Date
Jan 12, 2026
Tags
Data Privacy, GDPR, Piano Analytics
Privacy fines related to Digital Analytics in Europe: what you need to know
Every month, authorities across Europe hand out fines ranging from a few thousand euros to over €300 million. Global tech leaders, banks, media groups, and retailers face penalties for consent violations, weak transparency, and mishandling user rights.
This overview helps marketers, publishers, and technology providers be updated on the latest news regarding privacy fines in the digital marketing environment. Use this list to anticipate what regulators will focus on next, so you can make smarter choices about your data before issues ever arise.
Summary
Consent violations (cookie drops, unclear consent, refusal harder than acceptance) are the single most common fine category across all years.
Right-of-access and deletion failures are also extremely frequent – operationally hard for many companies.
Data retention and transparency mistakes repeatedly lead to six- and seven-figure fines.
Even global tech giants (LinkedIn, Meta, Microsoft, Google, Amazon) are fined regularly.
Fines range from €2,500 to €310,000,000, showing that regulators penalize companies of every size.
Why leading enterprises choose Piano
Piano is the most privacy-compliant analytics solution globally – we’re the only analytics vendor certified by EuroPrivacy; as well as GDPR- and HIPAA-compliant, and ePrivacy aligned. For us, comprehensive compliance and data privacy are a core part of our mission.
Trusted by leading financial institutions (Rabobank, Amundi, AXA), broadcasters (RTÉ), and global publishers (Le Monde, Bonnier, Funke, BBC), Piano is compliant by design, protecting your business against data suspension or deletion orders, substantial fines, reputational damage and even criminal penalties.
2025 Fines
France
Banking
Misled users on “strictly necessary” cookies and continued reading cookies after “Refuse all.”
Fine: €1,500,000
Source: https://www.cnil.fr/en/cookies-american-express-fined-eu15-million-cnil
Media & publishing
Misled users on “strictly necessary” cookies and continued reading cookies after “Refuse all.” Shows how aggressively CNIL enforces cookie-consent violations.
Fine: €750,000
Fashion
Placed cookies and collected personal data without explicit consent – one of the largest consent-related fines in ePrivacy/GDPR history.
Fine: €150,000,000
Source: https://www.cnil.fr/en/cookies-placed-without-consent-shein-fined-150-million-euros-cnil
Spain
E-commerce
Cookies dropped without explicit consent, demonstrating widespread non-compliance even among smaller companies.
Fine: €3,000
Source: https://www.aepd.es/documento/ps-00160-2025.pdf
Italy
Banking
Failed to respect right of access and right to erasure – a recurring GDPR violation.
Fine: €100,000
Source: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10168555
Late 2024 Fines
Netherlands
Transportation/tech
Incomplete disclosure around data retention of EU driver data – transparency failures remain a top GDPR issue.
Fine: €10,000,000
Spain
Transportation
Failed to obtain and honor consent correctly – another example of consent withdrawal rules being strictly interpreted.
Fine: €12,000
Source: https://legacy.dataguidance.com/news/spain-aepd-fines-seat-20000-unlawful-placement-cookies
Sweden
Financial services/banking:
Unauthorized transfer of personal data – showing supervisory focus on internal data-sharing controls.
Fine: €1,300,000
Source: https://swissprivacy.law/309/
Finland
E-commerce
Failed to limit data retention periods and lacked transparency – retention timelines continue to be a major compliance blind spot.
Fine: €856,000
2023 Fines
France
Transportation
Used Google Analytics cookies without consent, retained data indefinitely, and had incomplete transparency – highlighting multiple overlapping failures.
Fine: €105,000
Source: cnil.fr/fr/paiement-electronique-la-cnil-inflige-une-amende-de-105-000-euros-ns-cards-France
Norway
Fitness
Failed to respect access/deletion rights and processed customer personal data unlawfully.
Fine: €878,035
Source: https://www.datatilsynet.no/en/news/aktuelle-nyheter-2023/administrative-fine-imposed-on-sats
Spain
Utilities
Serious transparency, purpose-limitation, and breach-notification failures.
Fine: €6,100,000
Source: https://www.lexology.com/library/detail.aspx?g=04db215c-5fb2-4a49-b1ac-a6f7fa14616e
Media
Made rejecting cookies harder than accepting and lacked purpose information – a classic consent-manipulation case.
Fine: €75,000
Source: https://www.linkedin.com/feed/update/urn:li:activity:7044666870670487552/
Norway
Tech
Shared sensitive data with thousands of third parties without proper purpose limitation or consent.
Fine: €5,800,000
Source: https://noyb.eu/en/eu-58-million-fine-grindr-confirmed
France
Tech
Made rejecting cookies harder than accepting and lacked clarity on cookie purposes.
Fine: €5,000,000
Source: https://www.cnil.fr/fr/cookies-la-cnil-sanctionne-tiktok-hauteur-de-5-millions-deuros
Clairvoyance
Excessive collection, unlawful retention, security failures, and cookie violations – an “all of the above” compliance failure.
Fine: €150,000
Sweden
Tech
Provided incomplete access-request responses – rights-management again leading to high fines.
Fine: €5,000,000
Source: https://noyb.eu/en/spotify-fined-eu-5-million-gdpr-violation
Health
Retained health data too long and set ad cookies even after refusal – mixing sensitive-data misuse with consent failures.
Fine: €380,000
Source: https://www.cnil.fr/en/health-data-and-use-cookies-doctissimo-fined-eu380000
Hungary
Media
Transparency and purpose-limitation violations.
Fine: €25,000
2022 Fines
France
Tech
Deposited cookies without consent.
Fine: €60,000,000
Telecommunications
Failed to respect access/erasure rights and had documented security failures.
Fine: €300,000
Italy
E-commerce
Consent and retention violations – a frequent pairing across multiple cases.
Fine: €1,400,000
Source: https://www.gamingtechlaw.com/2022/12/crm-card-italian-data-protection-authority-fine/
Ireland
Tech
Large-scale data protection and breach-management failures.
Fine: €265,000,000
Source: https://www.rte.ie/news/business/2022/1128/1338739-meta-fined-265m-by-irish-data-watchdog/
Spain
Media
Illegal sharing of sensitive user data and indefinite retention.
Fine: €525,000
Source: https://digitalpolicyalert.org/event/16523-issued-ruling-for-data-protection-breaches
Belgium
Media
Incompliant and misleading consent collection.
Fine: €50,000
Poland
Utilities
Insufficient security for personal data.
Fine: €1,080,000
Greece
Telecommunications
Weak data protection and pseudonymization processes, and retention failures.
Fine: €6,000,000
France
Tech
Made rejecting cookies harder than accepting – a widely cited precedent case.
Fine: €150,000,000
Source: http://www.cnil.fr/en/cookies-google-fined-150-million-euros
2021–2020 Fines
France
Media
Cookie-consent violations.
Fine: €50,000
Tech
Placed advertising-purpose cookies without valid consent.
Fine: €35,000,000
Source: https://www.cnil.fr/en/cookies-council-state-confirms-2020-sanction-imposed-cnil-against-amazon
Banking
Inadequate information, cookie violations, and improper data-retention practices.
Fine: €800,000
Source: https://www.cnil.fr/en/cnil-fines-carrefour-france-2-25-million-eu-and-carrefour-banque-800000-eu
Food & beverage
Same issues as above — showing systemic compliance weakness across the group.
Fine: €2,250,000
Source: https://www.cnil.fr/en/cnil-fines-carrefour-france-2-25-million-eu-and-carrefour-banque-800000-eu
Spain
Banking
Unauthorized cookies and incomplete information.
Fine: €2,500
Source: https://gdprhub.eu/AEPD_(Spain)_-_PS/00471/2021
Where Piano has an advantage
ePrivacy Exemption / Hybrid Measurement
Built-in opt-out mechanisms
CNIL-validated compliance models
100% customer data ownership + no third-party sharing
Rights-of-access/deletion support
EU-only data hosting
Pseudonymization & anonymization
Transparent documentation
