Privacy Enforcement Tracker
Every major public privacy enforcement action under CCPA (California), GDPR (EU/UK), and BIPA (Illinois biometric) in one canonical reference. Sourced from the California AG, CMS GDPR Enforcement Tracker, and court records. Totals: $1,022,975,000 CCPA + €5,756,200,000 GDPR + $1,046,500,000 BIPA.
CCPA Enforcement
27
$1,022,975,000 total
GDPR Fines (top 30)
37
€5,756,200,000 total
BIPA Settlements
8
$1,046,500,000 total
California CCPA & Privacy Enforcement
Sourced from the California Attorney General’s Privacy Enforcement Actions page. Includes CCPA, CalOPPA, CMIA (medical), KOPIPA (student), and broader consumer-protection enforcement.
| Entity | Date | Settlement | Violation | Summary |
|---|---|---|---|---|
| Disney | 2026-02-11 | $2,750,000 | CCPA | Failed to effectuate opt-out of sale requests across Disney+, Hulu, and ESPN+ devices. |
| Jam City, Inc. | 2025-11-21 | $1,400,000 | CCPA | No opt-out methods in apps; shared children’s data without parental consent. |
| Illuminate Education | 2025-11-06 | $3,250,000 | KOPIPA / CA Privacy | 2021 data breach; failed security for student records. |
| Sling TV LLC | 2025-10-30 | $530,000 | CCPA | Confusing opt-out process; inadequate child privacy protections. |
| Healthline Media LLC | 2025-07-01 | $1,550,000 | CCPA | Largest CCPA settlement at time of resolution. Tracked health information and shared sensitive data without safeguards. |
| Tilting Point Media LLC | 2024-06-19 | $500,000 | CCPA / COPPA | Collected children’s data in mobile game without parental consent. |
| Blackbaud | 2024-06-13 | $6,750,000 | Consumer Protection | 2020 data breach; inadequate security measures. |
| DoorDash | 2024-02-21 | $375,000 | CCPA / CalOPPA | Sold customer data via marketing co-operative without notice or opt-out opportunity. First public CCPA enforcement targeting marketing co-op data sales. |
| | 2023-09-14 | $93,000,000 | Consumer Protection | Location tracking without consumer consent for ad profiling. Multi-state settlement; CA portion. |
| Kaiser Foundation Health Plan | 2023-09-08 | $49,000,000 | Privacy / Waste | Improperly disposed of medical waste and health records. |
| Sephora | 2022-08-24 | $1,200,000 | CCPA | First-ever public CCPA enforcement. Failed to disclose sales of personal information; ignored Global Privacy Control signals. |
| Glow, Inc. | 2020-09-17 | $250,000 | CMIA / Data Security | Reproductive-health app lacked basic security protections for sensitive user data. |
| Anthem Blue Cross Life and Health Insurance | 2020-09-30 | $8,690,000 | Consumer Protection | 2014 breach exposed data of 13.5 million Californians. |
| Equifax | 2019-07-22 | $600,000,000 | Consumer Protection | 2017 breach exposed 15 million Californians. Multi-state settlement; includes CA portion. |
| Premera Blue Cross | 2019-07-11 | $10,000,000 | Privacy Laws | 2014 phishing breach exposed 10.5 million consumers. |
| Aetna | 2019-01-30 | $935,000 | Medical Privacy | Mailing envelope revealed recipients’ HIV medication status. |
| Uber Technologies | 2018-09-26 | $148,000,000 | Data Breach / Security | 2016 data breach covered up for over one year. |
| Cottage Health System | 2017-11-22 | $2,000,000 | State / Federal Privacy | Failed safeguards for patient medical information. |
| Lenovo | 2017-09-05 | $3,500,000 | Consumer Protection | Pre-installed ad-injecting software compromised security. |
| Target | 2017-05-23 | $18,500,000 | Consumer Protection | 2013 POS breach compromised 40M+ payment cards. |
| Wells Fargo Bank | 2016-03-28 | $8,500,000 | CA Penal Code Privacy | Recorded customer calls without timely disclosure. |
| Houzz | 2015-10-02 | $175,000 | Privacy Laws | Recorded calls without notifying all parties. |
| Comcast | 2015-09-17 | $33,000,000 | Privacy Law | Posted unlisted phone numbers online. |
| Aaron’s, Inc. | 2014-10-13 | $28,400,000 | Consumer Protection | Installed spyware on rental computers. |
| Kaiser Foundation Hospitals (USB incident) | 2014-01-23 | $150,000 | Data Breach Notification | Delayed notifying employees of lost USB drive. |
| Citibank | 2013-08-28 | $420,000 | Data Security | Unencrypted website vulnerability exposed customer accounts. |
| Anthem Blue Cross | 2012-10-01 | $150,000 | Privacy Law | Social security numbers visible on mailing envelopes. |
GDPR Enforcement (Top 30 fines)
Top 30 largest GDPR fines issued by EU + UK data protection authorities. Sourced from CMS Law’s GDPR Enforcement Tracker. Over 2,245 total fines have been issued under GDPR, totalling €5.65B+ cumulative as of 2026.
| Defendant | DPA | Country | Fine | Year | Violation |
|---|---|---|---|---|---|
| Meta Platforms Ireland | DPC | Ireland | €1,200,000,000 | 2023 | Unlawful data transfers of Facebook EU user data to the United States. |
| Amazon Europe Core | CNPD | Luxembourg | €746,000,000 | 2021 | Tracking user data without appropriate consent for targeted advertising. |
| TikTok | DPC | Ireland | €530,000,000 | 2024 | Transfers of EEA user data to China; inadequate transparency. |
| Instagram (Meta) | DPC | Ireland | €405,000,000 | 2022 | Processing children’s data without legal basis; minors’ contact info public by default. |
| Meta Platforms Ireland | DPC | Ireland | €390,000,000 | 2023 | Unclear legal basis for data processing; contract reliance instead of consent. |
| TikTok Limited | DPC | Ireland | €345,000,000 | 2023 | Collecting personal data of children under 13; automatically public profiles. |
| LinkedIn Ireland | DPC | Ireland | €310,000,000 | 2024 | Behavioural advertising based on personal data without valid legal basis. |
| Uber Technologies | AP | Netherlands | €290,000,000 | 2024 | Unlawful personal-data transfers of EU drivers to US servers. |
| Meta (Facebook) | DPC | Ireland | €265,000,000 | 2022 | Personal information dataset scraped and made publicly available. |
| WhatsApp Ireland | DPC | Ireland | €225,000,000 | 2021 | Unclear privacy policies; transparency failures on data usage. |
| Google LLC | CNIL | France | €90,000,000 | 2021 | Failing to provide easy cookie-refusal methods. |
| Google Ireland | CNIL | France | €60,000,000 | 2021 | Difficult cookie-refusal mechanisms on YouTube. |
| Facebook Ireland Ltd. | CNIL | France | €60,000,000 | 2021 | No simple methods to refuse cookies. |
| CRITEO | CNIL | France | €40,000,000 | 2023 | Failing to ensure opt-in consent; inadequate user-rights information. |
| H&M | HmbBfDI | Germany | €35,300,000 | 2020 | Excessive employee records; family, religion, and health information tracked. |
| TIM (Telecom Italia) | Garante | Italy | €27,800,000 | 2020 | Unlawful telemarketing calls; inadequate privacy policies. |
| Enel Energia | Garante | Italy | €26,500,000 | 2022 | Unlawful customer data use for telemarketing without consent. |
| Clearview AI | Garante | Italy | €20,000,000 | 2022 | Processing biometric and geolocation data without legal basis. |
| Clearview AI | CNIL | France | €20,000,000 | 2022 | Processing millions of personal data records; non-compliance with deletion orders. |
| Clearview AI | HDPA | Greece | €20,000,000 | 2022 | Collecting photos and selfies without consent. |
| Wind Tre | Garante | Italy | €16,700,000 | 2020 | Telemarketing calls and texts without consent; public data disclosure. |
| Meta Platforms Ireland | DPC | Ireland | €17,000,000 | 2022 | Inadequate technical measures for 2018 data breaches. |
| TikTok | ICO | United Kingdom | €14,500,000 | 2023 | Collecting data from children under 13 without parental consent. |
| Vodafone Italia | Garante | Italy | €12,250,000 | 2020 | Marketing calls without consent; continued contact after opt-out. |
| Eni Gas e Luce | Garante | Italy | €11,500,000 | 2019 | Customer data storage without legal basis; unsolicited telemarketing. |
| Google LLC | AEPD | Spain | €10,000,000 | 2022 | Unlawful EU citizen data transfers; complicated right-to-be-forgotten process. |
| Clearview AI Inc. | ICO | United Kingdom | €8,750,000 | 2022 | Collecting facial recognition images without lawful basis. |
| REWE International | DSB | Austria | €8,000,000 | 2022 | Loyalty program data collection without user consent. |
| Grindr | Datatilsynet | Norway | €6,300,000 | 2021 | Sharing sensitive personal data (sexual orientation) to advertisers without consent. |
| Cosmote Mobile Telecommunications | HDPA | Greece | €6,000,000 | 2022 | Data breach exposure; inadequate pseudonymization. |
| CaixaBank | AEPD | Spain | €6,000,000 | 2021 | Invalid consent methods; unlawful data transfers to third parties. |
| Meta Platforms Ireland (2018 breach) | DPC | Ireland | €251,000,000 | 2024 | 2018 data breach re-finalisation; improper breach notification and poor system design. |
| Meta (plaintext passwords) | DPC | Ireland | €91,000,000 | 2024 | Storing hundreds of millions of Facebook and Instagram user passwords in plaintext. |
| Enel Energia SpA | Garante | Italy | €79,100,000 | 2024 | Unlawful customer data acquisition by sales partners; inadequate security controls. |
| Google LLC | CNIL | France | €50,000,000 | 2019 | Lack of transparency and invalid consent for ad personalisation — first major GDPR fine against Big Tech. |
| Amazon France Logistique | CNIL | France | €32,000,000 | 2024 | Excessive worker monitoring system; unlawful retention of warehouse-worker productivity data. |
| Clearview AI | AP | Netherlands | €30,500,000 | 2024 | Illegal facial image scraping of Dutch residents without consent. |
BIPA Biometric Privacy Settlements
Notable settlements under Illinois’ Biometric Information Privacy Act — the most consequential US biometric privacy law, featuring a private right of action with statutory damages of $1,000-$5,000 per violation.
| Defendant | Settlement | Year | Summary |
|---|---|---|---|
| Facebook (Meta) | $650,000,000 | 2020 | Facial recognition photo-tagging scanned Illinois users’ faces without BIPA written consent. |
| TikTok | $92,000,000 | 2021 | Unlawful collection of face and voice biometric data through the TikTok app. |
| | $100,000,000 | 2022 | Google Photos face-grouping used face-recognition without explicit BIPA consent. |
| BNSF Railway | $75,000,000 | 2023 | Truck-driver fingerprint scanning without BIPA disclosures. Original jury damages of $228M vacated on appeal; settled at $75M. |
| Clearview AI | $51,750,000 | 2024 | Class-action settlement structured as 23% equity stake in Clearview AI, valued at ~$51.75M based on $225M January 2024 valuation. |
| Snap (Snapchat) | $35,000,000 | 2023 | Snap filters and lens features alleged to scan facial biometrics without Illinois-user consent. |
| Shutterfly | $6,750,000 | 2022 | Facial recognition in photo-sharing service without BIPA written consent. |
| Six Flags | $36,000,000 | 2022 | Fingerprint scanning for season-pass entry without BIPA disclosures. |
FAQ
What is the largest CCPA settlement to date?
As of April 2026, the largest publicly reported CCPA settlement is Healthline Media’s $1,550,000 settlement (July 2025) for tracking health information and sharing sensitive data without safeguards. The next-largest are Illuminate Education ($3.25M, combining KOPIPA/privacy violations), Disney ($2.75M), and Sephora ($1.2M, the first public CCPA enforcement).
What is the largest GDPR fine ever?
Meta Platforms Ireland received the largest GDPR fine in history: €1.2 billion from the Irish Data Protection Commission in May 2023, for unlawful transfers of Facebook user data to the United States. Second-largest is Amazon Europe (€746M, Luxembourg, 2021).
Can individuals receive money from CCPA enforcement?
Generally no — CCPA enforcement penalties go to the state. The private right of action under CCPA is narrow: only for data breaches involving non-encrypted personal information. For general CCPA violations, only the California AG and CPPA can sue. Most state privacy laws follow the same pattern.
Who can sue under BIPA?
Illinois residents can sue directly under BIPA with statutory damages of $1,000 per negligent violation or $5,000 per intentional violation. This is why BIPA settlements are dramatically larger than CCPA or GDPR fines on a per-violation basis — each biometric scan can be counted separately.
Which countries issue the most GDPR fines?
By total fine amount, Ireland leads (hosts most major US tech companies’ EU operations: Meta, TikTok, LinkedIn, WhatsApp, Google). By number of fines, Italy, Germany, and Spain are consistently among the most active enforcers, with Italy’s Garante notable for aggressive telemarketing enforcement.
Sources: California Attorney General Privacy Enforcement Actions · CMS Law GDPR Enforcement Tracker. Settlement amounts reflect publicly reported figures; multi-state settlements may include California’s share. Verified April 2026.