Privacy Enforcement Tracker
Every major public privacy enforcement action in one canonical reference: 26 FTC / CFPB / FCC / state-AG data-broker cases (each with a dedicated detail page citing the government press release), plus 27 California CCPA settlements, the 37 largest GDPR fines, and 8 BIPA biometric settlements. Sourced from ftc.gov, oag.ca.gov, CMS GDPR Enforcement Tracker, and court records. Totals: $5,836,890,000 federal + $1,022,975,000 CCPA + €5,756,200,000 GDPR + $1,046,500,000 BIPA.
| Tracker | Count | Total |
|---|---|---|
| FTC / CFPB / FCC / State AG | 26 | $5,836,890,000 |
| CCPA Enforcement | 27 | $1,022,975,000 |
| GDPR Fines (top 30) | 37 | €5,756,200,000 |
| BIPA Settlements | 8 | $1,046,500,000 |
FTC, CFPB, FCC, and State AG Data-Privacy Enforcement
Curated federal and multi-state data-privacy enforcement cases. Each row links to a detail page with key facts, injunctive terms, statute citations, and direct links to the primary-source government press release and consent order. Sources: ftc.gov, consumerfinance.gov, fcc.gov, state AG press releases.
| Respondent | Agency | Date | Settlement | Summary |
|---|---|---|---|---|
| Avast Limited | FTC | 2024-02-22 | $16,500,000 | Avast, a popular antivirus vendor, sold consumers’ browsing data through its Jumpshot subsidiary without adequate notice or consent despite marketing its products as privacy-protecting. |
| X-Mode Social, Inc. | FTC | 2024-01-09 | Injunctive | First-ever FTC order prohibiting a data broker from selling sensitive location data. X-Mode / Outlogic sold precise geolocation that could identify consumers’ visits to medical, reproductive-health, religious, and military locations. |
| InMarket Media, LLC | FTC | 2024-01-18 | Injunctive | InMarket collected precise location data from at least 100 million devices, combined it with sensitive categories (religion, health), and sold it for advertising without adequate consumer consent. |
| Kochava, Inc. | FTC | 2022-08-29 | Injunctive | First FTC lawsuit targeting a data broker for selling precise location data. FTC alleges Kochava sold geolocation tracing visits to reproductive-health clinics, addiction recovery centers, and places of worship. |
| BetterHelp, Inc. | FTC | 2023-03-02 | $7,800,000 | Online counseling platform BetterHelp shared sensitive mental-health information of ~7 million consumers with Facebook, Snapchat, Pinterest, and Criteo for targeted advertising, despite promises it would not. |
| GoodRx Holdings, Inc. | FTC | 2023-02-01 | $1,500,000 | Prescription drug discount platform GoodRx shared users’ prescription medication lists and personal health information with Facebook, Google, and other advertising companies. |
| Rite Aid Corporation | FTC | 2023-12-19 | Injunctive | Rite Aid deployed facial recognition technology in hundreds of stores that falsely identified consumers, disproportionately people of color and women, as shoplifters. |
| Facebook, Inc. | FTC | 2019-07-24 | $5,000,000,000 | Largest-ever FTC civil penalty. Facebook paid $5 billion and accepted a 20-year consent order after the Cambridge Analytica incident and related privacy failures violated its 2012 FTC order. |
| Equifax, Inc. | multi-state | 2019-07-22 | $575,000,000 | Equifax, one of the three US consumer credit bureaus, agreed to pay up to $700 million in connection with its 2017 breach that exposed personal information of ~147 million Americans. |
| Cerebral, Inc. | FTC | 2024-04-15 | $7,000,000 | Online mental-health service Cerebral disclosed sensitive patient information to third parties including LinkedIn, Snapchat, and TikTok and used dark patterns to make canceling subscriptions difficult. |
| Easy Healthcare Corporation (Premom) | FTC | 2023-05-17 | $200,000 | Fertility-tracking app Premom shared sensitive reproductive-health information, including pregnancy status, with AppsFlyer, Google, and Chinese firms without disclosure. |
| Flo Health, Inc. | FTC | 2021-01-13 | Injunctive | Menstruation and fertility tracker Flo Health shared app-users’ pregnancy intent and period-cycle data with Facebook, Google, and analytics firms despite assurances of privacy. |
| Amazon.com, Inc. | FTC | 2023-05-31 | $25,000,000 | Amazon kept children’s Alexa voice recordings indefinitely, used them to train its algorithms, and ignored parents’ deletion requests, violating COPPA. |
| Ring LLC | FTC | 2023-05-31 | $5,800,000 | Ring let employees and contractors access customer video footage and failed to implement basic security controls, allowing attackers to hijack thousands of customer cameras. |
| Vizio, Inc. | FTC | 2017-02-06 | $2,200,000 | Vizio installed tracking software on 11 million smart TVs that captured viewing data second-by-second and sold it, including linked demographic profiles, to advertisers without consumer knowledge. |
| Drizly, LLC | FTC | 2022-10-24 | Injunctive | Online alcohol-delivery platform Drizly exposed the personal data of about 2.5 million consumers in a 2020 breach after ignoring known security flaws. Precedent-setting case imposing personal obligations on the CEO. |
| Chegg, Inc. | FTC | 2022-10-31 | Injunctive | Online education company Chegg suffered four data breaches affecting ~40 million consumers and employees due to repeatedly inadequate security practices. |
| Residual Pumpkin Entity, LLC (formerly CafePress) | FTC | 2022-06-23 | $500,000 | CafePress ignored a 2019 data breach, failed to notify 22 million users, and then falsely claimed to reset passwords that it was actually leaving unchanged. |
| Twitter, Inc. | FTC | 2022-05-25 | $150,000,000 | Twitter used phone numbers and email addresses collected for account security to target advertising, the same practice that was supposed to end under its 2011 FTC order. |
| Sephora USA, Inc. | state-AG | 2022-08-24 | $1,200,000 | First-ever public CCPA enforcement settlement. Sephora failed to disclose that it was selling personal information and did not honor Global Privacy Control opt-out signals. |
| DoorDash, Inc. | state-AG | 2024-02-21 | $375,000 | First public enforcement action targeting a company’s participation in a marketing co-operative. DoorDash sold personal information via a marketing exchange without notifying consumers or providing an opt-out. |
| Healthline Media LLC | state-AG | 2025-07-01 | $1,550,000 | Health-information publisher Healthline shared article-reading data indicating users’ specific health conditions with advertisers without honoring opt-outs. Largest CCPA settlement at time of resolution. |
| Disney Entertainment and Sports, LLC | state-AG | 2026-02-11 | $2,750,000 | Largest CCPA settlement to date. Disney’s Disney+, Hulu, and ESPN+ apps did not honor opt-out-of-sale requests across all of a user’s devices and did not protect children’s data. |
| T-Mobile USA, Inc. | FCC | 2024-09-30 | $31,500,000 | T-Mobile settled with the FCC over multiple data breaches that collectively exposed information of 76 million customers between 2021 and 2023. |
| Musical.ly (TikTok) | FTC | 2019-02-27 | $5,700,000 | Largest COPPA penalty at the time. Musical.ly (now TikTok) collected personal information from children under 13 without parental consent. |
| 23andMe Holding Co. | multi-state | 2025-06-02 | $2,315,000 | Genetic-testing company 23andMe suffered a credential-stuffing breach exposing genetic and ancestral data of 6.9 million users. UK ICO imposed a £2.31M penalty; US multi-state actions followed. |
California CCPA & Privacy Enforcement
Sourced from the California Attorney General’s Privacy Enforcement Actions page. Includes CCPA, CalOPPA, CMIA (medical), KOPIPA (student), and broader consumer-protection enforcement.
| Entity | Date | Settlement | Violation | Summary |
|---|---|---|---|---|
| Disney | 2026-02-11 | $2,750,000 | CCPA | Failed to effectuate opt-out of sale requests across Disney+, Hulu, and ESPN+ devices. |
| Jam City, Inc. | 2025-11-21 | $1,400,000 | CCPA | No opt-out methods in apps; shared children’s data without parental consent. |
| Illuminate Education | 2025-11-06 | $3,250,000 | KOPIPA / CA Privacy | 2021 data breach; failed security for student records. |
| Sling TV LLC | 2025-10-30 | $530,000 | CCPA | Confusing opt-out process; inadequate child privacy protections. |
| Healthline Media LLC | 2025-07-01 | $1,550,000 | CCPA | Tracked health information and shared sensitive data without safeguards. |
| Tilting Point Media LLC | 2024-06-19 | $500,000 | CCPA / COPPA | Collected children’s data in mobile game without parental consent. |
| Blackbaud | 2024-06-13 | $6,750,000 | Consumer Protection | 2020 data breach; inadequate security measures. |
| DoorDash | 2024-02-21 | $375,000 | CCPA / CalOPPA | Sold customer data via marketing co-operative without notice or opt-out opportunity. First public CCPA enforcement targeting marketing co-op data sales. |
| | 2023-09-14 | $93,000,000 | Consumer Protection | Location tracking without consumer consent for ad profiling. Multi-state settlement; CA portion. |
| Kaiser Foundation Health Plan | 2023-09-08 | $49,000,000 | Privacy / Waste | Improperly disposed of medical waste and health records. |
| Sephora | 2022-08-24 | $1,200,000 | CCPA | First-ever public CCPA enforcement. Failed to disclose sales of personal information; ignored Global Privacy Control signals. |
| Glow, Inc. | 2020-09-17 | $250,000 | CMIA / Data Security | Reproductive-health app lacked basic security protections for sensitive user data. |
| Anthem Blue Cross Life and Health Insurance | 2020-09-30 | $8,690,000 | Consumer Protection | 2014 breach exposed data of 13.5 million Californians. |
| Equifax | 2019-07-22 | $600,000,000 | Consumer Protection | 2017 breach exposed 15 million Californians. Multi-state settlement; includes CA portion. |
| Premera Blue Cross | 2019-07-11 | $10,000,000 | Privacy Laws | 2014 phishing breach exposed 10.5 million consumers. |
| Aetna | 2019-01-30 | $935,000 | Medical Privacy | Mailing envelope revealed recipients’ HIV medication status. |
| Uber Technologies | 2018-09-26 | $148,000,000 | Data Breach / Security | 2016 data breach covered up for over one year. |
| Cottage Health System | 2017-11-22 | $2,000,000 | State / Federal Privacy | Failed safeguards for patient medical information. |
| Lenovo | 2017-09-05 | $3,500,000 | Consumer Protection | Pre-installed ad-injecting software compromised security. |
| Target | 2017-05-23 | $18,500,000 | Consumer Protection | 2013 POS breach compromised 40M+ payment cards. |
| Wells Fargo Bank | 2016-03-28 | $8,500,000 | CA Penal Code Privacy | Recorded customer calls without timely disclosure. |
| Houzz | 2015-10-02 | $175,000 | Privacy Laws | Recorded calls without notifying all parties. |
| Comcast | 2015-09-17 | $33,000,000 | Privacy Law | Posted unlisted phone numbers online. |
| Aaron’s, Inc. | 2014-10-13 | $28,400,000 | Consumer Protection | Installed spyware on rental computers. |
| Kaiser Foundation Hospitals (USB incident) | 2014-01-23 | $150,000 | Data Breach Notification | Delayed notifying employees of lost USB drive. |
| Citibank | 2013-08-28 | $420,000 | Data Security | Unencrypted website vulnerability exposed customer accounts. |
| Anthem Blue Cross | 2012-10-01 | $150,000 | Privacy Law | Social security numbers visible on mailing envelopes. |
GDPR Enforcement (Top 30 fines)
Top 30 largest GDPR fines issued by EU + UK data protection authorities. Sourced from CMS Law’s GDPR Enforcement Tracker. Over 2,245 total fines have been issued under GDPR, totalling €5.65B+ cumulative as of 2026.
| Defendant | DPA | Country | Fine | Year | Violation |
|---|---|---|---|---|---|
| Meta Platforms Ireland | DPC | Ireland | €1,200,000,000 | 2023 | Unlawful data transfers of Facebook EU user data to the United States. |
| Amazon Europe Core | CNPD | Luxembourg | €746,000,000 | 2021 | Tracking user data without appropriate consent for targeted advertising. |
| TikTok | DPC | Ireland | €530,000,000 | 2024 | Transfers of EEA user data to China; inadequate transparency. |
| Instagram (Meta) | DPC | Ireland | €405,000,000 | 2022 | Processing children’s data without legal basis; minors’ contact info public by default. |
| Meta Platforms Ireland | DPC | Ireland | €390,000,000 | 2023 | Unclear legal basis for data processing; contract reliance instead of consent. |
| TikTok Limited | DPC | Ireland | €345,000,000 | 2023 | Collecting personal data of children under 13; automatically public profiles. |
| LinkedIn Ireland | DPC | Ireland | €310,000,000 | 2024 | Behavioural advertising based on personal data without valid legal basis. |
| Uber Technologies | AP | Netherlands | €290,000,000 | 2024 | Unlawful personal-data transfers of EU drivers to US servers. |
| Meta (Facebook) | DPC | Ireland | €265,000,000 | 2022 | Personal information dataset scraped and made publicly available. |
| WhatsApp Ireland | DPC | Ireland | €225,000,000 | 2021 | Unclear privacy policies; transparency failures on data usage. |
| Google LLC | CNIL | France | €90,000,000 | 2021 | Failing to provide easy cookie-refusal methods. |
| Google Ireland | CNIL | France | €60,000,000 | 2021 | Difficult cookie-refusal mechanisms on YouTube. |
| Facebook Ireland Ltd. | CNIL | France | €60,000,000 | 2021 | No simple methods to refuse cookies. |
| CRITEO | CNIL | France | €40,000,000 | 2023 | Failing to ensure opt-in consent; inadequate user-rights information. |
| H&M | HmbBfDI | Germany | €35,300,000 | 2020 | Excessive employee records; family, religion, and health information tracked. |
| TIM (Telecom Italia) | Garante | Italy | €27,800,000 | 2020 | Unlawful telemarketing calls; inadequate privacy policies. |
| Enel Energia | Garante | Italy | €26,500,000 | 2022 | Unlawful customer data use for telemarketing without consent. |
| Clearview AI | Garante | Italy | €20,000,000 | 2022 | Processing biometric and geolocation data without legal basis. |
| Clearview AI | CNIL | France | €20,000,000 | 2022 | Processing millions of personal data records; non-compliance with deletion orders. |
| Clearview AI | HDPA | Greece | €20,000,000 | 2022 | Collecting photos and selfies without consent. |
| Wind Tre | Garante | Italy | €16,700,000 | 2020 | Telemarketing calls and texts without consent; public data disclosure. |
| Meta Platforms Ireland | DPC | Ireland | €17,000,000 | 2022 | Inadequate technical measures for 2018 data breaches. |
| TikTok | ICO | United Kingdom | €14,500,000 | 2023 | Collecting data from children under 13 without parental consent. |
| Vodafone Italia | Garante | Italy | €12,250,000 | 2020 | Marketing calls without consent; continued contact after opt-out. |
| Eni Gas e Luce | Garante | Italy | €11,500,000 | 2019 | Customer data storage without legal basis; unsolicited telemarketing. |
| Google LLC | AEPD | Spain | €10,000,000 | 2022 | Unlawful EU citizen data transfers; complicated right-to-be-forgotten process. |
| Clearview AI Inc. | ICO | United Kingdom | €8,750,000 | 2022 | Collecting facial recognition images without lawful basis. |
| REWE International | DSB | Austria | €8,000,000 | 2022 | Loyalty program data collection without user consent. |
| Grindr | Datatilsynet | Norway | €6,300,000 | 2021 | Sharing sensitive personal data (sexual orientation) to advertisers without consent. |
| Cosmote Mobile Telecommunications | HDPA | Greece | €6,000,000 | 2022 | Data breach exposure; inadequate pseudonymization. |
| CaixaBank | AEPD | Spain | €6,000,000 | 2021 | Invalid consent methods; unlawful data transfers to third parties. |
| Meta Platforms Ireland (2018 breach) | DPC | Ireland | €251,000,000 | 2024 | 2018 data breach re-finalisation; improper breach notification and poor system design. |
| Meta (plaintext passwords) | DPC | Ireland | €91,000,000 | 2024 | Storing hundreds of millions of Facebook and Instagram user passwords in plaintext. |
| Enel Energia SpA | Garante | Italy | €79,100,000 | 2024 | Unlawful customer data acquisition by sales partners; inadequate security controls. |
| Google LLC | CNIL | France | €50,000,000 | 2019 | Lack of transparency and invalid consent for ad personalisation — first major GDPR fine against Big Tech. |
| Amazon France Logistique | CNIL | France | €32,000,000 | 2024 | Excessive worker monitoring system; unlawful retention of warehouse-worker productivity data. |
| Clearview AI | AP | Netherlands | €30,500,000 | 2024 | Illegal facial image scraping of Dutch residents without consent. |
BIPA Biometric Privacy Settlements
Notable settlements under Illinois’ Biometric Information Privacy Act — the most consequential US biometric privacy law, featuring a private right of action with statutory damages of $1,000-$5,000 per violation.
| Defendant | Settlement | Year | Summary |
|---|---|---|---|
| Facebook (Meta) | $650,000,000 | 2020 | Facial recognition photo-tagging scanned Illinois users’ faces without BIPA written consent. |
| TikTok | $92,000,000 | 2021 | Unlawful collection of face and voice biometric data through the TikTok app. |
| Google | $100,000,000 | 2022 | Google Photos face-grouping used face-recognition without explicit BIPA consent. |
| BNSF Railway | $75,000,000 | 2023 | Truck-driver fingerprint scanning without BIPA disclosures. Original jury damages of $228M vacated on appeal; settled at $75M. |
| Clearview AI | $51,750,000 | 2024 | Class-action settlement structured as 23% equity stake in Clearview AI, valued at ~$51.75M based on $225M January 2024 valuation. |
| Snap (Snapchat) | $35,000,000 | 2023 | Snap filters and lens features alleged to scan facial biometrics without Illinois-user consent. |
| Shutterfly | $6,750,000 | 2022 | Facial recognition in photo-sharing service without BIPA written consent. |
| Six Flags | $36,000,000 | 2022 | Fingerprint scanning for season-pass entry without BIPA disclosures. |
FAQ
What is the largest CCPA settlement to date?
As of April 2026, the largest publicly reported pure-CCPA settlement is Disney’s $2,750,000 settlement (February 2026) for failing to honor opt-out of sale requests across Disney+, Hulu, and ESPN+. The next-largest are Illuminate Education ($3.25M, KOPIPA/CA Privacy — student-data breach), Healthline Media ($1.55M, CCPA — sharing sensitive health data without safeguards), and Sephora ($1.2M, CCPA — the first public CCPA enforcement, for ignoring Global Privacy Control signals).
What is the largest GDPR fine ever?
Meta Platforms Ireland received the largest GDPR fine in history: €1.2 billion from the Irish Data Protection Commission in May 2023, for unlawful transfers of Facebook user data to the United States. Second-largest is Amazon Europe (€746M, Luxembourg, 2021).
Can individuals receive money from CCPA enforcement?
Generally no — CCPA enforcement penalties go to the state. The private right of action under CCPA is narrow: only for data breaches involving non-encrypted personal information. For general CCPA violations, only the California AG and CPPA can sue. Most state privacy laws follow the same pattern.
Who can sue under BIPA?
Illinois residents can sue directly under BIPA with statutory damages of $1,000 per negligent violation or $5,000 per intentional violation. This is why BIPA settlements are dramatically larger than CCPA or GDPR fines on a per-violation basis — each biometric scan can be counted separately.
Which countries issue the most GDPR fines?
By total fine amount, Ireland leads (hosts most major US tech companies’ EU operations: Meta, TikTok, LinkedIn, WhatsApp, Google). By number of fines, Italy, Germany, and Spain are consistently among the most active enforcers, with Italy’s Garante notable for aggressive telemarketing enforcement.
Sources: California Attorney General Privacy Enforcement Actions · CMS Law GDPR Enforcement Tracker. Settlement amounts reflect publicly reported figures; multi-state settlements may include California’s share. Verified April 2026.