GDPR Enforcement and Fines 2026: Business Categories, Top Cases, and Country

Table des matières

Key GDPR Fines Statistics (2026)
How to Categorise GDPR Fines: Sectors and Violations
Top GDPR Fines by Country: Who Issues the Biggest Penalties
Top 10 Biggest GDPR Fines of All Time
Why Ad Tech Dominates the Media, Telecoms and Broadcasting Sector
Biggest GDPR Fines in Ad Tech: The Complete List
How Many GDPR Fines Have Actually Been Paid?
5 Common Causes Behind Every Major Ad Tech GDPR Fine
How Ad Tech Failures Map to GDPR Violation Categories
GDPR Compliance Checklist for Ad Tech and Publishers
Where GDPR Ad Tech Enforcement Is Heading in 2026
Frequently Asked Questions About GDPR Fines
Key Takeaways: Why Consent Management Is Now Core Infrastructure
About UniConsent

Table des matières

Key GDPR Fines Statistics (2026)
How to Categorise GDPR Fines: Sectors and Violations
Top GDPR Fines by Country: Who Issues the Biggest Penalties
Top 10 Biggest GDPR Fines of All Time
Why Ad Tech Dominates the Media, Telecoms and Broadcasting Sector
Biggest GDPR Fines in Ad Tech: The Complete List
How Many GDPR Fines Have Actually Been Paid?
5 Common Causes Behind Every Major Ad Tech GDPR Fine
How Ad Tech Failures Map to GDPR Violation Categories
GDPR Compliance Checklist for Ad Tech and Publishers
Where GDPR Ad Tech Enforcement Is Heading in 2026
Frequently Asked Questions About GDPR Fines
Key Takeaways: Why Consent Management Is Now Core Infrastructure
About UniConsent

GDPR enforcement is no longer a theoretical risk that lives in a compliance deck. Based on publicly disclosed enforcement data, regulators across the EU and UK have issued more than 2,500 fines totalling over 7 billion euros since 2018, with approximately 1.2 billion euros of that issued in 2025 alone — and the curve is still climbing. The average fine sits at around 2.4 million euros, and that figure is held down, not up, by the long tail of small administrative penalties.

If you work anywhere near digital advertising, the more important number is this: the sector hit hardest, by both volume and value, is the one your business almost certainly sits inside.

This post unpacks two useful ways to categorise GDPR fines, looks at how ad tech fares within them, walks through the headline ad tech cases, and finishes with the patterns every marketer, publisher, and ad operations leader should be designing around. It is a long read, but the picture only makes sense when you see all of it at once.

Total GDPR fines issued since 2018: 7.1 billion euros across more than 2,500 fines.
GDPR fines issued in 2025: approximately 1.2 billion euros.
Largest GDPR fine ever: 1.2 billion euros against Meta Platforms Ireland (Irish DPC, May 2023) for unlawful EU-US data transfers.
Second-largest GDPR fine ever issued: 746 million euros against Amazon Europe Core (Luxembourg CNPD, July 2021) for ad targeting without valid consent. Note: this fine was annulled on procedural grounds by the Luxembourg Administrative Court in March 2026, though the underlying violations were upheld.
Largest GDPR fine of 2025: 530 million euros against TikTok (Irish DPC, May 2025) for unlawful EU-China data transfers.
Average GDPR fine: approximately 2.4 million euros.
Maximum GDPR fine: 20 million euros or 4% of global annual turnover, whichever is higher.
Country with the most GDPR fines by count: Spain, with nearly 1,000 fines since 2018.
Country with the most GDPR fines by total value: Ireland, with 4.04 billion euros in cumulative fines (around 57% of all GDPR fine value).
Most-fined business sector: Media, Telecoms and Broadcasting, accounting for around 70% of all corporate fine value.
Most common GDPR violation: insufficient legal basis for data processing — typically failing to obtain valid consent for behavioural advertising.
Daily personal data breach notifications across Europe: 443 (a 22% year-on-year increase).

There are two useful ways to sort GDPR fines, and both are worth keeping in mind when you are trying to read the enforcement landscape:

The business sector the fined organisation operates in (10 categories).
The type of GDPR violation the fine punishes (9 categories).

Most analyses look at one axis at a time. The interesting story is at the intersection — and ad tech sits at one of the hottest intersections on the map.

Media, Telecoms and Broadcasting
Industry and Commerce
Finance, Insurance and Consulting
Health Care
Public Sector and Education
Employment
Transportation and Energy
Accommodation and Hospitality
Real Estate
Individuals and Private Associations

Insufficient legal basis for data processing
Non-compliance with general data processing principles
Insufficient technical and organisational measures to ensure information security
Insufficient fulfilment of information obligations
Insufficient fulfilment of data subject rights
Insufficient cooperation with the supervisory authority
Insufficient data processing agreement
Insufficient fulfilment of data breach notification obligations
Insufficient involvement of the DPO

Two simple observations from the latest enforcement data:

Media, Telecoms and Broadcasting has been the most-fined sector for years running and now accounts for around 70% of all corporate fine value.
Insufficient legal basis for data processing is the single most frequent violation type across every sector.

Ad tech lives squarely inside the first and is the textbook example of the second. That is not a coincidence.

GDPR Fines by Country

The geography of GDPR enforcement is uneven — and not in the way most people expect. The country issuing the most fines is rarely the one issuing the biggest ones.

Ireland — 4.04 billion euros cumulative. By far the largest enforcer by total fine value, accounting for over half of all GDPR fines ever issued across Europe. Eight of the top ten largest GDPR fines in history were imposed by the Irish Data Protection Commission. Ireland's outsized role is structural: Meta, Google, TikTok, LinkedIn, Apple, and Microsoft all have their European headquarters in Dublin, which makes the DPC their lead supervisory authority under the GDPR's one-stop-shop mechanism.

France — over 1 billion euros cumulative. France overtook Luxembourg in 2025 to become the second-largest enforcer, the only country other than Ireland to have issued more than 1 billion euros in GDPR fines. CNIL has been the most aggressive regulator on cookie consent and ad-tech-specific issues, with the 325 million euro Google decision and 150 million euro Shein decision both landing in September 2025.

Luxembourg — historically third place, dominated by a single fine. Luxembourg's CNPD ranked third largely because of one decision: the 746 million euro fine against Amazon Europe Core in 2021 for processing personal data for advertising without proper consent. That fine was annulled on procedural grounds by the Luxembourg Administrative Court in March 2026, though the underlying violations were upheld and the case was sent back to the CNPD. Outside that fine, Luxembourg's enforcement activity is modest.

Italy — high volume and high value. Italy's Garante is one of the most active regulators in Europe, with hundreds of decisions and a particular focus on telecoms, AI services, and employment-related data processing. Recent activity includes the first European AI-related GDPR fines.

Netherlands — driven by the Uber decision. The Dutch DPA fined Uber 290 million euros in August 2024 for transferring driver data to the US without adequate safeguards. Outside that fine, the Netherlands' enforcement is steady but mid-sized.

Spain — the most fines by count, but smaller per fine. The Spanish AEPD has issued nearly 1,000 GDPR fines since 2018 — by far the highest volume of any European regulator — but the average penalty is small. Spain's pattern is high-frequency, distributed enforcement against organisations of every size, often for breaches involving consumer-facing data processing.

Germany — distributed across 16 state-level DPAs plus the federal BfDI. Germany's federated structure produces hundreds of fines, but the highest profile ones come from specific Lander (Hamburg's 35.3 million euro H&M fine, Berlin's deutsche Wohnen action). Average values sit in the mid-six figures.

United Kingdom — UK GDPR enforcement under the ICO. Cumulative fines under the UK GDPR remain in the tens of millions, with the largest being the 20 million pound British Airways data-breach fine. The Data (Use and Access) Act 2025 has now raised the maximum PECR fine from 500,000 pounds to 17.5 million pounds or 4% of global turnover — bringing UK cookie-consent enforcement into the same penalty range as the rest of Europe.

The headline takeaway: two countries — Ireland and France — account for around 70% of all GDPR fine value, while Spain and Italy account for the bulk of fines by sheer count. If you operate in Europe, your real exposure depends on where your processing sits on that map.

Top 10 Biggest GDPR Fines of All Time

The ten largest GDPR fines issued since the regulation came into force in May 2018, in descending order:

Rank	Company	Amount	Regulator	Date	Reason
1	Meta Platforms Ireland	1.2 billion euros	Irish DPC	May 2023	Unlawful EU-US data transfers
2	Amazon Europe Core	746 million euros	Luxembourg CNPD	July 2021	Ad targeting without valid consent
3	TikTok	530 million euros	Irish DPC	May 2025	Unlawful EU-China data transfers
4	Meta (Instagram)	405 million euros	Irish DPC	September 2022	Mishandling of children's data
5	Meta (Facebook + Instagram)	390 million euros	Irish DPC	January 2023	Invalid legal basis for behavioural ads
6	TikTok	345 million euros	Irish DPC	September 2023	Children's data processing failures
7	Google (LLC + Ireland)	325 million euros	French CNIL	September 2025	Gmail inbox ads + invalid signup consent
8	LinkedIn Ireland	310 million euros	Irish DPC	October 2024	Invalid legal basis for behavioural ads
9	Uber	290 million euros	Dutch AP	August 2024	Unlawful EU-US data transfers
10	Meta (Facebook)	265 million euros	Irish DPC	November 2022	Inadequate protection against data scraping

Eight of the ten largest GDPR fines have been issued by Ireland's Data Protection Commission, reflecting Dublin's role as the European headquarters for most large technology companies. Six of the ten largest fines relate to either international data transfers or invalid legal bases for advertising — the two enforcement themes that have defined the GDPR era.

Why Ad Tech Dominates the Media, Telecoms and Broadcasting Sector

"Media, Telecoms and Broadcasting" is a broad sector bucket that covers a lot of ground: telcos, ISPs, traditional media groups, streaming platforms, social networks, ad networks, DSPs, SSPs, DMPs, attribution vendors, and consent-adjacent infrastructure.

What unites the sector — and what makes it a magnet for regulators — is scale of personal data processing in the consumer-facing layer. B2C businesses are more likely to be investigated than B2B ones, simply because data subjects have the proximity, awareness, and motivation to file complaints. Add to that the constant pressure to innovate (real-time bidding, lookalike audiences, attention metrics, AI-driven targeting) and you get a sector where every product launch is also a potential regulatory test.

Inside this sector, ad tech is uniquely exposed for three structural reasons:

The data is the product. Profiling, identifiers, behavioural signals, and cross-site tracking are not side effects of the business model — they are the business model. That puts every processing activity in the regulatory spotlight by default.
The supply chain is opaque. Programmatic auctions involve dozens of parties per impression. Each is a potential controller or joint controller, each owes its own legal-basis story to data subjects, and any weak link in the chain becomes a liability for everyone upstream.
Consent is the only realistic legal basis for most of it. Targeted advertising rarely qualifies as "necessary for the performance of a contract." Legitimate interests is increasingly hard to defend after the European Court of Justice's reasoning in cases like Meta v. Bundeskartellamt. That leaves consent — and consent must be freely given, specific, informed, unambiguous, and demonstrably collected.

When any of those break, you end up in the enforcement record.

Below are the cases most often cited when ad tech professionals talk about GDPR enforcement. They split into two groups: pure-play ad tech companies, and Big Tech penalised specifically for ad-tech-related practices.

Criteo — 40 million euros (CNIL, France, 2023). The French regulator found that Criteo tracked browsing data via cookies set on partner sites without verifying that those partners had actually obtained valid consent. CNIL's testing showed that more than half of the partner sites sampled had not collected lawful consent. The fine landed not because Criteo's own consent banner failed, but because Criteo treated upstream consent as someone else's problem.

Vectaury and Teemo (CNIL, 2018-2019). Two early French CNIL formal notices (mise en demeure) against mobile location-data ad tech firms. Both were faulted for collecting precise location data through SDKs embedded in third-party apps without GDPR-grade consent. No monetary fines were imposed — both companies complied after receiving the notices — but the cases set the template that CNIL has used ever since: SDK vendors and partners share liability with the publishers integrating them.

Quantcast (Irish DPC, ongoing). Investigated after a Privacy International complaint over IAB-style consent pop-ups; the case has been a slow-burn signal that consent management infrastructure itself can be a target.

Optimove (Mobius Solutions Ltd) — 1 million euros (CNIL, December 2025). A UK-registered marketing technology processor, operating under the Optimove trade name, fined for retaining personal data of 46.9 million Deezer users after its contract ended, processing data outside the controller's instructions, and failing to keep records of processing activities. A small fine, but a notable one: it confirmed that processors handling EU user data sit fully inside GDPR obligations, and that "we were just the processor" is not a defence.

Google LLC — 50 million euros (CNIL, 2019). The first major GDPR fine. CNIL ruled that Google had not given users sufficiently clear, transparent information about ads personalisation, and that consent for personalised ads had not been validly obtained. Information was buried across multiple pages and required up to five or six clicks to surface.

Google + Amazon — 100 million euros and 35 million euros (CNIL, 2020). Both fined for placing advertising cookies on French users' devices before any consent had been collected. This pair of decisions effectively made "no cookies before consent" non-negotiable across the EU.

Google — 150 million euros + Facebook — 60 million euros (CNIL, January 2022). Issued under France's ePrivacy rules, this pair of decisions punished asymmetric cookie-rejection design. The regulator held that "reject all" had to be as easy to click as "accept all" — banner UX itself constituted the violation.

Google — 325 million euros (CNIL, September 2025). Split into 200 million euros against Google LLC and 125 million euros against Google Ireland. The decision covers two related practices: ads inserted between user emails in the "Promotions" and "Social" tabs of Gmail without prior consent, and invalid consent collection during Google account creation. The CNIL leaned on a 2021 CJEU ruling to hold that ads mimicking private communications constitute direct marketing — meaning prior consent is required, regardless of how the surface is framed.

Meta Platforms Ireland — 390 million euros (Irish DPC, 2023). The watershed legal-basis ruling. Meta had relied on "performance of a contract" as the legal basis for behavioural advertising on Facebook and Instagram. The Irish DPC, pushed by the EDPB, found that targeted advertising is not strictly necessary to deliver the service contract and therefore needs explicit consent. This ruling reshaped the legal-basis analysis for every social and ad platform operating in the EU.

Meta — 1.2 billion euros (Irish DPC, 2023). Not strictly an ad tech fine, but the largest GDPR penalty ever issued. It punished unlawful transfers of EU personal data to the United States — a signal that international transfers of data collected for advertising are themselves under scrutiny.

LinkedIn Ireland — 310 million euros (Irish DPC, 2024). Another legal-basis case. LinkedIn had argued that targeted advertising and analytics processing were necessary to perform its contract with users. The DPC disagreed and applied the Meta logic.

Shein — 150 million euros (CNIL, September 2025). Penalised for cookie practices that fell short of consent requirements — advertising cookies set on page-load before the user interacted with the banner, and "reject all" that did not actually stop tracking. Issued the same day as the 325 million euro Google decision. The case shows that the same playbook regulators built around Google in 2019-2020 is now being applied to fast-fashion and e-commerce players whose ad tech stacks are equally aggressive.

TikTok — 345 million euros (Irish DPC, September 2023) and 530 million euros (Irish DPC, May 2025). The first decision punished default-public settings and weak age controls for child users — children profiled by default. The second, the second-largest GDPR fine ever issued, concerned EU user data accessed from China without adequate safeguards. Both touch on ad-related processing.

Yahoo (CNIL). Sanctioned for advertising cookies set on its sites in conditions similar to the Google/Amazon 2020 decisions — proof that the cookie-consent precedents apply to every publisher running ad inventory, not just the giants.

If you total just the ad-tech-driven fines on this list, you are approaching 5 billion euros — well over half of all GDPR fines ever issued, attributable to a single category of processing.

GDPR Fines Issued vs Actually Paid

Here is a number that does not make it into most "biggest GDPR fines" articles: of the 4.04 billion euros in fines issued by Ireland's Data Protection Commission since 2018, only around 20 million euros has actually been collected. That is roughly 0.5%.

The rest is suspended, under appeal, or working its way through years of European litigation. Almost every headline fine on the list above is being contested — and the appeals are not cosmetic. They are designed to push enforcement into a slow lane while the practical operating environment continues unchanged.

A snapshot of the appeal status of the major cases:

Meta — 1.2 billion euros (2023, transfers). Under appeal. Meta has called the fine "unjustified"; payment is suspended pending the outcome.
Amazon — 746 million euros (2021, ad targeting). Annulled by the Luxembourg Administrative Court in March 2026 on procedural grounds, though the court confirmed most underlying GDPR violations. The case has been sent back to the CNPD for a fresh analysis.
TikTok — 530 million euros (May 2025, transfers). Appealed. The Irish High Court granted a stay in November 2025, allowing data transfers to continue while the case is heard.
Meta — 405 million euros (2022, Instagram children's data). Under appeal in the Irish High Court.
Meta — 390 million euros (January 2023, ad legal basis). Under appeal.
Google — 325 million euros (September 2025, Gmail ads + signup consent). Too recent for a final outcome; Google's response so far is consistent with previous appeals.
LinkedIn — 310 million euros (October 2024, behavioural ads legal basis). Microsoft set aside 425 million dollars for the case before the decision landed, suggesting the parent company expects to pay rather than litigate the entire amount away.
TikTok — 345 million euros (September 2023, children's data). Disputed at the time; current appeal status unclear.
Shein — 150 million euros (September 2025, cookies). Shein has announced its intention to appeal.
Criteo — 40 million euros (June 2023, partner consent). Originally proposed at 60 million euros by the CNIL rapporteur, reduced to 40 million in the final CNIL decision. Criteo appealed but the Conseil d'Etat upheld the fine in March 2026. Considered settled.

The lesson for compliance teams is not that fines are toothless. It is that the operational consequences land long before any cheque is written. Meta had to localise EU data processing infrastructure. TikTok had to redesign its data-access controls for European users. LinkedIn rewrote its consent flows within three months of the DPC ruling. Companies appeal the headline number, but they almost always implement the corrective orders.

For most organisations — those without the legal budget to drag a regulator through the European Court of Justice — the appeal route is not realistic. The fine is the fine, and the operational impact arrives immediately.

5 Common Causes of Ad Tech GDPR Fines

Read the decisions side by side and the same five failure modes keep appearing. None of them are exotic. All of them are addressable.

1. Wrong Legal Basis for Targeted Advertising

This is the violation the regulators care about most, and the one that produces the largest fines. "Contract necessity" and "legitimate interests" do not stretch to cover behavioural advertising or cross-site tracking. After the Meta and LinkedIn rulings, the practical answer for almost every ad use case is consent, properly collected.

The Google, Amazon, Yahoo, and Shein decisions all turn on the same technical fact: tracking technologies fired before the user clicked anything. If your tag manager loads ad pixels on page-load, you already have the violation; everything after that is mitigation theatre.

"Accept all" big and green; "reject all" buried two clicks deep in grey text. Regulators now treat banner UX as part of the consent itself. If rejecting is harder than accepting, the consent is not freely given.

Criteo's 40 million euro fine is the cautionary tale. Receiving consent strings from upstream partners is not the same as having a defensible record that lawful consent was actually collected. Vendors are increasingly expected to perform some level of due diligence on their partners' consent collection — not just trust the signal.

Article 13/14 transparency obligations look procedural until you read the Google 2019 decision. Splitting privacy information across multiple pages, hiding processing purposes, or using vague language about "advertising partners" has been ruled insufficient repeatedly. Users need to be told who is processing what for which specific purpose, in a place they can actually find.

If you cross-reference the failure modes above against the nine official violation categories, the pattern is striking:

Failure mode	Primary violation category
Wrong legal basis	Insufficient legal basis for data processing
Cookies before consent	Insufficient legal basis + non-compliance with general principles
Dark-pattern banners	Insufficient legal basis (consent not freely given)
Unverified downstream consent	Insufficient legal basis + insufficient data processing agreement
Information gaps	Insufficient fulfilment of information obligations

Three of the nine official violation categories absorb essentially all ad-tech enforcement risk. Two of them — legal basis and information obligations — are downstream of one piece of infrastructure: the consent management layer.

That is why CMPs like UniConsent have moved from a "nice to have" into the centre of the privacy stack. The regulators are not punishing the existence of advertising. They are punishing the absence of a defensible consent record and the gap between what users were told and what was actually done with their data.

If you are running a publisher, a brand, or an ad tech vendor inside the EU/UK, the enforcement record points to a small, concrete checklist. None of these are speculative — every item maps directly to a fine that has already been issued.

Default to consent, not legitimate interests, for any processing that touches advertising. The legal-basis question is essentially settled.
Block all non-essential tags until consent is collected. UniConsent gates tag execution on consent signals, so no tracking fires before the user has acted. This includes analytics in jurisdictions where it has been treated as ad-adjacent (France, Austria, Italy on Google Analytics).
Make rejecting as easy as accepting. One click, equal prominence, no friction.
Record consent in a way you can replay under audit. Timestamp, scope, version of the banner, version of the vendor list. Without a defensible record, you do not have consent — you have a hope. UniConsent's Consent Audit Trail stores every consent event with full context, queryable in real time.
Audit downstream partners. If you are passing TCF strings or any consent signal to vendors, you carry some responsibility for the legitimacy of that signal. Periodic compliance checks on partners are no longer optional. UniConsent's cookie scanner and consent data validator help verify that your site's actual behaviour matches your consent configuration.
Invest in the information layer. A clean, single-source privacy notice that names purposes and partners reduces exposure to the most common "transparency failure" rulings.
Treat international transfers as a separate compliance domain. The 1.2 billion euro Meta transfer fine and the 530 million euro TikTok transfer fine both involve data that moved through advertising infrastructure. Standard contractual clauses are not a finish line.

A modern consent management platform like UniConsent sits at the centre of most of these. It is the one piece of software whose explicit job is to produce a defensible consent record, enforce it across tags, and give the legal team something to point at when a regulator asks the simple, hard question: prove that your users said yes.

A few patterns are worth watching as enforcement activity accumulates:

Average fine sizes in Media, Telecoms and Broadcasting are still rising. The headline cases pull the mean upward, but the median is climbing too. Smaller players are no longer flying under the radar.
More regulators, more activity. Spain alone has issued well over 900 fines. Italy, Romania, and Germany each sit in the hundreds. Enforcement is no longer concentrated in a handful of "tough" DPAs — every member state is now meaningfully active.
The DSA is now adding a second penalty layer. In December 2025, the European Commission issued its first Digital Services Act fine — 120 million euros against X — covering deceptive verification design, an inadequate ad repository, and researcher access failures. Ad tech now sits inside two enforcement regimes that do not always coordinate.
AI Act enforcement begins in August 2026. High-risk AI system rules take effect mid-year, with penalties up to 35 million euros or 7% of global turnover. AI-driven targeting, audience modelling, and bidding optimisation will all need to be re-examined under the new framework.
AI processing is already being folded into existing GDPR enforcement. Italy's Garante is treating large-model training data and chatbot personalisation under the same legal-basis lens it has applied to ad tech for years. Expect ad-tech-style enforcement to spread to AI-driven personalisation as it matures.
Cookie-banner challenges are decentralising. noyb-style coordinated complaints have produced hundreds of decisions across multiple member states. Banner design is now an enforcement target in its own right.

For ad tech, the through-line is consistent: regulators are not trying to abolish targeted advertising, they are trying to make it conditional on real, demonstrable, user-controlled consent. The companies that will compound advantage in this environment are the ones that treat consent infrastructure as core platform engineering — not as a banner sitting on top of an otherwise unchanged stack. UniConsent provides that infrastructure out of the box, with built-in support for IAB TCF, Google Consent Mode, and GPP.

The maximum GDPR fine is 20 million euros or 4% of an organisation's global annual turnover, whichever is higher. This applies to serious violations such as breaches of data subject rights, unlawful processing, or non-compliance with the core GDPR principles. Lower-tier procedural violations are capped at 10 million euros or 2% of global turnover.

The largest GDPR fine ever issued is 1.2 billion euros, imposed on Meta Platforms Ireland by the Irish Data Protection Commission in May 2023 for unlawfully transferring personal data of European users to the United States without adequate safeguards.

Spain has issued the most GDPR fines by count, with nearly 1,000 fines since 2018. Ireland has issued the most by total value, with 4.04 billion euros in cumulative fines — around 57% of all GDPR fine value across Europe.

The average GDPR fine across all jurisdictions since 2018 is approximately 2.4 million euros. The median is significantly lower because a small number of very large fines against Big Tech pull the average up.

Most major GDPR fines are under appeal at any given time. Of the 4.04 billion euros in fines issued by Ireland's Data Protection Commission, only around 20 million euros has been collected — about 0.5%. However, even unpaid fines force operational changes. Companies appeal the headline number but typically implement the corrective orders attached to the decision.

The most common GDPR violation triggering fines is "insufficient legal basis for data processing," typically failing to obtain valid consent for activities like behavioural advertising or data sharing with third parties. The second most frequent is "non-compliance with general data processing principles" (Article 5), which produces the highest average fines.

GDPR fines are calculated using ten factors set out in Article 83(2), including the nature and gravity of the violation, the number of data subjects affected, the duration of the breach, the company's size and turnover, intentionality, mitigation measures taken, prior infringements, and cooperation with the supervisory authority.

Yes. Under Article 3(2) GDPR, the regulation applies to any organisation processing the personal data of EU residents, regardless of where the company is based. Recent fines against TikTok (Chinese-owned), Clearview AI (US-based), and Uber (US-based) confirm the GDPR's extraterritorial reach.

Media, Telecoms and Broadcasting is the most-fined sector and has been for the past several years, accounting for around 70% of all corporate GDPR fine value. The sector is broadly defined and includes telcos, social networks, streaming services, and the ad tech ecosystem. Industry and Commerce is second, lifted heavily by the 746 million euro Amazon fine.

Ireland's Data Protection Commission is the largest enforcer by total fine value (4.04 billion euros cumulative), followed by France's CNIL (over 1 billion euros) and Luxembourg's CNPD. Ireland's outsized role is structural: most major technology companies have their European headquarters there, making the DPC their lead supervisory authority under the GDPR's one-stop-shop mechanism.

GDPR fines are issued for breaches of the General Data Protection Regulation, with maximum penalties of 20 million euros or 4% of global turnover. ePrivacy fines are issued under national implementations of the EU ePrivacy Directive, which specifically governs cookies, electronic communications, and direct marketing. Several headline "GDPR fines" — including the 150 million euro Shein fine and parts of the Google decisions — are technically ePrivacy fines under Article 82 of the French Data Protection Act, not the GDPR itself. Both regimes target the same underlying issues and are often enforced by the same authority.

The enforcement data tells one consistent story across every sector and every violation type, but ad tech is where the story is loudest. Of the ten sector categories, ad tech sits in the most-fined one. Of the nine violation categories, three of them absorb almost all ad-tech enforcement, and two of those three depend on the quality of your consent management.

If you operate in this space, the practical implication is simple. Consent is not a banner. It is a system that records who said yes to what, enforces those choices across every tag and partner, surfaces the right information at the right moment, and produces an audit trail when a regulator asks. Companies that build that system stay out of the enforcement record. Companies that do not eventually become a case study in it.

The 7+ billion euros already on the board is, in that sense, less a warning than a price list. The question every ad-funded business needs to answer is whether it would rather invest in consent infrastructure now, or pay for it later in a CNIL or Irish DPC press release.

About UniConsent

UniConsent is a part of Transfon's privacy-first User Experience Platform serving tens of millions of users per day to provide a seamless privacy experience for both users and publishers in the age of post-GDPR. Contact us to know more: hello@uniconsent.com