Quick Answer: Privacy Policy Fine Amounts
- GDPR: Up to EUR 20 million or 4% of annual global revenue (whichever is higher)
- CCPA: Up to $2,500 per unintentional violation, $7,988 per intentional violation
- FTC: Up to $51,744 per violation per day (civil penalties for repeat offenders)
- Australia Privacy Act: Up to AUD 50 million for serious or repeated interference with privacy
- UK GDPR: Up to GBP 17.5 million or 4% of annual global revenue
Fine Amounts at a Glance
Privacy law enforcement has accelerated dramatically since 2018. Regulators across the US, EU, and beyond now have dedicated enforcement divisions, automated website scanning tools, and direct consumer complaint pipelines. The assumption that small businesses are safe from enforcement no longer holds true.
Fines scale with the severity of the violation and in many jurisdictions with company revenue. Even a business doing $500,000 a year faces meaningful financial exposure under GDPR or CCPA. And because fines are often assessed per consumer per violation, the totals accumulate fast.
| Regulator | Jurisdiction | Maximum Fine | Who It Covers |
|---|---|---|---|
| EU Data Protection Authorities | EU / EEA | EUR 20M or 4% global revenue | Any organization processing EU personal data |
| California AG / CPPA | California, USA | $7,988 per intentional violation | Qualifying California businesses |
| FTC | United States | $51,744 per day (repeat violations) | US businesses engaged in commerce |
| OAIC | Australia | AUD 50 million | Australian businesses with turnover over AUD 3M |
| ICO | United Kingdom | GBP 17.5M or 4% global revenue | Any organization processing UK personal data |
GDPR Fines and Penalties
The General Data Protection Regulation (GDPR) introduced a two-tier fine structure that applies to any organization processing the personal data of people in the European Union, regardless of where the organization is based. An ecommerce store in Texas that ships to Germany is subject to GDPR.
Lower-tier violations carry fines up to EUR 10 million or 2% of global annual revenue. Higher-tier violations - which include failing to provide transparent privacy information to data subjects under Articles 13 and 14 - carry fines up to EUR 20 million or 4% of global annual revenue.
Not having a privacy policy, or having one that does not meet GDPR's transparency requirements, typically triggers the higher tier because it directly violates data subjects' rights to know how their data is being used.
What GDPR Requires in Your Privacy Policy
Under GDPR Articles 13 and 14, your privacy policy must include all of the following:
- Identity and contact details of the data controller
- Contact details of the Data Protection Officer (if you have one)
- Purposes and legal basis for each type of data processing
- Legitimate interests pursued where that is your legal basis
- Recipients or categories of recipients of personal data
- Details of any international data transfers and the safeguards in place
- Retention periods for each category of data
- All eight data subject rights (access, erasure, portability, objection, restriction, rectification, not to be subject to automated decision-making, right to complain)
- Right to withdraw consent at any time (if consent is your legal basis)
- Right to lodge a complaint with a supervisory authority
- Whether providing personal data is a statutory or contractual requirement
Did you know?
The largest GDPR fine to date was EUR 1.2 billion imposed on Meta in 2023 for unlawful data transfers to the US. But smaller businesses have also been fined - a German court fined a small business EUR 4,000 for not having a compliant cookie notice, and an Austrian hotel received a EUR 3,500 fine for inadequate CCTV disclosure.
Notable GDPR Enforcement Examples
| Company | Fine Amount | Reason |
|---|---|---|
| Meta (Ireland) | EUR 1.2 billion | Unlawful EU-US personal data transfers without adequate safeguards |
| Amazon (Luxembourg) | EUR 746 million | Non-compliant advertising data processing and cookie practices |
| Google (France - CNIL) | EUR 150 million | Cookie opt-out mechanism more difficult than opt-in |
| H&M (Germany) | EUR 35 million | Unlawful and extensive collection of employee personal data |
| British Airways (ICO) | GBP 20 million | Data breach affecting 400,000 customers; inadequate security measures |
| Marriott International | GBP 18.4 million | Failure to protect personal data of 339 million guests |
GDPR Fine Calculation Factors
GDPR supervisory authorities consider multiple factors when determining the exact fine amount. Understanding these can help you prioritize where to invest in compliance:
- Nature, gravity, and duration of the infringement
- Intentional versus negligent character of the violation
- Actions taken to mitigate damage to data subjects
- Degree of responsibility of the controller or processor
- Any relevant previous infringements
- Degree of cooperation with the supervisory authority
- Categories of personal data affected (health, financial data attract higher fines)
- How the supervisory authority became aware of the infringement
CCPA Fines and Penalties
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General. The fine structure distinguishes between unintentional and intentional violations, and gives special treatment to violations involving minors.
| Violation Type | Maximum Fine Per Violation |
|---|---|
| Unintentional violation | $2,500 |
| Intentional violation | $7,988 |
| Violation involving data of minors (under 16) | $7,988 even if unintentional |
"Per violation" in CCPA context means per consumer affected. If 10,000 California consumers visited your site and you failed to provide a compliant privacy policy or honor their opt-out requests, that is potentially 10,000 separate violations. In practice, regulators negotiate settlements, but the theoretical exposure is enormous for any business with significant California traffic.
The CCPA requires your privacy policy to disclose: categories of personal information collected in the past 12 months, purposes for collection, categories of sources, categories of third parties to whom you disclose data, whether you sell personal information, and the consumer rights available under California law.
Did you know?
Sephora was fined $1.2 million by the California AG in 2022 under the CCPA for failing to disclose it was selling consumer data and not honoring opt-out requests submitted via the Global Privacy Control. This was one of the first major CCPA enforcement actions and signaled that the state is actively monitoring compliance.
Which Businesses Must Comply with CCPA
The CCPA applies to for-profit businesses doing business in California that meet at least one of these thresholds:
- Annual gross revenue exceeding $25 million
- Annually buys, sells, or receives/shares for commercial purposes personal information of 100,000 or more California consumers or households
- Derives 50% or more of annual revenue from selling or sharing California consumers' personal information
FTC Enforcement Actions
The Federal Trade Commission does not enforce a single comprehensive federal privacy law in the US, but it does enforce privacy under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. Publishing a privacy policy and then failing to honor it is a deceptive trade practice - and the FTC treats it seriously.
The FTC can seek injunctive relief, consent orders, and civil penalties of up to $51,744 per violation per day for violations of prior FTC orders. The FTC also enforces specific privacy statutes including COPPA (children's online privacy), GLBA (financial data), and its own Health Breach Notification Rule.
FTC Deception Framework for Privacy Policies
The FTC's approach is to evaluate whether a privacy policy is accurate relative to actual practices. Common deceptive claims the FTC has pursued include:
- Claiming data is not shared with third parties when it is
- Claiming data is anonymized when it can be re-identified
- Claiming users can opt out when the mechanism does not work
- Using vague language to obscure actual data collection practices
- Collecting more data than the policy discloses
Recent FTC Privacy Enforcement Highlights
- Meta/Facebook (2019): $5 billion penalty for violations related to Cambridge Analytica and user data misuse
- Google and YouTube (2019): $170 million for COPPA violations collecting children's data on YouTube
- WW International (Weight Watchers, 2022): $1.5 million for collecting children's data via its Kurbo app without parental consent
- Drizly (2023): 20-year security audit requirement plus executive personal liability after a data breach exposed 2.5 million consumers
- BetterHelp (2023): $7.8 million for sharing sensitive mental health data with Facebook and Snapchat for advertising
Australia Privacy Act Penalties
Australia's Privacy Act 1988 was significantly updated with the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Act 2022. The maximum civil penalty for serious or repeated interferences with privacy was increased to AUD 50 million, or three times the value of any benefit obtained, or 30% of adjusted turnover for the relevant period - whichever is greatest.
The Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act. Australian Privacy Principle 1 (APP 1) requires organizations to have a clearly expressed and up-to-date privacy policy, and APP 5 requires notification to individuals about data collection.
The Privacy Act applies to Australian government agencies and private sector organizations with annual turnover over AUD 3 million, as well as all health service providers, credit reporting bodies, and certain other categories regardless of turnover.
Did you know?
The Medibank data breach in 2022 exposed sensitive health data of 9.7 million Australians. The OAIC launched a formal investigation, and the breach prompted Australia to increase maximum privacy penalties to AUD 50 million - up from the previous maximum of AUD 2.2 million. The case is still ongoing as of 2026.
How Privacy Violations Are Discovered
Understanding how regulators discover violations helps you appreciate why compliance cannot be treated as optional, even for smaller businesses.
| Discovery Method | How Common | Details |
|---|---|---|
| Consumer complaints | Very common | All major regulators have online complaint forms; unhappy customers use them |
| Data breach notifications | Common | Breaches trigger regulatory review of all privacy practices, not just security |
| Automated website sweeps | Increasing | EU DPAs use automated tools to scan for missing or inadequate policies |
| Investigative journalism | Occasional | News reports about privacy issues often trigger formal enforcement action |
| Competitor reports | Less common | Competitors occasionally file complaints about non-compliant rivals |
| Privacy advocacy audits | Growing | Groups like noyb (None of Your Business) file systematic GDPR complaints |
How to Avoid Privacy Policy Fines
Avoiding fines comes down to three pillars: having an accurate privacy policy that reflects your actual data practices, keeping it updated when those practices change, and making it genuinely accessible to users.
Audit what data you actually collect
List every form, analytics tool, advertising pixel, third-party script, and integration on your site. Each one likely collects data that must be disclosed in your privacy policy.
Generate a policy that matches your real practices
Use a generator that asks specific questions about your actual data practices. A generic template that does not reflect reality provides no legal protection - it creates additional exposure as a deceptive document.
Post it prominently in the right places
Link your privacy policy in your website footer, in account registration forms, at checkout, in app onboarding flows, and anywhere you collect personal data. GDPR requires it to be 'easily accessible.'
Update it when your practices change
Adding a new analytics tool, launching email marketing, integrating a new payment processor, or sharing data with a new partner all require privacy policy updates before the change goes live.
Build processes to honor the rights you disclose
If your policy says users can request data deletion, access, or portability, you must have an actual process to handle those requests within the timeframes required by applicable law.
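A practical way to run the audit step above and catch the policy/practice mismatch the rest of the page warns about is to inventory the third-party hosts a page actually loads and compare them with the recipients the privacy policy names. The script below is an added example, not code from the original page or any product it describes; the storefront HTML, the `.example` vendor domains and the disclosed-recipient list are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample storefront page: an analytics tag, an ad pixel, a mail
# signup widget and a support chat embed, plus first-party assets.
SAMPLE_HTML = """<html><head>
<script src="https://tag.analytics-vendor.example/gtag.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<img src="/img/logo.png">
<img src="https://px.ads-network.example/pixel?id=123" width="1" height="1">
<script src="//widgets.mail-platform.example/signup.js"></script>
<iframe src="https://chat.support-vendor.example/embed"></iframe>
<script src="https://www.shop.example/app.js"></script>
</body></html>"""

# Constructed: recipient domains named in the policy's third-party section.
DISCLOSED_RECIPIENTS = {"analytics-vendor.example", "mail-platform.example"}

def _in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

class ThirdPartyCollector(HTMLParser):
    """Records every non-first-party host that script, img or iframe tags load from."""
    def __init__(self, first_party_domain):
        super().__init__()
        self.first_party = first_party_domain
        self.hosts = {}  # host -> set of tag names that reference it

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src") or ""
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname      # None for relative first-party paths
        if host and not _in_domain(host, self.first_party):
            self.hosts.setdefault(host, set()).add(tag)

def collect_third_party_hosts(html, first_party_domain):
    collector = ThirdPartyCollector(first_party_domain)
    collector.feed(html)
    return collector.hosts

def find_undisclosed(html, first_party_domain, disclosed_domains):
    """Third-party hosts on the page that no disclosed recipient domain covers."""
    hosts = collect_third_party_hosts(html, first_party_domain)
    return {h: tags for h, tags in hosts.items()
            if not any(_in_domain(h, d) for d in disclosed_domains)}

if __name__ == "__main__":
    for host, tags in sorted(find_undisclosed(SAMPLE_HTML, "shop.example", DISCLOSED_RECIPIENTS).items()):
        print(f"UNDISCLOSED: {host} (loaded via {', '.join(sorted(tags))})")
```

Running it against the sample flags the ad pixel and the support chat embed as recipients the policy never mentions; the same check can be repeated whenever a new tool is added, which is the update step the page describes.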
5 Common Mistakes That Lead to Privacy Fines
Using a template that does not match your actual data practices
Regulators compare what your policy says to what your site actually does. A mismatch between the two is treated as a deceptive practice under FTC rules and a transparency violation under GDPR.
Not updating the policy after adding new tools or integrations
Installing Google Analytics 4, adding Facebook Pixel, or connecting Mailchimp after your policy was written creates immediate non-compliance. Your policy must reflect your current practices.
Burying the privacy policy link where users cannot find it
GDPR requires privacy information to be 'easily accessible' and 'in an intelligible and easily accessible form.' A link hidden in a tertiary page menu or only in an app settings screen does not meet this standard.
Having a data rights section with no actual process to honor requests
Stating that users can request data deletion or access their data is meaningless without a working process. Regulators will test whether your disclosed rights actually function when they investigate.
Assuming the business is too small to be a target
While regulators tend to prioritize large violators for headline-generating enforcement, small businesses do get fined, particularly after data breaches, after consumer complaints, or when they operate in high-risk sectors like health or finance.
Frequently Asked Questions
What is the maximum GDPR fine for not having a privacy policy?
Can the CCPA fine small businesses?
How do privacy regulators find out about violations?
Is a free privacy policy generator enough to avoid fines?
What happens if I get a warning before a fine?
Generate a Compliant Privacy Policy in Under 2 Minutes
Do not risk fines. Create a privacy policy that accurately reflects your data practices and meets GDPR, CCPA, FTC, and other regulatory requirements automatically.