Enforcement

On this topic page you can find the IAPP’s collection of coverage, analysis and resources related to privacy enforcement. The IAPP Resource Center also includes the “Global Privacy and Data Protection Enforcement Database,” which is a collection of enforcement actions from all over the world.

Featured Resources

EDPB launches coordinated enforcement on role of DPOs

The EDPB announced its 2023 coordinated enforcement action will focus on the designation and position of DPOs. In this second initiative under the Coordinated Enforcement Framework, 26 DPAs will seek to gauge whether DPOs have the organizational position required by Articles 37-39 of the GDPR and the resources needed to conduct their work.

EU enforcement: One-stop shop

This article breaks down the key practical takeaways and things to look out for on the EU General Data Protection Regulation’s one-stop shop mechanisms.

EU enforcement: Legal bases and transparency

This article breaks down the key practical takeaways and things to look out for on the EU General Data Protection Regulation’s legal bases and transparency requirements.


Latest News and Resources

The process behind the EDPB’s coordinated enforcement framework

Last September, the European Data Protection Board announced it will focus coordinated enforcement on data protection officer appointments. Starting mid-March 2023, and for about a year after, European data protection authorities will prioritize joint actions focusing on the position of DPOs, with activities ranging from awareness raising and information gathering to enforcement sweeps and joint investigations. The DPO function is an integral part of EU General Data Protection Regulation compli...

Meta's EU data transfer case faces Article 65 dispute resolution mechanism

The fate of Meta's data transfers to the U.S. could hinge on an Article 65 dispute resolution mechanism in the EU, after Ireland's Data Protection Commission was unable to resolve objections from other EU data protection authorities to its draft enforcement decision. Politico reporter Vincent Manancourt originally broke the news, which was then confirmed by the DPC in an email to The Privacy Advisor. "We haven't been able to resolve the objections raised on our draft decision and have to trigg...

EDPB’s Meta decisions explained: Resolving the adtech dispute

Original broadcast date: Jan. 19, 2023. In this LinkedIn Live event, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, joins EDPB Head of the Secretariat Isabelle Vereecken and EDPB Head of Activity for Legal Coordination Carolina Foglia for a discussion on what the EDPB's Meta decisions mean from the regulators’ perspective and what is now expected of those engaged in behavioral advertising across the EU. Watch the full recording on LinkedIn. Access the IAPP's Linked...

10 takeaways from the Irish DPC decisions on Meta

Ireland's Data Protection Commission issued the much-anticipated decisions regarding the EU General Data Protection Regulation legal basis Meta can use in connection with processing personal data for targeted advertising. The decisions are a revised version of the draft opinion issued by DPC in October 2022, pursuant to objections filed by the supervisory authorities of Austria, France, Germany, Italy, the Netherlands, Norway, Poland, Portugal and Sweden and EDPB determination. Per the revised d...

Irish DPC, EDPB Meta decisions raise complex, fundamental questions

As more details unfold within the Irish Data Protection Commission and European Data Protection Board’s published Meta decisions, the privacy community is grappling with complex and fundamental questions surrounding legal bases for data processing, transparency within privacy notices, uncertainty around EU General Data Protection Regulation compliance, and more. The DPC last week fined Meta Ireland a combined 390 million euros and in its decisions, officially released with the EDPB’s binding de...

‘Pen testing’ your privacy program: Steps to test your privacy compliance before the onset of litigation or enforcement actions
(IAPP, January 2023)
Consequences of the CJEU preliminary ruling on public company registers
(IAPP, January 2023)
Unpacking DPC Ireland’s Meta decisions: AdTech and beyond
(IAPP, January 2023)
Breaking down enforcement of Meta’s legal basis for personalized ads
(IAPP, January 2023)
Irish DPC fines Meta 390M euros over legal basis for personalized ads
(IAPP, January 2023)
Takeaways from Epic Games settlement: Teen privacy arrives at the FTC
(IAPP, December 2022)
Greek DPA imposes 20M euro fine on Clearview AI for unlawful processing of personal data
(IAPP, October 2022)
Web Conference: Lessons from the First CCPA Enforcement Settlement: GPC and Beyond
(IAPP, October 2022)
New York Attorney General James on protecting consumer privacy, enforcement and possible federal legislation
(IAPP, September 2022)
EDPB to focus coordinated enforcement on DPO appointments
(IAPP, September 2022)
CCPA enforcement action: A case study at the intersection of privacy and marketing
(IAPP, September 2022)
California attorney general announces first CCPA enforcement action
(IAPP, August 2022)
European Commission files report on Law Enforcement Directive
(IAPP, July 2022)
State attorneys general secure $8M data breach settlement
(IAPP, July 2022)
Sanctions under EU GDPR and recent data regulations: A case of double jeopardy?
(IAPP, July 2022)
Roe v. Wade’s overturn: The impact on data protection and law enforcement
(IAPP, July 2022)
Google Analytics enforcement fallout: ‘Cry and pray’
(IAPP, June 2022)
10 years after: The EU’s ‘crunch time’ on GDPR enforcement
(IAPP, June 2022)
Authorities collaborate on EU GDPR investigation
(IAPP, June 2022)
A look behind the EDPB’s move to enhance enforcement cooperation
(IAPP, May 2022)
Colorado attorney general details his CPA enforcement priorities at IAPP GPS22
(IAPP, April 2022)
Hidden privacy lessons in the FTC’s CafePress security enforcement
(IAPP, March 2022)
Top 5 operational impacts of China’s PIPL — Part 4: Penalties and enforcement mechanisms
(IAPP, March 2022)
Greek DPA issues largest fine yet
(IAPP, March 2022)
What do the Google Analytics enforcement cases mean for privacy compliance?
(IAPP, February 2022)
LinkedIn Live: ‘Data Transfer Enforcement, Risk and Compliance: What You Need to Know Now’
(IAPP, February 2022)
Dodging the one-stop shop
(IAPP, February 2022)
CNIL is latest authority to rule Google Analytics violates GDPR
(IAPP, February 2022)
Why US-based companies should care about the Norway DPA’s interpretation of GDPR consent
(IAPP, February 2022)
Fines, flossing and films — The importance of storytelling to privacy hygiene
(IAPP, February 2022)
The Austrian Google Analytics decision: The race is on
(IAPP, February 2022)
OAIC’s Facebook privacy claims can proceed
(IAPP, February 2022)
Increased fines for Australian data breaches useful but not structurally changing in nature
(IAPP, February 2022)
Greek DPA issues multi-million euro fines against largest cell provider
(IAPP, February 2022)
State attorneys general sue Google with ‘dark patterns’ claims
(IAPP, January 2022)
Upcoming year to be ‘complex’ in privacy
(IAPP, January 2022)
FTC Chair Lina Khan opens up on tech enforcement
(IAPP, January 2022)
EDPS sanctions Parliament over data transfers, cookie consent
(IAPP, January 2022)
CNIL’s ePrivacy fines reveal potential enforcement trend
(IAPP, January 2022)
A deeper look at CNIL’s cookies enforcement
(IAPP, January 2022)
Details emerge on appeal of WhatsApp’s 225M euro GDPR fine
(IAPP, January 2022)
EDPS discusses current, future state of GDPR enforcement
(IAPP, January 2022)
Infographic: FTC Privacy Rulemaking – The Steps to Get There
(IAPP, December 2021)
ICO opens consultation on regulatory powers
(IAPP, December 2021)
FTC considering privacy, AI rulemaking for 2022
(IAPP, December 2021)
China bans apps over PIPL, DSL violations
(IAPP, December 2021)
The way the third-party cookie crumbles: Part 1 – EU and UK developments
(IAPP, December 2021)
Status of the California Privacy Protection Agency’s work
(IAPP, December 2021)
CNIL issues guidance on use of third-party cookie alternatives
(IAPP, November 2021)
CIPL Discussion Paper: GDPR Enforcement Cooperation and the One-Stop-Shop Learning from the First Three Years
(CIPL, August 2021)
Insights into the Future of Data Protection Enforcement: Regulatory Strategies of European Data Protection Authorities for 2021-2022
(Future of Privacy Forum, June 2021)
Web Conference: The State of Privacy: State Attorney General Enforcement Updates
(IAPP, April 2021)
Infographic: CCPA Enforcement
(IAPP, May 2020)

Fines and Penalties

Turkey's KVKK fines TikTok TL1.75M for insufficient data protections

Turkey’s data protection authority, the Kişisel Verileri Koruma Kurumu, fined TikTok 1.75 million liralar for insufficiently protecting users from unlawful data processing, Reuters reports. The KVKK said the fine resulted from TikTok “not taking all necessary measures to ensure the appropriate level of security to prevent unlawful processing of personal data.” It also said the platform should update the texts of its privacy and cookies policies to meet the country’s regulations.

FTC fines online counselor $7.8M, halts sensitive data sharing

The U.S. Federal Trade Commission announced a proposed order against online counseling service BetterHelp over alleged improper data sharing for advertising purposes. The agency ordered a USD7.8 million payout to affected customers while banning the service from conducting further data sharing that leads to nonconsensual use for third-party advertising campaigns. BetterHelp allegedly sent mental health data to various platforms, including Facebook and Snapchat. The proposed order marks the first...

The Economist pays $9.5M to settle class-action lawsuit for selling subscriber information

The Economist agreed to a settlement in a Michigan class-action lawsuit, in which it was alleged the magazine sold subscriber information to third parties without their consent, Top Class Actions reports. The class is comprised of Michigan residents who subscribed to The Economist in either print or digital form between Feb. 4, 2015 and July 30, 2016. Plaintiffs alleged the sale of their subscription information without their consent violated the state Preservation of Personal Privacy Act. Under...

South Korea's PIPC fines Meta for exceeding data minimization standards

South Korea’s data protection authority, the Personal Information Protection Commission, fined Meta 6.6 million won “for allegedly disadvantaging its customers refusing to provide personal information,” Yonhap News reports. The PIPC investigated Meta on the basis it blocked users from Facebook and Instagram reportedly for refusing “to provide their behavioral information, or a record of their activities on other online sites.” Per the PIPC’s ruling, it found the personal information Meta sought ...

OCR announces $1.25M HIPAA Security Rule settlement

The U.S. Health and Human Services Office for Civil Rights reached a $1.25 million settlement with Arizona-based health care provider Banner Health Affiliated Covered Entities over alleged violations of the Health Insurance Portability and Accountability Act Security Rule. The settlement resolves 2016 claims related to a hack and subsequent data breach that affected the protected health information of 2.81 million individuals. The settlement also includes two years of monitoring and corrective m...

ICO fines former automotive services employee for stealing data
(IAPP, February 2023)
CNIL hits app developer with 3M euro fine
(IAPP, January 2023)
CNIL fines TikTok 5M euros over cookie consent
(IAPP, January 2023)
Google agrees to $23M settlement over search query claims
(IAPP, January 2023)
CNIL fines Apple 8M euros over consent settings
(IAPP, January 2023)
DC attorney general reaches $9.5M location privacy settlement with Google
(IAPP, January 2023)
Irish DPC fines Meta 390M euros over legal basis for personalized ads
(IAPP, January 2023)
Facebook agrees to $725M settlement over Cambridge Analytica suit
(IAPP, January 2023)
CNIL issues 60M euro cookie fine to Microsoft
(IAPP, January 2023)
FTC, video game maker reach $520M COPPA settlement
(IAPP, December 2022)
ACMA fines cryptocurrency exchange for spam emails
(IAPP, December 2022)
CNIL fines phone company 300,000 euros
(IAPP, December 2022)
CJEU upholds 225M euro WhatsApp fine
(IAPP, December 2022)
Garante fines Clubhouse owner 2M euros
(IAPP, December 2022)
Garante fines perfume chain 1.4M euros
(IAPP, November 2022)
CNIL fines software company 800K euros for GDPR violations
(IAPP, November 2022)
New York’s DFS reaches $4.5M settlement with health insurance provider
(IAPP, October 2022)
ICO fined construction company 4.4M GBP fine over employee privacy violations
(IAPP, October 2022)
CNIL fines Clearview AI 20M euros
(IAPP, October 2022)
Greek DPA imposes 20M euro fine on Clearview AI for unlawful processing of personal data
(IAPP, October 2022)
Online retailer agrees to pay $1.9M in penalties following data breach
(IAPP, October 2022)
Dutch court fines Florida-based company 75K euros for webcam monitoring
(IAPP, October 2022)
ICO fines catalog retailer for misusing customers’ personal information
(IAPP, October 2022)
Arizona attorney general reaches $85M location privacy settlement
(IAPP, October 2022)
Google to pay settlement to Illinois residents for BIPA violations
(IAPP, September 2022)
Financial institutions to pay $1.8B fine for use of unauthorized messaging services
(IAPP, September 2022)
Berlin DPA imposes 525K euro fine over DPO violation
(IAPP, September 2022)
SEC fines Morgan Stanley $35M over alleged data protection, deletion issues
(IAPP, September 2022)
South Korea’s PIPC issues KRW 100B in Big Tech fines
(IAPP, September 2022)
CNIL issues 250K euro fine over data security, retention violations
(IAPP, September 2022)
Irish DPC issues 405M euro children’s privacy fine against Instagram
(IAPP, September 2022)
OCR issues $300,640 fine over HIPAA Privacy Rule violations
(IAPP, August 2022)
Brazil’s Senacon fines Facebook 6.6M reals over Cambridge Analytica
(IAPP, August 2022)
Google to pay AU$60M fine to Australian Competition and Consumer Commission
(IAPP, August 2022)
US cafeteria technology services company settles class-action lawsuit
(IAPP, August 2022)
Lower Saxony data protection commissioner fines bank 900K euros
(IAPP, August 2022)
CFPB fines bank $37.5M for personal data exploitation
(IAPP, July 2022)
Federal judge approves $92M TikTok class-action settlement
(IAPP, July 2022)
Russian court fines companies 22M rubles over data localization claims
(IAPP, July 2022)
Fintech app settles class-action lawsuit for $58M
(IAPP, July 2022)
Danish DPA fines law firm 500K kroner over data security issues
(IAPP, July 2022)
OCR issues HIPAA fines totaling $646K
(IAPP, July 2022)
Greek DPA fines Clearview AI 20M euros, bans data collection, processing
(IAPP, July 2022)
Robinhood settles class-action lawsuit related to data breach
(IAPP, July 2022)
Norway DPA issues fines to consumer goods chain, Parliament
(IAPP, June 2022)
French Council of State upholds Amazon’s 35M euro cookie fine
(IAPP, June 2022)
Carnival Cruise Line pays $1.25M settlement in 46-state breach lawsuit
(IAPP, June 2022)
Russian court fines Google 15M rubles for failing to localize Russian citizens’ data
(IAPP, June 2022)
Insurance company settles biometric class-action lawsuit for $4M
(IAPP, June 2022)
Judge approves $6M settlement against plasma clinic for BIPA violation
(IAPP, June 2022)
Meta faces large fine from DPC over children’s privacy violations on Instagram
(IAPP, May 2022)
Belgian DPA fines press group 50,000 euros over cookie violations
(IAPP, May 2022)
FTC fines Twitter $150M for deceptive data collection
(IAPP, May 2022)
ICO lowers Clearview AI fine to 7.55M GBP
(IAPP, May 2022)
Italy’s DPA fines Uber 4.2M euros for data processing violations
(IAPP, May 2022)
Medical supply company reaches $9.76M settlement over 2019 data breach
(IAPP, May 2022)
AEPD hands Google 10M euro GDPR fine
(IAPP, May 2022)
Dutch DPA fines Ministry of Foreign Affairs 565K euros for GDPR violations
(IAPP, May 2022)
Judge approves $85M settlement in class-action lawsuit against Zoom
(IAPP, April 2022)
Dutch DPA issues its highest fine
(IAPP, April 2022)
Danish DPA fines bank DKK 10M for GDPR violations and other enforcement actions
(IAPP, April 2022)
UK ICO fines consulting company for sending thousands of spam texts
(IAPP, March 2022)
Swedish DPA fines bank for EU GDPR violations
(IAPP, March 2022)
ICO announces 405K GBP in telemarketing fines
(IAPP, March 2022)
Irish DPC fines Meta 17M euros over 2018 data breaches
(IAPP, March 2022)
Italian DPA fines Clearview AI 20M euros
(IAPP, March 2022)
Dutch DPA imposes 525,000 euro penalty
(IAPP, February 2022)
Meta to pay $90M over Facebook user-tracking claims
(IAPP, February 2022)
Kronos agrees to $15M settlement for violating Illinois’ BIPA
(IAPP, February 2022)
Illinois McDonald’s restaurants to pay $50M settlement over lack of biometric disclosures
(IAPP, February 2022)
Belgian DPA fines IAB Europe 250K euros over consent framework GDPR violations
(IAPP, February 2022)
French Council of State validates CNIL fines against Google for cookie violations
(IAPP, January 2022)
Garante issues 26.5M euro GDPR fine
(IAPP, January 2022)
Fines for GDPR violations rise to $1.25 billion, research finds
(IAPP, January 2022)
Portugal’s NDPC fines municipality 1.25M euros
(IAPP, January 2022)
Accellion reaches $8.1 million agreement in data breach class-action lawsuit
(IAPP, January 2022)
Lead generation company to pay $1.5M over sale, use of consumer data
(IAPP, January 2022)
US appeals court upholds Google’s $13 million settlement with privacy groups
(IAPP, January 2022)
CNIL proposes ePrivacy fines totaling 210M euros
(IAPP, January 2022)
CNIL fines mobile telephone operator, finance company over alleged GDPR violations
(IAPP, January 2022)
Details emerge on appeal of WhatsApp’s 225M euro GDPR fine
(IAPP, January 2022)
Investment management company reaches $125M settlement over SEC charges
(IAPP, January 2022)
Luxembourg administrative court suspends 746M euro GDPR fine
(IAPP, December 2021)
FTC, DOJ fine background report provider $21M for deceiving consumers
(IAPP, December 2021)
Financial firm reaches $201M settlement in 2019 data breach lawsuit
(IAPP, December 2021)
Ad platform, FTC reach $2M settlement over COPPA allegations
(IAPP, December 2021)
Dutch DPA fines tax authority 2.75M euros
(IAPP, December 2021)
ICO hits Clearview AI with 17M GBP fine notice
(IAPP, November 2021)
Italy’s antitrust regulator fines Google, Apple 10M euros
(IAPP, November 2021)