All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
You may have heard the acronym GDPR, but do you know what it means for consumers and how it affects companies?
The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018 to help protect the personal data of people in the EU. The regulations give consumers more control over their personal information when dealing with companies online. These regulations apply to businesses of all sizes — even those based in the U.S. — that gather any kind of personal data related to EU citizens.
These fines make it clear that following all GDPR rules and regulations is critical — even for U.S. companies serving customers in the EU. Read on to find out more about what’s required for GDPR compliance.
While the GDPR regulates personally identifiable information in the EU, it also applies to companies that collect personal data from citizens of the EU. So if you’re a U.S.-based e-commerce company that sells to European citizens, you need to know the rules of GDPR and ensure you’re protecting the information of your customers.
The data protected by the GDPR may be provided by the consumer, or it may be personal data from computer cookies.
So what information do companies need to protect? The GDPR defines personal data as any information related to a natural person (data subject) that can directly or indirectly identify that person. This includes names, addresses, payment information, medical history, and more.
While the EU specifically protects its citizens, protecting this type of information for other customers can help businesses anywhere in the world.
The GDPR is based on seven principles to protect the personal data of consumers. Those seven principles include:
The 27 countries that are part of the European Union include: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
Note that GDPR still applies to UK citizens through the UK GDPR.
So how do you avoid GDPR fines? The GDPR outlines several critical things every company must do to ensure they’re compliant. For the most part, companies should have a written document that outlines their approach to the GDPR and compliance. According to the GDPR, “If you think you are compliant with the GDPR but can’t show how, then you’re not GDPR compliant.”[1]
The GDPR infractions that have had the most amount of fines include:
Companies can learn from these statistics to understand the infractions that have had the highest enforcement and make sure the company is in compliance. There are six main things companies should do to help avoid a GDPR violation.
An important first step in GDPR compliance includes your website privacy policy. The GDPR requires that a company’s privacy policy is:
According to the GDPR, a privacy policy should include the following if a company is getting information directly from consumers:
A Data Protection Officer (DPO) is appointed by the company to ensure that the company follows the rules and regulations related to how the company processes the personal data of its employees, customers, service providers, or other data subjects.
If you need to create a policy, you can use a privacy policy template (PDF download) to get started. Another solution to stay up to date with compliance is Termly. Termly is a compliance solution that comes with a consent management platform, terms and conditions generator, privacy policy generator, and more features for your business to stay compliant and save on legal fees. It offers a free plan that's ideal for home-based businesses or small businesses on a tight budget, with coverage for one site, one user, and one legal policy, as well as several higher tiers with more extensive features.
All-in-one compliance solution
Free plan available
Your privacy policy isn’t a “set it and forget it” type of document. Companies should evaluate their privacy policy anytime data practices or privacy policies change. There’s no specific time that you need to update your privacy policy, so it may be helpful to set a calendar reminder every six months to evaluate and make any necessary changes.
An important aspect of GDPR includes the express consent of consumers. This means that companies must get permission to store a person’s information. As part of this, customers should also be able to remove consent easily as well.
Article 4 of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
There are a few specifications to gaining consent, including:
It’s important that users can change their express consent at a later date.
When collecting personal data from consumers, you should only collect data that applies to the task. Requiring additional information that’s not required to complete the task is a violation of the GDPR.
For example, if you’re an e-commerce store, you should only ask for the information necessary to process payment and ship the goods. Information such as Social Security numbers or other information outside of payment and order processing isn’t necessary.
Let’s say you’re signing users up for a newsletter. In this case, you should only require an email address and possibly their name. It’s not necessary to ask for their birth date, mailing address, etc.
Now that you’ve received consent to a consumer’s personal information, you should take steps — and document those steps — to protect the data.
The GDPR requires that companies use “appropriate technical and organizational measures” to protect their customer’s data.[3] These might include two-factor authentication for employees to access any customer data. Companies should also have other security measures to protect data, such as antivirus software and end-to-end encryption.
Companies should also regularly conduct security training to ensure all employees understand data privacy policies.
The final piece of the regulations set by the GDPR requires a company to notify a Data Protection Authority (DPA) or Data Protection Commission (DPC) within 72 hours of noticing a data breach. Each country in the European Union has its own DPA, an independent entity that investigates GDPR violations. A full list of each country’s DPA is available here.
Once the DPA is notified, the company should investigate the breach, understand its extent, and notify any customers whose data may have been jeopardized.
The GDPR also stipulates that the company should inform the data subject about the breach without delay. This means that the company needs to communicate with any customer whose data was breached and notify them of it immediately.
To report a data breach that affects UK citizens, you'll need to contact the UK's Information Commissioner's Office (ICO).
In Article 83 of the GDPR, the EU outlines the infractions and administrative fines that are a part of the GDPR. The regulations outline a set of criteria to understand the violation. These criteria also help determine in which tier the company’s infraction will be placed. The 10 criteria, according to the GDPR, include:
Each country has its own independent Data Collection Authorities who use the criteria to determine the fine associated with an infraction. The GDPR splits the infractions into two tiers, each with its own fine limitations.
The first tier carries a fine of up to 10 million euros ($10.5 million), or 2% of the company’s revenue from the prior year, whichever is greater. Tier 1 violations may include infractions that fall into the following Articles of the GDPR:
Tier 2 violations are more serious and carry increased fines up to 20 million euros ($21 million), or 4% of revenue from the previous year, whichever is greater. These violations may involve articles of the GDPR such as:
Tier 2 violations may also be levied because of the following:
Ignoring a GDPR fine or not complying with an investigation can result in an even greater financial penalty. Companies that ignore a fine and remain uncompliant with the GDPR could face Tier 2 fines because of it.
In 2021, there were more than 8,700 fines for GDPR violations. Those infractions added up to more than 9 billion euros ($9.5 billion) in fines. Ironically, 2021 also saw some of the biggest GDPR fines to date. In fact, the top 5 infractions all occurred in 2021. It's no surprise that Big Tech Amazon, Meta, and Google are the biggest violators.
| Company | Country | Year | GDPR fine | Reason |
| Amazon | Luxembourg | 2021 | €746 million ($823.9 million) | Improper tracking of user data for targeted advertising |
| Ireland | 2021 | €225 million ($248.5 million) | Violating data handling processes | |
| United States | 2021 | €90 million ($99 million) | YouTube’s lack of cookie compliance | |
| Google Ireland | Ireland | 2021 | €60 million ($66 million) | Lack of cookie compliance with the ePrivacy Directive |
| Facebook Ireland | Ireland | 2021 | €60 million ($66 million) | Violated rules on cookie usage |
Each country uses an independent Data Protection Authority to manage GDPR violations and administer any fines. Data Protection Authorities are part of the European Data Protection Board, which oversees GDPR enforcement throughout the EU.
There are two tiers of GDPR fines based on the severity of the infraction. The lower tier can carry fines up to €10 million or 2% of revenue from the previous year, whichever is greater. For higher infractions, fines can be up to €20 million or 4% of revenue from the prior year.
Personal data breaches happen in many different ways. In some cases, it may be that a company’s data was hacked, and personal information like credit card numbers or Social Security numbers were compromised. Big names like Marriott, 23andMe, T-Mobile, AT&T, Yahoo, National Public Data, Facebook, Ticketmaster, and plenty more have made the news due to big data breaches in recent years.
Personal data breaches may also be more limited. An employee's briefcase may be lost or stolen and contain sensitive documents that include personal customer information. Another example may be an employee who clicked on a harmful email that installed malware on company devices that infiltrated a database and could have accessed sensitive data (e.g., LastPass data breaches of 2022).
The GDPR is the strictest data privacy regulation out there, and while it’s focused on the EU, it still plays an integral role for companies around the world.
The GDPR, and the fines that go along with it, are applicable to any company that does business in the EU. So if you sell goods or services in the EU, you should also comply with GDPR standards.
While the fines may seem daunting, the GDPR outlines the necessary protections to be compliant, including:
Even if you don’t do business in the EU currently, following these data privacy practices will help give your customers peace of mind. For other privacy solutions for your business, here's our list of the best VPNs for small businesses.
Unlimited simultaneous connections for all your devices (Rare perk)
Block YouTube ads and malware when connected
3,200+ servers worldwide that are fast and reliable
/images/2023/01/27/norton-antivirus-review.png)
/images/2023/10/11/best-data-removal-service.png)
/images/2023/07/07/termly-review.png)
/images/2023/03/08/gavel-digital-code-privacy-laws.jpg)
/images/2023/02/08/what_are_dark_patterns.jpg)
/images/2023/02/01/what_is_the_right_to_be_forgotten.jpg)
/images/2023/01/06/virginia-privacy-law.jpeg)
/images/2022/07/08/how-to-avoid-gdpr-fines.jpg)
/authors/andrew-adams-allaboutcookies-author.jpg){kind=small}
/authors/catherine-mcnally-allaboutcookies-editor.jpg){kind=small}
/images/2023/07/07/logo-termly.png){kind=logo}
/images/2022/09/02/logo-surfshark-vpn.png){kind=logo}
/authors/andrew-adams-allaboutcookies-author.jpg)