When €3 billion in GDPR fines alone isn’t enough to teach Big Tech a lesson


Introduction: The Year Regulators Stopped Playing Nice

If 2024 was the year of regulatory preparation, 2025 was the year enforcement went nuclear. European data protection authorities alone imposed over €3 billion in GDPR fines in the first half of 2025—more than any previous full year. The message from regulators worldwide was unmistakable: privacy compliance is no longer optional, and the era of lenient warnings has definitively ended.

But the numbers only tell part of the story. Behind every billion-euro fine lies a pattern of corporate negligence, a trail of exposed user data, and a regulatory authority that finally decided enough was enough. From TikTok’s systematic deception about data flows to China, to X’s “verification” system that verified nothing, to California’s aggressive crackdown on data brokers, 2025 established precedents that will reshape privacy compliance for years to come.

As we’ve documented throughout the year on Compliance Hub Wiki, the regulatory landscape has fundamentally shifted. Over €800 million in fines across 72 major enforcement actions in Q2 alone marked Summer 2025 as a pivotal period—and that was just the beginning.

This is our annual “Fines & Follies” Awards: recognizing the most significant, egregious, and instructive privacy enforcement actions of 2025. Some companies earned their spots through spectacular failures. Others made it by pioneering new forms of data exploitation. All of them have lessons to teach.



🏆 The “Third Time’s NOT the Charm” Award: TikTok’s €530 Million Data Transfer Deception

Amount: €530 million ($601 million)
Authority: Irish Data Protection Commission
Violation: Unlawful data transfers to China, systematic deception of regulators

The Irish DPC’s May 2025 decision against TikTok wasn’t just the third-largest GDPR fine in history—it was a masterclass in how NOT to handle a regulatory investigation.

For years, TikTok assured European regulators that EU user data was absolutely, definitely, 100% NOT being stored on Chinese servers. Then, in April 2025, came the admission: oops, they’d discovered in February that “limited EEA user data had in fact been stored on servers in China.”

As we detailed in our analysis of the €530 million question, this wasn’t a technical oversight—it was systematic deception that transformed a potential compliance violation into a case of regulatory fraud. The fine breakdown reveals the severity:

  • €485 million for unlawful data transfers to China (Article 46(1) breach)
  • €45 million for transparency violations (Article 13(1)(f))

But the €530 million fine was just the beginning of TikTok’s 2025 troubles. Texas AG Ken Paxton sued the platform twice—once under the SCOPE Act for sharing minors’ data without parental consent, and again under the Texas Deceptive Trade Practices Act for allegedly marketing the app as safe for children despite regularly exposing them to harmful content.

The Lesson: When regulators ask where you store data, telling the truth is not optional. Subsequent discoveries of contrary facts will be treated as intentional deception.


🏆 The “First Blood” Award: X’s €120 Million DSA Debut

Amount: €120 million
Authority: European Commission
Violation: DSA transparency breaches, deceptive verification system

The European Commission saved a special distinction for Elon Musk’s X: the first-ever fine under the Digital Services Act. On December 5, 2025, the Commission found that X had breached its transparency obligations in three key ways:

The “Verified” Problem: X’s blue checkmark, once a symbol of identity verification, became available to anyone willing to pay €7/month. As the Commission bluntly stated: “X’s use of the ‘blue checkmark’ for ‘verified accounts’ deceives users.” The result? A platform flooded with impersonators, scammers, and bots masquerading as verified accounts.

The Ads Archive Disaster: X’s advertising repository was designed with barriers that undermine the entire purpose of transparency requirements.

The Research Lockout: X’s terms of service actually prohibited eligible researchers from accessing public data—the exact opposite of what the DSA requires.

As we covered in our Meta and TikTok DSA enforcement analysis, this is just the opening salvo. Meta and TikTok face preliminary DSA findings with potential fines reaching 6% of global revenue—approximately $9.87 billion for Meta.

Musk’s response? Posting “Bullshit” on the platform and calling for the abolition of the EU. The Commission was unimpressed, giving X 60 days to fix the checkmark problem or face additional penalties.

The Lesson: “Move fast and break things” doesn’t work when what you’re breaking is regulatory compliance. The DSA has teeth, and it’s not afraid to use them.


🏆 The “Lone Star Sheriff” Award: Texas AG Ken Paxton’s $2.775 Billion Privacy Crusade

Total Settlements: $1.4 billion (Meta, announced July 2024) + $1.375 billion (Google, May 2025) = $2.775 billion
Authority: Texas Attorney General
Pattern: Biometric data violations, deceptive tracking practices

No single state enforcement authority dominated 2025 like Texas AG Ken Paxton’s Privacy and Tech Team. The office secured historic settlements that dwarfed anything previously obtained by a single state:

Meta Settlement ($1.4 Billion, announced July 2024): For unlawfully capturing and using facial recognition data from millions of Texans under the state's biometric privacy law. It remains the largest privacy settlement ever obtained by a single state and set the template for the 2025 Google deal.

Google Settlement ($1.375 Billion): Resolving multiple lawsuits over deceptive tracking practices, including location tracking without consent and the misleading “Incognito Mode” that wasn’t as incognito as advertised.

But Paxton wasn’t done. His office launched investigations into over 200 companies, including Character.AI, Reddit, Instagram, and Discord over children’s privacy practices. He sued TikTok twice, sued Allstate and Arity for secretly collecting and selling driving data, and investigated DeepSeek for potential violations tied to Chinese government access.

As we’ve analyzed in our 2025 privacy developments overview, Texas has positioned itself as America’s privacy enforcement leader—even before comprehensive federal legislation.

The Lesson: Don’t assume that because the U.S. lacks a federal privacy law, enforcement is weak. Individual states—especially Texas—are filling the void with aggressive, well-funded enforcement programs.


🏆 Google: €325 Million in CNIL Cookie and Gmail Ad Fines

Amount: €200 million (Google LLC) + €125 million (Google Ireland) = €325 million
Authority: CNIL (France)
Violation: Deceptive cookie consent, direct marketing violations

France’s CNIL continued its crusade against Big Tech’s cookie practices with a one-two punch against Google in September 2025:

Google LLC (€200 million): For a fundamentally flawed cookie consent mechanism in the Google account creation flow that violated users' right to free and informed choice. Users were never told that accepting advertising cookies was the counterpart of the "free" service, which made the consent invalid.

Google Ireland (€125 million): For the same violations, demonstrating that corporate structure doesn't insulate related entities from separate penalties.

The CNIL found that ads disguised as emails in Gmail’s “Promotions” and “Social” tabs violated direct marketing rules because users never properly consented. Both entities face €100,000 daily penalties if they don’t fix the problems within six months.

This pattern of cookie enforcement aligns with what we’ve documented in our GDPR enforcement surge analysis: regulators are no longer satisfied with cookie banners that technically exist but practically deceive.

The Lesson: Making it easy to accept cookies but hard to reject them isn’t compliance—it’s a dark pattern, and regulators have zero patience left for it.


🏆 SHEIN: €150 Million CNIL Cookie Fine

Amount: €150 million
Authority: CNIL (France)
Violation: Cookie placement without consent, misleading consent interfaces

Fast fashion giant SHEIN joined the hall of shame with a €150 million CNIL fine for its approach to cookies on shein.com:

  • Placing advertising cookies on users' devices BEFORE they could consent
  • Providing incomplete or misleading information in cookie banners
  • Failing to clearly identify third-party cookies
  • Making it difficult for users to refuse or withdraw consent

For a company already facing scrutiny over labor practices and supply chain transparency, adding “systematic privacy violations” to the list wasn’t a great look.

The Lesson: Cookie consent isn’t a formality—it’s a legal requirement that must happen BEFORE tracking begins.


🏆 The “Genetic Gamble Gone Wrong” Award: 23andMe’s £2.31 Million ICO Fine

Amount: £2.31 million
Authority: UK Information Commissioner's Office
Violation: Inadequate security measures for genetic data

Of all the data types to leave poorly protected, genetic information ranks among the worst. The ICO’s June 2025 fine against 23andMe highlighted a credential stuffing attack that exposed some of the most intimate personal information possible:

  • Names, birth years, location data
  • Profile images, race, ethnicity
  • Family trees and health reports
  • Affecting 155,592 UK residents

As Information Commissioner John Edwards noted: “Once this information is out there, it cannot be changed or reissued like a password or credit card number.”

The breach exploited reused login credentials—a reminder that in 2025, companies handling sensitive data still weren’t implementing basic protections like mandatory multi-factor authentication.

The Lesson: Genetic data is uniquely sensitive because it’s uniquely permanent. Adequate security isn’t just a compliance checkbox—it’s an ethical imperative.
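Credential stuffing leaves a recognisable fingerprint in authentication logs well before the data is gone: one source replaying a breached username/password list fails against many different accounts in a short window, something a legitimate user mistyping a password never does. The following detector is an added example for this article (not code from Compliance Hub Wiki, 23andMe or the ICO); the log format, the ten-minute window and the five-user threshold are assumptions, and the log lines are constructed.

```python
"""Credential-stuffing triage over authentication logs.

Added example (not code from the article, 23andMe or the ICO).  Each source
IP is scored by how many *distinct* usernames it failed to log in as inside
a sliding window; an attacker replaying a breached credential list looks
like that, a human retrying one account does not.  Any successful login
from a flagged IP is reported as a likely account takeover that needs a
password reset and step-up authentication.  Log format, WINDOW and
THRESHOLD are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (space-separated: timestamp ip username result).
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 203.0.113.7 alice FAIL
2025-06-01T10:00:04Z 203.0.113.7 bob FAIL
2025-06-01T10:00:09Z 198.51.100.4 heidi FAIL
2025-06-01T10:00:12Z 203.0.113.7 carol FAIL
2025-06-01T10:00:15Z 203.0.113.7 dave OK
2025-06-01T10:00:20Z 198.51.100.4 heidi FAIL
2025-06-01T10:00:22Z 203.0.113.7 erin FAIL
2025-06-01T10:00:31Z 198.51.100.4 heidi OK
2025-06-01T10:00:34Z 203.0.113.7 frank FAIL
2025-06-01T10:00:40Z 203.0.113.7 grace FAIL
"""

WINDOW = timedelta(minutes=10)   # assumed: sliding window length
THRESHOLD = 5                    # assumed: distinct failed usernames per window


def parse_log(text):
    """Yield (timestamp, ip, username, success) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "OK")


def max_distinct_failures(events):
    """Largest number of distinct usernames with a failed login from one IP
    inside any WINDOW-long span.  events: time-sorted (ts, user, success)."""
    failures = [(ts, user) for ts, user, ok in events if not ok]
    best, start = 0, 0
    counts = defaultdict(int)    # username -> failures currently inside the window
    for ts, user in failures:
        counts[user] += 1
        while failures[start][0] < ts - WINDOW:   # slide the window forward
            old_user = failures[start][1]
            counts[old_user] -= 1
            if counts[old_user] == 0:
                del counts[old_user]
            start += 1
        best = max(best, len(counts))
    return best


def detect_credential_stuffing(log_text):
    """Return {ip: details} for every source IP that crossed THRESHOLD."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(log_text):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        distinct = max_distinct_failures(events)
        if distinct >= THRESHOLD:
            findings[ip] = {
                "distinct_failed_users": distinct,
                "attempts": len(events),
                # accounts the attacker actually got into: reset and re-verify
                "likely_compromised": sorted({u for _, u, ok in events if ok}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed log, 203.0.113.7 fails against six different accounts in forty seconds and succeeds against "dave", so it is flagged with one likely-compromised account, while 198.51.100.4 (one user, two typos, then success) is not. Mandatory MFA would have stopped the "dave" login outright; this check is the compensating detection for the accounts that still lack it.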


🏆 The “Data Broker Dragnet” Award: California’s CalPrivacy Crackdown

Amount: $331,600+ in data broker registration fines across 8 enforcement actions (the CCPA penalties listed below are counted separately)
Authority: California Privacy Protection Agency (CalPrivacy)
Target: Unregistered data brokers and CCPA violators

CalPrivacy transformed from a regulatory newcomer to an enforcement powerhouse in 2025. The formation of the Data Broker Enforcement Strike Force in November signaled a dramatic escalation, but the groundwork was laid throughout the year.

As we covered in our CalPrivacy enforcement surge analysis, the agency’s enforcement actions included:

Tractor Supply Company ($1.35 million): CalPrivacy’s largest fine for failing to provide effective opt-out mechanisms, inadequate privacy notices to job applicants, and insufficient service provider contracts.

Healthline Media LLC ($1.55 million): The California AG’s largest CCPA settlement, finding that even after consumers exercised opt-out rights through multiple methods, Healthline continued transmitting personal information to dozens of advertisers.

Honda ($632,500): The first major CCPA penalty against an automotive manufacturer, establishing precedents for the rapidly expanding connected vehicle industry. Key violations included requiring excessive verification for opt-out requests and implementing asymmetric cookie consent designs.

Todd Snyder Inc. ($345,178): Fined for a broken cookie banner that prevented opt-outs for 40 days and requiring photo ID for privacy requests.

The message from CalPrivacy was clear: a business cannot bypass privacy requirements “by selling personal information as part of a larger suite of products and services.”

For comprehensive analysis of California’s privacy landscape, see our California 2025 privacy and AI legislative deep dive.

The Lesson: Data broker registration is mandatory. Cookie banners must actually work. And “we didn’t know our privacy tools were broken” is not a defense.


🏆 The “Driving Data Disaster” Award: Connected Vehicles Under Surveillance

Targets: General Motors, Allstate, Arity
Authority: Texas Attorney General
Violation: Illegal collection and sale of driving data

One of the most alarming privacy patterns of 2025 involved connected vehicles secretly becoming surveillance devices. Texas AG Paxton’s lawsuits revealed that:

General Motors (sued in August 2024) allegedly used in-car technology to monitor drivers' movements, recording sensitive data and sharing it with insurance companies without meaningful disclosure or consent.

Allstate and Arity allegedly collected and sold driving behavior data from consumers’ mobile devices and vehicles to create detailed profiles affecting insurance rates. The lawsuit accused them of violating TDPSA’s heightened protections for sensitive data by failing to:

  • Provide notice and obtain consent for processing sensitive location data
  • Offer meaningful opt-out mechanisms
  • Register as data brokers under the Texas Data Broker Act

As we’ve analyzed in our global AI and data privacy landscape briefing, the automotive sector has become a major privacy battleground—and it’s only getting more complicated as vehicles become increasingly connected.

The Lesson: Your car is watching you. If you’re in the automotive industry, privacy compliance can no longer be an afterthought.


🏆 The “Financial Services Fumble” Award: NYDFS’s $82 Million Enforcement Blitz

Total Fines: $82+ million
Authority: New York Department of Financial Services
Pattern: MFA failures, email retention gaps, AML deficiencies

NYDFS demonstrated unprecedented enforcement vigor in 2025, as we detailed in our NYDFS enforcement analysis:

Block Inc. (Cash App) - $40 million: For significant deficiencies in anti-money laundering compliance, including transaction monitoring systems that failed to flag Bitcoin transactions tied to illicit activity.

PayPal - $2 million: Following a 2022 incident that exposed sensitive customer information on 34,000+ accounts. Unlike many enforcement actions focusing on missing policies, the PayPal case highlighted implementation failures—they had the policies but failed to execute them.

Insurance Company Fines: Multiple insurance companies faced penalties for failing to accurately and timely report data through NYDFS reporting systems.

Critical NYDFS cybersecurity deadlines that hit in 2025:

  • May 1, 2025: Covered entities must impose limits on privileged accounts, allow only secure connections for remotely controlled devices, and maintain written password policies
  • November 1, 2025: MFA becomes mandatory for all individuals accessing any information systems, regardless of location or user type

The Lesson: Financial services face the strictest cybersecurity compliance requirements in the U.S. Policies without implementation equal enforcement actions.


🏆 The “Billion Euro Club” Award: All-Time GDPR Fine Leaders

Cumulative GDPR fines stood at roughly €5.88 billion entering 2025 (the widely cited figure as of January 2025), before the year's own penalties were added. Here are the all-time leaders. Two caveats on the table: the €310 million LinkedIn fine is against Microsoft's LinkedIn, not Meta, and the two CNIL entries are cookie penalties issued under the French Data Protection Act's ePrivacy provisions rather than the GDPR itself; they are commonly tracked alongside GDPR fines, which is how they appear here.

| Rank | Company | Fine Amount | Year | Primary Violation |
|------|---------|-------------|------|-------------------|
| 1 | Meta | €1.2 billion | 2023 | Improper US data transfers |
| 2 | Amazon | €746 million | 2021 | Invalid consent for ads |
| 3 | TikTok | €530 million | 2025 | China data transfers, deception |
| 4 | Meta (Instagram) | €405 million | 2022 | Children's data handling |
| 5 | Meta | €390 million | 2023 | Forced consent for targeted ads |
| 6 | TikTok | €345 million | 2023 | Children's data handling |
| 7 | LinkedIn (Microsoft) | €310 million | 2024 | Behavioral advertising |
| 8 | Uber | €290 million | 2024 | US data transfers |
| 9 | Google LLC | €200 million | 2025 | Cookie consent violations (CNIL) |
| 10 | SHEIN | €150 million | 2025 | Cookie consent violations (CNIL) |

For comprehensive analysis, see our largest data protection fines 2018-2025 guide.


🏆 The “Healthcare Horror Show” Award: HIPAA Enforcement Intensifies

Healthcare organizations couldn’t escape 2025 unscathed. HHS Office for Civil Rights (OCR) continued its systematic focus on risk analysis failures:

Solara Medical Supplies ($3 million): For multiple breaches of unsecured electronic protected health information.

Warby Parker ($1.5 million): A civil money penalty over a 2018 credential stuffing attack on customer accounts, demonstrating OCR's expansion beyond traditional healthcare entities to include "health-adjacent" consumer companies.

Multiple Phishing-Related Settlements: OCR focused on organizations that fell victim to sophisticated phishing attacks, finding that “we got hacked” isn’t a defense when basic security measures weren’t in place.

As we’ve covered in our healthcare cybersecurity 2025 analysis, proposed HIPAA Security Rule updates include:

  • Tighter incident timelines, including restoring critical systems and data within 72 hours and 24-hour notification by business associates when they activate contingency plans (the existing HIPAA breach notification deadline of 60 days is unchanged)
  • Mandatory annual compliance audits, with annual penetration testing and vulnerability scans every six months
  • Enhanced third-party vendor requirements, including annual written verification of business associates' technical safeguards

Budget for comprehensive HIPAA compliance upgrades: $500,000-$2,000,000+ based on OCR’s current enforcement focus.

The Lesson: Healthcare data protection failures now result in multi-million dollar penalties. The days of treating cybersecurity as an IT problem rather than a compliance imperative are over.


🏆 The “UK Regulatory Renaissance” Award: FCA and ICO Assert Authority

FCA Total Fines: £75+ million ($96 million)
ICO Notable Actions: £14 million (Capita), £2.31 million (23andMe), £1.2 million (LastPass)

UK regulators made 2025 a year to remember, as we detailed in our UK banking enforcement analysis:

Vocalink (£11.9 million): The Bank of England's first-ever fine against a financial market infrastructure firm, emphasizing that critical payment infrastructure providers face heightened expectations.

Barclays (£42 million combined across two cases): For failing to conduct adequate due diligence before opening accounts and failing to manage money laundering risks.

Monzo (£21 million): Demonstrating that "innovative technology and rapid growth cannot excuse fundamental compliance failures."

Capita (£14 million): The ICO finally dropped the hammer on one of the UK’s worst data breaches—30 months after the incident.

LastPass (£1.2 million): For security failures that led to one of the most consequential password manager breaches in history. As we analyzed in our LastPass ICO fine coverage, the fine represented less than 0.3% of documented cryptocurrency losses from the breach.

The Lesson: UK regulators are focusing on implementation effectiveness rather than policy documentation. Having the right policies means nothing if you can’t demonstrate results.


🏆 The “AI Accountability Arrives” Award: EU AI Act Enforcement Begins

Effective: August 2, 2025 (GPAI model obligations)
Maximum Penalties: €35 million or 7% of global turnover for prohibited practices

2025 marked the first year of EU AI Act enforcement, with prohibited AI practices becoming illegal on February 2, 2025. As we covered in our EU AI Act compliance guide:

Banned AI Practices Now Illegal:

  • Social scoring systems
  • Real-time biometric identification in public spaces (with limited law enforcement exceptions)
  • AI systems that manipulate behavior in harmful ways
  • Exploitation of vulnerabilities based on age, disability, or other factors

August 2, 2025 Deadline: General-purpose AI model providers must now comply with transparency and documentation requirements.

While major AI Act fines haven’t materialized yet, the European AI Office is operational and monitoring compliance. Companies like Meta have rejected the voluntary GPAI Code of Practice, setting up potential enforcement showdowns in 2026.

The EU's separate AI Liability Directive, first proposed in 2022 as the world's first AI-specific liability framework, was withdrawn by the Commission in early 2025; civil claims over AI harms now rest on the revised Product Liability Directive and national law.

The Lesson: AI governance is no longer theoretical. Companies deploying AI systems in the EU—or whose outputs affect EU residents—face real compliance obligations with real penalties.


The Global Enforcement Landscape: 2025 By the Numbers

GDPR Enforcement Statistics

| Metric | 2025 Value |
|--------|------------|
| Cumulative fines (2018 to start of 2025) | ~€5.88+ billion |
| 2025 fines (Jan-Jun) | €3+ billion |
| Average fine (major cases) | €4.8 million |
| Leading DPA (total fines) | Ireland (~€3.5 billion) |
| Most active DPA (volume) | Spain (1,021+ fines) |

U.S. State Privacy Enforcement

  • 20 states with comprehensive privacy laws by year-end 2025
  • 8 new state privacy laws took effect in 2025: Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Tennessee
  • 7-state enforcement consortium formed for coordinated privacy enforcement
  • Texas secured $2.775 billion in settlements from Meta (2024) and Google (2025) alone

Global Regulatory Highlights

  • Australia: Implemented world-first social media ban for users under 16
  • Brazil: ANPD issued $12 million in fines in Q1 2025 for improper biometric data handling
  • UK: Financial regulators imposed £75+ million in penalties
  • Germany: NIS2 implementation finally completed December 2025
  • China: Personal Information Protection Law (PIPL) enforcement continued to expand

Sector-Specific Analysis: Where Did the Fines Hit Hardest?

Big Tech: €2+ Billion in 2025 Alone

The usual suspects dominated 2025’s enforcement landscape:

  • TikTok: €530 million GDPR + multiple Texas lawsuits
  • Google: €325 million CNIL cookies + $1.375 billion Texas settlement
  • Meta: $1.4 billion Texas settlement (announced 2024) + ongoing DSA investigation
  • X: €120 million DSA fine + potential additional enforcement
  • SHEIN: €150 million CNIL cookies

Financial Services: $120+ Million

  • Block Inc. (Cash App): $40 million NYDFS
  • Barclays: £42 million combined FCA
  • Vocalink: £11.9 million Bank of England
  • PayPal: $2 million NYDFS
  • Monzo: £21 million FCA
  • ING Bank: €1.6 million (GDPR) + €4.3 million (Poland)

Healthcare: $10+ Million

  • Solara Medical: $3 million HIPAA
  • Multiple phishing settlements: $600,000+ each
  • Yale New Haven Health: $18 million settlement (civil litigation)
  • Change Healthcare: roughly 190 million individuals affected by the 2024 breach, with regulatory exposure still pending

Automotive: $632,500 in fines, major litigation pending

  • Honda: $632,500 CalPrivacy
  • General Motors: Texas litigation ongoing
  • Allstate/Arity: Texas litigation ongoing

Retail/E-Commerce

  • SHEIN: €150 million CNIL
  • Tractor Supply: $1.35 million CalPrivacy
  • Todd Snyder: $345,178 CalPrivacy
  • Healthline Media: $1.55 million California AG

Five Trends That Defined 2025 Enforcement

1. Personal Liability Is Coming

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens), which fined Clearview AI €30.5 million in 2024, is investigating whether the company's directors can be held personally liable for the GDPR breaches. That represents a potentially seismic shift. As we analyzed in our compliance crossroads guide, executives can no longer assume corporate structures will shield them from individual accountability.

2. Implementation Beats Documentation

Across jurisdictions, regulators focused on whether privacy controls actually worked, not just whether they existed. The PayPal, Monzo, and Todd Snyder cases all emphasized that broken privacy tools = enforcement action.

3. Third-Party Risk Is Your Risk

The Vodafone (€45 million), TikTok, and numerous data broker cases demonstrated that you’re liable for your vendors’ actions. As we covered in our class action litigation guide, attempts to blame third parties are being consistently rejected.

4. Children’s Privacy Became Non-Negotiable

From TikTok’s children’s data handling to Texas’s SCOPE Act enforcement to the FTC’s COPPA updates, protecting minors’ data became a top enforcement priority globally.

5. Consent Must Enable Informed Choice

The Google, SHEIN, and X cases proved that regulators are finally examining whether consent mechanisms actually enable informed choice, not just whether they technically exist.


Looking Ahead: What to Expect in 2026

As we detailed in our 2026 regulatory wave preparation guide, several major compliance deadlines loom:

Q1 2026:

  • NYDFS Cybersecurity Regulation: the final phased-in requirements (MFA for all users, complete asset inventory) became enforceable November 1, 2025, so 2026 examinations will test them in full
  • CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) reporting requirements expected to go live once CISA finalizes its rule

Full Year 2026:

  • EU AI Act high-risk system obligations scheduled to apply from August 2, 2026 (a Commission proposal to delay parts of this timeline is pending)
  • Colorado AI Act enforcement begins June 30, 2026 (first comprehensive U.S. AI framework)
  • Texas App Store Accountability Act takes effect January 1, 2026 (requiring age verification for ALL apps)
  • Additional state privacy laws activate
  • Potential federal privacy legislation (though don't hold your breath)

Enforcement Predictions:

  • First major EU AI Act fine (likely targeting prohibited practices)
  • Continuation of coordinated multi-state U.S. enforcement
  • Increased personal liability actions against executives
  • Major DSA fines against Meta and/or TikTok
  • Focus on AI training data and consent

Compliance Action Items: What Organizations Should Do Now

Immediate Priorities

  1. Audit your data flows. Know exactly where personal data goes, especially cross-border transfers. TikTok's €530 million fine proves that "we didn't know" isn't a defense.
  2. Test your privacy tools. Actually use your cookie consent banners, opt-out mechanisms, and DSAR processes. Todd Snyder was fined because their cookie banner was broken for 40 days, and they didn't notice.
  3. Review vendor contracts. Ensure all data processors have GDPR/CCPA-compliant agreements. CalPrivacy specifically cited missing vendor contracts in multiple enforcement actions.
  4. Implement MFA everywhere. NYDFS now requires it for all information systems. The 23andMe breach exploited credential stuffing that MFA would have prevented.
  5. Prepare for AI compliance. Even if you're not developing AI, you may be deploying it. Understand your obligations under the EU AI Act and emerging state laws.
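"Test your privacy tools" (item 2) and the SHEIN finding that advertising cookies were placed before anyone could consent both come down to one repeatable check: load the site in a fresh browser profile, never touch the banner, and see what cookies exist anyway. The script below is an added example for this article (not code from Compliance Hub Wiki, the CNIL or any consent-management vendor). It takes the (response URL, Set-Cookie header) pairs you would pull from a DevTools HAR export of that cold load and reports every cookie that is not strictly necessary or that comes from another domain. The hostnames, sample capture and allowlist are constructed, and registrable-domain matching is a two-label approximation rather than a public-suffix-list lookup.

```python
"""Pre-consent cookie audit from a cold-load capture.

Added example (not code from the article, the CNIL or any vendor).  Input is
the list of (response URL, Set-Cookie header value) pairs captured when the
site is loaded in a fresh profile with NO interaction with the consent
banner.  Anything not on the strictly-necessary allowlist, or set by another
domain, was placed before consent.  Sample capture, hostnames and allowlist
are constructed; registrable() is a two-label approximation of eTLD+1.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed: one Set-Cookie header per entry from a cold load of
# www.example-shop.test before the banner was touched.
SAMPLE_CAPTURE = [
    ("https://www.example-shop.test/", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("https://www.example-shop.test/", "consent_state=pending; Path=/; Max-Age=31536000"),
    ("https://www.example-shop.test/",
     "_ga_demo=GA1.2.555; Domain=.example-shop.test; Max-Age=63072000; Path=/"),
    ("https://cdn.example-shop.test/static/app.js", ""),
    ("https://ads.tracker-network.test/pixel.gif",
     "uid=9f3c; Domain=.tracker-network.test; Expires=Wed, 21 Oct 2026 07:28:00 GMT; "
     "Path=/; SameSite=None; Secure"),
]

# Constructed allowlist: cookies the site can justify as strictly necessary.
STRICTLY_NECESSARY = {"session_id", "consent_state"}


@dataclass
class Finding:
    name: str
    set_by: str        # host of the response that set the cookie
    domain: str        # effective cookie domain
    third_party: bool
    persistent: bool   # outlives the session (Max-Age or Expires present)
    reason: str


def registrable(host):
    """Approximate eTLD+1 by keeping the last two labels (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def audit_pre_consent_cookies(site_host, capture, allowlist):
    """Return a Finding for every cookie that should not exist before consent."""
    findings = []
    for url, header in capture:
        if not header:
            continue
        set_by = urlsplit(url).hostname or ""
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = (morsel["domain"] or set_by).lstrip(".")
            third_party = registrable(domain) != registrable(site_host)
            persistent = bool(morsel["max-age"] or morsel["expires"])
            if not third_party and name in allowlist:
                continue  # first-party and strictly necessary: allowed pre-consent
            reason = ("third-party cookie set before consent" if third_party
                      else "non-essential first-party cookie set before consent")
            findings.append(Finding(name, set_by, domain, third_party, persistent, reason))
    return findings


def summarize(findings):
    """Counts a compliance ticket would quote: total, third-party, persistent."""
    return {
        "pre_consent_cookies": len(findings),
        "third_party": sum(f.third_party for f in findings),
        "persistent": sum(f.persistent for f in findings),
    }


if __name__ == "__main__":
    found = audit_pre_consent_cookies("www.example-shop.test", SAMPLE_CAPTURE, STRICTLY_NECESSARY)
    for f in found:
        print(f"{f.name:12} {f.set_by:28} third_party={f.third_party} "
              f"persistent={f.persistent}: {f.reason}")
    print(summarize(found))
```

On the constructed capture the session and consent-state cookies pass, the first-party analytics cookie and the third-party tracking pixel cookie are both flagged, and both are persistent. Run this against every release of the consent banner, not once: Todd Snyder's banner was fine until a deployment broke it, and nobody was measuring.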

Strategic Investments

  • Privacy-by-design architecture: Build compliance into systems rather than bolting it on later
  • Automated compliance monitoring: Detect broken privacy tools before regulators do
  • Third-party risk management: Implement vendor due diligence and ongoing monitoring
  • Incident response capabilities: 48-72 hour notification requirements demand rapid detection and response
  • Employee training: Social engineering and phishing remain top breach vectors

For detailed compliance cost estimates, use our compliance fine calculator.


Conclusion: The Cost of Complacency

2025 taught us that privacy enforcement has matured from theoretical risk to existential threat. TikTok discovered that deceiving regulators about data flows carries a nine-figure price tag. X learned that “move fast and break things” doesn’t work when what you’re breaking is regulatory compliance. And countless companies learned that having privacy policies means nothing if those policies don’t translate into actual protection.

The organizations that thrived in 2025 were those that treated privacy as a strategic imperative rather than a compliance checkbox. They invested in systems that actually work, vendors they actually vetted, and cultures that actually prioritize data protection.

For 2026, the stakes only get higher. The EU AI Act moves from theory to enforcement. U.S. state privacy laws continue their patchwork expansion. And regulators worldwide have demonstrated they’re no longer interested in warnings—they’re interested in results.

The question for every organization is simple: Will you be reading about the 2026 “Fines & Follies” Awards, or will you be featured in them?




This analysis is based on publicly available regulatory enforcement actions, official government announcements, and verified industry reports from January through December 2025. For personalized compliance guidance, organizations should consult with qualified privacy counsel and compliance professionals.