You may have heard the acronym GDPR, but do you know what it means for consumers and how it affects companies?
The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018 to protect the personal data of people in the EU. It gives individuals more control over how organizations collect and use their personal information. The rules apply to businesses of any size, including those based in the U.S., that offer goods or services to people in the EU or monitor their behavior, regardless of those people’s citizenship (Article 3).
Fines for non-compliance run up to €20 million or 4% of worldwide annual turnover, whichever is higher, so following the GDPR is critical even for U.S. companies serving customers in the EU. Read on to find out more about what’s required for GDPR compliance.
Does GDPR apply to me?
The GDPR protects the personal data of people in the EU, and it applies to any organization, wherever it is based, that processes that data. So if you’re a U.S.-based e-commerce company that sells to customers in Europe, you need to know the rules of the GDPR and ensure you’re protecting your customers’ information.
The data the GDPR protects may be provided by the consumer directly, or it may be collected in the background, for example through cookies and other online identifiers.
So what information do companies need to protect? The GDPR defines personal data as any information relating to an identified or identifiable natural person (the data subject), whether the identification is direct or indirect. This includes names, addresses, payment information, and medical history, and also online identifiers such as IP addresses and cookie IDs.
While the GDPR specifically protects people in the EU, applying the same safeguards to all customers is good practice for businesses anywhere in the world.
The GDPR is based on seven principles to protect the personal data of consumers. Those seven principles include:
- Lawfulness, fairness, and transparency: Data must be processed lawfully and fairly, and consumers should be able to understand what data a company collects, how it is used, and for what purpose.
- Purpose limitation: Data should only be collected and used for specific purposes.
- Data minimization: Companies should only collect the data necessary based on the purpose of the interaction.
- Accuracy: Data should be accurate and up to date.
- Storage limitation: Personal data should only be kept for as long as it is needed.
- Integrity and confidentiality: Companies must secure the data they hold against unauthorized access, alteration, loss, or destruction.
- Accountability: You’re responsible for the data of your customers and should be able to prove your GDPR compliance.
The 27 countries that are part of the European Union include: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. The GDPR also applies in the three non-EU members of the European Economic Area: Iceland, Liechtenstein, and Norway.
Note that the United Kingdom kept the GDPR in domestic law after leaving the EU as the UK GDPR, so data about people in the UK is covered by a near-identical set of rules enforced by the UK Information Commissioner’s Office (ICO).
How to avoid GDPR fines
So how do you avoid GDPR fines? The GDPR outlines several critical things every company must do to ensure it is compliant. Under the accountability principle you must be able to demonstrate compliance, so keep written documentation of your approach: a record of processing activities (Article 30), the lawful basis for each purpose, and the security measures you apply. As one widely quoted summary puts it, “If you think you are compliant with the GDPR but can’t show how, then you’re not GDPR compliant.”[1]
The GDPR infractions that have accounted for the largest share of fines include:
- Non-compliance with general data processing principles.
- Insufficient legal basis for data processing.
- Insufficient fulfillment of information obligations.
Companies can learn from these statistics to understand the infractions that have had the highest enforcement and make sure the company is in compliance. The most common GDPR compliance mistakes U.S. companies make when collecting or handling EU customer data stem from lack of awareness.
Ankit Gupta, a senior cybersecurity leader, explains:
"The biggest mistake is assuming GDPR doesn’t apply. Many U.S. companies think that just because they don’t have a physical office in the EU, they’re off the hook — but if they collect data from EU residents, they’re subject to GDPR. Another standard error is using pre-checked boxes or vague consent language, which fails the GDPR’s 'freely given, specific, informed, and unambiguous' consent standard. Ultimately, many organizations underestimate the importance of accurate data mapping. Without a clear understanding of where personal data flows, you can’t comply with core GDPR principles, such as data minimization and purpose limitation."
For small businesses with limited resources, building an effective GDPR compliance strategy is crucial. Gupta details how small businesses can approach their GDPR compliance strategy:
"Start with risk-based prioritization. You don’t need an army of consultants to get the basics right. Begin with a data inventory, know what personal data you collect, where it’s stored, who has access, and why it’s being collected. From there, implement simple policies around data access, consent collection, and breach notification. Use templates from reputable sources (like the EDPB or UK ICO) for privacy notices and DPIAs. And most importantly, train your staff. Many breaches stem from human error, not technology failures."
Businesses can follow these six key steps to help prevent a GDPR violation.
1. Create a GDPR-compliant privacy policy
An important first step in GDPR compliance includes your website privacy policy. The GDPR requires that a company’s privacy policy be:
- “In a concise, transparent, intelligible, and easily accessible form
- Written in clear and plain language, particularly for any information addressed specifically to a child
- Delivered in a timely manner
- Provided free of charge”[2]
According to the GDPR, a privacy policy should include the following if a company is getting information directly from consumers:
- “The identity and contact details of the organization, its representative, and its Data Protection Officer
- The purpose for the organization to process an individual’s personal data and its legal basis
- The legitimate interests of the organization (or third party, where applicable)
- Any recipient or categories of recipients of an individual’s data
- The details regarding any transfer of personal data to a third country and the safeguards taken
- The retention period or criteria used to determine the retention period of the data
- The existence of each data subject’s rights
- The right to withdraw consent at any time (where relevant)
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
- The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences”
Do U.S. companies need a Data Protection Officer?
A Data Protection Officer (DPO) is appointed by the company to ensure that it complies with the rules and regulations governing the processing of personal data of its employees, customers, service providers, or other data subjects.
Gupta explains the role of DPOs in a U.S. company subject to GDPR:
"A DPO acts as an independent advisor within the company, monitoring GDPR compliance, conducting audits, providing staff training, and serving as the primary point of contact for EU regulators. A U.S. company must appoint a DPO if it engages in large-scale systematic monitoring of individuals (like behavioral tracking) or processes special categories of data (like health or biometric data) on a large scale. That said, even if not legally required, appointing a DPO, or at least a privacy lead, signals a serious commitment to compliance and can help build customer trust."
2. Update your privacy policy
Your privacy policy isn’t a “set it and forget it” document. Re-evaluate it whenever your data practices change: a new analytics vendor, a new purpose for data you already hold, or a new transfer outside the EU all require an update. The GDPR sets no fixed review interval, so it may help to set a calendar reminder every six months to check the policy and publish any necessary changes.
3. Get express consent
Consent is one of the six lawful bases for processing under Article 6 (the others include performance of a contract and legitimate interests), and it is the basis most consumer-facing sites rely on for marketing and non-essential cookies. Where you rely on consent, you must obtain it before you process the data, and customers must be able to withdraw it as easily as they gave it.
Article 4 of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
There are a few specifications for gaining consent, including:
- The user must perform the action of giving consent. You cannot have a pre-checked box permitting the use of personal data. The user must check the box.
- Asking for consent must be its own question. It cannot be a part of other terms and conditions.
- Consent must be specific, and it’s important that users can change their express consent at a later date.
How can U.S. companies ensure their consent mechanisms adhere to the GDPR?
U.S. businesses with EU customers must ensure that their consent tools, such as cookie banners and email opt-ins, comply with the GDPR’s stringent standards. Gupta makes it clear: "Consent under GDPR must be active, granular, and revocable."
So for U.S. companies, Gupta advises:
- "No pre-ticked boxes.
- Cookie banners must allow users to select categories (e.g., strictly necessary vs. marketing) and decline non-essential cookies without undue friction.
- Email opt-ins must clearly state what the user is signing up for and provide an option to opt out at any time.
Ensure that your consent logs are stored for audit purposes, and always provide a simple way to withdraw consent, such as an unsubscribe link or a cookie preference manager."
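The following is an added example, not code from the original article or from the expert quoted above. It is a minimal, DOM-free consent manager that encodes the properties just described: every non-essential category starts denied (no pre-ticked boxes), choices are granular per category, withdrawal is a single call that needs no more effort than granting, and every decision is appended to an audit log with a timestamp, the source of the decision, and the version of the privacy notice the user saw. Consent given under an older notice is not silently reused. The category names, the policy version string, and the event fields are assumptions for the example.

```javascript
// Added example: GDPR-style consent record keeping. Category names, policy
// version format and event shape are assumptions, not from any real product.

// Strictly necessary cookies need no consent; everything else starts denied.
const CONSENT_CATEGORIES = ["strictly_necessary", "analytics", "marketing"];

class ConsentManager {
  constructor({ policyVersion, now = () => new Date() }) {
    this.policyVersion = policyVersion; // which privacy notice the user saw
    this.now = now;                      // injectable clock, useful in tests
    this.log = [];                       // append-only audit trail
  }

  // Default state shown in the banner: nothing pre-ticked.
  defaultState() {
    const state = {};
    for (const c of CONSENT_CATEGORIES) state[c] = c === "strictly_necessary";
    return state;
  }

  // Record an affirmative choice. `ticked` lists ONLY the categories the user
  // selected; anything omitted stays denied. Unknown categories are rejected.
  grant(userId, ticked, source) {
    const unknown = ticked.filter((c) => !CONSENT_CATEGORIES.includes(c));
    if (unknown.length > 0) throw new Error(`unknown categories: ${unknown.join(", ")}`);
    const state = this.defaultState();
    for (const c of ticked) state[c] = true;
    return this.append(userId, "grant", state, source);
  }

  // Withdrawal takes one call and no arguments beyond who and where from.
  withdraw(userId, source) {
    return this.append(userId, "withdraw", this.defaultState(), source);
  }

  // Effective consent is the latest event for this user under the CURRENT
  // policy version; after a policy change the user must be asked again.
  effective(userId) {
    for (let i = this.log.length - 1; i >= 0; i--) {
      const e = this.log[i];
      if (e.userId === userId && e.policyVersion === this.policyVersion) return { ...e.state };
    }
    return this.defaultState();
  }

  // Gate for anything that sets a cookie or loads a third-party tag.
  isAllowed(userId, category) {
    return this.effective(userId)[category] === true;
  }

  append(userId, action, state, source) {
    const event = {
      seq: this.log.length + 1,
      userId,
      action,                       // "grant" or "withdraw"
      state: { ...state },          // full per-category snapshot
      policyVersion: this.policyVersion,
      source,                       // e.g. "cookie_banner_v3", "preferences_page"
      recordedAt: this.now().toISOString(),
    };
    this.log.push(event);
    return event;
  }
}

// Constructed walkthrough: the user ticks analytics only, then withdraws later.
function demo() {
  const cm = new ConsentManager({ policyVersion: "2024-01" });
  const before = cm.isAllowed("u1", "marketing");          // false: nothing pre-ticked
  cm.grant("u1", ["analytics"], "cookie_banner_v3");
  const afterGrant = {
    analytics: cm.isAllowed("u1", "analytics"),            // true
    marketing: cm.isAllowed("u1", "marketing"),            // false: not ticked
  };
  cm.withdraw("u1", "preferences_page");
  const afterWithdraw = cm.isAllowed("u1", "analytics");   // false
  return { before, afterGrant, afterWithdraw, events: cm.log.length };
}
```

In a real deployment the log entries would be persisted server-side keyed by a user or session identifier so they can be produced to a supervisory authority, and the `isAllowed` check would wrap the tag manager or cookie-setting code rather than being called directly.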
4. Limit the personal data you collect
When collecting personal data from consumers, you should only collect data that is relevant to the task. Requiring additional information that’s not required to complete the task is a violation of the GDPR.
For example, if you’re an e-commerce store, you should only ask for the information necessary to process payment and ship the goods. Information such as Social Security numbers or other details unrelated to payment and order processing isn’t necessary.
Let’s say you’re signing users up for a newsletter. In this case, you should only require an email address and possibly their name. It’s not necessary to ask for their birth date, mailing address, etc.
5. Make sure personal data is protected
Now that you’ve received consent to a consumer’s personal information, you should take steps — and document those steps — to protect the data.
The GDPR requires that companies use “appropriate technical and organizational measures” to protect their customers’ data.[3] Article 32 explicitly names pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore access to data promptly after an incident, and regular testing of those measures. In practice this means multi-factor authentication and least-privilege access for any employee who can reach customer data, encryption of data at rest and in transit, endpoint protection such as antivirus software, and tested backups.
Companies should also regularly conduct security training to ensure all employees understand data privacy policies.
6. Report data breaches
The final piece of the regulations requires a company to notify the competent supervisory authority, the national Data Protection Authority (DPA; in Ireland this is the Data Protection Commission), within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (Article 33). If you cannot meet the deadline, you must explain the delay, and you may provide the information in phases. Each EU country has its own DPA, an independent body that investigates GDPR violations; the European Data Protection Board publishes a list of them.
Investigation and containment should begin as soon as the breach is detected, not after the notification is filed: the notification must describe the nature of the breach, the categories and approximate numbers of people and records affected, the likely consequences, and the measures taken or proposed, so you will need those facts inside the 72-hour window.
Where the breach is likely to result in a high risk to individuals, for example exposure of payment details or login credentials, the GDPR also requires you to inform the affected data subjects directly and without undue delay (Article 34).
What to do after discovering a data breach
There are specific steps companies can take when handling a data breach that involves EU customers. Gupta breaks down the action plan: "Time is critical. Within 72 hours, a company should:
- Investigate and contain the breach immediately.
- Determine if EU personal data was involved, and if there's a risk to individuals' rights and freedoms.
- Notify the relevant supervisory authority (usually in the EU country of your data subjects) within the 72-hour window, even if you don’t have all the details yet.
- Document everything that happened, how it was detected, mitigation steps, and your rationale for reporting or not reporting.
- If there’s a high risk to individuals (e.g., identity theft), notify the affected individuals directly without undue delay."
Types of GDPR fines
Article 83 of the GDPR sets out the administrative fines. Which of the two tiers applies depends on which provisions were infringed (Article 83(4) versus 83(5)); the criteria in Article 83(2) then determine whether a fine is imposed at all and how large it is within that tier’s maximum. The criteria, as summarized by the cited source, include:
- “Gravity and nature — The overall picture of the infringement. What happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.
- Intention — Whether the infringement was intentional or the result of negligence.
- Mitigation — Whether the firm took any actions to mitigate the damage suffered by people affected by the infringement.
- Precautionary measures — The amount of technical and organizational preparation the firm had previously implemented to be in compliance with the GDPR.
- History — Any relevant previous infringements, including infringements under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.
- Cooperation — Whether the firm cooperated with the supervisory authority to discover and remedy the infringement.
- Data category — The type of personal data the infringement affects.
- Notification — Whether the firm, or a designated third party, proactively reported the infringement to the supervisory authority.
- Certification — Whether the firm followed approved codes of conduct or was previously certified.
- Aggravating/mitigating factors — Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.”[4]
Each country’s independent Data Protection Authority applies these criteria to set the fine for an infraction. The GDPR splits infringements into two tiers, each with its own maximum.
The first tier carries a fine of up to 10 million euros ($10.5 million) or 2% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher. Tier 1 violations are infringements of the obligations in the following Articles of the GDPR:
- Controllers and processors (Articles 8, 11, 25-39, 42, and 43)
- Certification bodies (Articles 42 and 43)
- Monitoring bodies (Article 41)
Tier 2 violations are more serious and carry fines of up to 20 million euros ($21 million) or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher. These cover infringements of:
- The basic principles for processing (Articles 5, 6, and 9)
- The conditions for consent (Article 7)
- The data subjects’ rights (Articles 12-22)
- The transfer of data to an international organization or a recipient in a third country (Articles 44-49).
Tier 2 violations may also be levied because of the following:
- Any violation of member state laws adopted under Chapter IX, which gives EU states the ability to add additional data privacy restrictions. Violation of these additional restrictions may result in a Tier 2 fine.
- Non-compliance with an order by a supervisory authority: If a company ignores or fails to comply with requests from a GDPR authority, it may be subject to Tier 2 fines, regardless of the original infraction.
What happens if you ignore GDPR fines?
Failing to comply with an order from a supervisory authority, including ignoring a fine or obstructing an investigation, is itself an infringement under Article 83(6) and is punishable at the Tier 2 level (up to €20 million or 4% of worldwide annual turnover), regardless of how serious the original infraction was.
Top 5 GDPR fines in the news
Regulators issued a record number of GDPR fines in 2021, and at the time of writing the five largest individual fines all dated from that year. It is no surprise that Big Tech companies, such as Amazon, Meta, and Google, have drawn the largest penalties.
| Company | Company’s base | Year | GDPR fine | Reason |
| --- | --- | --- | --- | --- |
| Amazon | Luxembourg | 2021 | €746 million ($823.9 million) | Improper tracking of user data for targeted advertising |
| WhatsApp Ireland | Ireland | 2021 | €225 million ($248.5 million) | Transparency failures in explaining its data handling to users |
| Google LLC | United States | 2021 | €90 million ($99 million) | YouTube’s lack of cookie compliance |
| Google Ireland | Ireland | 2021 | €60 million ($66 million) | Lack of cookie compliance with the ePrivacy Directive |
| Facebook Ireland | Ireland | 2021 | €60 million ($66 million) | Violated rules on cookie usage |
FAQs
Who administers GDPR fines?
Each EU country has an independent Data Protection Authority (the supervisory authority) that investigates GDPR violations and administers fines. The heads of these authorities, together with the European Data Protection Supervisor, make up the European Data Protection Board, which coordinates enforcement and issues guidance so the GDPR is applied consistently across the EU.
What is the fine for violating GDPR?
There are two tiers of GDPR fines based on which provisions were infringed. The lower tier carries fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. For the more serious tier, fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
What are some examples of personal data breaches?
Personal data breaches happen in many different ways. In some cases, it may be that a company’s data was hacked, and personal information like credit card numbers or Social Security numbers were compromised. Big names like Marriott, 23andMe, T-Mobile, AT&T, Yahoo, National Public Data, Facebook, Ticketmaster, and plenty more have made the news due to big data breaches in recent years.
Personal data breaches may also be more limited. An employee's briefcase may be lost or stolen and contain sensitive documents that include personal customer information. Another example may be an employee who clicked on a harmful email that installed malware on company devices that infiltrated a database and could have accessed sensitive data (e.g., LastPass data breaches of 2022).
Bottom line
The GDPR is one of the strictest data privacy regulations in the world, and although it focuses on the EU, it plays a crucial role for companies worldwide.
The GDPR and its fines apply to any company that offers goods or services to people in the EU or monitors their behavior. So if you sell to customers in the EU, you must comply with GDPR standards.
While the fines may seem daunting, the GDPR outlines the necessary protections to be compliant, including:
- A clear and concise privacy policy.
- Getting express consent from consumers.
- Only asking for information that’s necessary for the purpose of your business.
- Protecting the data that’s given to you.
- Reporting any data breaches in a timely manner.
Even if you don’t currently do business in the EU, following these data privacy practices will help give your customers peace of mind. For other privacy solutions to suit your business needs, here's our list of the best VPNs for small businesses.