for Website Owners

1. Cookie Consent Is Not Optional

The CNIL's €40 million fine against Criteo specifically targeted tracking users without valid consent. If your website loads Google Analytics, Facebook Pixel, or any advertising tracker before the user has actively chosen "Accept", you are committing the same type of violation that led to a €40 million fine. Consent that is pre-ticked, implied by scrolling, or harder to refuse than to give is not valid consent under GDPR.

Fix: Implement a consent banner that loads no non-essential tracker until a choice has been recorded, and that gives "Reject" the same prominence and the same number of clicks as "Accept".

2. Data Transfers Require Proper Safeguards

Meta's record €1.2 billion fine was entirely about transferring EU personal data to the US without adequate protections. Any website that sends personal data to US-based services (Google Analytics, Cloudflare, AWS, Mailchimp and the like) needs a Chapter V transfer mechanism for each one: either the provider is certified under the EU-US Data Privacy Framework (check its listing, not just its marketing page), or you rely on Standard Contractual Clauses, which also require a documented transfer impact assessment. Keep an inventory of which processors receive which data and which mechanism covers them; that inventory is the first thing a DPA asks for.

3. Children's Data Is a Multiplier

Both Meta (€405M) and TikTok (€345M) received massive fines because children's data was involved. If your website can be accessed by users below the digital age of consent (16 under Article 8 GDPR, although member states may lower it to as little as 13), GDPR imposes stricter requirements: parental consent for consent-based processing, plain-language notices, and tighter data minimisation and default privacy settings. Read our COPPA guide for the parallel US rules.

4. Security Breaches Trigger Automatic Scrutiny

GDPR requires notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it. But fines for breaches usually stem from inadequate prevention rather than from the reporting itself: missing encryption, weak authentication, unpatched systems. Security headers are the cheapest part of that picture and the easiest to audit, so fix them first, but they do not substitute for encryption at rest, strong authentication and timely patching.

How Can Small Businesses Avoid Fines?

While headline fines target large companies, small businesses are not exempt. In 2025, the average GDPR fine for SMEs was approximately €50,000. The most effective prevention strategy:

  1. Run a free compliance scan — PrivacyChecker audits your site in 60 seconds
  2. Fix cookie consent first — it's the most commonly audited area
  3. Update your privacy policy — use our GDPR checklist
  4. Monitor continuously — set up drift detection

GDPR Fine Trends: What to Expect in 2026

  • AI enforcement begins: The EU AI Act compliance deadlines in 2026 will create a new wave of enforcement against AI chatbots on websites
  • Cookie enforcement intensifies: The European Commission's proposed "one-click reject" regulation will simplify enforcement against non-compliant banners
  • Cross-border transfers remain hot: Despite the EU-US Data Privacy Framework, challenges continue and transfers to non-adequate countries face increased scrutiny
  • Data breach fines rising: Daily breach notifications rose 22% in 2025, and DPAs are increasingly issuing fines for preventable breaches

Frequently Asked Questions

What is the maximum GDPR fine?

The maximum fine under GDPR is €20 million or 4% of annual global turnover, whichever is higher. For large tech companies, this means fines in the hundreds of millions. The largest single fine to date is Meta's €1.2 billion penalty for unlawful data transfers.

Can small businesses receive GDPR fines?

Yes. GDPR applies to organizations of all sizes. While regulators typically focus on larger companies, DPAs have fined small businesses for violations like missing privacy policies, processing data without consent, and failing to respond to data subject requests. Fines for small businesses typically range from €5,000 to €100,000.

How do I know if my website is at risk?

The easiest way is to run a free privacy compliance scan. It checks the most commonly fined violations: cookie consent, tracker loading, privacy policy gaps, and security header issues.
