Data Privacy Enforcement Tracker
What's new in the world of regulatory enforcement? Our Enforcement Tracker keeps you up to speed with relevant and noteworthy enforcement actions in the world of privacy. Stay informed, spot patterns early, and guide your program with confidence.
Note: While updated regularly, this is not exhaustive and is not intended as legal advice.
April 11, 2025
Lusha
Advertising
Italy
The investigation follows complaints from individuals who received unsolicited calls, suggesting that their data may have been sourced from Lusha’s platform without proper consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$54,400,000.00
Who Enforced
DPA
Related Products
CMP
UC
Trust Hub
Fine / Penalty
TBD
Keywords
Unlawful Marketing
April 3, 2025
Poczta Polska
Logistics
Poland
The postal service provider was fined for unlawfully sharing personal data (including PESEL numbers, names, addresses, and travel details) of all registered Polish adults during the 2020 election preparations.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$19,000,000,000.00
Who Enforced
DPA
Related Products
Vendor
Assessments
Data mapping
Fine / Penalty
€ 6,479,424
Keywords
Mishandling Data
April 3, 2025
Caixabank
Financial Services
Spain
A complaint from a customer who discovered that a co-owner could access not only their joint account but also a third account due to a system error in "CaixaBankNow."
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$180,000,000,000.00
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 3,500,000
Keywords
Sensitive Data
Data Breach
Mishandling Data
April 3, 2025
Liga Nacional de Fútbol Profesional
Entertainment
Spain
They were conducting biometric checks in stadiums without prior data protection impact assessments.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$2,000,000,000.00
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 1,000,000
Keywords
Sensitive Data
Notice
April 3, 2025
Ibermutua Mutua Colaboradora Con La Seguridad Social Nº 274
Healthcare
Spain
Software error that led to the accidental disclosure of personal data to third parties.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$750,000,000.00
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 600,000
Keywords
Sensitive Data
Data Breach
Mishandling Data
April 3, 2025
Two companies
Telecommunications
Germany
They delayed responses to information requests.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 120,000
Keywords
Mishandling Data
March 21, 2025
Amazon
Technology
Luxembourg
Amazon’s €746M GDPR fine was upheld. The fine was for inadequate transparency and consent management.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$637,960,000,000.00
Who Enforced
Luxembourg Court / CNPD
Related Products
CMP
UC
SRR
Trust Hub
Fine / Penalty
€ 756,000,000
Keywords
Mishandling Data
March 13, 2025
Investigative Sweep on Location Data Industry
Technology
USA
The agency is sending letters to advertising networks, mobile app providers and data brokers that appear to be violating the CCPA.
Privacy Law
CCPA
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
AG
Related Products
Data mapping
Assessments
Regulatory Guidance
Privacy Expert
Vendor
SRR
UC
CMP
Fine / Penalty
N/A
Keywords
Unlawful processing
Data Minimization
Mishandling Data
Sensitive Data
March 12, 2025
Honda
Transportation
USA
Honda required more information than needed to process opt-out and data limitation requests.
Privacy Law
CCPA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$134,900,000,000.00
Who Enforced
California Privacy Protection Agency (CPPA)
Related Products
SRR
UC
Fine / Penalty
$632,500
Keywords
Data Minimization
March 12, 2025
Saturn Technologies
Technology
USA
The company didn’t verify users’ school email addresses and age to ensure they were high school students, and didn’t inform users that it would copy and use their “contact books.”
Privacy Law
New York Law
Level of Government
State
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1,000,000.00
Who Enforced
AG
Related Products
Data mapping
Trust Hub
Assessments
Privacy Expert
Fine / Penalty
$650,000
Keywords
Mishandling Data
Data Minimization
Unlawful processing
March 6, 2025
Publicaciones y Ediciones Baraca 208, S.L.
Retail
Spain
Unlawfully publishing personal data, including health information, without a legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$500,000.00
Who Enforced
DPA
Related Products
Trust Hub
Privacy Expert
Assessments
Fine / Penalty
€ 6,000
Keywords
Data Breach
Unlawful processing
March 6, 2025
Breogan Autolux, S.L.
Retail
Spain
Sending SMS advertisements without consent
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$52,000,000.00
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 6,000
Keywords
Unlawful Marketing
March 5, 2025
EDPB enforcement sweep on SRRs
All
Europe
EDPB has launched its 2025 enforcement sweep targeting organizations’ compliance with data subjects’ right of erasure (right to delete or be forgotten), focusing particularly on how exceptions are applied. Thirty-two EU member state data protection authorities (DPAs) will participate in this year-long sweep that began March 5, 2025.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
EDPB
Related Products
SRR
Fine / Penalty
TBD
Keywords
N/A
February 26, 2025
Cookie-Banner Class Actions (U.S.)
All
USA
Since the beginning of 2025, several (at least three) class actions have been filed arising out of allegedly malfunctioning cookie banners. The plaintiffs claim to have opted out of non-essential cookies, but their opt-out was not effective.
Privacy Law
N/A
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
Court
Related Products
CMP
UC
Fine / Penalty
N/A
Keywords
N/A
February 20, 2025
Medstar S.R.L.
Healthcare
Romania
The investigation was started following a complaint from a data subject, who claimed that the operator where he performed his medical tests, the Medstar clinic, disclosed his personal data and that of another data subject.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$38,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 2,000
Keywords
Data Breach
Mishandling Data
February 11, 2025
Amazon
Technology
USA
Maxwell v. Amazon: The plaintiffs claim that Amazon collected health data from consumers through its SDK without giving the required notice or getting consent. The complaint doesn't discuss whether this data collection could be considered necessary under MHMDA's rules. However, it suggests that since the services consumers used were provided by apps using the SDK (and not directly by Amazon), this exception doesn't apply.
Privacy Law
MHMDA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$158,900,000,000.00
Who Enforced
Court
Related Products
CMP
UC
Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data
Unlawful processing
February 5, 2025
ORANGE ESPAGNE, S.A.U.
Telecommunications
Spain
Unauthorized duplication of the complainant's SIM card, leading to financial losses of 9,000 euros.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$4,700,000,000.00
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 1,200,000
Keywords
Data Breach
Other Actions
ORANGE was ordered to implement measures to ensure that SIM card duplications are only carried out with proper verification of the requester's identity.
February 4, 2025
Real estate company
Retail
France
Disproportionate surveillance of its employees' activity, through software
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
DPA
Related Products
Privacy Expert
Assessments
Fine / Penalty
€ 40,000
Keywords
Data Minimization
Tracking Tech
Unlawful processing
January 23, 2025
Softehnica S.R.L.
Logistics
Romania
Insufficient technical and organisational measures to ensure information security
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1,454,100.95
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€2,000
Keywords
Mishandling Data
January 20, 2025
Vodafone Romania S.A.
Telecommunications
Romania
Insufficient technical and organisational measures to ensure information security
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$764,000,000.00
Who Enforced
Romanian DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 15,000
Keywords
Data Breach
January 17, 2025
DELIVERY SOLUTIONS S.A.
Logistics
Romania
Insufficient technical and organisational measures to ensure information secur
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$186,620,689.99
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 2,000
Keywords
Data Breach
Other Actions
Corrective measures were ordered
January 9, 2025
Court Administration Office
Public Sector
South Korea
Data breach involving litigation-related documents containing the personal data of 17,998 individuals. The PIPC claims the breach occurred as a result of the CAO’s unencrypted storage systems and weak data security protocols. The CAO also delayed reporting the breach, according to the PIPC.
Privacy Law
Personal Information Protection Act (“PIPA”)
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
N/A
Who Enforced
Personal Information Protection Commission (PIPC)
Related Products
Assessments
Data mapping
Fine / Penalty
$183,982
Keywords
Data Breach
Mishandling Data
January 8, 2025
Bindl v EU commission
Public Sector
EU
European General Court Decision: The court ordered the European Commission to pay damages (400 EUR) for unlawfully transferring data to the U.S. without adequate protections. This transfer to the US occurred when data was shared with Meta via a "Sign in with Facebook" button on an official EU website.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
N/A
Who Enforced
European General Court
Related Products
Assessments
Data mapping
Trust Hub
Fine / Penalty
400 EUR
Keywords
Cross-Border Transfer
January 8, 2025
Allstate + Arity (Allstate's tech subsidiary)
Transportation
USA
Arity (Allstate's tech subsidiary) allegedly slipped its SDK into third-party apps to collect “trillions of miles” of driving behavior from mobile devices, other in-car devices, and vehicles themselves.
Privacy Law
Texas Data Privacy and Security Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$57,090,000,000.00
Who Enforced
Texas AG
Related Products
Trust Hub
UC
Fine / Penalty
TBD
Keywords
Selling Data
Mishandling Data
Tracking Tech
Unlawful processing
Other Actions
N/A
January 8, 2025
Bayview Asset Management (Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings)
Financial Services
USA
Failing to maintain sufficient cybersecurity practices and not fully cooperating with state regulators following a data breach that impacted 5.8 million customers.
Privacy Law
State Agency Rules
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$92,800,000.00
Who Enforced
52 state financial regulatory agencies
Related Products
Assessments
Data mapping
Fine / Penalty
$20,000,000
Keywords
Data Breach
Mishandling Data
Other Actions
Corrective actions, improve cybersecurity programs, undergo independent assessments, and provide three years of additional reporting to the states.
January 8, 2025
ECJ v Austria
All
Austria
The ECJ ruled on 9 January 2025 that data subject complaints cannot be deemed excessive solely based on their frequency. The decision follows the Austrian data protection regulator’s refusal to handle a 2020 complaint, citing the data subject’s 77 similar complaints over 20 months. The ECJ clarified that regulators must demonstrate abusive intent to justify refusal under the GDPR. It noted that relying on the number of complaints alone could lead to arbitrary infringement of data subject rights.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
ECJ
Related Products
SRR
Fine / Penalty
None
Keywords
N/A
Other Actions
None
January 7, 2025
Elgon Information Systems
Healthcare
USA
A ransomware attack prompted an HHS finding that the company had failed to conduct a thorough risk analysis to address vulnerabilities in its systems, exposing 31,248 individuals’ ePHI.
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$580,000.00
Who Enforced
US Department of Health and Human Services (HHS)
Related Products
Assessments
Data mapping
Fine / Penalty
$80,000
Keywords
Sensitive Data
Data Breach
Mishandling Data
December 20, 2024
OpenAI
Technology
Italy
OpenAI had wrongly relied on legitimate interest as a legal basis for processing personal data, processed inaccurate personal data, and had no age verification measures in place.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,600,000,000.00
Who Enforced
DPA
Related Products
UC
Privacy Expert
Assessments
Fine / Penalty
15,000,000
Keywords
Unlawful processing
Other Actions
OpenAI must carry out a six-month campaign informing Italians of how it uses their personal data for its services.
December 20, 2024
Grubhub
Logistics
USA
Grubhub engaged in deceptive practices, such as misleading diners about delivery fees, blocking access to gift card funds, and falsely advertising driver earnings.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,800,000,000.00
Who Enforced
FTC
Related Products
Trust Hub
Privacy Expert
Regulatory Guidance
Fine / Penalty
$25,000,000
Keywords
Notice
Other Actions
Grubhub to make changes to its business practices, including not adding surprise fees to delivery totals, providing a simple way to cancel Grubhub+ subscriptions, stopping listing unaffiliated restaurants and not making misleading driver-earning claims. Illinois Attorney General aided in case.
December 18, 2024
Netflix
Entertainment
Netherlands
The Dutch Data Protection Authority (Dutch DPA) is imposing a fine of 4.75 million euro on the streaming service because Netflix did not give customers sufficient information about what the company does with their personal data between 2018 and 2020.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$37,000,000,000.00
Who Enforced
DPA
Related Products
CMP
Templates
Trust Hub
Fine / Penalty
4.75M euro
Keywords
Notice
December 17, 2024
Meta Platforms Ireland Limited
Technology
Ireland
Insufficient technical and organisational measures to ensure information security
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$134,000,000,000.00
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
251,000,000
Keywords
Mishandling Data
Data Breach
December 12, 2024
Various Organizations
All
France
The French Data Protection Authority (CNIL) issued notices to several organizations regarding non-compliant cookie banners. The notices were a result of complaints about dark patterns that encouraged users to accept non-essential cookies. The CNIL found that the methods for rejecting cookies were not as easy to use as those for accepting them, and that the designs were misleading. https://www.huntonak.com/privacy-and-information-security-law/cnil-issues-notices-regarding-non-compliant-cookie-banners
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
N/A
Keywords
Dark Patterns
December 3, 2024
Gravy Analytics (and subsidiary Venntel)
Technology
USA
Unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$15,000,000.00
Who Enforced
FTC
Related Products
CMP
UC
SRR
Assessments
Data mapping
Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data
Selling Data
Unlawful processing
Other Actions
Prohibited from selling, disclosing, or using sensitive location data in any product or service, and must establish a sensitive data location program.
November 28, 2024
Freedelity
Technology
Belgium
The DPA found issues with Freedelity’s:
consent mechanisms for data processing;
excessive data collection; and
overly long data retention periods for personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
DPA
Related Products
CMP
UC
Assessments
Data mapping
Fine / Penalty
TBD
Keywords
Tracking Tech
Unlawful processing
Other Actions
The company has a period of 4 months to comply with these injunctions, and will have to pay penalties of up to 5,000 euros per day of delay in the event of non-compliance or partial compliance.
November 27, 2024
Coupang
Retail
South Korea
The fine was in relation to two data breaches: the first was caused by the mishandling of transmitted data, and the second by an authentication issue.
Privacy Law
Personal Information Protection Act (“PIPA”)
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$20,000,000,000.00
Who Enforced
Personal Information Protection Commission (PIPC)
Related Products
Assessments
Data mapping
Fine / Penalty
$1,100,000
Keywords
Data Breach
November 27, 2024
Mediahuis
Entertainment
Belgium
Mediahuis had fully complied with the DPA’s order regarding illegal cookie banners, thereby avoiding a €25,000 (US$26,402) daily penalty.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$640,000,000.00
Who Enforced
Market Court
Related Products
CMP
Fine / Penalty
Avoided $26,402 daily penalty
Keywords
Unlawful processing
Tracking Tech
November 21, 2024
Eken
Technology
Hong Kong
Apparent violations of FCC rules that require the company to designate an agent located in the United States.
Privacy Law
FCC Rules
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10,000,000.00
Who Enforced
FCC
Related Products
Privacy Expert
Regulatory Guidance
Fine / Penalty
TBD
Keywords
Unlawful processing
November 19, 2024
Technology
Germany
The German Federal Court of Justice made a judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR from a 2021 data breach of Facebook. This judgment is important insofar as the BGH has taken a position on a legal issue – non-material damages for loss of control over personal data and its amount – that has been controversial and inconsistently handled to dat
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$134,900,000,000.00
Who Enforced
German Federal Court of Justice (Bundesgerichtshof – “BGH”)
Related Products
Data mapping
Fine / Penalty
€ 250
Keywords
Data Breach
November 19, 2024
Bunnings
Retail
Australia
Individuals’ facial images were compared against those of individuals Bunnings had enrolled in a database who had been identified as posing a risk, for example, due to past crime or violent behavior, according to the OAIC.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10,000,000,000.00
Who Enforced
Office of the Australian Information Commissioner (OAIC)
Related Products
UC
Assessments
Data mapping
Fine / Penalty
TBD
Keywords
Unlawful processing
Tracking Tech
Sensitive Data
November 15, 2024
Posti
Logistics
Finland
Posti had automatically created an electronic OmaPosti mailbox for customers without a separate request.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,600,000,000.00
Who Enforced
DPA
Related Products
UC
CMP
SRR
Fine / Penalty
€ 2,400,000
Keywords
Mishandling Data
November 14, 2024
Growbots
Technology
USA
The company failed to register between February 1 and July 26, 2024, per the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
Enforcement Division of the California Privacy Protection Agency (CPPA)
Related Products
Regulatory Guidance
Fine / Penalty
$35,000
Keywords
N/A
November 14, 2024
UpLead
Technology
USA
The company failed to register between February 1 and July 21, 2024, per the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
Enforcement Division of the California Privacy Protection Agency (CPPA)
Related Products
Regulatory Guidance
Fine / Penalty
$34,400
Keywords
N/A
November 7, 2024
T-Mobile
Telecommunications
USA
The telecom company promised to address “foundational security flaws,” work to improve “cyber hygiene,” and adopt “robust modern architectures,” such as zero trust and multi-factor authentication that is resistant to phishing.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$80,000,000,000.00
Who Enforced
FCC
Related Products
Assessments
Data mapping
Fine / Penalty
$31,500,000
Keywords
Data Breach
November 5, 2024
Meta
Technology
South Korea
From July 2018 to March 2022, the company gathered data from nearly 980,000 users without asking for their explicit permission. This information included highly personal details such as users’ political beliefs, religious preferences, and whether they were in same-sex relationships. Once the company collected this sensitive data, it shared it with around 4,000 advertisers.
Privacy Law
Personal Information Protection Act (“PIPA”)
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$134,900,000,000.00
Who Enforced
Personal Information Protection Commission (PIPC)
Related Products
CMP
UC
Assessments
Fine / Penalty
₩ 15,000,000
Keywords
Tracking Tech
Unlawful processing
Sensitive Data
November 3, 2024
Blackcab Systems SRL
Professional Services
Romania
DSAR not fulfilled, and during the investigation, it was found that the operator Blackcab Systems SRL did not prove that it responded to the petitioner's request.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 1,000
Keywords
Mishandling Data
Other Actions
Corrective measures were ordered against the operator:
November 1, 2024
Master Wealth Control and Property Lovers
Financial Services
Australia
The companies failed to:
collect data fairly;
notify individuals whose data was collected; and
ensure the accuracy of the information.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$9,000,000.00
Who Enforced
Office of the Australian Information Commissioner (OAIC)
Related Products
CMP
UC
Assessments
Data mapping
Trust Hub
Fine / Penalty
n/a
Keywords
Unlawful processing
Mishandling Data
Other Actions
Ordered to cease collecting personal information unfairly, destroy their leads lists within 30 days, update their privacy policies, and provide evidence of compliance.
October 31, 2024
Meta
Technology
USA
CFPB staff informed Meta on Sept. 18 that it is weighing potential legal action related to advertising for financial products on the company’s platforms, which include photo-sharing platform Instagram and messaging service WhatsApp, the company revealed in a Thursday securities filing.
Privacy Law
Dodd-Frank Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$134,900,000,000.00
Who Enforced
Consumer Financial Protection Bureau
Related Products
UC
CMP
Fine / Penalty
TBD
Keywords
Unlawful Marketing
October 29, 2024
Temu
Retail
EU
The Commission has opened formal proceedings to assess whether Temu may have breached the Digital Services Act (DSA) in areas linked to the sale of illegal products, the potentially addictive design of the service, the systems used to recommend purchases to users, as well as data access for researchers.
Privacy Law
Digital Services Act (DSA)
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$35,000,000,000.00
Who Enforced
EU Commission
Related Products
Assessments
Fine / Penalty
TBD
Keywords
Tracking Tech
Unlawful Marketing
October 29, 2024
Untold SRL
Professional Services
Romania
The controller did not resolve the request for access to the personal data of the data subject, although he communicated for correspondence his e-mail address, telephone number, full name and surname and postal address.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 15,000
Keywords
Mishandling Data
Other Actions
Corrective measures were ordered against the operator.
October 27, 2024
Vodafone Romania S.A.
Telecommunications
Romania
It was found that the operator Vodafone Romania S.A. did not adopt sufficient technical and organizational measures to ensure the confidentiality of the processed personal data. No measures were taken to hide the recipients' email addresses.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$600,000,000.00
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000
Keywords
Data Breach
October 23, 2024
LinkedIn
Technology
Ireland
Ireland’s data protection watchdog has fined the professional social media site for GDPR breaches related to targeted advertising.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10,000,000,000.00
Who Enforced
DPC
Related Products
UC
CMP
Assessments
Fine / Penalty
€310,100,000
Keywords
Tracking Tech
Unlawful Marketing
Other Actions
In addition, the regulator handed LinkedIn a reprimand and ordered it to bring its processing into compliance.
October 22, 2024
NHL
Entertainment
USA
VPPA: Lawsuit claims that the NHL collected and shared personal viewing data with third parties, such as Facebook, without user consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$6,200,000,000.00
Who Enforced
Class Action Lawsuits
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
VPPA
Unlawful processing
October 22, 2024
MLB
Entertainment
USA
VPPA: MLB is facing a lawsuit for allegedly violating the Video Privacy Protection Act (VPPA) by sharing users’ personal video viewing information with Facebook without consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10,800,000,000.00
Who Enforced
Class Action Lawsuits
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
VPPA
Unlawful processing
October 21, 2024
Unisys
Professional Services
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$2,000,000,000.00
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$4,000,000
Keywords
Data Breach
October 21, 2024
Avaya
Professional Services
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$2,000,000,000.00
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$1,000,000
Keywords
Data Breach
October 21, 2024
Check Point
Technology
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$2,000,000,000.00
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$995,000
Keywords
Data Breach
October 21, 2024
Mimecast
Technology
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$360,000,000.00
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$990,000
Keywords
Data Breach
October 21, 2024
IBERCAJA BANCO, S.A.
Financial Services
Spain
Insufficient legal basis for data processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,000,000,000.00
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 180,000
Keywords
Unlawful processing
October 20, 2024
Grue municipality
Public Sector
Norway
Sensitive Data breach in a public postal journal. 14 individuals were affected.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
DPA
Related Products
Data mapping
Fine / Penalty
€ 20,800
Keywords
Sensitive Data
Data Breach
Other Actions
The municipality also initiated extensive control work and measures to prevent similar incidents in the future
October 15, 2024
Your Consulting SRL
Professional Services
Romania
The operator did not implement adequate technical and organizational measures at the time of establishing the means of processing or at the time of the processing itself and did not carry out periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10,000,000.00
Who Enforced
National Supervisory Authority
Related Products
Trust Hub
Assessments
Fine / Penalty
€ 3,000
Keywords
Data Breach
Other Actions
Must implement robust security program starting with assessments
October 14, 2024
Quick Tax Claims
Professional Services
UK
Quick Tax Claims Limited had sent 7,863,547 unlawful text messages over the course of a month, resulting in 66,793 complaints – 93% of these stating there was no ‘opt out’ option.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10,000,000.00
Who Enforced
ICO
Related Products
CMP
UC
SRR
Fine / Penalty
£120,000
Keywords
Unlawful Marketing
October 14, 2024
National Basketball Association
Entertainment
USA
Defendant allegedly disclosed the plaintiff’s video viewing information to Meta via the Facebook Pixel without consent, in violation of the VPPA.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$6,410,000,000.00
Who Enforced
Federal Courts
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
VPPA
Unlawful processing
October 10, 2024
WerepairUK Ltd
Professional Services
UK
WerepairUK Ltd, based in Tonbridge, has been fined for making 42,688 unsolicited calls. It has appealed the decision. These calls were made to people who had explicitly opted out of receiving marketing communications, violating their privacy and causing some distress.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10,000,000.00
Who Enforced
ICO
Related Products
SRR
UC
Fine / Penalty
£80,000
Keywords
Unlawful Marketing
October 10, 2024
Service Box Group Limited
Professional Services
UK
Service Box Group Limited, based in Hove, East Sussex, has been fined for 5,361 calls.
These calls were made to people who had explicitly opted out of receiving marketing communications, violating their privacy and causing some distress.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
ICO
Related Products
UC
SRR
Fine / Penalty
£40,000
Keywords
Unlawful Marketing
October 10, 2024
RTL Belgium
Telecommunications
Belgium
Belgian Data Protection Authority (Belgian DPA) issued its Decision No. 131/2024 in which it imposed a fine of €40,000 a day on RTL Belgium AS for violations of the General Data Protection Regulation (GDPR), following a complaint from none of your business (NOYB).
(1) failed to display both an 'accept all' and a 'reject all' button on the first layer of its cookie banner.
(2) used misleading colors in its cookie banner, directing users towards the choice of consenting to cookies by highlighting the 'accept all' button.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 40,000 per day
Keywords
Dark Patterns
October 8, 2024
Marriott International, Inc. (subsidiary Starwood Hotels & Resorts Worldwide LLC)
Transportation
USA
Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$20,000,000,000.00
Who Enforced
FTC
Related Products
SRR
Data mapping
Fine / Penalty
TBD
Keywords
Data Deletion
Data Breach
Mishandling Data
Data Minimization
Other Actions
Must implement robust security program, and fulfil all delete SRR.
October 8, 2024
Marriott International, Inc. (subsidiary Starwood Hotels & Resorts Worldwide LLC)
Transportation
USA
Attorney General Tong announced today that a coalition of 50 attorneys general, co-led by Connecticut, has reached a settlement with Marriott International, Inc. as the result of an investigation into a large multi-year data breach of one of its guest reservation databases.
Privacy Law
State consumer protection laws
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$20,000,000,000.00
Who Enforced
50 US State AGs
Related Products
Data mapping
SRR
Fine / Penalty
$52,000,000
Keywords
Data Breach
Data Deletion
Mishandling Data
Data Minimization
October 2, 2024
TikTok
Technology
USA
The complaint alleges that TikTok did not provide verified parents with the ability to control or limit the privacy and account settings on a minor’s account, such as tools to (1) limit TikTok’s sharing, disclosure and sale of a minor’s personal identifying information and (2) control TikTok’s ability to display targeted advertising to a minor.
Privacy Law
Securing Children Online Through Parental Empowerment (“SCOPE”) Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,000,000,000.00
Who Enforced
AG
Related Products
CMP
UC
Fine / Penalty
10,000 per violation
Keywords
Unlawful processing
October 1, 2024
California Privacy Protection Agency Announces Investigative Sweep of Data Brokers
Technology
USA
On October 30, 2024, the California Privacy Protection Agency (“CPPA”) announced that it is conducting an investigative sweep focused on enforcing requirements for data brokers to register with the CPPA by January 31, 2024, under California’s Delete Act (the “Act”). Under the Act, the CPPA has the authority to impose an administrative fine of $200 per day for each day the data broker failed to register
Privacy Law
Delete Act
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
CPPA
Related Products
UC
SRR
Fine / Penalty
$200 per day
Keywords
N/A
September 26, 2024
Meta
Technology
Ireland
Meta informed the commission in 2019 it inadvertently stored certain passwords of its platforms’ users in “plaintext,” or without protection or encryption
The authority said that 36 million users across the EU and EEA were affected.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$117,900,000,000.00
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
$100,000,000
Keywords
Data Breach
September 24, 2024
Mozilla
Technology
EU
Mozilla, the nonprofit that develops the Firefox web browser, has been hit with a complaint by European Union privacy rights group noyb, which accuses it of violating the bloc's General Data Protection Regulation (GDPR) by tracking Firefox users by default without their permission.
If EU privacy regulators agree with the complaint the Firefox-maker could be slapped with orders to change tack -- or even face a penalty (the GDPR allows for fines of up to 4% of global revenue).
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
Noyb
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
Tracking Tech
September 16, 2024
AT&T
Telecommunications
USA
AT&T had a data breach of a cloud vendor in January 2023 that impacted 8.9 million customers.
The exposed data included information like the number of lines on an account and in a few cases bill balance and rate plan information but did not contain credit card information, Social Security Numbers, account passwords and other sensitive personal information.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$170,000,000,000.00
Who Enforced
FCC
Related Products
Vendor
Data mapping
Fine / Penalty
$13,000,000
Keywords
Data Breach
Other Actions
AT&T has also agreed to boost its data governance practices to increase supply chain integrity in the handling of sensitive data to protect consumers from similar vendor data breaches in the future.
September 1, 2024
Verkada
Technology
USA
FTC: Did not apply appropriate controls to sensitive data
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
FTC
Related Products
UC
Assessments
Data mapping
Fine / Penalty
$2,950,000
Keywords
Sensitive Data
Data Breach
Other Actions
FTC is requiring Verkada to create a comprehensive information security program
August 28, 2024
Apohem AB
Retail
Sweden
Apohem AB had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period.
Incident spanned from April 15th, 2021 to April 26, 2022.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$40,000,000.00
Who Enforced
DPA
Related Products
CMP
Assessments
Data mapping
Fine / Penalty
$730,000
Keywords
Tracking Tech
Unlawful processing
Unlawful Marketing
Sensitive Data
August 28, 2024
Apoteket AB
Retail
Sweden
Apoteket AB had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period.
Incident spanned from January 19, 2020 to April 25, 2022.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$600,000,000.00
Who Enforced
DPA
Related Products
CMP
Assessments
Data mapping
Fine / Penalty
$3,400,000
Keywords
Unlawful Marketing
Unlawful processing
Tracking Tech
Sensitive Data
August 26, 2024
Uber Technologies, Inc.
Transportation
Netherlands
The European Union’s data protection laws were violated by transferring sensitive personal data of its drivers to the U.S. without adequate safeguards
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$31,800,000,000.00
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
$310,000,000
Keywords
Cross-Border Transfer
August 22, 2024
Lawline
Technology
USA
VPPA: claims that the platform unlawfully disclosed its users' video viewing habits to third parties, specifically analytics and marketing companies, without obtaining proper consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
Fed Courts - Settled
Related Products
CMP
UC
Trust Hub
Data mapping
Assessments
Fine / Penalty
TBD
Keywords
VPPA
Tracking Tech
August 20, 2024
"A major private company "
Telecommunications
Thailand
Failure to Appoint a Data Protection Officer (DPO).
Inadequate Security Measures: The company lacked appropriate security measures as mandated by the PDPA, leading to data leaks to call center gangs and causing widespread damage.
Failure to Report Data Breaches: The company ignored complaints from data subjects and delayed reporting the breaches to the PDPC, preventing timely remediation.
Privacy Law
Personal Data Protection Act ("PDPA")
Level of Government
Federal
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
Thai Personal Data Protection Act (PDPA) Expert Committee
Related Products
Data mapping
Fine / Penalty
฿205,520
Keywords
Data Breach
Mishandling Data
Other Actions
The second expert committee ordered the company to enhance its security measures to prevent future data leaks. The company must also train its staff, update security measures to keep pace with technological changes, and report these improvements to the PDPC within 7 days of receiving the order.
August 19, 2024
Equiniti Trust
Financial Services
USA
SEC rules: A lot going on here, with issues re handling client assets. Breach, data governance and poor retention.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,000,000,000.00
Who Enforced
SEC
Related Products
Data mapping
Assessments
Fine / Penalty
$850,000
Keywords
Data Breach
August 6, 2024
Advanced Computer Software Group
Technology
UK
UK GDPR: failed to implement sufficient security measures to protect personal information.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
ICO
Related Products
Data mapping
Assessments
Fine / Penalty
£ 6,000,000
Keywords
Data Breach
August 5, 2024
UNIQLO EUROPE, LTD
Retail
Spain
The complainant in the case, whose employment contract had been terminated, requested access to their payroll information for July 2022. In responding to the request, the controller sent an e-mail to the complainant that contained an attached PDF document that included his payroll and that of 446 other workers on the staff.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$300,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 270,00
Keywords
Data Breach
Mishandling Data
July 29, 2024
Meta
Technology
USA
Meta knowingly violated the state’s Capture or Use of Biometric Identifier Act and Deceptive Trade Practices and Consumer Protection Act by implementing a now-defunct facial-recognition-based photo and video tagging feature.
Texas law says it’s illegal for private entities to capture, disclose or profit from someone’s biometric identifiers without their informed consent.
Privacy Law
Capture or Use of Biometric Identifier Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$117,900,000,000.00
Who Enforced
AG
Related Products
CMP
UC
Fine / Penalty
$1,400,000,000
Keywords
Sensitive Data
Tracking Tech
Selling Data
July 23, 2024
TikTok
Technology
UK
Failing to comply with a request for information and not cooperating with Ofcom’s investigation into the effectiveness of its child protection measures.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,000,000,000.00
Who Enforced
UK Office of Communications (Ofcom)
Related Products
Data mapping
Fine / Penalty
£ 1,875,000
Keywords
Sensitive Data
Mishandling Data
July 17, 2024
Oracle
Technology
USA
The proposed settlement was announced on 18 July in San Francisco federal court. In August 2022, plaintiffs had filed a lawsuit that alleged Oracle’s advertising tracking tools accessed, collected, stored, disclosed, sold and used internet users’ personal data without consent.
Privacy Law
US Civil Law
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$40,000,000,000.00
Who Enforced
Federal Courts
Related Products
CMP
UC
Fine / Penalty
$150,000,000
Keywords
Tracking Tech
Unlawful processing
July 17, 2024
WhatsApp (Meta)
Technology
Nigeria
Meta was ordered to “immediately reinstate the rights of Nigerian users to self-determine and control” data sharing, and stop sharing WhatsApp users’ information “with other Facebook companies and third parties” without users’ active consent.
Privacy Law
Nigeria Data Protection Act 2023
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$15,000,000,000.00
Who Enforced
Federal Competition and Protection Commission (Nigeria)
Related Products
Data mapping
UC
CMP
Fine / Penalty
$2,200,000,000
Keywords
Unlawful processing
Mishandling Data
Other Actions
35,000 for investigation costs.
July 17, 2024
TracFone
Telecommunications
USA
Verizon-owned mobile virtual network operator TracFone
Unauthorized third parties were able to exploit TracFone’s customer-facing application programming interfaces (APIs) to gain access to customer data between January 2021 and January 2023.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
FCC
Related Products
CMP
UC
Data mapping
Vendor
Fine / Penalty
$16,000,000
Keywords
Data Breach
July 8, 2024
NGL
Technology
USA
The FTC and the Los Angeles District Attorney’s Office accused NGL of violating the Children’s Online Privacy Protection Rule (COPPA Rule) by knowingly collecting the personal data of children younger than 13 without parental consent.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
FTC
Related Products
SRR
Data mapping
UC
Fine / Penalty
$5,000,000
Keywords
Unlawful processing
Data Minimization
Sensitive Data
July 1, 2024
Vinted
Retail
Lithuania
Did not have proper rationale for denying the right to erasure (‘right to be forgotten’) and the right of access. They reasoned that the user did not identify in their request the ‘specific grounds’ under Article 17 of the GDPR.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$240,000,000.00
Who Enforced
DPA
Related Products
SRR
Data mapping
Fine / Penalty
€ 2,385,276
Keywords
Mishandling Data
June 30, 2024
Grindr
Technology
Norway
The Norwegian Data Protection Authority said that sharing such data without seeking explicit consent broke GDPR rules.
The fine was reduced from £8.6m after Grindr provided details about its financial situation, and made changes to its app.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
DPA
Related Products
CMP
UC
SRR
Data mapping
Vendor
Fine / Penalty
€6,500,000
Keywords
Unlawful processing
June 17, 2024
Tilting Point Media LLC (Tilting Point)
Technology
USA
Tilting Point employed an age screen that did not ask for age in a “neutral manner” and therefore encouraged children to enter an older age. Further, Tilting Point inadvertently configured third-party software development kits (SDKs) to collect and sell children’s data without first obtaining consent.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$40,000,000.00
Who Enforced
California Attorney General and Los Angeles City Attorney
Related Products
UC
Assessments
Fine / Penalty
$500,000
Keywords
Unlawful processing
Tracking Tech
Mishandling Data
Other Actions
prohibition on selling and sharing the personal information of children without affirmative consent, a requirement to use neutral age screens, restrictions on the use of SDKs, children’s data minimization requirements, and a requirement to submit annual reports regarding compliance efforts to the California Department of Justice and the Los Angeles City Attorney’s office.
June 17, 2024
Multiple undisclosed
Technology
USA
The Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.
Privacy Law
Data Broker Law
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
AG
Related Products
Regulatory Guidance
Data mapping
Fine / Penalty
$10,000.00
Keywords
N/A
Other Actions
The Data Broker Law, the Biometric Identifier Act, the Deceptive Trade Practices Act as well as federal laws including the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).
June 4, 2024
Medibank Private Ltd (MPL.AX)
Financial Services
Australia
Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$7,600,000,000.00
Who Enforced
Office of the Australian Information Commissioner (OAIC)
Related Products
Data mapping
Fine / Penalty
TBD
Keywords
Data Breach
May 22, 2024
Police Service of Northern Ireland (PSNI)
Public Sector
UK
Exposed personal data belonging to all PSNI serving officers and staff.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$141,000,000.00
Who Enforced
UK ICO
Related Products
Assessments
Fine / Penalty
£750,000
Keywords
Data Breach
May 21, 2024
Kakao Corp
Telecommunications
South Korea
Failure to report a data breach.
Privacy Law
Personal Information Protection Act (“PIPA”)
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,000,000,000.00
Who Enforced
South Korea’s PIPC
Related Products
Assessments
Fine / Penalty
$11,100,000
Keywords
Data Breach
May 19, 2024
Blackbaud
Financial Services
USA
Order finalized after announcement in February 2024.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$600,000,000.00
Who Enforced
FTC
Related Products
Data mapping
Fine / Penalty
$3,000,000
Keywords
Sensitive Data
Data Deletion
Other Actions
Delete data that is no longer needed
March 17, 2024
Benefytt Technologies
Healthcare
USA
Health company and its third parties operated a series of deceptive websites that targeted consumers who were searching for comprehensive health insurance plans qualified under the Affordable Care Act.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
FTC
Related Products
SRR
UC
CMP
Fine / Penalty
$100,000,000
Keywords
Sensitive Data
Tracking Tech
Unlawful Marketing
March 14, 2024
Flo Health
Healthcare
Canada
App shared personal health information with Facebook and other third parties without users' consent
Privacy Law
Canadian Civil Law
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
Supreme Court of British Columbia
Related Products
UC
Vendor
Fine / Penalty
TBD
Keywords
Sensitive Data
Unlawful processing
Mishandling Data
March 4, 2024
Intellexa Consortium
Technology
USA
Used spyware and surveillance technology to target U.S. government officials, journalists and policy experts
Privacy Law
OFAC sanctions
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
Treasury Department Office of Foreign Assets Control (OFAC)
Related Products
UC
CMP
Fine / Penalty
TBD
Keywords
Tracking Tech
Unlawful processing
February 27, 2024
BNSF Railway
Transportation
USA
Unlawfully collected fingerprint scans without consent from thousands of drivers using automated gate systems at the company’s four facilities in Illinois.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$23,000,000,000.00
Who Enforced
FTC
Related Products
UC
Fine / Penalty
$75,000,000
Keywords
Selling Data
Unlawful processing
February 21, 2024
5 waste management companies
Logistics
Italy
Used facial recognition technology to determine employee attendance.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
DPA
Related Products
UC
Assessments
Fine / Penalty
€ 103,000
Keywords
Tracking Tech
Unlawful processing
February 21, 2024
Avast Limited
Technology
USA
Collected, retained and sold data without proper notice or consent to third parties
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$340,000,000.00
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$16,500,000
Keywords
Selling Data
Unlawful processing
February 20, 2024
Doordash
Retail
USA
Sold its customers' personal information without notice and without providing an opportunity to opt-out of the sale of their data
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$2,000,000,000.00
Who Enforced
California AG
Related Products
CMP
UC
Fine / Penalty
$375,000
Keywords
Selling Data
Unlawful processing
February 13, 2024
College Board
Public Sector
USA
Unlawfully sold students' personal data to schools and other customers
Licensed this data to colleges, scholarship programs, and other customers who used it to solicit students to participate in their programs
Privacy Law
New York law
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$520,000,000.00
Who Enforced
New York Attorney General
Related Products
UC
Fine / Penalty
$750,000
Keywords
Selling Data
Unlawful processing
February 6, 2024
Montefiore Medical Center
Healthcare
USA
Breach of its unsecured electronic protected health information (“ePHI”) from 2015
Employees inappropriately accessed patient account information of 12,517 patients from its electronic medical record system and then sold certain patient information to an identity theft ring
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$500,000,000.00
Who Enforced
Department of Health and Human Services’ Office for Civil Rights
Related Products
CMP
UC
Data mapping
Fine / Penalty
$4,750,000
Keywords
Sensitive Data
Data Breach
Other Actions
MMC has entered and agrees to comply with the Corrective Action Plan (“CAP”)
February 2, 2024
Tagadamedia
Technology
France
Failure to comply with the obligation to have a legal basis for the processing of data
Failure to comply with the obligation to implement a record of processing activities
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
DPA
Related Products
UC
Fine / Penalty
€ 75,000
Keywords
Unlawful processing
January 30, 2024
Uber Technologies, Inc.
Transportation
Netherlands
Failed to disclose its data retention period for European drivers' data
Failed to report to the non-EU countries it shares data with
Obstructed its drivers’ efforts to exercise their right to privacy
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$31,800,000,000.00
Who Enforced
DPA
Related Products
SRR
Assessments
Data mapping
Fine / Penalty
€ 10,000,000
Keywords
Data Deletion
Mishandling Data
Cross-Border Transfer
January 29, 2024
OpenAI (ChatGPT)
Technology
Italy
Lack of a suitable legal basis for the collection and processing of personal data for the purpose of training the algorithms underlying ChatGPT
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,600,000,000.00
Who Enforced
DPA
Related Products
Assessments
CMP
UC
Fine / Penalty
TBD
Keywords
Unlawful processing
January 15, 2024
X-Mode Social, Inc./Outlogic
Technology
USA
Raw data collection and sale of location information that could be used to track people’s visits to places of worship, reproductive health clinics, and domestic abuse shelters
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
Unknown settlement amount
Keywords
Tracking Tech
Selling Data
Sensitive Data
January 13, 2024
Poxell Ltd & Skean Homes Ltd
Telecommunications
UK
Made unsolicited marketing calls to people registered with the Telephone Preference Service (TPS) while withholding their identity
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
Information Commissioner’s Office (ICO)
Related Products
UC
Fine / Penalty
€ 150,000
Keywords
Unlawful Marketing
January 8, 2024
Amazon
Retail
Luxembourg
Processed users’ personal data for targeted advertising without their consent
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$514,000,000,000.00
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 818,000,000
Keywords
Unlawful Marketing
Unlawful processing
Tracking Tech
January 2, 2024
Kochava
Telecommunications
USA
Collected, without notice or consent, vast amounts of consumer location and personal data.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
Unlawful processing
Sensitive Data
December 28, 2023
Yahoo
Telecommunications
France
Deposited cookies on website without user’s consent
Users of Yahoo Mail who withdrew consent were no longer able to access the services and lost access to their messaging service
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,500,000,000.00
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 10,000,000
Keywords
Tracking Tech
December 28, 2023
NS Cards France
Telecommunications
France
Failure to comply with the obligation to retain data for a period limited to the purpose for which it was collected (article 5.1.e of the GDPR)
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
DPA
Related Products
UC
CMP
Fine / Penalty
€ 105,000
Keywords
Tracking Tech
Data Deletion
December 26, 2023
Amazon France Logistique
Retail
France
Warehouse employees used scanners to track activities, and the scans carried out by employees resulted in the recording of data, which is stored and used to calculate indicators providing information on the quality, productivity and periods of inactivity of each employee.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$300,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 32,000,000
Keywords
Unlawful processing
Tracking Tech
December 18, 2023
Rite Aid
Retail
USA
Rite Aid deployed artificial intelligence-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behavior.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$24,000,000,000.00
Who Enforced
FTC
Related Products
Assessments
Data mapping
Fine / Penalty
N/A
Keywords
Tracking Tech
Unlawful processing
Sensitive Data
Other Actions
Prohibited from using facial recognition technologies for five years.
December 13, 2023
Kodas Design and Speed Auction
Technology
South Korea
Both companies violated safety measure obligations and personal information leakage notification and reporting obligations under the PIPA.
Privacy Law
Personal Information Protection Act (PIPA)
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
PIPC
Related Products
Vendor
Data mapping
Fine / Penalty
$1,71,653
Keywords
Data Breach
December 13, 2023
Tipros
Telecommunications
Singapore
Tipros unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organization's Google reviews page.
Privacy Law
Personal Data Protection Act (PDPA)
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
Singapore’s Personal Data Protection Commission
Related Products
SRR
Fine / Penalty
N/A
Keywords
Data Breach
Other Actions
Review 13 other Google reviews and remove personal data from Google review page.
November 30, 2023
Technology
USA
Secretly tracked the internet use of millions of people who were using its Chrome browser's incognito mode.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$280,000,000,000.00
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$5,000,000,000
Keywords
Tracking Tech
Unlawful processing
November 27, 2023
Shanghai Commercial and Savings Bank
Financial Services
China
Audit leak of customer data.
Privacy Law
Banking Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,000,000,000.00
Who Enforced
Financial Supervisory Commission
Related Products
SRR
Fine / Penalty
NT 10,000,000
Keywords
Data Breach
November 1, 2023
Australian Clinical Labs Limited
Healthcare
Australia
Data breach of patients' personal information and data.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$400,000,000.00
Who Enforced
Office of the Australian Information Commissioner (OAIC)
Related Products
SRR
Fine / Penalty
AUS$ 2,200,000
Keywords
Data Breach
October 31, 2023
First American Title Insurance Company
Financial Services
USA
Violations of the NYDFS Cybersecurity Regulation in connection with a 2019 data breach, which exposed consumers’ non-public information
Privacy Law
NYDFS Cybersecurity Regulation
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$7,000,000,000.00
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$1,000,000
Keywords
Data Breach
October 25, 2023
FT v DW (C-307/22)
Healthcare
Germany
A patient asked his dentist for a copy of his dental records. The dentist said that the patient was responsible for the costs of providing it, per German law.
The CJEU determined that EU law supersedes and that the data subject is entitled to a free copy.
Controller can charge for subsequent copies.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
CJEU
Related Products
SRR
Fine / Penalty
N/A
Keywords
Mishandling Data
October 22, 2023
Axpo Italia Spa
Energy
Italy
Electricity and gas supplier activated accounts without the data subjects' knowledge and issued contracts in their names based on acquired, unsolicited contracts.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
Italian Privacy Regulator
Related Products
Vendor
Templates
Fine / Penalty
€ 10,000,000
Keywords
Unlawful processing
Other Actions
Corrective measures, including:
use of a blocking "check-call" system to verify the accuracy of acquired
introduction of alert systems suitable for detecting any incorrect and/or fraudulent behavior
strengthen audits
October 16, 2023
Clearview AI, Inc.
Technology
UK
Personal data of UK individuals collected through the use of its facial recognition technology and held in its database
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10,000,000.00
Who Enforced
Information Commissioner’s Office
Related Products
UC
Fine / Penalty
€ 7,500,000
Keywords
Unlawful processing
Sensitive Data
October 4, 2023
Debt Collection Company
Financial Services
Croatia
Unlawfully processed sensitive data (health related) of 181,641 of their debtors, as well as the data of individuals who are not in a debtor-creditor relationship, most often collecting telephone number, first and last name and residential address.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
DPA
Related Products
Data mapping
UC
Fine / Penalty
€ 5,470,000
Keywords
Sensitive Data
Unlawful processing
September 30, 2023
Blackbaud
Telecommunications
USA
Ransomware attack (in 2020) exposed users’ personal data, donation history and financial information to unauthorized third parties.
Privacy Law
Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$600,000,000.00
Who Enforced
SEC
Related Products
UC
SRR
Fine / Penalty
$49,500,000
Keywords
Data Breach
August 15, 2023
Ecommerce Enablers
Technology
Singapore
An access key to the company's storage servers was shared on a private GitHub repository. Exfiltration of data comprising 1.46 million email addresses, 10,000 national identity numbers, 300,000 bank account numbers and 380,000 pieces of partial credit card information.
Privacy Law
Personal Data Protection Act (PDPA)
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
Personal Data Protection Commission (PDPC)
Related Products
Data mapping
Fine / Penalty
€ 50,250
Keywords
Data Breach
August 15, 2023
DoorDash Technologies Australia Pty Ltd
Retail
Australia
Promotional emails were sent to customers who had already unsubscribed, and 515,000 text messages were sent to their potential drivers without an unsubscribe function.
Privacy Law
Spam Act 2003
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$2,000,000,000.00
Who Enforced
Australian Communications and Media Authority (ACMA)
Related Products
SRR
Fine / Penalty
AUS$ 2,011,320
Keywords
Unlawful Marketing
August 13, 2023
Experian Consumer Services
Technology
USA
Failed to comply with CAN-SPAM Act
Privacy Law
CAN-SPAM Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$5,000,000,000.00
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$650,000
Keywords
Unlawful Marketing
July 26, 2023
Greenley v. Kochava, Inc.
Technology
USA
Data broker coded its software development kits to track a user’s geolocation, search terms, click choices, purchase decisions, and/or payment methods
Data broker collected this tracked information and then sold it to third-party advertisers
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$20,000,000.00
Who Enforced
U.S. District Court for the Southern District of California
Related Products
SRR
UC
Fine / Penalty
$5,000 per fine
Keywords
CIPA
July 13, 2023
Meta Platforms Ireland Limited and Facebook Norway AS
Technology
Norway
Processed personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior”
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$117,900,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
Unknown
Keywords
Tracking Tech
Unlawful Marketing
Unlawful processing
July 5, 2023
Telekall Infoservice
Telecommunications
Brazil
The company violated LGPD data processing requirements and failed to cooperate with the ANPD's investigation.
The ANPD also issued the company a warning for failing to designate a data protection officer.
Privacy Law
LGPD
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
DPA
Related Products
SRR
UC
Trust Hub
Fine / Penalty
€ 1,483
Keywords
Mishandling Data
Unlawful processing
June 29, 2023
Tele2 Sverige Aktiebolag
Telecommunications
Sweden
NOYB filed a complaint relating to unlawful transferring of personal data to the US.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,000,000,000.00
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
€ 1,000,000
Keywords
Cross-Border Transfer
Other Actions
DPA determined that the use of the standard contractual clauses was not sufficient to guarantee a level of protection equivalent to that of the EU.
June 26, 2023
Creditinfo Lánstraust hf.
Professional Services
Iceland
Processed credit information regarding small loans without a legal basis
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
DPA
Related Products
Data mapping
CMP
Fine / Penalty
€ 257,000
Keywords
Unlawful processing
June 14, 2023
CRITEO
Telecommunications
France
Used cookies to track user behavior for advertising
Users' consent was not obtained
Failed to adequately respond to a data subject's requests for information regarding their personal data.
Did not delete the personal data of the data subjects.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$500,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 40,000,000
Keywords
Tracking Tech
Data Deletion
June 11, 2023
Piraeus Bank
Financial Services
Greece
Processed personal data without taking appropriate and effective technical and organizational measures to process only the data necessary for the specific purpose.
The bank had failed to properly comply with a data subject's request for access to their personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$2,200,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
$210,000
Keywords
Data Minimization
Mishandling Data
June 11, 2023
Spotify
Technology
Sweden
Did not sufficiently comply with data subject rights.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$11,700,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 4,900,000
Keywords
Mishandling Data
May 30, 2023
Ring LLC
Technology
USA
Made false/misleading representations that it took reasonable steps to ensure that Ring home security cameras are a secure means to monitor private areas of consumers’ homes.
Gave thousands of employees and contractors unrestricted access to video recordings of customers’ intimate spaces (e.g., bathrooms, bedrooms and children’s nurseries) without customers’ knowledge or consent.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$260,000,000.00
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$5,800,000
Keywords
Mishandling Data
May 29, 2023
Shopee and Eslite
Retail
Taiwan
Did not provide information on safety checks or evidence that corrective measures have been implemented. Failed to conduct audits on outsourced suppliers – one of their supply chains had inadequate account management
Privacy Law
Personal Data Protection Act (“PDPA”)
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,000,000,000.00
Who Enforced
The Ministry of Digital Affairs (MODA)
Related Products
Vendor
Fine / Penalty
2,000 TWD
Keywords
Data Breach
May 28, 2023
WIND (now NOVA)
Advertising
Poland
Sending of five promotional messages despite objections.
Non-satisfaction of access rights, failure to provide a reply.
Did not have in practice the necessary procedures to ensure the right to object and stop processing the data for the promotional purpose.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
DPA
Related Products
CMP
UC
SRR
Fine / Penalty
€ 150,000
Keywords
Unlawful Marketing
May 11, 2023
Meta Platforms Ireland Limited
Technology
Ireland
Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$117,900,000,000.00
Who Enforced
DPA
Related Products
SRR
Assessments
Data mapping
Fine / Penalty
€ 1,200,000,000
Keywords
Cross-Border Transfer
Other Actions
The DPC ordered Meta to cease any future transfer of personal data to the U.S., as well as to cease storage, within six months, of data already transferred to the U.S.
April 3, 2023
TikTok
Technology
UK
More than one million British children under the age of 13 were using TikTok without the consent of their parents.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,000,000,000.00
Who Enforced
Information Commissioner
Related Products
UC
Data mapping
Fine / Penalty
€ 14,500,000
Keywords
Unlawful processing
March 15, 2023
Argon Medical Devices
Healthcare
Norway
Reported data breach of compromised personal data after 67 days.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
Datatilsynet
Related Products
Data mapping
Vendor
Fine / Penalty
€ 220,000
Keywords
Data Breach
March 10, 2023
Private Hospital
Healthcare
Turkey
A Hospital did not have a patient’s explicit consent before sharing their photographs and videos with the contracted media organizations for advertising and promotion purposes about the patients’ treatments.
Privacy Law
Law on the Protection of Personal Data No. 6698
Level of Government
Federal
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
DPA
Related Products
UC
Data mapping
Fine / Penalty
$8,373.75
Keywords
Unlawful processing
February 21, 2023
VODAFONE ESPAÑA, S.A.U.
Telecommunications
Spain
System error when an Amazon sales partner had concluded a contract without first obtaining the consent of the data subject.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,500,000,000.00
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
€ 56,000
Keywords
Mishandling Data
February 16, 2023
Suomen Asiakastieto Oy
Professional Services
Finland
The company had unlawfully stored financial data of data subjects.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100,000,000.00
Who Enforced
DPA
Related Products
Data mapping
SRR
Fine / Penalty
€ 440,000
Keywords
Unlawful processing
February 13, 2023
Byars v. Hot Topic, Inc.
Retail
USA
Case dismissed because third-party chat feature was a “tool” and no more than an “extension” of the website provider
No finding of an unlawful third-party interception
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1,000,000,000.00
Who Enforced
U.S. District Court for the Central District of California
Related Products
UC
SRR
Fine / Penalty
$5,000 per fine
Keywords
CIPA
February 5, 2023
Sats ASA
Retail
Norway
Did not comply with customers' requests for information or for deletion of their personal data.
Processed certain customer data without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$400,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 900,000
Keywords
Data Deletion
Mishandling Data
February 2, 2023
Byars v. Goodyear Tire & Rubber Co
Retail
USA
Website’s chat features and use of session replay software violated CIPA
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$17,500,000,000.00
Who Enforced
US District Court for the Central District of California
Related Products
UC
SRR
Fine / Penalty
$5,000 per fine
Keywords
CIPA
Tracking Tech
January 31, 2023
GoodRx
Healthcare
USA
Google and Meta tracking pixels were installed on its website to share users’ medication information, location and other personal data
Privacy Law
Health Breach Notification Rule
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$550,000,000.00
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$1,500,000
Keywords
Tracking Tech
January 18, 2023
Hungarian Airline Company
Transportation
Poland
Customer’s data was not timely erased when requested by airlines
Company failed to inform the Data Subject that account was deleted until 5 months later.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 13,244
Keywords
Data Deletion
Mishandling Data
October 18, 2022
Medibank
Healthcare
Australia
Privacy Act: Did not apply appropriate controls to sensitive data. Medibank says the hacker claims to have stolen 200GB of data.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$2,000,000,000.00
Who Enforced
OAIC
Related Products
Assessments
Data mapping
UC
Fine / Penalty
AUS$ 2,200,000
Keywords
Sensitive Data
Data Breach
August 23, 2022
Sephora
Retail
USA
Sold consumers’ personal data using third-party trackers to get targeted ads and discounts on analytics, did not disclose to consumers that it was selling their personal information, and did not support GPC either. Did not cure these violations within the 30-day period.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10,000,000,000.00
Who Enforced
California AG
Related Products
CMP
UC
SRR
Fine / Penalty
$1,200,000
Keywords
Selling Data
Tracking Tech
May 30, 2022
Javier v. Assurance IQ, LLC
Healthcare
USA
Consent to a website session recording technology cannot apply retroactively
Unlawful wiretap over the session recording technology that helps companies protect against litigation abuse from the Telephone Consumer Protection Act (TCPA).
Privacy Law
TCPA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$200,000,000.00
Who Enforced
U.S. States Court of Northern District of California
Related Products
UC
SRR
Fine / Penalty
5,000 per fine
Keywords
CIPA
April 30, 2022
Patreon
Technology
USA
VPPA: claims that the platform unlawfully disclosed its users' video viewing habits to third parties, specifically analytics and marketing companies, without obtaining proper consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$60,000,000.00
Who Enforced
Fed Courts - Settled
Related Products
Assessments
Vendor
Data mapping
CMP
UC
Fine / Penalty
$7,250,000
Keywords
VPPA
Unlawful Marketing
Tracking Tech
October 1, 2024
Court Overrules FCC’s Fine Against AT&T
Telecommunications
USA
The 5th U.S. Circuit Court of Appeals has overturned a $57 million fine imposed by the Federal Communications Commission against AT&T for violating the privacy of its customers’ location data. This could have broader implications for the legality of regulatory agencies levying fines through administrative proceedings.
Privacy Law
Communications Act of 1934
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$122,340,000,000.00
Who Enforced
FCC
Related Products
CMP
UC
SRR
Assessments
Data mapping
Fine / Penalty
$57,000,000
Keywords
Fine Overturned