The Biggest GDPR Fines of 2025-2026: Lessons for Every Website Owner

LegalBanner

GDPR Enforcement Is Accelerating

When GDPR took effect in May 2018, many businesses treated it as a theoretical risk. Seven years later, the numbers tell a different story. Data protection authorities across Europe have issued over €4 billion in fines, with enforcement actions increasing year over year.

2025 and 2026 have seen some of the largest and most instructive fines yet. Here are the key cases and what every website owner can learn from them.

Meta — €1.2 Billion (May 2023, Still Under Appeal)

The Irish DPC fined Meta €1.2 billion for transferring EU user data to the US without adequate safeguards. While this is primarily about data transfers, the precedent matters: any website using US-based services (Google Analytics, Facebook Pixel, AWS) must ensure proper data transfer mechanisms are in place.

Lesson: Know where your data flows. If third-party scripts on your site send data to US servers, you need Standard Contractual Clauses or an adequacy decision in place.

Amazon — €746 Million (2021)

Luxembourg's CNPD fined Amazon for processing personal data for targeted advertising without valid consent. The fine was specifically about how Amazon collected and used behavioural data for ad targeting.

Lesson: Consent for marketing and advertising must be explicit, informed, and granular. Bundled consent is not valid.

TikTok — €345 Million (2023)

The Irish DPC fined TikTok for violating children's data protection rules, including making children's accounts public by default and using dark patterns in consent flows.

Lesson: Dark patterns in consent UIs are actively being penalised. If your cookie banner makes "Accept" prominent while hiding "Reject," you're using a dark pattern.

Criteo — €40 Million (2023)

The French CNIL fined ad-tech company Criteo for collecting and processing personal data through tracking cookies without valid consent. This is directly relevant to any website running Criteo's tracking pixel.

Lesson: You are responsible for the scripts running on your website. If an ad-tech partner collects data without proper consent, you share liability.

Small and Medium Business Fines

It's not just tech giants getting fined. Recent enforcement against smaller businesses includes:

  • A German e-commerce shop fined €25,000 for setting Google Analytics cookies without consent
  • A Spanish real estate website fined €30,000 for a cookie banner with no reject option
  • An Italian marketing agency fined €50,000 for using pre-ticked consent checkboxes
  • A French local newspaper fined €10,000 for a non-functional cookie banner (scripts fired regardless of consent choice)

Regulators are increasingly targeting everyday websites, not just headline-grabbing tech companies.

What This Means for You

The pattern is clear:

  1. Fines are getting larger and more frequent
  2. Small businesses are not exempt
  3. Cookie consent violations are a top enforcement priority
  4. Dark patterns and fake consent are being actively targeted
  5. "I didn't know" is never accepted as a defence

The cost of compliance (a few minutes to set up LegalBanner) is trivial compared to even the smallest fine. Don't wait for a complaint to find out your banner doesn't work.
