Enforcement

On this topic page you can find the IAPP’s collection of coverage, analysis and resources related to privacy enforcement. The IAPP Resource Center also includes the “Global Privacy and Data Protection Enforcement Database,” which is a collection of enforcement actions from all over the world.

Featured Resources

Lessons from First CCPA Settlement

In this web conference, panelists discuss the Sephora enforcement case, what the new requirements are and how they apply to businesses, and what the post-cookie consent and preference approach looks like.

NY AG on enforcement

New York attorney general Letitia James spoke with The Privacy Advisor about the recent Dobbs ruling by the U.S. Supreme Court and her work to date on enforcing privacy laws.

Google Analytics enforcement fallout

Three EU privacy authorities determined Google Analytics unlawfully transfers data to the United States, leaving companies with little to no alternatives. This article explores the details of the recent decisions and their impact on companies using the common internet data analysis tool.


Latest News and Resources

Greek DPA imposes 20M euro fine on Clearview AI for unlawful processing of personal data

On July 13, Greece’s data protection authority, the Hellenic Data Protection Authority, imposed a fine of 20 million euros on U.S.-based company Clearview AI for violating multiple provisions of the EU General Data Protection Regulation. This number doubled from the previous largest fine issued by the HDPA, which was 9.25 million euros against the largest telecommunications conglomerate in Greece. The decision of the HDPA was issued following a complaint filed by civil nonprofit organization Ho...

EDPB to focus coordinated enforcement on DPO appointments

The European Data Protection Board announced its next coordinated enforcement action will focus on the data protection officer designations. The 22 supervisory authorities across the European Economic Area, along with the European Data Protection Supervisor, will launch investigations into yet-to-be-determined aspects of DPO requirements under the EU General Data Protection Regulation. The EDPB said the individual actions will be "bundled and analysed, generating deeper insight into the topic an...

CCPA enforcement action: A case study at the intersection of privacy and marketing

Beauty retailer Sephora was fined $1.2 million by California Attorney General Rob Bonta in the first-ever California Consumer Privacy Act enforcement action. At the heart of the matter is Sephora allegedly misrepresenting its actions to California consumers (saying that it did not sell consumer personal information despite the fact it engaged in targeted advertising, thereby “selling” data to third-party companies) and failing to provide for or recognize global opt-outs “including … the Glob...

California attorney general announces first CCPA enforcement action

There's been plenty of bark with California Consumer Privacy Act enforcement since the law entered into force January 2020 and now the bite has arrived. California Attorney General Rob Bonta announced the first enforcement action under the CCPA, a $1.2 million settlement with multinational retailer Sephora over violations of the law's "Do Not Sell" provisions. According to the attorney general's office, Sephora's violation specifically concerned the failures to inform individuals about the sale...

LinkedIn Live: 'Data Transfer Enforcement, Risk and Compliance: What You Need to Know Now'

Published: February 2022 In this LinkedIn Live event, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, Future of Privacy Forum Vice President Gabriela Zanfir-Fortuna, Bird & Bird Partner Ruth Boardman and American University Senior Project Director Alex Joel, CIPP/G, provide an in-depth discussion on what organizations should know about recent enforcement actions, ongoing investigations and current compliance options as we await a diplomatic solution. To view this...

PDPC: Guide on Active Enforcement
(PDPC, October 2022)
European Commission files report on Law Enforcement Directive
(IAPP, July 2022)
State attorneys general secure $8M data breach settlement
(IAPP, July 2022)
Sanctions under EU GDPR and recent data regulations: A case of double jeopardy?
(IAPP, July 2022)
Roe v. Wade’s overturn: The impact on data protection and law enforcement
(IAPP, July 2022)
10 years after: The EU’s ‘crunch time’ on GDPR enforcement
(IAPP, June 2022)
Authorities collaborate on EU GDPR investigation
(IAPP, June 2022)
A look behind the EDPB’s move to enhance enforcement cooperation
(IAPP, May 2022)
Colorado attorney general details his CPA enforcement priorities at IAPP GPS22
(IAPP, April 2022)
Hidden privacy lessons in the FTC’s CafePress security enforcement
(IAPP, March 2022)
Top 5 operational impacts of China’s PIPL — Part 4: Penalties and enforcement mechanisms
(IAPP, March 2022)
Greek DPA issues largest fine yet
(IAPP, March 2022)
What do the Google Analytics enforcement cases mean for privacy compliance?
(IAPP, February 2022)
Dodging the one-stop shop
(IAPP, February 2022)
CNIL is latest authority to rule Google Analytics violates GDPR
(IAPP, February 2022)
Why US-based companies should care about the Norway DPA’s interpretation of GDPR consent
(IAPP, February 2022)
Fines, flossing and films — The importance of storytelling to privacy hygiene
(IAPP, February 2022)
The Austrian Google Analytics decision: The race is on
(IAPP, February 2022)
OAIC’s Facebook privacy claims can proceed
(IAPP, February 2022)
Increased fines for Australian data breaches useful but not structurally changing in nature
(IAPP, February 2022)
Greek DPA issues multi-million euro fines against largest cell provider
(IAPP, February 2022)
State attorneys general sue Google with ‘dark patterns’ claims
(IAPP, January 2022)
Upcoming year to be ‘complex’ in privacy
(IAPP, January 2022)
FTC Chair Lina Khan opens up on tech enforcement
(IAPP, January 2022)
EDPS sanctions Parliament over data transfers, cookie consent
(IAPP, January 2022)
CNIL’s ePrivacy fines reveal potential enforcement trend
(IAPP, January 2022)
A deeper look at CNIL’s cookies enforcement
(IAPP, January 2022)
Details emerge on appeal of WhatsApp’s 225M euro GDPR fine
(IAPP, January 2022)
EDPS discusses current, future state of GDPR enforcement
(IAPP, January 2022)
Infographic: FTC Privacy Rulemaking – The Steps to Get There
(IAPP, December 2021)
ICO opens consultation on regulatory powers
(IAPP, December 2021)
FTC considering privacy, AI rulemaking for 2022
(IAPP, December 2021)
China bans apps over PIPL, DSL violations
(IAPP, December 2021)
The way the third-party cookie crumbles: Part 1 – EU and UK developments
(IAPP, December 2021)
Status of the California Privacy Protection Agency’s work
(IAPP, December 2021)
CNIL issues guidance on use of third-party cookie alternatives
(IAPP, November 2021)
CIPL Discussion Paper: GDPR Enforcement Cooperation and the One-Stop-Shop Learning from the First Three Years
(CIPL, August 2021)
Insights into the Future of Data Protection Enforcement: Regulatory Strategies of European Data Protection Authorities for 2021-2022
(Future of Privacy Forum, June 2021)
Web Conference: The State of Privacy: State Attorney General Enforcement Updates
(IAPP, April 2021)
EDPS Infographic — EDPS Enforcement Powers
(EDPS, January 2021)
HHS: Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
(HHS, January 2021)
Bloomberg Law: Lessons Learned from Key GDPR Enforcement Cases
(Bloomberg Law, August 2020)
Infographic: CCPA Enforcement
(IAPP, May 2020)
Web Conference: CCPA — One Year from Enforcement
(IAPP, May 2019)

Fines and Penalties

CNIL fines Clearview AI 20M euros

France's data protection authority, the Commission nationale de l'informatique et des libertés, issued a 20 million euro fine to Clearview AI for alleged breaches of the EU General Data Protection Regulation. The CNIL began an investigation into a complaint regarding Clearview's facial recognition database and data processing practices in May 2021. The regulator handed down a formal notice to remedy alleged violations in November 2021 that Clearview did not reply to. With the fine, the CNIL also...

Greek DPA imposes 20M euro fine on Clearview AI for unlawful processing of personal data

On July 13, Greece’s data protection authority, the Hellenic Data Protection Authority, imposed a fine of 20 million euros on U.S.-based company Clearview AI for violating multiple provisions of the EU General Data Protection Regulation. This number doubled from the previous largest fine issued by the HDPA, which was 9.25 million euros against the largest telecommunications conglomerate in Greece. The decision of the HDPA was issued following a complaint filed by civil nonprofit organization Ho...

Online retailer agrees to pay $1.9M in penalties following data breach

Zoetop, owner of online fashion retailers SHEIN and ROMWE, will pay $1.9 million in penalties to the state of New York following a 2018 data breach that impacted more than 800,000 New Yorkers, state Attorney General Letitia James announced. Under the agreement, Zoetop will also strengthen cybersecurity measures, including hashing customer passwords and implementing network monitoring and incident response policies with timely investigations, consumer notice and password resets. James said the ag...

Dutch court fines Florida-based company 75K euros for webcam monitoring

A Dutch court ordered a Florida-based software development company to pay 75,000 euros to a former employee who refused to leave their webcam on, NL Times reports. The Netherlands resident who worked for Chetu's Rijswijk branch said the company’s screen-sharing and webcam workday requirements were “an invasion” of privacy and violated data privacy regulations. “Instruction to leave the camera on is contrary to the employee’s right to respect for his private life,” the court said.

ICO fines catalog retailer for misusing customers' personal information

The U.K. Information Commissioner’s Office fined catalog retailer Easylife 1.48 million GBP for using personal information of nearly 150,000 customers to target them with advertisements. Easylife, which sells household goods, was fined 1.35 million GBP for predicting customers’ medical conditions using their data without consent and targeting them with “health-related products." The company also received an additional fine of 130,000 GBP for making more than 1.3 million “predatory direct marketi...

Arizona attorney general reaches $85M location privacy settlement
(IAPP, October 2022)
Google to pay settlement to Illinois residents for BIPA violations
(IAPP, September 2022)
Financial institutions to pay $1.8B fine for use of unauthorized messaging services
(IAPP, September 2022)
Berlin DPA imposes 525K euro fine over DPO violation
(IAPP, September 2022)
SEC fines Morgan Stanley $35M over alleged data protection, deletion issues
(IAPP, September 2022)
South Korea’s PIPC issues KRW 100B in Big Tech fines
(IAPP, September 2022)
CNIL issues 250K euro fine over data security, retention violations
(IAPP, September 2022)
Irish DPC issues 405M euro children’s privacy fine against Instagram
(IAPP, September 2022)
OCR issues $300,640 fine over HIPAA Privacy Rule violations
(IAPP, August 2022)
Brazil’s Senacon fines Facebook 6.6M reals over Cambridge Analytica
(IAPP, August 2022)
Google to pay AU$60M fine to Australian Competition and Consumer Commission
(IAPP, August 2022)
US cafeteria technology services company settles class-action lawsuit
(IAPP, August 2022)
Lower Saxony data protection commissioner fines bank 900K euros
(IAPP, August 2022)
CFPB fines bank $37.5M for personal data exploitation
(IAPP, July 2022)
Federal judge approves $92M TikTok class-action settlement
(IAPP, July 2022)
Russian court fines companies 22M rubles over data localization claims
(IAPP, July 2022)
Fintech app settles class-action lawsuit for $58M
(IAPP, July 2022)
Danish DPA fines law firm 500K kroner over data security issues
(IAPP, July 2022)
OCR issues HIPAA fines totaling $646K
(IAPP, July 2022)
Greek DPA fines Clearview AI 20M euros, bans data collection, processing
(IAPP, July 2022)
Robinhood settles class-action lawsuit related to data breach
(IAPP, July 2022)
Norway DPA issues fines to consumer goods chain, Parliament
(IAPP, June 2022)
French Council of State upholds Amazon’s 35M euro cookie fine
(IAPP, June 2022)
Carnival Cruise Line pays $1.25M settlement in 46-state breach lawsuit
(IAPP, June 2022)
Russian court fines Google 15M rubles for failing to localize Russian citizens’ data
(IAPP, June 2022)
Insurance company settles biometric class-action lawsuit for $4M
(IAPP, June 2022)
Judge approves $6M settlement against plasma clinic for BIPA violation
(IAPP, June 2022)
Meta faces large fine from DPC over children’s privacy violations on Instagram
(IAPP, May 2022)
Belgian DPA fines press group 50,000 euros over cookie violations
(IAPP, May 2022)
FTC fines Twitter $150M for deceptive data collection
(IAPP, May 2022)
ICO lowers Clearview AI fine to 7.55M GBP
(IAPP, May 2022)
Italy’s DPA fines Uber 4.2M euros for data processing violations
(IAPP, May 2022)
Medical supply company reaches $9.76M settlement over 2019 data breach
(IAPP, May 2022)
AEPD hands Google 10M euro GDPR fine
(IAPP, May 2022)
Dutch DPA fines Ministry of Foreign Affairs 565K euros for GDPR violations
(IAPP, May 2022)
Judge approves $85M settlement in class-action lawsuit against Zoom
(IAPP, April 2022)
Dutch DPA issues its highest fine
(IAPP, April 2022)
Danish DPA fines bank DKK 10M for GDPR violations and other enforcement actions
(IAPP, April 2022)
UK ICO fines consulting company for sending thousands of spam texts
(IAPP, March 2022)
Swedish DPA fines bank for EU GDPR violations
(IAPP, March 2022)
ICO announces 405K GBP in telemarketing fines
(IAPP, March 2022)
Irish DPC fines Meta 17M euros over 2018 data breaches
(IAPP, March 2022)
Italian DPA fines Clearview AI 20M euros
(IAPP, March 2022)
Dutch DPA imposes 525,000 euro penalty
(IAPP, February 2022)
Meta to pay $90M over Facebook user-tracking claims
(IAPP, February 2022)
Kronos agrees to $15M settlement for violating Illinois’ BIPA
(IAPP, February 2022)
Illinois McDonald’s restaurants to pay $50M settlement over lack of biometric disclosures
(IAPP, February 2022)
Belgian DPA fines IAB Europe 250K euros over consent framework GDPR violations
(IAPP, February 2022)
French Council of State validates CNIL fines against Google for cookie violations
(IAPP, January 2022)
Garante issues 26.5M euro GDPR fine
(IAPP, January 2022)
Fines for GDPR violations rise to $1.25 billion, research finds
(IAPP, January 2022)
Portugal’s NDPC fines municipality 1.25M euros
(IAPP, January 2022)
Accellion reaches $8.1 million agreement in data breach class-action lawsuit
(IAPP, January 2022)
Lead generation company to pay $1.5M over sale, use of consumer data
(IAPP, January 2022)
US appeals court upholds Google’s $13 million settlement with privacy groups
(IAPP, January 2022)
CNIL proposes ePrivacy fines totaling 210M euros
(IAPP, January 2022)
CNIL fines mobile telephone operator, finance company over alleged GDPR violations
(IAPP, January 2022)
Details emerge on appeal of WhatsApp’s 225M euro GDPR fine
(IAPP, January 2022)
Investment management company reaches $125M settlement over SEC charges
(IAPP, January 2022)
Luxembourg administrative court suspends 746M euro GDPR fine
(IAPP, December 2021)
FTC, DOJ fine background report provider $21M for deceiving consumers
(IAPP, December 2021)
Financial firm reaches $201M settlement in 2019 data breach lawsuit
(IAPP, December 2021)
Ad platform, FTC reach $2M settlement over COPPA allegations
(IAPP, December 2021)
Dutch DPA fines tax authority 2.75M euros
(IAPP, December 2021)
ICO hits Clearview AI with 17M GBP fine notice
(IAPP, November 2021)
Italy’s antitrust regulator fines Google, Apple 10M euros
(IAPP, November 2021)