Fines hit cash flow, investigations drain teams, and consent or transfer missteps can stall launches in key markets. In 2024, cumulative GDPR fines surpassed €5 billion. By September 2025, this had risen to €6 billion across 2,590 cases. US state enforcement is catching up, too: California’s CPPA fined Honda ($632,500) and Todd Snyder ($345,178) for broken opt-outs, over-collection, and vendor misconfigurations. This post rounds up the latest data privacy fines issued by data protection enforcers around the world.
What are data privacy laws?
Data privacy laws are the rules and regulations that govern data processing and aim to protect the confidentiality and integrity of personal information (PI), also called personal data.
These laws regulate the collection, use, storage, and sharing of PI and guide entities towards ethical and rightful handling of consumer data.
They recognise privacy as a right, impose obligations upon organisations like yours to protect these rights, and set out fines for non-compliance with the privacy regulations.
Which laws attempt to regulate data privacy?
The following are solid examples of data protection and privacy laws around the world.
EU data privacy laws
The General Data Protection Regulation (GDPR), the ePrivacy Directive in the European Union and cookie consent guidelines published by EU countries such as Belgium and France act as the data privacy framework.
GDPR fines may go up to €20 million or 4% of the company’s global annual turnover, whichever is higher.
North America’s data privacy laws
PIPEDA and provincial laws in Canada, the Children’s Online Privacy Protection Act (COPPA), sector-specific data privacy laws such as GLBA and HIPAA, the California Consumer Privacy Act (CCPA), and 20+ US state laws form the data privacy laws and regulations in North America.
US data privacy laws
Unlike the EU, the US has no comprehensive federal privacy law, only sector-specific ones. However, around 20 US states have enacted their own comprehensive privacy laws. These include Texas TDPSA, Tennessee TIPA, Oregon OCPA, and more.
Middle East and Asia data privacy laws
Singapore’s PDPA, China’s PIPL and emerging laws like Vietnam’s PDPL and India’s DPDPA are some of the data privacy laws in Asia.
In the Middle East, the UAE PDPL and Saudi Arabia’s PDPL are two important laws.
Other Jurisdictions
Brazil’s data privacy law, the Lei Geral de Proteção de Dados (LGPD), is a strong privacy framework in South America. It is similar to the EU GDPR in many ways, including consent requirements.
South Africa’s POPIA governs the processing of personal information by public and private bodies and requires organisations to obtain valid consent, ensure data security, and uphold individual privacy rights.
Latest data privacy fines
Take a look at these recent data protection fines for non-compliance that you shouldn’t overlook.
France (GDPR/ePrivacy): SHEIN: €150 million
The French Data Protection Authority, CNIL, fined a subsidiary of SHEIN (INFINITE STYLES SERVICES CO. LIMITED) €150 million.
What was violated?
SHEIN violated cookie consent and transparency obligations under Article 82 of the French Data Protection Act (implementing the ePrivacy Directive). The CNIL found that:
- Advertising cookies were placed before users gave consent.
- Cookie banners were incomplete, omitting details of advertising purposes.
- No information on the third parties setting cookies was provided at the second layer of the banner.
- Mechanisms for refusing or withdrawing consent were ineffective, as cookies continued to be placed or read after refusal.
The CNIL considered the large scale of processing, with around 12 million monthly visitors in France, and SHEIN’s failure to respect repeated regulatory warnings since 2020.
France (GDPR/ePrivacy): Orange: €50 million
CNIL fined Orange €50,000,000 and ordered corrective action with a daily penalty if the company failed to comply.
What was violated?
- Direct marketing without valid consent (Article L.34-5 of the French Post and Electronic Communications Code).
- Continued reading of cookies after consent withdrawal (Article 82 of the French Data Protection Act).
Orange displayed adverts amongst genuine emails in its “Mail Orange” inboxes. That format counted as direct marketing and required consent. CNIL also found cookies were still being read after users withdrew consent, explicitly prohibited by French law.
Belgium (GDPR/ePrivacy): RTL Belgium cookie banner orders
The Belgian DPA’s Litigation Chamber issued a final decision against RTL Belgium over deceptive cookie banners.
It required a first-layer “reject all” option on equal footing with “accept all”, neutral button styling, and withdrawal as easy as consent, turning a previously floated “transaction” (settlement) into a formal order.
What was violated?
- Transparency and consent requirements under GDPR Articles 5(1)(a), 6(1)(a) and 7(1), plus the ePrivacy consent rule (Article 5(3) of the ePrivacy Directive as implemented in Belgium).
The decision specifically criticised the absence of a first-layer “reject all”, deceptive colour choices that nudged acceptance, and harder withdrawal than grant of consent.
The authority directed that the consent controls must be at the same level, with equal prominence for both accept and reject buttons. Dark patterns that steer users toward “accept” are out. The order came with a clear timeline to fix the banner.
Spain (GDPR): UNIQLO Europe, Ltd
The Spanish Data Protection Authority, AEPD, fined UNIQLO Europe €270,000.
What was violated?
UNIQLO violated the integrity/confidentiality principles and security obligations. The controller emailed payroll information for 447 workers to a former employee. AEPD’s resolution cites GDPR Articles 5(1)(f) and 32.
The decision (PS-00238-2024) sets out shortcomings in protecting the personal data of employees, leading to the exposure of information that should have been safeguarded.
California Attorney General settlement (CCPA): Healthline Media
In 2025, California Attorney General Rob Bonta announced a $1.55 million settlement with Healthline over alleged violations of the California Consumer Privacy Act (CCPA) and the state’s Unfair Competition Law.
What was violated?
According to the complaint and proposed settlement, regulators accused Healthline of several failures:
- Healthline continued sharing data for targeted advertising even after consumers opted out.
- It used personal information for incompatible purposes by sharing article titles that could indicate a reader’s medical diagnosis to target ads, beyond the purposes disclosed.
- It did not maintain contracts with advertising partners containing the CCPA-mandated privacy terms and did not verify that third parties followed an industry framework.
- The site’s consent banner claimed to disable tracking cookies when a box was unchecked, but it did not.
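The SHEIN, Orange, RTL Belgium and Healthline findings above share one technical root cause: the page's tag layer writes or reads non-essential cookies independently of the consent state, so a refusal, a withdrawal or an unchecked box changes nothing. The following is an added example (not CookieYes code, and not any regulator's reference implementation) of a consent gate that enforces the missing behaviour: nothing beyond strictly necessary cookies before a decision, immediate purge on refusal or withdrawal, no reads after withdrawal, and an audit function you can run in a test. The cookie names, the `COOKIE_CATEGORY` mapping and the `MemoryCookieJar` are constructed stand-ins so the code runs in Node; in a browser, wrap `document.cookie` behind the same small interface.

```javascript
// Added example: consent-gated cookie layer. Not the page's or any vendor's code.
// MemoryCookieJar is a constructed stand-in for document.cookie so this runs in Node.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

// Hypothetical cookie name -> purpose map. Anything NOT listed is treated as
// advertising, so an unknown third-party tracker cannot slip past the gate.
const COOKIE_CATEGORY = {
  session_id: 'necessary',
  csrf_token: 'necessary',
  _site_stats: 'analytics',
  _ad_id: 'advertising',
  _ad_click: 'advertising',
};
const CONSENT_CATEGORIES = ['analytics', 'advertising'];
const categoryOf = (name) => COOKIE_CATEGORY[name] || 'advertising';

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    // No decision recorded yet: every non-essential category is off by default.
    this.choices = { analytics: false, advertising: false };
    this.decisionRecorded = false;
  }

  // First-layer banner actions: refusing is one call, exactly like accepting.
  acceptAll() { this.setChoices({ analytics: true, advertising: true }); }
  rejectAll() { this.setChoices({ analytics: false, advertising: false }); }

  setChoices(choices) {
    for (const c of CONSENT_CATEGORIES) this.choices[c] = choices[c] === true;
    this.decisionRecorded = true;
    // Refusal/withdrawal takes effect now: purge cookies the user no longer
    // consents to, rather than merely stopping new writes.
    this.purgeNonConsented();
  }

  withdraw(category) { this.setChoices({ ...this.choices, [category]: false }); }

  allowed(category) {
    return category === 'necessary' || this.choices[category] === true;
  }

  purgeNonConsented() {
    const removed = [];
    for (const name of this.jar.names()) {
      if (!this.allowed(categoryOf(name))) { this.jar.delete(name); removed.push(name); }
    }
    return removed;
  }

  // The only path through which the tag layer may write a cookie.
  setCookie(name, value) {
    if (!this.allowed(categoryOf(name))) return false;
    this.jar.set(name, value);
    return true;
  }

  // Reading an advertising cookie after withdrawal is itself a breach (Orange),
  // so reads are gated too.
  readCookie(name) {
    return this.allowed(categoryOf(name)) ? this.jar.get(name) : null;
  }
}

// Audit: before any decision, and after "reject all", the jar must contain
// only strictly necessary cookies. Returns offenders so a CI check can fail.
// This is the check that would have caught Healthline's "unchecked box, cookies still set".
function nonEssentialCookies(jar) {
  return jar.names().filter((n) => categoryOf(n) !== 'necessary');
}

// Simulated page lifecycle; returns the observations a test would assert on.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar);
  cm.setCookie('session_id', 'abc');                       // necessary: allowed
  const setBeforeConsent = cm.setCookie('_ad_id', 'u123'); // false: no consent yet
  const leakBeforeConsent = nonEssentialCookies(jar);      // []
  cm.acceptAll();
  cm.setCookie('_ad_id', 'u123');
  cm.setCookie('_site_stats', '1');
  cm.withdraw('advertising');
  const adAfterWithdraw = cm.readCookie('_ad_id');         // null: gated read
  const adStillInJar = jar.get('_ad_id');                  // null: purged
  const statsAfterWithdraw = cm.readCookie('_site_stats'); // '1': analytics still consented
  cm.rejectAll();
  return { setBeforeConsent, leakBeforeConsent, adAfterWithdraw, adStillInJar,
           statsAfterWithdraw, afterRejectAll: nonEssentialCookies(jar),
           session: jar.get('session_id') };
}
```

The design choice worth noting is the default in `categoryOf`: an unmapped cookie is treated as advertising and therefore blocked, because the SHEIN and Healthline findings both involve third-party cookies the site did not fully enumerate. Run `nonEssentialCookies` in a headless-browser test before any banner interaction and again after clicking "reject all"; a non-empty result is exactly the evidence a regulator would collect.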
Spain AEPD fine: Trive Credit Spain
AEPD recently imposed a €225,000 fine (settled at €180,000 via voluntary payment) on Trive Credit Spain, S.L., for failing to comply with a binding supervisory order to fulfil a data subject’s right of access under the GDPR.
What was violated?
According to the AEPD’s final decision, Trive breached:
- Article 58(2) GDPR, by not complying with a corrective order.
Despite multiple reminders, the company neither certified whether access had been granted or denied nor informed the AEPD as required.
China (PIPL/Cybersecurity Law): 68 mobile apps flagged
China’s National Computer Virus Emergency Response Centre (CVERC) reported 68 mobile applications that illegally collected/used personal information. A further 22 apps from an earlier list still had issues on re-test and were removed from app stores.
What was violated?
- No prompts to read the privacy policy, difficult to access the privacy policy, and default/implicit acceptance of the policy.
- Privacy policies failing to list the controller’s identity, purposes of collection, methods of collection, retention period, and third-party recipients.
- Data-sharing with third parties without informing users and without obtaining separate consent.
- Collecting personal data or enabling device permissions without consent.
- No effective functions to correct/delete data or close accounts, or failure to act within promised timelines.
- Failure to accept and resolve complaints/rights requests within stated deadlines.
- No easy way to withdraw consent.
- Targeted marketing via automated decision-making without a non-targeted option or an easy way to refuse.
- Weak security (e.g., lack of encryption/de-identification).
- No privacy policy at all for several apps.
Texas (TDPSA): Allstate & Arity
The Texas Attorney General filed the first-ever lawsuit under the Texas Data Privacy and Security Act (TDPSA) against Allstate and its analytics subsidiary Arity. The complaint alleges the companies embedded an SDK in third-party apps, collected and sold sensitive driving-behaviour and location data, and failed to provide required notices, consent, and opt-outs.
What was violated?
- No clear, accessible privacy notice disclosing sensitive data processing and how to exercise rights.
- Missing the “NOTICE: We may sell your sensitive personal data” disclosure required where sensitive data is sold.
- No affirmative consent obtained before processing sensitive geolocation and driving-behaviour data.
- No clear, conspicuous opt-out of targeted advertising or sale; links allegedly routed to generic third-party pages rather than an Arity mechanism.
FAQ on latest data privacy fines
How much are GDPR fines?
Under the GDPR, fines depend on the severity of the violation. Businesses can face administrative penalties of up to €20 million or 4% of their total worldwide annual turnover from the preceding financial year, whichever is higher. Less severe infringements can result in fines of up to €10 million or 2% of global annual turnover, whichever is higher. The exact amount is determined by factors such as the nature of the breach, whether it was intentional or negligent, the type of personal data involved, and how the organisation responded.
What is the largest GDPR fine to date?
The largest GDPR fine imposed to date is €1.2 billion on Meta by the Irish Data Protection Commission for violating the GDPR’s cross-border data transfer rules.
How much are data privacy fines in general?
Fines depend on the law and the severity of the breach. Under the GDPR, penalties can reach up to €20 million or 4% of global annual turnover, whichever is higher. Under the CCPA/CPRA, fines are up to $2,500 per violation or $7,500 per intentional violation or violation involving consumers under 16.