.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.webp?width=1220&height=1090&name=Osano-guarantee-seal%20(1).webp)
Data Privacy Enforcement Tracker
What's new in the world of regulatory enforcement? Our Enforcement Tracker keeps you up to speed with relevant and noteworthy enforcement actions in the world of privacy. Stay informed, spot patterns early, and guide your program with confidence.
Note: While updated regularly this is not exhaustive and not intended as legal advice.
Filters applied (0)
Clear filters
Filter by Category
-
Privacy LawSelect all
-
Region of EnforcementSelect all
-
Industry TypeSelect all
-
Employee CountSelect all
-
Estimated Annual RevenueSelect all
-
Keyword(s)Select all
-
Level of GovernmentSelect all
-
Who EnforcedSelect all
Sort By
Showing 7 of 46 results
July 8, 2025
Selgros Cash & Carry SRL
Retail
Romania
During the DPA's investigation, it was found that, due to an error in the programming or implementation of an application, personal data belonging to several targeted individuals were revealed.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 3,000
Keywords
Data Breach
July 8, 2025
Old Lemmer Foundation
Non-Profit
Netherlands
Unlawfully live-streaming public-space video without a GDPR legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 500
Keywords
Unlawful processing
Other Actions
Halt posting live-stream of Lemmer online.
July 7, 2025
Alliance for the Union of Romanians Party (AUR)
Public Sector
Romania
A configuration mistake in the aur.mobi app accidentally exposed a wide range of users’ personal information—everything from names, contact details, IDs and addresses to demographics (like age, gender, nationality, religion), education and work history—so anyone using the app at that time could view it.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 15,000
Keywords
Data Breach
Sensitive Data
Other Actions
Operator deactivated the semnezsivotez.ro and semnezsivotez.org platforms during the investigation.
July 8, 2025
General Motors
Transportation
USA
AG Hilgers filed a lawsuit against General Motors for deceptive collection and sale of Nebraskans’ driving data. It is alleged that General Motors LLC and OnStar LLC unlawfully collected, processed, and sold sensitive driving data from Nebraskans without their knowledge or consent.
Privacy Law
Nebraska Consumer Protection Act and Uniform Deceptive Trade Practices Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
TrustHub
CMP
UC
SRR
Fine / Penalty
TBD
Keywords
Selling Data
Sensitive Data
Tracking Tech
July 7, 2025
Deer Oaks
Healthcare
USA
Deer Oaks exposed ePHI in two incidents: a coding error in a pilot portal made 35 patients’ data publicly accessible online, and a ransomware attack in August 2023 compromised data for 171,871 individuals. OCR found Deer Oaks failed to conduct a proper risk analysis.
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
OCR
Related Products
Assessments
Vendor
Data Mapping
Fine / Penalty
€ 225,000
Keywords
Data Breach
Sensitive Data
Other Actions
Implement a corrective action plan that OCR will monitor for two years
July 3, 2025
Apoteket AB
Healthcare
Sweden
Apoteket AB improperly transferred customers’ sensitive health-related data to Meta via the Meta Pixel on their websites
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments
Vendor
Data Mapping
Fine / Penalty
SEK 37 million
Keywords
Data Breach
Sensitive Data
Tracking Tech
Other Actions
Ordered to improve their internal procedures to ensure the proper and secure processing of personal data.
July 3, 2025
Apohem AB
Healthcare
Sweden
Apohem AB improperly transferred customers’ sensitive health-related data to Meta via the Meta Pixel on their websites
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments
Vendor
Data Mapping
Fine / Penalty
SEK 8 million
Keywords
Data Breach
Sensitive Data
Tracking Tech
Other Actions
Ordered to improve their internal procedures to ensure the proper and secure processing of personal data.
July 8, 2025
TicketNetwork
Technology
USA
TicketNetwork's privacy notice was found to be unreadable, missing essential data rights, and containing malfunctioning rights mechanisms.
Privacy Law
Connecticut Data Privacy Act
Level of Government
State
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
AG
Related Products
Trusthub
SRR
Fine / Penalty
$85,000
Keywords
Privacy Notice
July 1, 2025
U.S. Department of Health and Human Services’ (HHS)
Public Sector
USA
Attorney General Dan Rayfield and several states have sued HHS for sharing private Medicaid health records with DHS (including ICE).N10
Privacy Law
Medicaid Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
Assessments
Fine / Penalty
TBD
Keywords
Sensitive Data
Sharing Data
July 1, 2025
Healthline
Healthcare
USA
Healthline failed to allow consumers to opt out of targeted advertising and shared data with third parties without CCPA-mandated privacy protections.
Privacy Law
CCPA
Level of Government
State
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
AG
Related Products
UC
CMP
Vendor
Assessments
Trust Hub
Fine / Penalty
$1,550,000.00
Keywords
Sensitive Data
Tracking Tech
Dark Patterns
Other Actions
Healthline must ensure opt-out tools are functional, stop sharing sensitive data, audit privacy terms in contracts, and keep its privacy disclosures accurate.
June 23, 2025
Vodafone Romania S.A.
Telecommunications
Romania
The controller did not implement adequate technical and organisational measures
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 4,000.00
Keywords
Data Breach
Other Actions
Ordered to take the corrective measure of technical and procedural implementation of a mechanism applied at regular intervals, regarding the testing, evaluation and periodic assessment of the effectiveness of the measures adopted.
June 23, 2025
Dublin Education and Training Board (CDETB)
Public Sector
Ireland
13,000 data subjects had their data compromised in a security breach in November 2018. This included special categories of PII.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€125,00
Keywords
Data Breach
Other Actions
Implement adequate security.
June 20, 2025
Walmart
Retail
USA
Walmart (including in its capacity as an agent of MoneyGram, Western Union, and Ria) allowed its money transfer services to be used by scammers who defrauded consumers out of hundreds of millions of dollars.
Privacy Law
FTC Act
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
Vendor
Assessments
Fine / Penalty
$10,000,000.00
Keywords
Data Breach
June 19, 2025
SC Diamir SRL
Retail
Romania
The investigation was started following a complaint that the operator displayed a person's identity card at the workplace, thus revealing the name, surname, address, series and number of the identity document and the photo of the person.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
SRR
Assessments
Fine / Penalty
€ 1,000.00
Keywords
Data Breach
Sensitive Data
June 18, 2025
Dinc? Viorel George
Transportation
Romania
The investigation was started following a notification that a natural person had a video surveillance system inadequately mounted on a building. The controller then did not respond to the DPA investigation.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Regulatory Guidance
Privacy Expert
Fine / Penalty
€ 200.00
Keywords
N/A
Other Actions
Required to send a complete response to the National Supervisory Authority.
June 18, 2025
AB Storstockholms Lokaltrafik
Transportation
Sweden
Following a complaint from a consumer related to daily sobriety tests, the investigation found that the company processed PII and Sensitive PII without proper legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR
Assessments
Fine / Penalty
€ 6,800.00
Keywords
Unlawful processing
Sensitive Data
June 18, 2025
Waxholms Ångfartygs AB
Logistics
Sweden
Following a complaint from a consumer related to daily sobriety tests, the investigation found that the company processed PII and Sensitive PII without proper legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Assessments
Fine / Penalty
€ 6,800.00
Keywords
Unlawful processing
Sensitive Data
June 17, 2025
23andMe
Healthcare
United Kingdom
Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches. This resulted in the unauthorized access to personal information belonging to 155,592 UK residents.
Privacy Law
UK GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
£2,310,000.00
Keywords
Sensitive Data
Data Breach
June 16, 2025
Paddle.com Market Limited
Technology
USA
Paddle provided foreign-based tech-support schemes with access to the U.S. payment system, allowing these companies to harm consumers.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
Assessments
Trust Hub
Vendor
Fine / Penalty
$5,000,000.00
Keywords
Data Breach
Other Actions
Permanently banned from processing payments for tech-support telemarketers.
June 16, 2025
SC Kashto Concept
Retail
Romania
An investigation was launched following a notification received from a data subject, which found the website owned by the operator, cookies were stored that were not technically necessary for the operation of the website.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP
SRR
Fine / Penalty
€ 990.00
Keywords
Tracking Tech
June 12, 2025
Department of Social Protection (DSP)
Public Sector
Ireland
DSP failed to identify a valid lawful basis for the collection of biometric data, improperly retained this information, improperly completed a DPIA, and failed to provide information to data subjects.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR
Assessments
Trust Hub
Fine / Penalty
€ 550,000.00
Keywords
Unlawful processing
Mishandling Data
Sensitive Data
Other Actions
DPA issued an order to the DSP requiring it to cease processing of biometric data in connection with SAFE 2 registration within 9 months of this decision if the DSP cannot identify a valid lawful basis.
June 12, 2025
Temu
Retail
USA
AG Hilgers, Nebraska, alleges Temu unlawfully harvests data, including from kids, utilizes multiple deceptive practices to encourage purchases, allows infringement and counterfeits to thrive, and engages in deceptive marketing to greenwash its image.
Privacy Law
Nebraska Consumer Protection Laws
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
CMP
UC
SRR
Trust Hub
Fine / Penalty
TBD
Keywords
Unlawful processing
Dark Patterns
June 12, 2025
23andMe
Healthcare
USA
AGJason Miyares, Virginia, has filed a lawsuit and separate objection to 23andMe’s plan to sell the personal genetic data of roughly 15 million consumers without their knowledge or consent in violation of Virginia law and the company’s own privacy commitments to consumers.
Privacy Law
VCDPA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
AG
Related Products
UC
CMP
SRR
Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data
Selling Data
June 12, 2025
Six Norwegian websites
All
Norway
The Norwegian DPA investigated six websites, and found that all of them shared visitors' personal data with third parties illegally, and in several of the cases they shared sensitive data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
UC
CMP
Vendor
Data mapping
Assessments
Fine / Penalty
NOK 250,000.00
Keywords
Sensitive Data
Mishandling Data
Tracking Tech
Unlawful processing
June 10, 2025
Accounting Audit SRL
Professional Services
Romania
Accounting Audit SRL, as a processor, has not implemented adequate technical and organizational measures in order to ensure a level of security appropriate to the risk of processing, including the ability to ensure the confidentiality and integrity of the processing systems and services.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 10,000.00
Keywords
Data Breach
June 3, 2025
Vodafone
Telecommunications
Germany
Vodafone GmbH had not adequately reviewed and monitored partner agencies working on its behalf. Further the BfDi found security deficiencies in the authentication process for the combined use of the online portal ‘MeinVodafone'.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Vendor
Assessments
Fine / Penalty
€ 45,000,000.00
Keywords
Data Breach
May 30, 2025
AG-BROKER ASIGURARE S.R.L.
Professional Services
Romania
The controller did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by the processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000.00
Keywords
Data Breach
May 27, 2025
Yliopiston Apteekin
Healthcare
Finland
Deficiencies in its cookie practices and the use of other tracking technologies on its online pharmacy website.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 1,100,000.00
Keywords
Mishandling Data
Unlawful processing
Tracking Tech
May 22, 2025
A.A.A
Professional Services
Spain
Insufficient legal basis for data processing. A legal representative processed a client’s sensitive information without consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP
UC
Trust Hub
Fine / Penalty
€ 2,000.00
Keywords
Unlawful processing
May 22, 2025
Dumitru Viorel Foc?a
Public Sector
Romania
It was found that the operator processed on its Facebook page (Meta), by disclosing in a public post, the personal data (name, surname, phone number) of the Authority's petitioner, without his consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Regulatory Guidance
Assessments
Fine / Penalty
€ 1,000.00
Keywords
Data Breach
Mishandling Data
Unlawful processing
May 21, 2025
Data Diggers Market Research SRL
Professional Services
Romania
It was found that the controller did not provide the complainants with complete information as a result of exercising the right of access to personal data. Did not communicate with the petitioners, and did not prove a legal basis for processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
SRR
Assessments
Fine / Penalty
€ 12,000.00
Keywords
Mishandling Data
Unlawful processing
May 19, 2025
Replika
Technology
Italy
Lack of Legal Basis, Inadequate Privacy Policy, No Effective Age Verification, and Transparency and Accountability Failures.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Trust Hub
Assessments
Fine / Penalty
€ 5,000,000.00
Keywords
Unlawful processing
Other Actions
The Italian authority also ordered Luka Inc. to bring its data processing practices into compliance with GDPR.
May 16, 2025
ACCOUNTING & AUDIT CONSULTING SRL
Financial Services
Romania
It was found that unauthorized persons illegally accessed the personal data of the operator's customers' employees, namely: name, surname, personal identification number, domicile, position, salary, bonuses and other salary rights.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000.00
Keywords
Data Breach
May 15, 2025
CALOGA
Advertising
France
Commercial prospecting without prospects’ consent and transferring their data to partners without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP
UC
Vendor
Fine / Penalty
€ 80,000.00
Keywords
Unlawful Marketing
Unlawful processing
May 15, 2025
SOLOCAL MARKETING SERVICES
Advertising
France
Insufficient legal basis for data processing. Failed to obtain proper consent from individuals before using their data for marketing purposes and for sharing the data with third parties without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP
UC
Vendor
Fine / Penalty
€ 900,000.00
Keywords
Unlawful processing
Unlawful Marketing
May 14, 2025
CVA TAX & FINANCE S.R.L.
Financial Services
Romania
A data breach led to the unauthorized disclosure and access to the personal data of a significant number of employees of the customers in the operator's portfolio, namely: name, surname, personal identification number, address, position, salary, bonuses and other salary r
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 2,000.00
Keywords
Data Breach
May 13, 2025
Romoffice Construct Holding Ag SRL
Logistics
Romania
The investigation was started following a complaint from a natural person, who complained that the operator Romoffice Construct Holding Ag SRL processed his personal data without his consent, it was found that the operator Romoffice Construct Holding Ag SRL processed without legal basis personal data belonging to the petitioner.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
CMP
UC
SRR
Assessments
Fine / Penalty
€ 2,000.00
Keywords
Unlawful processing
May 12, 2025
CV PRO CONSULT S.R.L.
Financial Services
Romania
It was found that, following a cyber attack, the operator's access to its own IT infrastructure was accessed and also restricted. This situation led to the unauthorized disclosure and access to the personal data of a significant number of employees of the customers in the operator's portfolio, namely: name, surname, personal identification number, address, position, salary, bonuses and other salary rights.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 2,000.00
Keywords
Data Breach
May 9, 2025
ROUMASPORT SR
Retail
Romania
The investigation found that the operator unlawfully accessed the video surveillance system at a workplace, processing employees' images—including for disciplinary purposes—violating processing principles and legal conditions.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000.00
Keywords
Sensitive Data
Other Actions
Improve cybersecurity operations.
May 8, 2025
Jerico Pictures, Inc., d/b/a National Public Data
Technology
USA
Failed to register and pay an annual fee as required by the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
CPPA
Related Products
Privacy Expert
Regulatory Guidance
Fine / Penalty
$46,000.00
Keywords
N/A
May 7, 2025
Acea Energia
Advertising
Italy
They engaged in aggressive telemarketing—using detailed personal data lists acquired without specific consent and misleading consumers with false technical?issue warnings to pressure them into switching energy suppliers.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
UC
SRR
Fine / Penalty
€ 850,000.00
Keywords
Mishandling Data
Unlawful processing
Unlawful Marketing
Other Actions
Stringent corrective measures.
May 2, 2025
TikTok
Technology
Ireland
"TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP
UC
SRR
Trust Hub
Fine / Penalty
€ 530,000,000.00
Keywords
Cross-Border Transfer
Unlawful processing
Other Actions
Required TikTok to improve its EEA Privacy Policy. Also, TikTok must put an end to the transfers to China.
April 23, 2025
Real Estate Agency
Professional Services
Belgium
A complaint was filed because the agency kept publishing property listings, including precise address information and cadastral references, even after the property was sold.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP
UC
Assessments
Trust Hub
Privacy Expert
Fine / Penalty
€ 6,000.00
Keywords
Sensitive Data
Mishandling Data
Unlawful processing
Other Actions
The agency was ordered to delete the data and cease its processing across all platforms.
April 23, 2025
Diskrimineringsombudsmannen
Public Sector
Sweden
The company operated a form that collected sensitive personal data that had a security misconfiguration in the analytics tool which failed to mask personal data on the form’s summary page before submission, and unintentionally transferred to an external data processor.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Data mapping
Vendor
Fine / Penalty
€ 9,200.00
Keywords
Sensitive Data
Data Breach
Mishandling Data
Other Actions
Removed form and required the processor to delete all information.
April 22, 2025
[Name Not Public]
Advertising
Belgium
Non-compliance with several general data processing principles.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP
UC
SRR
Assessments
Privacy Expert
Trust Hub
Fine / Penalty
€ 20,000.00
Keywords
Mishandling Data
Unlawful processing
April 18, 2025
Court Overrules FCC’s Fine Against AT&T
Telecommunications
USA
This could have broader implications on the legality of regulatory agencies levying fines through administrative proceedings, the 5th U.S. Circuit Court of Appeals has overturned a $57 million fine imposed by the Federal Communications Commission against AT&T for violating the privacy of its customers’ location data.
Privacy Law
Communications Act of 1934
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
CMP
UC
SRR
Assessments
Data mapping
Fine / Penalty
$57,000,000.00
Keywords
Fine Overturned
April 14, 2025
DPP Law Ltd.
Professional Services
United Kingdom
DPP failed to adopt the principle of least privilege and failed to regularly audit administrative accounts on its network.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
£70,300.00
Keywords
Data Breach
April 11, 2025
Lusha
Advertising
Italy
The investigation follows complaints from individuals who received unsolicited calls, suggesting that their data may have been sourced from Lusha’s platform without proper consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP
UC
Trust Hub
Fine / Penalty
TBD
Keywords
Unlawful Marketing
April 11, 2025
NOVATES ALIMENTACIÓN MADRID, S.L.
Retail
Spain
Improper handling of video surveillance data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
CMP
UC
SRR
Fine / Penalty
€ 20,000.00
Keywords
Sensitive Data
Other Actions
They were ordered to implement and notify the AEPD of technical and organizational security measures within one month to secure surveillance data appropriately.
April 10, 2025
Marina Salud
Healthcare
Spain
The Processor appointed sub-processors without authorisation from the controller.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Vendor
Fine / Penalty
€ 500,000.00
Keywords
Unlawful processing
April 9, 2025
Servicios de Integración de Andalucía
Telecommunications
Spain
(SIA) was sanctioned for including an employee’s personal phone number in a WhatsApp group used for internal communications, without valid consent or an alternative contact method.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP
UC
Assessments
Fine / Penalty
€ 2,000.00
Keywords
Unlawful processing
April 3, 2025
Poczta Polska
Logistics
Poland
The postal service provider for unlawfully sharing personal data (including PESEL numbers, names, addresses, and travel details) of all registered Polish adults during the 2020 election preparations.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Vendor
Assessments
Data mapping
Fine / Penalty
€ 6,479,424.00
Keywords
Mishandling Data
April 3, 2025
Caixabank
Financial Services
Spain
A complaint from a customer who discovered that a co-owner could access not only their joint account but also a third account due to a system error in "CaixaBankNow."
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 3,500,000.00
Keywords
Sensitive Data
Data Breach
Mishandling Data
April 3, 2025
Liga Nacional de Fútbol Profesional
Entertainment
Spain
They were conducting biometric checks in stadiums without prior data protection impact assessments.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 1,000,000.00
Keywords
Sensitive Data
Notice
April 3, 2025
Ibermutua Mutua Colaboradora Con La Seguridad Social Nº 274
Healthcare
Spain
Software error that led to the accidental disclosure of personal data to third parties.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 600,000.00
Keywords
Sensitive Data
Data Breach
Mishandling Data
April 3, 2025
[Name Not Public]
Telecommunications
Germany
They delayed responses to information requests.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 120,000.00
Keywords
Mishandling Data
March 28, 2025
FUNDACIÓ PRIVADA DE SERVEIS PER ALS USUARIS DEL HABITATGE SOCIAL DE CATALUNYA
Professional Services
Spain
Failed to obtain the data subject’s consent or legal basis to process their personal bank account data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP
UC
SRR
Fine / Penalty
€ 2,000.00
Keywords
Sensitive Data
Unlawful processing
March 21, 2025
Amazon
Technology
Luxembourg
Amazon’s €746M GDPR fine upheld. Fine was from inaquadue transparency and consent management.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Luxembourg Court
Related Products
CMP
UC
SRR
Trust Hub
Fine / Penalty
€ 756,000,000.00
Keywords
Mishandling Data
March 13, 2025
Investigative Sweep on Location Data Industry
Technology
USA
The agency is sending letters to advertising networks, mobile app providers and data brokers that appear to be violating the CCPA.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
AG
Related Products
Data mapping
Assessments
Regulatory Guidance
Privacy Expert
Vendor
SRR
UC
CMP
Fine / Penalty
N/A
Keywords
Unlawful processing
Data Minimization
Mishandling Data
Sensitive Data
March 12, 2025
Honda
Transportation
USA
Honda required more information than needed to process opt-out and data limitation requests.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
CPPA
Related Products
SRR
UC
Fine / Penalty
$632,500.00
Keywords
Data Minimization
March 12, 2025
Saturn Technologies
Technology
USA
They didn’t verify users’ school email addresses and age to ensure they were high school students, and didn't inform users that it would copy and use their “contact books”.
Privacy Law
New York Law
Level of Government
State
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
AG
Related Products
Data mapping
Trust Hub
Assessments
Privacy Expert
Fine / Penalty
$650,000.00
Keywords
Mishandling Data
Data Minimization
Unlawful processing
March 6, 2025
Publicaciones y Ediciones Baraca 208, S.L.
Retail
Spain
Unlawfully publishing personal data, including health information, without a legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Trust Hub
Privacy Expert
Assessments
Fine / Penalty
€ 6,000.00
Keywords
Data Breach
Unlawful processing
March 6, 2025
Breogan Autolux, S.L.
Retail
Spain
Sending SMS advertisements without consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 6,000.00
Keywords
Unlawful Marketing
March 6, 2025
Polskie Radio Szczecin (Polish Radio Szczecin)
Logistics
Poland
The radio station released a press article in which a conviction for sexual harassment was described. The journalist revealed that a parliament member’s son was the victim and did it in such a way that the child could be identified.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 13,500.00
Keywords
Mishandling Data
Data Breach
March 5, 2025
EDPB enforcement sweep on SRRs
All
Europe
EDPB has launched its 2025 enforcement sweep targeting organizations’ compliance with data subjects’ right of erasure (right to delete or be forgotten), focusing particularly on how exceptions are applied. Thirty-two EU member state data protection authorities (DPAs) will participate in this year-long sweep that began March 5, 2025.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
EDPB
Related Products
SRR
Fine / Penalty
TBD
Keywords
N/A
February 26, 2025
Cookie-Banner Class Actions (U.S)
All
USA
Since the beginning of 2025, several (at least three) class actions have been filed arising out of allegedly malfunctioning cookie banners. The plaintiffs claim to have opted out of non-essential cookies, but their opt-out was not effective.
Privacy Law
N/A
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
State Courts
Related Products
CMP
UC
Fine / Penalty
N/A
Keywords
N/A
February 20, 2025
Medstar S.R.L.
Healthcare
Romania
The investigation was started following a complaint from a data subject, who claimed that the operator where he performed his medical tests, the Medstar clinic, disclosed his personal data and that of another data subject.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 2,000.00
Keywords
Data Breach
Mishandling Data
February 11, 2025
Amazon
Technology
USA
Maxwell v. Amazon: The plaintiffs claim that Amazon collected health data from consumers through its SDK without giving the required notice or getting consent. The complaint doesn't discuss whether this data collection could be considered necessary under MHMDA's rules. However, it suggests that since the services consumers used were provided by apps using the SDK (and not directly by Amazon), this exception doesn't apply.
Privacy Law
MHMDA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
State Courts
Related Products
CMP
UC
Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data
Unlawful processing
February 5, 2025
ORANGE ESPAGNE, S.A.U.
Telecommunications
Spain
Unauthorized duplication of the complainant's SIM card, leading to financial losses.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 1,200,000.00
Keywords
Data Breach
Other Actions
ORANGE was ordered to implement measures to ensure that SIM card duplications are only carried out with proper verification of the requester's identity.
February 4, 2025
[Name Not Public]
Retail
France
Disproportionate surveillance of its employees' activity, through software.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Privacy Expert
Assessments
Fine / Penalty
€ 40,000.00
Keywords
Data Minimization
Tracking Tech
Unlawful processing
January 23, 2025
Softehnica S.R.L.
Logistics
Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 2,000.00
Keywords
Mishandling Data
January 20, 2025
Vodafone Romania S.A.
Telecommunications
Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 15,000.00
Keywords
Data Breach
January 17, 2025
DELIVERY SOLUTIONS S.A.
Logistics
Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 2,000.00
Keywords
Data Breach
Other Actions
Corrective measures were ordered
January 9, 2025
Court Administration Office
Public Sector
South Korea
Data breach involving litigation-related documents containing the personal data of 17,998 individuals. The PIPC claims the breach occurred as a result of the CAO’s unencrypted storage systems and weak data security protocols. The CAO also delayed reporting the breach, according to the PIPC.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
Unknown
Who Enforced
PIPC
Related Products
Assessments
Data mapping
Fine / Penalty
$183,982.00
Keywords
Data Breach
Mishandling Data
January 8, 2025
Bindl v EU commission
Public Sector
EU-wide
European General Court Decision: The court ordered the European Commission to pay damages (400 EUR) for unlawfully transferring data to the U.S. without adequate protections. This transfer to the US occurred when data was shared with Meta via a "Sign in with Facebook" button on an official EU website.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
Unknown
Who Enforced
European General Court
Related Products
Assessments
Data mapping
Trust Hub
Fine / Penalty
400 EUR
Keywords
Cross-Border Transfer
January 8, 2025
Allstate + Arity (Allstate's tech subsidiary)
Transportation
USA
Arity (Allstate's tech subsidiary) allegedly slipped their SDK into third-party apps to collect “trillions of miles” of driving behavior from mobile devices, other in car devices, and vehicles themselves.
Privacy Law
Texas Data Privacy and Security Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
Trust Hub
UC
Fine / Penalty
TBD
Keywords
Selling Data
Mishandling Data
Tracking Tech
Unlawful processing
January 8, 2025
Bayview Asset Management (Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings)
Financial Services
USA
Failing to maintain sufficient cybersecurity practices and for not fully cooperating with state regulators following a data breach that impacted 5.8 million customers.
Privacy Law
State Agency Rules
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
52 state financial regulatory agencies
Related Products
Assessments
Data mapping
Fine / Penalty
$20,000,000.00
Keywords
Data Breach
Mishandling Data
Other Actions
Corrective actions, improve cybersecurity programs, undergo independent assessments, and provide three years of additional reporting to the states.
January 8, 2025
ECJ v Austria
All
Austria
The ECJ ruled that data subject complaints cannot be deemed excessive solely based on their frequency.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
ECJ
Related Products
SRR
Fine / Penalty
None
Keywords
N/A
Other Actions
None
January 7, 2025
Elgon Information Systems
Healthcare
USA
Ransomware attack prompted HHS finding they had failed to conduct a thorough risk analysis to address vulnerabilities in its systems, exposing 31,248 individuals’ ePHI.
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
HHS
Related Products
Assessments
Data mapping
Fine / Penalty
$80,000.00
Keywords
Sensitive Data
Data Breach
Mishandling Data
December 20, 2024
OpenAI
Technology
Italy
OpenAI had wrongly relied on legitimate interest as a legal basis for processing personal data, processed inaccurate personal data, and had no age verification measures in place.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
UC
Privacy Expert
Assessments
Fine / Penalty
15,000,000
Keywords
Unlawful processing
Other Actions
They must carry out a six month campaign informing Italians of how it uses their personal data for their services.
December 20, 2024
Grubhub
Logistics
USA
Grubhub engaged in deceptive practices, such as misleading diners about delivery fees, blocking access to gift card funds, and falsely advertising driver earning.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
Trust Hub
Privacy Expert
Regulatory Guidance
Fine / Penalty
$25,000,000.00
Keywords
Notice
Other Actions
Grubhub to make changes to its business practices, including not adding surprise fees to delivery totals, providing a simple way to cancel Grubhub+ subscriptions, stopping listing unaffiliated restaurants and not making misleading driver-earning claims. Illinois Attorney General aided in case.
December 18, 2024
Netflix
Entertainment
Netherlands
Netflix did not give customers sufficient information about what the company does with their personal data between 2018 and 2020.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP
Templates
Trust Hub
Fine / Penalty
4.75M euro
Keywords
Notice
December 18, 2024
Toyota Bank Polska S.A.
Financial Services
Poland
The Data Personal Officer (DPO) was not fully independent in his work. Furthermore, Toyota Bank Polska S.A. failed to include profiling in the record of processing activities and data protection impact assessment.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Assessments
Trust Hub
Privacy Expert
Regulatory Guidance
Fine / Penalty
€ 132,000.00
Keywords
Unlawful processing
December 17, 2024
Meta Platforms Ireland Limited
Technology
Ireland
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
251,000,000
Keywords
Mishandling Data
Data Breach
December 12, 2024
Various Organizations
All
France
The French Data Protection Authority (CNIL) issued notices to several organizations regarding non-compliant cookie banners. The notices were a result of complaints about dark patterns that encouraged users to accept non-essential cookies. The CNIL found that the methods for rejecting cookies were not as easy to use as those for accepting them, and that the designs were misleading. https://www.huntonak.com/privacy-and-information-security-law/cnil-issues-notices-regarding-non-compliant-cookie-banners
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
N/A
Keywords
Dark Patterns
December 3, 2024
Gravy Analytics (and subsidiary Venntel)
Technology
USA
Unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP
UC
SRR
Assessments
Data mapping
Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data
Selling Data
Unlawful processing
Other Actions
Prohibited from selling, disclosing, or using sensitive location data in any product or service, and must establish a sensitive data location program.
November 28, 2024
Freedelity
Technology
Belgium
The DPA found issues with Freedelity’s:
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP
UC
Assessments
Data mapping
Fine / Penalty
TBD
Keywords
Tracking Tech
Unlawful processing
Other Actions
The company has a period of 4 months to comply with these injunctions, and will have to pay penalties of up to 5,000 euros per day of delay in the event of non-compliance or partial compliance.
November 27, 2024
Coupang
Retail
South Korea
he fine was in relation to two data breaches, the first caused by the mishandling of data transmitted and the second breach was caused by an authentication issue.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
PIPC
Related Products
Assessments
Data mapping
Fine / Penalty
$1,100,000.00
Keywords
Data Breach
November 27, 2024
Mediahuis
Entertainment
Belgium
Mediahuis had fully complied with the DPA’s order regarding illegal cookie banners, thereby avoiding a €25,000 (US$26,402) daily penalty.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Market Court
Related Products
CMP
Fine / Penalty
Avoided $26,402 daily penalty
Keywords
Unlawful processing
Tracking Tech
November 21, 2024
Eken
Technology
Hong Kong
Apparent violations of FCC rules that require the company to designate an agent located in the United States.
Privacy Law
FCC Rules
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
FCC
Related Products
Privacy Expert
Regulatory Guidance
Fine / Penalty
TBD
Keywords
Unlawful processing
November 19, 2024
Technology
Germany
The German Federal Court of Justice made a judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR from a 2021 data breach of Facebook. This judgment is important insofar as the BGH has taken a position on a legal issue – non-material damages for loss of control over personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
German Federal Court of Justice
Related Products
Data mapping
Fine / Penalty
€ 250.00
Keywords
Data Breach
November 19, 2024
Bunnings
Retail
Australia
Individuals’ facial images were compared against those of individuals Bunnings had enrolled in a database who had been identified as posing a risk, for example, due to past crime or violent behavior, according to the OAIC.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
UC
Assessments
Data mapping
Fine / Penalty
TBD
Keywords
Unlawful processing
Tracking Tech
Sensitive Data
November 15, 2024
Posti
Logistics
Finland
Posti had automatically created an electronic OmaPosti mailbox for customers without a separate request.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
UC
CMP
SRR
Fine / Penalty
€ 2,400,000.00
Keywords
Mishandling Data
November 14, 2024
Growbots
Technology
USA
The company failed to register between February 1 and July 26, 2024, per the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
CPPA
Related Products
Regulatory Guidance
Fine / Penalty
$35,000.00
Keywords
N/A
November 14, 2024
UpLead
Technology
USA
The company failed to register between February 1 and July 21, 2024, per the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
CPPA
Related Products
Regulatory Guidance
Fine / Penalty
$34,400.00
Keywords
N/A
November 7, 2024
T-Mobile
Telecommunications
USA
The telecom company promised to address “foundational security flaws,” work to improve “cyber hygiene,” and adopt “robust modern architectures,” such as zero trust and multi-factor authentication that is resistant to phishing.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
Assessments
Data mapping
Fine / Penalty
$31,500,000.00
Keywords
Data Breach
November 5, 2024
Meta
Technology
South Korea
From July 2018 to March 2022, the company gathered data from nearly 980,000 users without asking for their explicit permission. This information included highly personal details such as users’ political beliefs, religious preferences, and whether they were in same-sex relationships. Once the company collected this sensitive data, it shared it with around 4,000 advertisers.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
PIPC
Related Products
CMP
UC
Assessments
Fine / Penalty
?15,000,000
Keywords
Tracking Tech
Unlawful processing
Sensitive Data
November 3, 2024
Blackcab Systems SRL
Professional Services
Romania
DSAR not fulfilled, and during the investigation, it was found that the operator Blackcab Systems SRL did not prove that it responded to the petitioner's request.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 1,000.00
Keywords
Mishandling Data
Other Actions
Corrective measures were ordered against the operator:
November 1, 2024
Master Wealth Control and Property Lovers
Financial Services
Australia
The companies failed to collect data fairly; to notify individuals whose data was collected; and
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
OAIC
Related Products
CMP
UC
Assessments
Data mapping
Trust Hub
Fine / Penalty
n/a
Keywords
Unlawful processing
Mishandling Data
Other Actions
Ordered to cease collecting personal information unfairly, destroy their leads lists within 30 days, update their privacy policies, and provide evidence of compliance.
October 31, 2024
Meta
Technology
USA
CFPB staff informed Meta on Sept. 18 that it is weighing potential legal action related to advertising for financial products on the company’s platforms, which include photo-sharing platform Instagram and messaging service WhatsApp, the company revealed in a Thursday securities filing.
Privacy Law
Dodd-Frank Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
CFPB
Related Products
UC
CMP
Fine / Penalty
TBD
Keywords
Unlawful Marketing
October 29, 2024
Temu
Retail
EU-wide
The Commission has opened formal proceedings to assess whether Temu may have breached the Digital Services Act (DSA) in areas linked to the sale of illegal products, the potentially addictive design of the service, the systems used to recommend purchases to users, as well as data access for researchers.
Privacy Law
Digital Services Act (DSA)
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
EU Commission
Related Products
Assessments
Fine / Penalty
TBD
Keywords
Tracking Tech
Unlawful Marketing
October 29, 2024
Untold SRL
Professional Services
Romania
The controller did not resolve the request for access to the personal data of the data subject, although he communicated for correspondence his e-mail address, telephone number, full name and surname and postal address.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 15,000.00
Keywords
Mishandling Data
Other Actions
Corrective measures were ordered against the operator.
October 27, 2024
Vodafone Romania S.A.
Telecommunications
Romania
It was found that the operator Vodafone Romania S.A. did not adopt sufficient technical and organizational measures to ensure the confidentiality of the processed personal data. no measures were taken to hide the recipients' email addresses.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000.00
Keywords
Data Breach
October 23, 2024
Technology
Ireland
Ireland’s data protection watchdog has fined the professional social media site for GDPR breaches related to targeted advertising.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPC
Related Products
UC
CMP
Assessments
Fine / Penalty
€ 310,100,000.00
Keywords
Tracking Tech
Unlawful Marketing
Other Actions
In addition, the regulator handed LinkedIn a reprimand and ordered it to bring its processing into compliance.
October 22, 2024
NHL
Entertainment
USA
VPPA: Lawsuit claims that the NHL collected and shared personal viewing data with third parties, such as Facebook, without user consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Class Actions Lawsuits
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
VPPA
Unlawful processing
October 22, 2024
MLB
Entertainment
USA
VPPA: MLB is facing a lawsuit for allegedly violating the Video Privacy Protection Act (VPPA) by sharing users’ personal video viewing information with Facebook without consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Class Actions Lawsuits
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
VPPA
Unlawful processing
October 21, 2024
Unisys
Professional Services
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$4,000,000.00
Keywords
Data Breach
October 21, 2024
Avaya
Professional Services
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$1,000,000.00
Keywords
Data Breach
October 21, 2024
Check Point
Technology
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$995,000.00
Keywords
Data Breach
October 21, 2024
Mimecast
Technology
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$990,000.00
Keywords
Data Breach
October 21, 2024
IBERCAJA BANCO, S.A.
Financial Services
Spain
Insufficient legal basis for data processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 180,000.00
Keywords
Unlawful processing
October 20, 2024
Grue municipality
Public Sector
Norway
Sensitive Data breach in a public postal journal. 14 individuals were affected.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
Fine / Penalty
€ 20,800.00
Keywords
Sensitive Data
Data Breach
Other Actions
The municipality also initiated extensive control work and measures to prevent similar incidents in the future
October 15, 2024
Your Consulting SRL
Professional Services
Romania
The operator did not implement adequate technical and organizational measures at the time of establishing the means of processing or at the time of the processing itself and did not carry out periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Trust Hub
Assessments
Fine / Penalty
€ 3,000.00
Keywords
Data Breach
Other Actions
Must implement robust security program starting with assessments
October 14, 2024
Quick Tax Claims
Professional Services
UK
Quick Tax Claims Limited had sent 7,863,547 unlawful text messages over the course of a month, resulting in 66,793 complaints – 93% of these stating there was no ‘opt out’ option.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
CMP
UC
SRR
Fine / Penalty
£120,000.00
Keywords
Unlawful Marketing
October 14, 2024
National Basketball Association
Entertainment
USA
Defendant’s allegedly disclosured the plaintiff’s video viewing information to Meta via the Facebook Pixel without consent, in violation of the VPPA.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Federal Courts
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
VPPA
Unlawful processing
October 10, 2024
WerepairUK Ltd
Professional Services
UK
WerepairUK Ltd, based in Tonbridge, has been fined for making 42,688 unsolicited calls. It has appealed the decision. These calls were made to people who had explicitly opted out of receiving marketing communications, violating their privacy and causing some distress.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
SRR
UC
Fine / Penalty
£80,000.00
Keywords
Unlawful Marketing
October 10, 2024
Service Box Group Limited
Professional Services
UK
Service Box Group Limited, based in Hove, East Sussex, has been fined for 5,361 calls.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC
SRR
Fine / Penalty
£40,000.00
Keywords
Unlawful Marketing
October 10, 2024
RTL Belgium
Telecommunications
Belgium
Failed to display both an 'accept all' and a 'reject all' button on the first layer of its cookie banner.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 40,000 per day
Keywords
Dark Patterns
Other Actions
See H171
October 8, 2024
Marriott International, Inc. (subsidiary Starwood Hotels & Resorts Worldwide LLC)
Transportation
USA
Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
SRR
Data mapping
Fine / Penalty
TBD
Keywords
Data Deletion
Data Breach
Mishandling Data
Data Minimization
Other Actions
Must implement robust security program, and fulfil all delete SRR.
October 8, 2024
Marriott International, Inc. (subsidiary Starwood Hotels & Resorts Worldwide LLC)
Transportation
USA
Attorney General Tong announced today that a coalition of 50 attorneys general, co-led by Connecticut, has reached a settlement with Marriott International, Inc. as the result of an investigation into a large multi-year data breach of one of its guest reservation databases.
Privacy Law
State consumer protection laws
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
50 US State AGs
Related Products
Data mapping
SRR
Fine / Penalty
$52,000,000.00
Keywords
Data Breach
Data Deletion
Mishandling Data
Data Minimization
October 2, 2024
TikTok
Technology
USA
The complaint alleges that TikTok did not provide verified parents with the ability to control or limit the privacy and account settings on a minor’s account, such as tools to limit TikTok’s sharing, disclosure and sale of a minor’s personal identifying information and control TikTok’s ability to display targeted advertising to a minor.
Privacy Law
Securing Children Online Through Parental Empowerment (“SCOPE”) Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP
UC
Fine / Penalty
10,000 per violation
Keywords
Unlawful processing
October 1, 2024
California Privacy Protection Agency Announces Investigative Sweep of Data Brokers
Technology
USA
The California Privacy Protection Agency (“CPPA”) announced that it is conducting an investigative sweep focused on enforcing requirements for data brokers to register with the CPPA by January 31, 2024, under California’s Delete Act (the “Act”). Under the Act, the CPPA has the authority to impose an administrative fine of $200 per day for each day the data broker failed to register.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
CPPA
Related Products
UC
SRR
Fine / Penalty
$200 per day
Keywords
N/A
September 26, 2024
Meta
Technology
Ireland
Meta informed the commission in 2019 it inadvertently stored certain passwords of its platforms’ users in “plaintext,” or without protection or encryption
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
$100,000,000.00
Keywords
Data Breach
September 24, 2024
Mozilla
Technology
EU-wide
Mozilla, the nonprofit that develops the Firefox web browser, has been hit with a complaint by European Union privacy rights group noyb, which accuses it of violating the bloc's General Data Protection Regulation (GDPR) by tracking Firefox users by default without their permission.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Noyb
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
Tracking Tech
September 16, 2024
AT&T
Telecommunications
USA
AT&T had a data breach of a cloud vendor in January 2023 that impacted 8.9 million customers.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
Vendor
Data mapping
Fine / Penalty
$13,000,000.00
Keywords
Data Breach
Other Actions
AT&T has also agreed to boost its data governance practices to increase supply chain integrity in the handling of sensitive data to protect consumers from similar vendor data breaches in the future.
September 1, 2024
Verkada
Technology
USA
FTC: Did not apply appropriate controls to sensitive data.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
UC
Assessments
Data mapping
Fine / Penalty
$2,950,000.00
Keywords
Sensitive Data
Data Breach
Other Actions
FTC is requiring Verkada to create a comprehensive information security program
August 28, 2024
Apohem AB
Retail
Sweden
Apohem AB had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP
Assessments
Data mapping
Fine / Penalty
$730,000.00
Keywords
Tracking Tech
Unlawful processing
Unlawful Marketing
Sensitive Data
August 28, 2024
Apoteket AB
Retail
Sweden
Apoteket AB had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP
Assessments
Data mapping
Fine / Penalty
$3,400,000.00
Keywords
Unlawful Marketing
Unlawful processing
Tracking Tech
Sensitive Data
August 26, 2024
Uber Technologies, Inc.
Transportation
Netherlands
The European Union’s data protection laws were violated by transferring sensitive personal data of its drivers to the U.S. without adequate safeguards.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
$310,000,000.00
Keywords
Cross-Border Transfer
August 22, 2024
Lawline
Technology
USA
VPPA: claims that the platform unlawfully disclosed its users' video viewing habits to third parties, specifically analytics and marketing companies, without obtaining proper consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
Federal Courts
Related Products
CMP
UC
Trust Hub
Data mapping
Assessments
Fine / Penalty
TBD
Keywords
VPPA
Tracking Tech
August 20, 2024
[Name Not Public]
Telecommunications
Thailand
Failure to Appoint a Data Protection Officer (DPO).
Privacy Law
Personal Data Protection Act ("PDPA")
Level of Government
Federal
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
PDPA
Related Products
Data mapping
Fine / Penalty
?205,520
Keywords
Data Breach
Mishandling Data
Other Actions
The second expert committee ordered the company to enhance its security measures to prevent future data leaks. The company must also train its staff, update security measures to keep pace with technological changes, and report these improvements to the PDPC within 7 days of receiving the order.
August 19, 2024
Equiniti Trust
Financial Services
USA
SEC rules: A lot going on here, with issues re handling client assets. Breach, data governance and poor retention.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Data mapping
Assessments
Fine / Penalty
$850,000.00
Keywords
Data Breach
August 6, 2024
Advanced Computer Software Group
Technology
UK
UK GDPR: failed to implement sufficient security measures to protect personal information.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
ICO
Related Products
Data mapping
Assessments
Fine / Penalty
£6,000,000.00
Keywords
Data Breach
August 5, 2024
UNIQLO EUROPE, LTD
Retail
Spain
The complainant in the case, whose employment contract had been terminated, requested access to their payroll information for July 2022. In responding to the request, the controller sent an e-mail to the complainant that contained an attached PDF document that included his payroll and that of 446 other workers on the staff.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 270,00
Keywords
Data Breach
Mishandling Data
July 29, 2024
Meta
Technology
USA
Meta knowingly violated the state’s Capture or Use of Biometric Identifier Act and Deceptive Trade Practices and Consumer Protection Act by implementing a now-defunct facial-recognition-based photo and video tagging feature.
Privacy Law
Capture or Use of Biometric Identifier Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
CMP
UC
Fine / Penalty
$1,400,000,000.00
Keywords
Sensitive Data
Tracking Tech
Selling Data
July 23, 2024
TikTok
Technology
UK
Failing to comply with a request for information and not cooperating with Ofcom’s investigation into the effectiveness of its child protection measures.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ICO
Related Products
Data mapping
Fine / Penalty
£1,875,000.00
Keywords
Sensitive Data
Mishandling Data
July 17, 2024
Oracle
Technology
USA
The proposed settlement was announced on 18 July in San Francisco federal court. In August 2022, plaintiffs had filed a lawsuit that alleged Oracle’s advertising tracking tools accessed, collected, stored, disclosed, sold and used internet users’ personal data without consent.
Privacy Law
US Civil Law
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Federal Courts
Related Products
CMP
UC
Fine / Penalty
$150,000,000.00
Keywords
Tracking Tech
Unlawful processing
July 17, 2024
What’s App (Meta)
Technology
Nigeria
Meta was ordered to “immediately reinstate the rights of Nigerian users to self-determine and control” data sharing, and stop sharing WhatsApp users’ information “with other Facebook companies and third parties” without users’ active consent.
Privacy Law
Nigeria Data Protection Act 2023
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Federal Competition and Protection Commission
Related Products
Data mapping
UC
CMP
Fine / Penalty
$2,200,000,000.00
Keywords
Unlawful processing
Mishandling Data
Other Actions
35,000 for investigation costs.
July 17, 2024
TracFone
Telecommunications
USA
Verizon-owned mobile virtual network operator TracFone
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FCC
Related Products
CMP
UC
Data mapping
Vendor
Fine / Penalty
$16,000,000.00
Keywords
Data Breach
July 8, 2024
NGL
Technology
USA
The FTC and the Los Angeles District Attorney’s Office accused NGL of violating the Children’s Online Privacy Protection Rule (COPPA Rule) by knowingly collecting the personal data of children younger than 13 without parental consent.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
SRR
Data mapping
UC
Fine / Penalty
$5,000,000.00
Keywords
Unlawful processing
Data Minimization
Sensitive Data
July 1, 2024
Vinted
Retail
Lithuania
Did not have proper rationale for denying the right to erasure (‘right to be forgotten’) and the right of access. They reasoned that the user did not identify in their request the ‘specific grounds’ under Article 17 of the GDPR.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Data mapping
Fine / Penalty
€ 2,385,276.00
Keywords
Mishandling Data
June 30, 2024
Grindr
Technology
Norway
The Norwegian Data Protection Authority said that sharing such data without seeking explicit consent broke GDPR rules.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP
UC
SRR
Data mapping
Vendor
Fine / Penalty
€ 6,500,000.00
Keywords
Unlawful processing
June 17, 2024
Tilting Point Media LLC (Tilting Point)
Technology
USA
Tilting Point employed an age screen that did not ask for age in a “neutral manner” and therefore encouraged children to enter an older age. Further, Tilting Point inadvertently configured third-party software development kits (SDKs) to collect and sell children’s data without first obtaining consent.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
AG
Related Products
UC
Assessments
Fine / Penalty
$500,000.00
Keywords
Unlawful processing
Tracking Tech
Mishandling Data
Other Actions
prohibition on selling and sharing the personal information of children without affirmative consent, a requirement to use neutral age screens, restrictions on the use of SDKs, children’s data minimization requirements, and a requirement to submit annual reports regarding compliance efforts to the California Department of Justice and the Los Angeles City Attorney’s office.
June 17, 2024
[Name Not Public]
Technology
USA
The Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.
Privacy Law
Data Broker Law
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
AG
Related Products
Regulatory Guidance
Data mapping
Fine / Penalty
$10,000.00
Keywords
N/A
Other Actions
The Data Broker Law, the Biometric Identifier Act, the Deceptive Trade Practices Act as well as federal laws including the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).
June 4, 2024
Medibank Private Ltd (MPL.AX)
Financial Services
Australia
Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
Data mapping
Fine / Penalty
TBD
Keywords
Data Breach
May 22, 2024
Police Service of Northern Ireland (PSNI)
Public Sector
UK
Exposed personal data belonging to all PSNI serving officers and staff.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
ICO
Related Products
Assessments
Fine / Penalty
£750,000.00
Keywords
Data Breach
May 21, 2024
Kakao Corp
Telecommunications
South Korea
Failure to report a data breach.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
PIPC
Related Products
Assessments
Fine / Penalty
$11,100,000.00
Keywords
Data Breach
May 19, 2024
Blackbaud
Financial Services
USA
Order finalized after announcement in February 2024.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
Data mapping
Fine / Penalty
$3,000,000.00
Keywords
Sensitive Data
Data Deletion
Other Actions
Delete data that is no longer needed
March 17, 2024
Benefytt Technologies
Healthcare
USA
Health company and its third parties operated series of deceptive websites that targeted consumers who were searching for comprehensive health insurance plans qualified under the Affordable Care Act.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
SRR
UC
CMP
Fine / Penalty
$100,000,000.00
Keywords
Sensitive Data
Tracking Tech
Unlawful Marketing
March 14, 2024
Flo Health
Healthcare
Canada
App shared personal health information to Facebook and other third-parties without users' consent.
Privacy Law
Canadian Civil Law
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Supreme Court of British Columbia
Related Products
UC
Vendor
Fine / Penalty
TBD
Keywords
Sensitive Data
Unlawful processing
Mishandling Data
March 4, 2024
Intellexa Consortium
Technology
USA
Used spyware and surveillance technology to target U.S. government officials, journalists and policy experts.
Privacy Law
OFAC sanctions
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
OFAC
Related Products
UC
CMP
Fine / Penalty
TBD
Keywords
Tracking Tech
Unlawful processing
February 27, 2024
BNSF Railway
Transportation
USA
Unlawfully collected fingerprint scans without consent from thousands of drivers using automated gate systems at the company’s four facilities in Illinois.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
UC
Fine / Penalty
$75,000,000.00
Keywords
Selling Data
Unlawful processing
February 21, 2024
[Name Not Public]
Logistics
Italy
Used facial recognition technology to determine employee attendance.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
UC
Assessments
Fine / Penalty
€ 103,000.00
Keywords
Tracking Tech
Unlawful processing
February 21, 2024
Avast Limited
Technology
USA
Collected, retained and sold data without proper notice or consent to third parties.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$16,500,000.00
Keywords
Selling Data
Unlawful processing
February 20, 2024
Doordash
Retail
USA
Sold its customers' personal information without notice and without providing an opportunity to opt-out of the sale of their data.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP
UC
Fine / Penalty
$375,000.00
Keywords
Selling Data
Unlawful processing
February 13, 2024
College Board
Public Sector
USA
Unlawfully sold students' personal data to schools and other customers
Privacy Law
New York law
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
AG
Related Products
UC
Fine / Penalty
$750,000.00
Keywords
Selling Data
Unlawful processing
February 6, 2024
Montefiore Medical Center
Healthcare
USA
Breach of its unsecured electronic protected health information (“ePHI”) from 2015
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Department of Health and Human Services’ Office for Civil Rights
Related Products
CMP
UC
Data mapping
Fine / Penalty
$4,750,000.00
Keywords
Sensitive Data
Data Breach
Other Actions
MMC has entered and agrees to comply with the Corrective Action Plan (“CAP”)
February 2, 2024
Tagadamedia
Technology
France
Failure to comply with the obligation to have a legal basis for the processing of data
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
UC
Fine / Penalty
€ 75,000.00
Keywords
Unlawful processing
January 30, 2024
Uber Technologies, Inc.
Transportation
Netherlands
Failed to disclose its data retention period for European drivers' data
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Assessments
Data mapping
Fine / Penalty
€ 10,000,000.00
Keywords
Data Deletion
Mishandling Data
Cross-Border Transfer
January 29, 2024
OpenAI (ChatGPT)
Technology
Italy
Lack of a suitable legal basis for the collection and processing of personal data for the purpose of training the algorithms underlying ChatGPT.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
CMP
UC
Fine / Penalty
TBD
Keywords
Unlawful processing
January 15, 2024
X-Mode Social, Inc./Outlogic)
Technology
USA
Raw data collection and sale of location information that could be used to track people’s visits to places of worship, reproductive health clinics, and domestic abuse shelters.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
Unknown settlement amount
Keywords
Tracking Tech
Selling Data
Sensitive Data
January 13, 2024
Poxell Ltd & Skean Homes Ltd
Telecommunications
UK
Made unsolicited marketing calls to people registered with the Telephone Preference Service (TPS) while withholding their identity.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC
Fine / Penalty
€ 150,000.00
Keywords
Unlawful Marketing
January 8, 2024
Amazon
Retail
Luxembourg
Processed users’ personal data for targeted advertising without their consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 818,000,000.00
Keywords
Unlawful Marketing
Unlawful processing
Tracking Tech
January 2, 2024
Kochava
Telecommunications
USA
Collected, without notice or consent, vast amounts of consumer location and personal data.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
Unlawful processing
Sensitive Data
December 28, 2023
Yahoo
Telecommunications
France
Deposited cookies on website without user’s consent
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 10,000,000.00
Keywords
Tracking Tech
December 28, 2023
NS Cards France
Telecommunications
France
Failure to comply with the obligation to retain data for a period limited to the purpose for which it was collected (article 5.1.e of the GDPR).
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
UC
CMP
Fine / Penalty
€ 105,000.00
Keywords
Tracking Tech
Data Deletion
December 26, 2023
Amazon France Logistique
Retail
France
Warehouse employees used scanners to tracker activities and the scans carried out by employees resulted in recording of data, which is stored and used to calculate indicators providing information on the quality, productivity and periods of inactivity of each employee.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 32,000,000.00
Keywords
Unlawful processing
Tracking Tech
December 18, 2023
Rite Aid
Retail
USA
Rite Aid deployed artificial intelligence-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behavior.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
Assessments
Data mapping
Fine / Penalty
N/A
Keywords
Tracking Tech
Unlawful processing
Sensitive Data
Other Actions
Prohibited from using facial recognition technologies for five years.
December 13, 2023
Kodas Design and Speed Auction
Technology
South Korea
Both companies violated safety measure obligations and personal information leakage notification and reporting obligations under the PIPA.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
PIPC
Related Products
Vendor
Data mapping
Fine / Penalty
$1,71,653
Keywords
Data Breach
December 13, 2023
Tipros
Telecommunications
Singapore
Tipros unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organization's Google reviews page.
Privacy Law
Personal Data Protection Act (PDPA)
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
PDPC
Related Products
SRR
Fine / Penalty
N/A
Keywords
Data Breach
Other Actions
Review 13 other Google reviews and remove personal data from Google review page.
November 30, 2023
Technology
USA
Secretly tracked the internet use of millions of people who were using its Chrome browser's incognito mode.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$5,000,000,000.00
Keywords
Tracking Tech
Unlawful processing
November 27, 2023
Shanghai Commercial and Savings Bank
Financial Services
China
Audit leak of customer data.
Privacy Law
Banking Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Financial Supervisory Commission
Related Products
SRR
Fine / Penalty
NT 10,000,000
Keywords
Data Breach
November 1, 2023
Australian Clinical Labs Limited
Healthcare
Australia
Data breach of patient's personal information and data.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
OAIC
Related Products
SRR
Fine / Penalty
AUS$ 2,200,000
Keywords
Data Breach
October 31, 2023
First American Title Insurance Company
Financial Services
USA
Violations of the NYDFS Cybersecurity Regulation in connection with a 2019 data breach, which exposed consumers’ non-public information.
Privacy Law
NYDFS Cybersecurity Regulation
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$1,000,000.00
Keywords
Data Breach
October 25, 2023
FT v DW (C-307/22)
Healthcare
Germany
A patient asked dentist for a copy of his dental records. Dentist said that patient is responsible for costs with such provision, per German law.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
CJEU
Related Products
SRR
Fine / Penalty
N/A
Keywords
Mishandling Data
October 22, 2023
Axpo Italia Spa
Energy
Italy
Electricity and gas suppliers that activated accounts without data subject knowledge issued contracts in their name based on acquired, and unsolicited, contracts.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Vendor
Templates
Fine / Penalty
€ 10,000,000.00
Keywords
Unlawful processing
Other Actions
Corrective measures, including:
October 16, 2023
Clearview AI, Inc.
Technology
UK
Personal data of UK individuals collected through the use of its facial recognition technology and held in its database.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC
Fine / Penalty
€ 7,500,000.00
Keywords
Unlawful processing
Sensitive Data
October 4, 2023
Debt Collection Company
Financial Services
Croatia
Unlawfully processed sensitive data (health related) of 181,641 of their debtors, as well as the data of individuals who are not in a debtor-creditor relationship, most often collecting telephone number, first and last name and residential address.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
UC
Fine / Penalty
€ 5,470,000.00
Keywords
Sensitive Data
Unlawful processing
September 30, 2023
Backbaud
Telecommunications
USA
Ransomware attack (in 2020) exposed users’ personal data, donation history and financial information to unauthorized third parties.
Privacy Law
Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
SEC
Related Products
UC
SRR
Fine / Penalty
$49,500,000.00
Keywords
Data Breach
August 15, 2023
Ecommerce Enablers
Technology
Singapore
Access key to the company's storage servers on a private GitHub repository shared. Ex-filtration of data of 1.46 million email addresses, 10,000 national identity numbers, 300,000 bank account numbers and 380,000 pieces of partial credit card information.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
PDPC
Related Products
Data mapping
Fine / Penalty
€ 50,250.00
Keywords
Data Breach
August 15, 2023
DoorDash Technologies Australia Pty Ltd
Retail
Australia
Promotional emails were sent to customers who had already unsubscribed, and 515,000 text messages were sent to their potential drivers without an unsubscribe function.
Privacy Law
Spam Act 2003
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ACMA
Related Products
SRR
Fine / Penalty
AUS$ 2,011,320
Keywords
Unlawful Marketing
August 13, 2023
Experian Consumer Services
Technology
USA
Failed to comply with CAN-SPAM Act.
Privacy Law
CAN-SPAM Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$650,000.00
Keywords
Unlawful Marketing
July 26, 2023
Greenley v. Kochava, Inc.
Technology
USA
Data broker coded its software development kits to track a user’s geolocation, search terms, click choices, purchase decisions, and/or payment methods
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
U.S. District Court for the Southern District of California
Related Products
SRR
UC
Fine / Penalty
$5,000 per fine
Keywords
CIPA
July 13, 2023
Meta Platforms Ireland Limited and Facebook Norway AS
Technology
Norway
Processed personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior".
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
Unknown
Keywords
Tracking Tech
Unlawful Marketing
Unlawful processing
July 5, 2023
Telekall Infoservice
Telecommunications
Brazil
The company violated LGPD data processing requirements and failed to cooperate with its investigation.
Privacy Law
LGPD
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR
UC
Trust Hub
Fine / Penalty
€ 1,483.00
Keywords
Mishandling Data
Unlawful processing
June 29, 2023
Tele2 Sverige Aktiebolag
Telecommunications
Sweden
NOYB filed a complaint relating to unlawful transferring of personal data to the US.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
€ 1,000,000.00
Keywords
Cross-Border Transfer
Other Actions
DPA determined that the use of the standard contractual clauses was not sufficient to guarantee a level of protection equivalent to that of the EU.
June 26, 2023
Creditinfo Lánstraust hf.
Professional Services
Iceland
Processed credit information re small loans, without a legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
CMP
Fine / Penalty
€ 257,000.00
Keywords
Unlawful processing
June 14, 2023
CRITEO
Telecommunications
France
Used cookies to track user behavior for advertising
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 40,000,000.00
Keywords
Tracking Tech
Data Deletion
June 11, 2023
Piraeus Bank
Financial Services
Greece
Processed personal data without taking appropriate and effective technical and organizational measures to process only the data necessary for the specific purpose.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
$210,000.00
Keywords
Data Minimization
Mishandling Data
June 11, 2023
Spotify
Technology
Sweden
Not sufficiently complied with data subject rights.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 4,900,000.00
Keywords
Mishandling Data
May 30, 2023
Ring LLC
Technology
USA
Made false/misleading representations that it took reasonable steps to ensure that Ring home security cameras are a secure means to monitor private areas of consumers’ homes.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$5,800,000.00
Keywords
Mishandling Data
May 29, 2023
Shopee and Eslite
Retail
Taiwan
Did not provide information on safety checks or evidence that corrective measures have been implemented. Failed to conduct audits on outsourced suppliers – one of their supply chains had inadequate account management.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
MODA
Related Products
Vendor
Fine / Penalty
2,000 TWD
Keywords
Data Breach
May 28, 2023
WIND (now NOVA)
Advertising
Poland
Sending of five promotional messages despite objections.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP
UC
SRR
Fine / Penalty
€ 150,000.00
Keywords
Unlawful Marketing
May 11, 2023
Meta Platforms Ireland Limited
Technology
Ireland
Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Assessments
Data mapping
Fine / Penalty
€ 1,200,000,000.00
Keywords
Cross-Border Transfer
Other Actions
The DPC ordered to cease any future transfer of personal data to the U.S., as well as to cease storage, within six months of data already transferred to the U.S.
April 3, 2023
TikTok
Technology
UK
More than one million British children under the age of 13 were using TikTok without the consent of their parents.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ICO
Related Products
UC
Data mapping
Fine / Penalty
€ 14,500,000.00
Keywords
Unlawful processing
March 15, 2023
Argon Medical Devices
Healthcare
Norway
Reported data breach of compromised personal data after 67 days.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
Vendor
Fine / Penalty
€ 220,000.00
Keywords
Data Breach
March 10, 2023
[Name Not Public]
Healthcare
Turkey
A Hospital did not have a patient’s explicit consent before sharing their photographs and videos with the contracted media organizations for advertising and promotion purposes about the patients’ treatments.
Privacy Law
Law on the Protection of Personal Data No. 6698
Level of Government
Federal
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
UC
Data mapping
Fine / Penalty
$8,373.75
Keywords
Unlawful processing
February 21, 2023
VODAFONE ESPAÑA, S.A.U..
Telecommunications
Spain
System error when an Amazon sales partner had concluded a contract without first obtaining the consent of the data subject.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
€ 56,000.00
Keywords
Mishandling Data
February 16, 2023
Suomen Asiakastieto Oy
Professional Services
Finland
The company had unlawfully stored financial data of data subjects.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
SRR
Fine / Penalty
€ 440,000.00
Keywords
Unlawful processing
February 13, 2023
Byars v. Hot Topic, Inc.
Retail
USA
Case dismissed because third-party chat feature was a “tool” and no more than an “extension” of the website provider
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
U.S District Court for the Central District of California
Related Products
UC
SRR
Fine / Penalty
$5,000 per fine
Keywords
CIPA
February 5, 2023
Sats ASA
Retail
Norway
Did not comply with Customers requests for information as well as deletion of their personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 900,000.00
Keywords
Data Deletion
Mishandling Data
February 2, 2023
Byars v. Goodyear Tire & Rubber Co
Retail
USA
Website’s chat features and use of session replay software violated (CIPA).
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
US District Court for the Central District of California
Related Products
UC
SRR
Fine / Penalty
$5,000 per fine
Keywords
CIPA
Tracking Tech
January 31, 2023
GoodRx
Healthcare
USA
Google and Meta tracking pixels were installed on its website to share users’ medication information, location and other personal data.
Privacy Law
Health Breach Notification Rule
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$1,500,000.00
Keywords
Tracking Tech
January 18, 2023
Hungarian Airline Company
Transportation
Poland
Customer’s data was not timely erased when requested by airlines
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 13,244.00
Keywords
Data Deletion
Mishandling Data
October 18, 2022
Medibank
Healthcare
Australia
Privacy Act: Did not apply appropriate controls to sensitive data. Medibank says the hacker claims to have stolen 200GB of data.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
Assessments
Data mapping
UC
Fine / Penalty
AUS$ 2,200,000
Keywords
Sensitive Data
Data Breach
August 23, 2022
Sephora
Retail
USA
Sold consumers’ personal data using third-party trackers to get targeted ads and discounts on analytics, didn't disclose to consumers that it was selling their personal information, no GPC either. Did not cure these violations within the 30-day period
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP
UC
SRR
Fine / Penalty
$1,200,000.00
Keywords
Selling Data
Tracking Tech
May 30, 2022
Javier v. Assurance IQ, LLC
Healthcare
USA
Privacy Law
TCPA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
U.S. States Court of Northern District of California
Related Products
UC
SRR
Fine / Penalty
5,000 per fine
Keywords
CIPA
April 30, 2022
Patreon
Technology
USA
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
Federal Courts
Related Products
Assessments
Vendor
Data mapping
CMP
UC
Fine / Penalty
$7,250,000.00
Keywords
VPPA
Unlawful Marketing
Tracking Tech
Back
Next