What are the penalties for non-compliance with GDPR?
The GDPR (Article 83) uses a two-tier structure for the administrative fines a Supervisory Authority may impose for infringements; in each tier the fine is capped at the higher of a fixed amount and a percentage of turnover.
First-tier fines can be up to €10 million or, in the case of an undertaking (a concept taken from EU competition law under which a group of related companies is treated as a single economic unit), up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. First-tier fines may be imposed for infringements of controller and processor obligations relating to:
- failure to obtain consent for processing data relating to children;
- failure to integrate data protection by design and by default;
- failure to keep adequate records of processing activities;
- failure to conduct appropriate or adequate Data Protection Impact Assessments;
- failure to notify the Supervisory Authority of a personal data breach (and, where required, to communicate it to the affected data subjects);
- failure to designate a Data Protection Officer where one is mandatory;
- breaches of the obligations attached to certification (certification itself is voluntary under the GDPR; the fine applies to misuse of a certification and to certification bodies that fail to meet their duties); and
- failure to cooperate with the Supervisory Authority.
Second-tier fines can be up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Second-tier fines may be imposed for infringements relating to:
- failure to adhere to the basic principles for processing, including conditions for consent and special category data;
- failure to respect data subjects’ rights;
- international transfers of personal data that do not satisfy the conditions of Chapter V (for example, transfers without an adequacy decision or appropriate safeguards);
- failure to meet obligations under Member State law adopted under Chapter IX of the GDPR; and
- non-compliance with an order imposed by a Supervisory Authority.
Are there fines and penalties for non-compliance with the CPRA?
Yes. Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), businesses face civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation or per violation involving the personal information of consumers under 16. Penalties are assessed per violation, so a single practice affecting many consumers can multiply quickly. In addition, consumers have a private right of action for data breaches involving certain categories of nonencrypted and nonredacted personal information that result from a business's failure to maintain reasonable security.
Both the California Attorney General and the California Privacy Protection Agency (CPPA) actively enforce the law, and recent penalties have been substantial. In July 2025, Healthline Media LLC agreed to pay a record $1.55 million to settle the California Attorney General's allegations that it violated the CCPA/CPRA. The alleged violations included failing to honor consumers' opt-out requests, sharing with third parties the titles of articles users read (which could reveal health conditions), and failing to include required privacy terms in contracts with vendors. Subsequently, in September 2025, the CPPA fined Tractor Supply Company $1.35 million for violations related to the privacy rights of job applicants.
To reduce the risk of such fines, businesses should consider appointing a Data Protection Officer to oversee compliance with the applicable data protection rules and to act as the point of contact for the relevant Data Protection Authority. Note that the GDPR makes a DPO mandatory only in specific cases (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special category data); in all other cases the appointment is voluntary, and appointing a DPO does not by itself satisfy the obligations listed above.
Contact us for information on our Data Protection Officer outsource services.