Get updates on data privacy enforcement actions & trends from Osano's privacy team.

Sign up for updates
  • Platform
    • The Osano Platform Overview

      Get an overview of the simple, all-in-one data privacy platform

    • header__icon-1
      Cookie Consent

      Manage consent for data privacy laws in 50+ countries

    • user-square
      Subject Rights Management

      Streamline and automate the DSAR workflow

    • assessments primary 200
      Assessments

      Efficiently manage assessment workflows using custom or pre-built templates

    • Unified Consent primary 200
      Unified Consent & Preference Hub

      Streamline consent, utilize non-cookie data, and enhance customer trust

    • data mapping primary 200
      Data Mapping

      Automate and visualize data store discovery and classification

    • shield-tick
      Vendor Privacy Risk Management

      Ensure your customers’ data is in good hands

    • Features & Integrations

      Key Features & Integrations

    • TrustHub
    • Privacy Templates
    • GDPR Representative
    • Consult Privacy Team
    • Regulatory Guidance
    • Integrations
  • Solutions
    • FEATURED
    • Cookie
      Consent & Preference Management

      Simplify compliance with our powerful Consent Management Platform.

    • shield-02
      Data Privacy Management

      Automate and streamline your entire privacy program with our comprehensive platform.

    • By Regulation
    • CPRA
    • CCPA
    • GDPR
    • By Organization Type
    • trend-up-01
      Start-Up
    • building-01
      Mid-sized
    • building-07
      Enterprise
    • By Use Case
    • badge icon checked primary 200
      Consent & Preferences
    • profile icon primary 200
      Privacy Program Management
    • Icon (14)
      DSAR Automation
    • Icon (15)
      Vendor Risk Management
    • By Roles
    • For Non-Privacy Experts
    • For Legal & Compliance
    • For GRC, Risk & Security
  • Resources
    • Quick Links
    • book-open-01
      Articles
    • Icon (25)
      Guides, Checklists & Recordings
    • hand a heart icon primary 200
      Customer Stories
    • people icon primary 200
      Upcoming Webinars & Events
    • Key Resources

      Key resources to level up your privacy game

    • hammer icon primary 200
      Privacy Enforcement Tracker
    • star icon primary 200
      Privacy Program Maturity Model
    • globe icon primary 200
      U.S. Data Privacy Guide
    • Privacy Insider

      Data privacy is complex, but you're not alone

    • Icon (17)
      The Podcast
    • envelope icon primary 200
      The Newsletter
    • book-open-01
      The Book
    • Customers

      The latest from Osano and how to get the most from the platform

    • Product Updates
    • Osano Help Center
    • Developer Documentation
    • Sign up for enforcement updates

      Get updates on data privacy enforcement actions & trends from Osano's privacy team.

  • Company
    • Vector
      About Us

      The Osano story

    • Icon (25)
      Careers

      Become an Osanian and help us build the future of privacy!

    • Icon (26)
      Contact

      We’re eager to hear from you

    • Icon (30)
      Partners & Resellers

      Interested in partnering with us?

    • Icon (28)
      Osano Swag Store

      Increase Trust. Stay Compliant. Get Cool Swag.

    • Icon (29)
      Press & Media

      Inquiries and Osano in the news

    • Icon (27)
      Data Licensing

      Add Osano data privacy ratings and recommendations to your application

    Osano-guarantee-seal (1)
  • Plans
  • Sign In Book a Demo

Data Privacy Enforcement Tracker

What's new in the world of regulatory enforcement? Our Enforcement Tracker keeps you up to speed with relevant and noteworthy enforcement actions in the world of privacy. Stay informed, spot patterns early, and guide your program with confidence.
Note: While updated regularly this is not exhaustive and not intended as legal advice.

Filters applied (0)
Clear filters
Filter by Category
  • Privacy Law
    Select all
  • Region of Enforcement
    Select all
  • Industry Type
    Select all
  • Employee Count
    Select all
  • Estimated Annual Revenue
    Select all
  • Keyword(s)
    Select all
  • Level of Government
    Select all
  • Who Enforced
    Select all
Sort By
Showing 7 of 46 results
August 23, 2022

Sephora

Retail
USA USA
Sold consumers’ personal data using third-party trackers to get targeted ads and discounts on analytics, didn't disclose to consumers that it was selling their personal information, no GPC either. Did not cure these violations within the 30-day period
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP UC SRR
Fine / Penalty
$1,200,000
Keywords
Selling Data Tracking Tech
Other Actions
N/A
May 30, 2022

Javier v. Assurance IQ, LLC

Healthcare
USA USA
Consent to a website session recording technology cannot apply retroactively Unlawful wiretap over the session recording technology that helps companies protect against litigation abuse from the Telephone Consumer Protection Act (TCPA).
Privacy Law
TCPA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
U.S. States Court of Northern District of California
Related Products
UC SRR
Fine / Penalty
5,000 per fine
Keywords
CIPA
Other Actions
N/A
January 18, 2023

Hungarian Airline Company

Transportation
Poland Poland
Customer’s data was not timely erased when requested by airlines Company failed to inform the Data Subject that account was deleted until 5 months later.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 13,244
Keywords
Data Deletion Mishandling Data
Other Actions
N/A
January 31, 2023

GoodRx

Healthcare
USA USA
Google and Meta tracking pixels were installed on its website to share users’ medication information, location and other personal data.
Privacy Law
Health Breach Notification Rule
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$1,500,000
Keywords
Tracking Tech
Other Actions
N/A
February 2, 2023

Byars v. Goodyear Tire & Rubber Co

Retail
USA USA
Website’s chat features and use of session replay software violated (CIPA).
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
US District Court for the Central District of California
Related Products
UC SRR
Fine / Penalty
$5,000 per fine
Keywords
CIPA Tracking Tech
Other Actions
N/A
February 5, 2023

Sats ASA

Retail
Norway Norway
Did not comply with Customers requests for information as well as deletion of their personal data. Processed certain customer data without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 900,000
Keywords
Data Deletion Mishandling Data
Other Actions
N/A
February 13, 2023

Byars v. Hot Topic, Inc.

Retail
USA USA
Case dismissed because third-party chat feature was a “tool” and no more than an “extension” of the website provider No finding of an unlawful third-party interception.
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
U.S District Court for the Central District of California
Related Products
UC SRR
Fine / Penalty
$5,000 per fine
Keywords
CIPA
Other Actions
N/A
February 16, 2023

Suomen Asiakastieto Oy

Professional Services
Finland Finland
The company had unlawfully stored financial data of data subjects.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping SRR
Fine / Penalty
€ 440,000
Keywords
Unlawful processing
February 21, 2023

VODAFONE ESPAÑA, S.A.U..

Telecommunications
Spain Spain
System error when an Amazon sales partner had concluded a contract without first obtaining the consent of the data subject.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
€ 56,000
Keywords
Mishandling Data
Other Actions
N/A
March 10, 2023

[Name Not Public]

Healthcare
Turkey Turkey
A Hospital did not have a patient’s explicit consent before sharing their photographs and videos with the contracted media organizations for advertising and promotion purposes about the patients’ treatments.
Privacy Law
Law on the Protection of Personal Data No. 6698
Level of Government
Federal
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
UC Data mapping
Fine / Penalty
$8,373.75
Keywords
Unlawful processing
Other Actions
N/A
March 15, 2023

Argon Medical Devices

Healthcare
Norway Norway
Reported data breach of compromised personal data after 67 days.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping Vendor
Fine / Penalty
€ 220,000
Keywords
Data Breach
Other Actions
N/A
April 3, 2023

TikTok

Technology
UK UK
More than one million British children under the age of 13 were using TikTok without the consent of their parents.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ICO
Related Products
UC Data mapping
Fine / Penalty
€ 14,500,000
Keywords
Unlawful processing
Other Actions
N/A
May 11, 2023

Meta Platforms Ireland Limited

Technology
Ireland Ireland
Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR Assessments Data mapping
Fine / Penalty
€ 1,200,000,000
Keywords
Cross-Border Transfer
Other Actions
The DPC ordered to cease any future transfer of personal data to the U.S., as well as to cease storage, within six months of data already transferred to the U.S.
May 28, 2023

WIND (now NOVA)

Advertising
Poland Poland
Sending of five promotional messages despite objections. Non-satisfaction of access rights, failure to provide a reply. Did not have in practice the necessary procedures to ensure the right to object and stop processing the data for the promotional purpose.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP UC SRR
Fine / Penalty
€ 150,000
Keywords
Unlawful Marketing
Other Actions
N/A
May 29, 2023

Shopee and Eslite

Retail
Taiwan Taiwan
Did not provide information on safety checks or evidence that corrective measures have been implemented. Failed to conduct audits on outsourced suppliers – one of their supply chains had inadequate account management.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
MODA
Related Products
Vendor
Fine / Penalty
2,000 TWD
Keywords
Data Breach
Other Actions
N/A
May 30, 2023

Ring LLC

Technology
USA USA
Made false/misleading representations that it took reasonable steps to ensure that Ring home security cameras are a secure means to monitor private areas of consumers’ homes. Gave thousands of employees and contractors unrestricted access to video recordings of customers’ intimate spaces (e.g., bathrooms, bedrooms and children’s nurseries) without customers’ knowledge or consent.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$5,800,000
Keywords
Mishandling Data
Other Actions
N/A
June 11, 2023

Piraeus Bank

Financial Services
Greece Greece
Processed personal data without taking appropriate and effective technical and organizational measures to process only the data necessary for the specific purpose. The bank had failed to properly comply with a data subject's request for access to their personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
$210,000
Keywords
Data Minimization Mishandling Data
Other Actions
N/A
June 11, 2023

Spotify

Technology
Sweden Sweden
Not sufficiently complied with data subject rights.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 4,900,000
Keywords
Mishandling Data
Other Actions
N/A
June 14, 2023

CRITEO

Telecommunications
France France
Used cookies to track user behavior for advertising Users consent was not obtained Failed to adequately respond to a data subject's requests for information regarding their personal data. Did not delete the personal data of the data subjects.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 40,000,000
Keywords
Tracking Tech Data Deletion
Other Actions
N/A
June 26, 2023

Creditinfo Lánstraust hf.

Professional Services
Iceland Iceland
Processed credit information re small loans, without a legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping CMP
Fine / Penalty
€ 257,000
Keywords
Unlawful processing
Other Actions
N/A
June 29, 2023

Tele2 Sverige Aktiebolag

Telecommunications
Sweden Sweden
NOYB filed a complaint relating to unlawful transferring of personal data to the US.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
€ 1,000,000
Keywords
Cross-Border Transfer
Other Actions
DPA determined that the use of the standard contractual clauses was not sufficient to guarantee a level of protection equivalent to that of the EU.
July 5, 2023

Telekall Infoservice

Telecommunications
Brazil Brazil
The company violated LGPD data processing requirements and failed to cooperate with its investigation. The ANPD also issued the company a warning for failing to designate a data protection officer.
Privacy Law
LGPD
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR UC Trust Hub
Fine / Penalty
€ 1,483
Keywords
Mishandling Data Unlawful processing
Other Actions
N/A
July 13, 2023

Meta Platforms Ireland Limited and Facebook Norway AS

Technology
Norway Norway
Processed personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior".
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
Unknown
Keywords
Tracking Tech Unlawful Marketing Unlawful processing
Other Actions
N/A
July 26, 2023

Greenley v. Kochava, Inc.

Technology
USA USA
Data broker coded its software development kits to track a user’s geolocation, search terms, click choices, purchase decisions, and/or payment methods Data broker collected this tracked information and then sold it to third-party advertisers.
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
U.S. District Court for the Southern District of California
Related Products
SRR UC
Fine / Penalty
$5,000 per fine
Keywords
CIPA
Other Actions
N/A
August 13, 2023

Experian Consumer Services

Technology
USA USA
Failed to comply with CAN-SPAM Act.
Privacy Law
CAN-SPAM Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$650,000
Keywords
Unlawful Marketing
Other Actions
N/A
August 15, 2023

Ecommerce Enablers

Technology
Singapore Singapore
Access key to the company's storage servers on a private GitHub repository shared. Ex-filtration of data of 1.46 million email addresses, 10,000 national identity numbers, 300,000 bank account numbers and 380,000 pieces of partial credit card information.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
PDPC
Related Products
Data mapping
Fine / Penalty
€ 50,250
Keywords
Data Breach
Other Actions
N/A
August 15, 2023

DoorDash Technologies Australia Pty Ltd

Retail
Australia Australia
Promotional emails were sent to customers who had already unsubscribed, and 515,000 text messages were sent to their potential drivers without an unsubscribe function.
Privacy Law
Spam Act 2003
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ACMA
Related Products
SRR
Fine / Penalty
AUS$ 2,011,320
Keywords
Unlawful Marketing
Other Actions
N/A
September 30, 2023

Backbaud

Telecommunications
USA USA
Ransomware attack (in 2020) exposed users’ personal data, donation history and financial information to unauthorized third parties.
Privacy Law
Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
SEC
Related Products
UC SRR
Fine / Penalty
$49,500,000
Keywords
Data Breach
Other Actions
N/A
October 4, 2023

Debt Collection Company

Financial Services
Croatia Croatia
Unlawfully processed sensitive data (health related) of 181,641 of their debtors, as well as the data of individuals who are not in a debtor-creditor relationship, most often collecting telephone number, first and last name and residential address.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping UC
Fine / Penalty
€ 5,470,000
Keywords
Sensitive Data Unlawful processing
Other Actions
N/A
October 16, 2023

Clearview AI, Inc.

Technology
UK UK
Personal data of UK individuals collected through the use of its facial recognition technology and held in its database.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC
Fine / Penalty
€ 7,500,000
Keywords
Unlawful processing Sensitive Data
Other Actions
N/A
October 22, 2023

Axpo Italia Spa

Energy
Italy Italy
Electricity and gas suppliers that activated accounts without data subject knowledge issued contracts in their name based on acquired, and unsolicited, contracts.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Vendor Templates
Fine / Penalty
€ 10,000,000
Keywords
Unlawful processing
Other Actions
Corrective measures, including: use of a blocking "check-call" system to verify the accuracy of acquired introduction of alert systems suitable for detecting any incorrect and/or fraudulent behavior introduction of alert systems suitable for detecting any incorrect and/or fraudulent behavior strengthen audits
October 25, 2023

FT v DW (C-307/22)

Healthcare
Germany Germany
A patient asked dentist for a copy of his dental records. Dentist said that patient is responsible for costs with such provision, per German law. CJEU determined that EU supersedes and that data subject is entitled to a free copy. Controller can charge for subsequent copies.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
CJEU
Related Products
SRR
Fine / Penalty
N/A
Keywords
Mishandling Data
Other Actions
N/A
October 31, 2023

First American Title Insurance Company

Financial Services
USA USA
Violations of the NYDFS Cybersecurity Regulation in connection with a 2019 data breach, which exposed consumers’ non-public information.
Privacy Law
NYDFS Cybersecurity Regulation
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$1,000,000
Keywords
Data Breach
Other Actions
N/A
November 1, 2023

Australian Clinical Labs Limited

Healthcare
Australia Australia
Data breach of patient's personal information and data.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
OAIC
Related Products
SRR
Fine / Penalty
AUS$ 2,200,000
Keywords
Data Breach
Other Actions
N/A
November 27, 2023

Shanghai Commercial and Savings Bank

Financial Services
China China
Audit leak of customer data.
Privacy Law
Banking Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Financial Supervisory Commission
Related Products
SRR
Fine / Penalty
NT 10,000,000
Keywords
Data Breach
Other Actions
N/A
November 30, 2023

Google

Technology
USA USA
Secretly tracked the internet use of millions of people who were using its Chrome browser's incognito mode.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$5,000,000,000
Keywords
Tracking Tech Unlawful processing
Other Actions
N/A
December 13, 2023

Kodas Design and Speed Auction

Technology
South Korea South Korea
Both companies violated safety measure obligations and personal information leakage notification and reporting obligations under the PIPA.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
PIPC
Related Products
Vendor Data mapping
Fine / Penalty
$1,71,653
Keywords
Data Breach
Other Actions
N/A
December 13, 2023

Tipros

Telecommunications
Singapore Singapore
Tipros unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organization's Google reviews page.
Privacy Law
Personal Data Protection Act (PDPA)
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
PDPC
Related Products
SRR
Fine / Penalty
N/A
Keywords
Data Breach
Other Actions
Review 13 other Google reviews and remove personal data from Google review page.
December 18, 2023

Rite Aid

Retail
USA USA
Rite Aid deployed artificial intelligence-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behavior.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
Assessments Data mapping
Fine / Penalty
N/A
Keywords
Tracking Tech Unlawful processing Sensitive Data
Other Actions
Prohibited from using facial recognition technologies for five years.
December 26, 2023

Amazon France Logistique

Retail
France France
Warehouse employees used scanners to tracker activities and the scans carried out by employees resulted in recording of data, which is stored and used to calculate indicators providing information on the quality, productivity and periods of inactivity of each employee.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 32,000,000
Keywords
Unlawful processing Tracking Tech
Other Actions
N/A
December 28, 2023

Yahoo

Telecommunications
France France
Deposited cookies on website without user’s consent Users of Yahoo Mail who withdrew consent were no longer be able to access the services and lost access to their messaging service.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP UC
Fine / Penalty
€ 10,000,000
Keywords
Tracking Tech
Other Actions
N/A
December 28, 2023

NS Cards France

Telecommunications
France France
Failure to comply with the obligation to retain data for a period limited to the purpose for which it was collected (article 5.1.e of the GDPR).
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
UC CMP
Fine / Penalty
€ 105,000
Keywords
Tracking Tech Data Deletion
Other Actions
N/A
January 2, 2024

Kochava

Telecommunications
USA USA
Collected, without notice or consent, vast amounts of consumer location and personal data.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
TBD
Keywords
Unlawful processing Sensitive Data
Other Actions
N/A
January 8, 2024

Amazon

Retail
Luxembourg Luxembourg
Processed users’ personal data for targeted advertising without their consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP UC
Fine / Penalty
€ 818,000,000
Keywords
Unlawful Marketing Unlawful processing Tracking Tech
Other Actions
N/A
January 13, 2024

Poxell Ltd & Skean Homes Ltd

Telecommunications
UK UK
Made unsolicited marketing calls to people registered with the Telephone Preference Service (TPS) while withholding their identity.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC
Fine / Penalty
€ 150,000
Keywords
Unlawful Marketing
Other Actions
N/A
January 15, 2024

X-Mode Social, Inc./Outlogic)

Technology
USA USA
Raw data collection and sale of location information that could be used to track people’s visits to places of worship, reproductive health clinics, and domestic abuse shelters.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
Unknown settlement amount
Keywords
Tracking Tech Selling Data Sensitive Data
Other Actions
N/A
January 29, 2024

OpenAI (ChatGPT)

Technology
Italy Italy
Lack of a suitable legal basis for the collection and processing of personal data for the purpose of training the algorithms underlying ChatGPT.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments CMP UC
Fine / Penalty
TBD
Keywords
Unlawful processing
Other Actions
N/A
January 30, 2024

Uber Technologies, Inc.

Transportation
Netherlands Netherlands
Failed to disclose its data retention period for European drivers' data Failed to report to the non-EU countries it shares data with Obstructed its drivers’ efforts to exercise their right to privacy.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR Assessments Data mapping
Fine / Penalty
€ 10,000,000
Keywords
Data Deletion Mishandling Data Cross-Border Transfer
Other Actions
N/A
February 2, 2024

Tagadamedia

Technology
France France
Failure to comply with the obligation to have a legal basis for the processing of data Failure to comply with the obligation to implement a record of processing activities.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
UC
Fine / Penalty
€ 75,000
Keywords
Unlawful processing
Other Actions
N/A
February 6, 2024

Montefiore Medical Center

Healthcare
USA USA
Breach of its unsecured electronic protected health information (“ePHI”) from 2015 Employees inappropriately accessed patient account information of 12,517 patients from its electronic medical record system and then sold certain patient information to an identity theft ring.
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Department of Health and Human Services’ Office for Civil Rights
Related Products
CMP UC Data mapping
Fine / Penalty
$4,750,000
Keywords
Sensitive Data Data Breach
Other Actions
MMC has entered and agrees to comply with the Corrective Action Plan (“CAP”)
February 13, 2024

College Board

Public Sector
USA USA
Unlawfully sold students' personal data to schools and other customers licensed this data to colleges, scholarship programs, and other customers who used it to solicit students to participate in their programs.
Privacy Law
New York law
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
AG
Related Products
UC
Fine / Penalty
$750,000
Keywords
Selling Data Unlawful processing
Other Actions
N/A
February 20, 2024

Doordash

Retail
USA USA
Sold its customers' personal information without notice and without providing an opportunity to opt-out of the sale of their data.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP UC
Fine / Penalty
$375,000
Keywords
Selling Data Unlawful processing
Other Actions
N/A
February 21, 2024

[Name Not Public]

Logistics
Italy Italy
Used facial recognition technology to determine employee attendance.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
UC Assessments
Fine / Penalty
€ 103,000
Keywords
Tracking Tech Unlawful processing
Other Actions
N/A
February 21, 2024

Avast Limited

Technology
USA USA
Collected, retained and sold data without proper notice or consent to third parties.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$16,500,000
Keywords
Selling Data Unlawful processing
Other Actions
N/A
February 27, 2024

BNSF Railway

Transportation
USA USA
Unlawfully collected fingerprint scans without consent from thousands of drivers using automated gate systems at the company’s four facilities in Illinois.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
UC
Fine / Penalty
$75,000,000
Keywords
Selling Data Unlawful processing
Other Actions
N/A
March 4, 2024

Intellexa Consortium

Technology
USA USA
Used spyware and surveillance technology to target U.S. government officials, journalists and policy experts.
Privacy Law
OFAC sanctions
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
OFAC
Related Products
UC CMP
Fine / Penalty
TBD
Keywords
Tracking Tech Unlawful processing
Other Actions
N/A
March 14, 2024

Flo Health

Healthcare
Canada Canada
App shared personal health information to Facebook and other third-parties without users' consent.
Privacy Law
Canadian Civil Law
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Supreme Court of British Columbia
Related Products
UC Vendor
Fine / Penalty
TBD
Keywords
Sensitive Data Unlawful processing Mishandling Data
Other Actions
N/A
March 17, 2024

Benefytt Technologies

Healthcare
USA USA
Health company and its third parties operated series of deceptive websites that targeted consumers who were searching for comprehensive health insurance plans qualified under the Affordable Care Act.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
SRR UC CMP
Fine / Penalty
$100,000,000
Keywords
Sensitive Data Tracking Tech Unlawful Marketing
Other Actions
N/A
May 19, 2024

Blackbaud

Financial Services
USA USA
Order finalized after announcement in February 2024.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
Data mapping
Fine / Penalty
$3,000,000
Keywords
Sensitive Data Data Deletion
Other Actions
Delete data that is no longer needed
May 21, 2024

Kakao Corp

Telecommunications
South Korea South Korea
Failure to report a data breach.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
PIPC
Related Products
Assessments
Fine / Penalty
$11,100,000
Keywords
Data Breach
Other Actions
N/A
May 22, 2024

Police Service of Northern Ireland (PSNI)

Public Sector
UK UK
Exposed personal data belonging to all PSNI serving officers and staff.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
ICO
Related Products
Assessments
Fine / Penalty
£750,000
Keywords
Data Breach
Other Actions
N/A
June 4, 2024

Medibank Private Ltd (MPL.AX)

Financial Services
Australia Australia
Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
Data mapping
Fine / Penalty
TBD
Keywords
Data Breach
Other Actions
N/A
June 17, 2024

Tilting Point Media LLC (Tilting Point)

Technology
USA USA
Tilting Point employed an age screen that did not ask for age in a “neutral manner” and therefore encouraged children to enter an older age. Further, Tilting Point inadvertently configured third-party software development kits (SDKs) to collect and sell children’s data without first obtaining consent.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
AG
Related Products
UC Assessments
Fine / Penalty
$500,000
Keywords
Unlawful processing Tracking Tech Mishandling Data
Other Actions
prohibition on selling and sharing the personal information of children without affirmative consent, a requirement to use neutral age screens, restrictions on the use of SDKs, children’s data minimization requirements, and a requirement to submit annual reports regarding compliance efforts to the California Department of Justice and the Los Angeles City Attorney’s office.
June 17, 2024

[Name Not Public]

Technology
USA USA
The Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.
Privacy Law
Data Broker Law
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
AG
Related Products
Regulatory Guidance Data mapping
Fine / Penalty
$10,000.00
Keywords
N/A
Other Actions
The Data Broker Law, the Biometric Identifier Act, the Deceptive Trade Practices Act as well as federal laws including the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).
July 8, 2024

NGL

Technology
USA USA
The FTC and the Los Angeles District Attorney’s Office accused NGL of violating the Children’s Online Privacy Protection Rule (COPPA Rule) by knowingly collecting the personal data of children younger than 13 without parental consent.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
SRR Data mapping UC
Fine / Penalty
$5,000,000
Keywords
Unlawful processing Data Minimization Sensitive Data
Other Actions
N/A
June 30, 2024

Grindr

Technology
Norway Norway
The Norwegian Data Protection Authority said that sharing such data without seeking explicit consent broke GDPR rules. The fine was reduced from £8.6m after Grindr provided details about its financial situation, and made changes to its app.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP UC SRR Data mapping Vendor
Fine / Penalty
€6,500,000
Keywords
Unlawful processing
Other Actions
N/A
July 17, 2024

Oracle

Technology
USA USA
The proposed settlement was announced on 18 July in San Francisco federal court. In August 2022, plaintiffs had filed a lawsuit that alleged Oracle’s advertising tracking tools accessed, collected, stored, disclosed, sold and used internet users’ personal data without consent.
Privacy Law
US Civil Law
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Federal Courts
Related Products
CMP UC
Fine / Penalty
$150,000,000
Keywords
Tracking Tech Unlawful processing
Other Actions
N/A
July 17, 2024

What’s App (Meta)

Technology
Nigeria Nigeria
Meta was ordered to “immediately reinstate the rights of Nigerian users to self-determine and control” data sharing, and stop sharing WhatsApp users’ information “with other Facebook companies and third parties” without users’ active consent.
Privacy Law
Nigeria Data Protection Act 2023
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Federal Competition and Protection Commission
Related Products
Data mapping UC CMP
Fine / Penalty
$2,200,000,000
Keywords
Unlawful processing Mishandling Data
Other Actions
35,000 for investigation costs.
July 29, 2024

Meta

Technology
USA USA
Meta knowingly violated the state’s Capture or Use of Biometric Identifier Act and Deceptive Trade Practices and Consumer Protection Act by implementing a now-defunct facial-recognition-based photo and video tagging feature. Texas law says it’s illegal for private entities to capture, disclose or profit from someone’s biometric identifiers without their informed consent.
Privacy Law
Capture or Use of Biometric Identifier Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
CMP UC
Fine / Penalty
$1,400,000,000
Keywords
Sensitive Data Tracking Tech Selling Data
Other Actions
N/A
July 1, 2024

Vinted

Retail
Lithuania Lithuania
Did not have proper rationale for denying the right to erasure (‘right to be forgotten’) and the right of access. They reasoned that the user did not identify in their request the ‘specific grounds’ under Article 17 of the GDPR.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR Data mapping
Fine / Penalty
€ 2,385,276
Keywords
Mishandling Data
Other Actions
N/A
July 23, 2024

TikTok

Technology
UK UK
Failing to comply with a request for information and not cooperating with Ofcom’s investigation into the effectiveness of its child protection measures. 
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ICO
Related Products
Data mapping
Fine / Penalty
£ 1,875,000
Keywords
Sensitive Data Mishandling Data
Other Actions
N/A
July 17, 2024

TracFone

Telecommunications
USA USA
Verizon-owned mobile virtual network operator TracFone Unauthorized third parties were able to exploit TracFone’s customer-facing application programming interfaces (APIs) to gain access to customer data between January 2021 and January 2023.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FCC
Related Products
CMP UC Data mapping Vendor
Fine / Penalty
$16,000,000
Keywords
Data Breach
Other Actions
N/A
August 20, 2024

[Name Not Public]

Telecommunications
Thailand Thailand
Failure to Appoint a Data Protection Officer (DPO). Inadequate Security Measures: The company lacked appropriate security measures as mandated by the PDPA, leading to data leaks to call center gangs and causing widespread damage. Failure to Report Data Breaches: The company ignored complaints from data subjects and delayed reporting the breaches to the PDPC, preventing timely remediation.
Privacy Law
Personal Data Protection Act ("PDPA")
Level of Government
Federal
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
PDPA
Related Products
Data mapping
Fine / Penalty
฿205,520
Keywords
Data Breach Mishandling Data
Other Actions
The second expert committee ordered the company to enhance its security measures to prevent future data leaks. The company must also train its staff, update security measures to keep pace with technological changes, and report these improvements to the PDPC within 7 days of receiving the order.
August 26, 2024

Uber Technologies, Inc.

Transportation
Netherlands Netherlands
The European Union’s data protection laws were violated by transferring sensitive personal data of its drivers to the U.S. without adequate safeguards.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
$310,000,000
Keywords
Cross-Border Transfer
Other Actions
N/A
August 6, 2024

Advanced Computer Software Group

Technology
UK UK
UK GDPR: failed to implement sufficient security measures to protect personal information.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
ICO
Related Products
Data mapping Assessments
Fine / Penalty
£ 6,000,000
Keywords
Data Breach
Other Actions
N/A
October 18, 2022

Medibank

Healthcare
Australia Australia
Privacy Act: Did not apply appropriate controls to sensitive data. Medibank says the hacker claims to have stolen 200GB of data.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
Assessments Data mapping UC
Fine / Penalty
AUS$ 2,200,000
Keywords
Sensitive Data Data Breach
Other Actions
N/A
September 1, 2024

Verkada

Technology
USA USA
FTC: Did not apply appropriate controls to sensitive data.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
UC Assessments Data mapping
Fine / Penalty
$2,950,000
Keywords
Sensitive Data Data Breach
Other Actions
FTC is requiring Verkada to create a comprehensive information security program
April 30, 2022

Patreon

Technology
USA USA
VPPA: claims that the platform unlawfully disclosed its users' video viewing habits to third parties, specifically analytics and marketing companies, without obtaining proper consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
Federal Courts
Related Products
Assessments Vendor Data mapping CMP UC
Fine / Penalty
$7,250,000
Keywords
VPPA Unlawful Marketing Tracking Tech
Other Actions
N/A
August 22, 2024

Lawline

Technology
USA USA
VPPA: claims that the platform unlawfully disclosed its users' video viewing habits to third parties, specifically analytics and marketing companies, without obtaining proper consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
Federal Courts
Related Products
CMP UC Trust Hub Data mapping Assessments
Fine / Penalty
TBD
Keywords
VPPA Tracking Tech
Other Actions
N/A
August 19, 2024

Equiniti Trust

Financial Services
USA USA
SEC rules: A lot going on here, with issues re handling client assets. Breach, data governance and poor retention.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Data mapping Assessments
Fine / Penalty
$850,000
Keywords
Data Breach
Other Actions
N/A
August 28, 2024

Apohem AB

Retail
Sweden Sweden
Apohem AB had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period. Incident spanned from April 15th, 2021 to April 26, 2022.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP Assessments Data mapping
Fine / Penalty
$730,000
Keywords
Tracking Tech Unlawful processing Unlawful Marketing Sensitive Data
Other Actions
N/A
August 28, 2024

Apoteket AB

Retail
Sweden Sweden
Apoteket AB had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period. Incident spanned from Janurary 19, 2020 to April 25, 2022.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP Assessments Data mapping
Fine / Penalty
$3,400,000
Keywords
Unlawful Marketing Unlawful processing Tracking Tech Sensitive Data
Other Actions
N/A
August 5, 2024

UNIQLO EUROPE, LTD

Retail
Spain Spain
The complainant in the case, whose employment contract had been terminated, requested access to their payroll information for July 2022. In responding to the request, the controller sent an e-mail to the complainant that contained an attached PDF document that included his payroll and that of 446 other workers on the staff.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 270,00
Keywords
Data Breach Mishandling Data
Other Actions
N/A
September 16, 2024

AT&T

Telecommunications
USA USA
AT&T had a data breach of a cloud vendor in January 2023 that impacted 8.9 million customers. The exposed data included information like the number of lines on an account and in a few cases bill balance and rate plan information but did not contain credit card information, Social Security Numbers, account passwords and other sensitive personal information.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
Vendor Data mapping
Fine / Penalty
$13,000,000
Keywords
Data Breach
Other Actions
AT&T has also agreed to boost its data governance practices to increase supply chain integrity in the handling of sensitive data to protect consumers from similar vendor data breaches in the future.
September 26, 2024

Meta

Technology
Ireland Ireland
Meta informed the commission in 2019 it inadvertently stored certain passwords of its platforms’ users in “plaintext,” or without protection or encryption The authority said that 36 million users across the EU and EEA were affected.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
$100,000,000
Keywords
Data Breach
Other Actions
N/A
September 24, 2024

Mozilla

Technology
EU-wide EU-wide
Mozilla, the nonprofit that develops the Firefox web browser, has been hit with a complaint by European Union privacy rights group noyb, which accuses it of violating the bloc's General Data Protection Regulation (GDPR) by tracking Firefox users by default without their permission.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Noyb
Related Products
CMP UC
Fine / Penalty
TBD
Keywords
Tracking Tech
Other Actions
N/A
October 8, 2024

Marriott International, Inc. (subsidiary Starwood Hotels & Resorts Worldwide LLC)

Transportation
USA USA
Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
SRR Data mapping
Fine / Penalty
TBD
Keywords
Data Deletion Data Breach Mishandling Data Data Minimization
Other Actions
Must implement robust security program, and fulfil all delete SRR.
October 8, 2024

Marriott International, Inc. (subsidiary Starwood Hotels & Resorts Worldwide LLC)

Transportation
USA USA
Attorney General Tong announced today that a coalition of 50 attorneys general, co-led by Connecticut, has reached a settlement with Marriott International, Inc. as the result of an investigation into a large multi-year data breach of one of its guest reservation databases.
Privacy Law
State consumer protection laws
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
50 US State AGs
Related Products
Data mapping SRR
Fine / Penalty
$52,000,000
Keywords
Data Breach Data Deletion Mishandling Data Data Minimization
October 10, 2024

WerepairUK Ltd

Professional Services
UK UK
WerepairUK Ltd, based in Tonbridge, has been fined for making 42,688 unsolicited calls. It has appealed the decision. These calls were made to people who had explicitly opted out of receiving marketing communications, violating their privacy and causing some distress.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
SRR UC
Fine / Penalty
£80,000
Keywords
Unlawful Marketing
October 10, 2024

Service Box Group Limited

Professional Services
UK UK
Service Box Group Limited, based in Hove, East Sussex, has been fined for 5,361 calls. These calls were made to people who had explicitly opted out of receiving marketing communications, violating their privacy and causing some distress.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC SRR
Fine / Penalty
£40,000
Keywords
Unlawful Marketing
October 14, 2024

Quick Tax Claims

Professional Services
UK UK
Quick Tax Claims Limited had sent 7,863,547 unlawful text messages over the course of a month, resulting in 66,793 complaints – 93% of these stating there was no ‘opt out’ option.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
CMP UC SRR
Fine / Penalty
£120,000
Keywords
Unlawful Marketing
October 10, 2024

RTL Belgium

Telecommunications
Belgium Belgium
Failed to display both an 'accept all' and a 'reject all' button on the first layer of its cookie banner. Used misleading colors in its cookie banner, directing users towards the choice of consenting to cookies by highlighting the 'accept all' button.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP UC
Fine / Penalty
€ 40,000 per day
Keywords
Dark Patterns
Other Actions
See H171
October 14, 2024

National Basketball Association

Entertainment
USA USA
Defendant’s allegedly disclosured the plaintiff’s video viewing information to Meta via the Facebook Pixel without consent, in violation of the VPPA.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Federal Courts
Related Products
CMP UC
Fine / Penalty
TBD
Keywords
VPPA Unlawful processing
October 2, 2024

TikTok

Technology
USA USA
The complaint alleges that TikTok did not provide verified parents with the ability to control or limit the privacy and account settings on a minor’s account, such as tools to limit TikTok’s sharing, disclosure and sale of a minor’s personal identifying information and control TikTok’s ability to display targeted advertising to a minor. 
Privacy Law
Securing Children Online Through Parental Empowerment (“SCOPE”) Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP UC
Fine / Penalty
10,000 per violation
Keywords
Unlawful processing
October 23, 2024

LinkedIn

Technology
Ireland Ireland
Ireland’s data protection watchdog has fined the professional social media site for GDPR breaches related to targeted advertising.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPC
Related Products
UC CMP Assessments
Fine / Penalty
€310,100,000
Keywords
Tracking Tech Unlawful Marketing
Other Actions
In addition, the regulator handed LinkedIn a reprimand and ordered it to bring its processing into compliance.
October 22, 2024

NHL 

Entertainment
USA USA
VPPA: Lawsuit claims that the NHL collected and shared personal viewing data with third parties, such as Facebook, without user consent. 
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Class Actions Lawsuits 
Related Products
CMP UC
Fine / Penalty
TBD
Keywords
VPPA Unlawful processing
October 22, 2024

MLB 

Entertainment
USA USA
VPPA: MLB is facing a lawsuit for allegedly violating the Video Privacy Protection Act (VPPA) by sharing users’ personal video viewing information with Facebook without consent.  
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Class Actions Lawsuits 
Related Products
CMP UC
Fine / Penalty
TBD
Keywords
VPPA Unlawful processing
October 31, 2024

Meta

Technology
USA USA
CFPB staff informed Meta on Sept. 18 that it is weighing potential legal action related to advertising for financial products on the company’s platforms, which include photo-sharing platform Instagram and messaging service WhatsApp, the company revealed in a Thursday securities filing.
Privacy Law
Dodd-Frank Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
CFPB
Related Products
UC CMP
Fine / Penalty
TBD
Keywords
Unlawful Marketing
October 29, 2024

Temu

Retail
EU-wide EU-wide
The Commission has opened formal proceedings to assess whether Temu may have breached the Digital Services Act (DSA) in areas linked to the sale of illegal products, the potentially addictive design of the service, the systems used to recommend purchases to users, as well as data access for researchers.
Privacy Law
Digital Services Act (DSA)
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
EU Commission
Related Products
Assessments
Fine / Penalty
TBD
Keywords
Tracking Tech Unlawful Marketing
October 21, 2024

Unisys

Professional Services
USA USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments Trust Hub
Fine / Penalty
$4,000,000
Keywords
Data Breach
October 21, 2024

Avaya

Professional Services
USA USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments Trust Hub
Fine / Penalty
$1,000,000
Keywords
Data Breach
October 21, 2024

Check Point

Technology
USA USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments Trust Hub
Fine / Penalty
$995,000
Keywords
Data Breach
October 21, 2024

Mimecast

Technology
USA USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
SEC
Related Products
Assessments Trust Hub
Fine / Penalty
$990,000
Keywords
Data Breach
October 15, 2024

Your Consulting SRL

Professional Services
Romania Romania
The operator did not implement adequate technical and organizational measures at the time of establishing the means of processing or at the time of the processing itself and did not carry out periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Trust Hub Assessments
Fine / Penalty
€ 3,000
Keywords
Data Breach
Other Actions
Must implement robust security program starting with assessments
October 20, 2024

Grue municipality

Public Sector
Norway Norway
Sensitive Data breach in a public postal journal. 14 individuals were affected.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
Fine / Penalty
€ 20,800
Keywords
Sensitive Data Data Breach
Other Actions
The municipality also initiated extensive control work and measures to prevent similar incidents in the future
October 21, 2024

IBERCAJA BANCO, S.A.

Financial Services
Spain Spain
Insufficient legal basis for data processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 180,000
Keywords
Unlawful processing
October 27, 2024

Vodafone Romania S.A.

Telecommunications
Romania Romania
It was found that the operator Vodafone Romania S.A. did not adopt sufficient technical and organizational measures to ensure the confidentiality of the processed personal data. no measures were taken to hide the recipients' email addresses.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000
Keywords
Data Breach
October 29, 2024

Untold SRL

Professional Services
Romania Romania
The controller did not resolve the request for access to the personal data of the data subject, although he communicated for correspondence his e-mail address, telephone number, full name and surname and postal address.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 15,000
Keywords
Mishandling Data
Other Actions
Corrective measures were ordered against the operator.
November 3, 2024

Blackcab Systems SRL

Professional Services
Romania Romania
DSAR not fulfilled, and during the investigation, it was found that the operator Blackcab Systems SRL did not prove that it responded to the petitioner's request.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 1,000
Keywords
Mishandling Data
Other Actions
Corrective measures were ordered against the operator:
November 5, 2024

Meta

Technology
South Korea South Korea
From July 2018 to March 2022, the company gathered data from nearly 980,000 users without asking for their explicit permission. This information included highly personal details such as users’ political beliefs, religious preferences, and whether they were in same-sex relationships. Once the company collected this sensitive data, it shared it with around 4,000 advertisers.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
PIPC
Related Products
CMP UC Assessments
Fine / Penalty
₩ 15,000,000
Keywords
Tracking Tech Unlawful processing Sensitive Data
November 7, 2024

T-Mobile

Telecommunications
USA USA
The telecom company promised to address “foundational security flaws,” work to improve “cyber hygiene,” and adopt “robust modern architectures,” such as zero trust and multi-factor authentication that is resistant to phishing.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
Assessments Data mapping
Fine / Penalty
$31,500,000
Keywords
Data Breach
October 1, 2024

California Privacy Protection Agency Announces Investigative Sweep of Data Brokers

Technology
USA USA
The California Privacy Protection Agency (“CPPA”) announced that it is conducting an investigative sweep focused on enforcing requirements for data brokers to register with the CPPA by January 31, 2024, under California’s Delete Act (the “Act”). Under the Act, the CPPA has the authority to impose an administrative fine of $200 per day for each day the data broker failed to register.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
CPPA
Related Products
UC SRR
Fine / Penalty
$200 per day
Keywords
N/A
November 14, 2024

Growbots

Technology
USA USA
The company failed to register between February 1 and July 26, 2024, per the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
CPPA
Related Products
Regulatory Guidance
Fine / Penalty
$35,000
Keywords
N/A
November 14, 2024

UpLead

Technology
USA USA
The company failed to register between February 1 and July 21, 2024, per the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
CPPA
Related Products
Regulatory Guidance
Fine / Penalty
$34,400
Keywords
N/A
November 19, 2024

Facebook

Technology
Germany Germany
The German Federal Court of Justice made a judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR from a 2021 data breach of Facebook. This judgment is important insofar as the BGH has taken a position on a legal issue – non-material damages for loss of control over personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
German Federal Court of Justice
Related Products
Data mapping
Fine / Penalty
€ 250
Keywords
Data Breach
November 21, 2024

Eken

Technology
Hong Kong Hong Kong
Apparent violations of FCC rules that require the company to designate an agent located in the United States.
Privacy Law
FCC Rules
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
FCC
Related Products
Privacy Expert Regulatory Guidance
Fine / Penalty
TBD
Keywords
Unlawful processing
November 15, 2024

Posti

Logistics
Finland Finland
Posti had automatically created an electronic OmaPosti mailbox for customers without a separate request.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
UC CMP SRR
Fine / Penalty
€ 2,400,000
Keywords
Mishandling Data
November 19, 2024

Bunnings

Retail
Australia Australia
Individuals’ facial images were compared against those of individuals Bunnings had enrolled in a database who had been identified as posing a risk, for example, due to past crime or violent behavior, according to the OAIC.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
UC Assessments Data mapping
Fine / Penalty
TBD
Keywords
Unlawful processing Tracking Tech Sensitive Data
November 28, 2024

Freedelity

Technology
Belgium Belgium
The DPA found issues with Freedelity’s: consent mechanisms for data processing; excessive data collection; and overly long data retention periods for personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP UC Assessments Data mapping
Fine / Penalty
TBD
Keywords
Tracking Tech Unlawful processing
Other Actions
The company has a period of 4 months to comply with these injunctions, and will have to pay penalties of up to 5,000 euros per day of delay in the event of non-compliance or partial compliance.
November 27, 2024

Coupang

Retail
South Korea South Korea
he fine was in relation to two data breaches, the first caused by the mishandling of data transmitted and the second breach was caused by an authentication issue.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
PIPC
Related Products
Assessments Data mapping
Fine / Penalty
$1,100,000
Keywords
Data Breach
November 27, 2024

Mediahuis

Entertainment
Belgium Belgium
Mediahuis had fully complied with the DPA’s order regarding illegal cookie banners, thereby avoiding a €25,000 (US$26,402) daily penalty.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Market Court
Related Products
CMP
Fine / Penalty
Avoided $26,402 daily penalty
Keywords
Unlawful processing Tracking Tech
November 1, 2024

Master Wealth Control and Property Lovers

Financial Services
Australia Australia
The companies failed to collect data fairly; to notify individuals whose data was collected; and ensure the accuracy of the information.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
OAIC
Related Products
CMP UC Assessments Data mapping Trust Hub
Fine / Penalty
n/a
Keywords
Unlawful processing Mishandling Data
Other Actions
Ordered to cease collecting personal information unfairly, destroy their leads lists within 30 days, update their privacy policies, and provide evidence of compliance.
December 3, 2024

Gravy Analytics (and subsidiary Venntel)

Technology
USA USA
Unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP UC SRR Assessments Data mapping Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data Selling Data Unlawful processing
Other Actions
Prohibited from selling, disclosing, or using sensitive location data in any product or service, and must establish a sensitive data location program.
December 18, 2024

Netflix

Entertainment
Netherlands Netherlands
Netflix did not give customers sufficient information about what the company does with their personal data between 2018 and 2020.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP Templates Trust Hub
Fine / Penalty
4.75M euro
Keywords
Notice
December 20, 2024

OpenAI

Technology
Italy Italy
OpenAI had wrongly relied on legitimate interest as a legal basis for processing personal data, processed inaccurate personal data, and had no age verification measures in place.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
UC Privacy Expert Assessments
Fine / Penalty
15,000,000
Keywords
Unlawful processing
Other Actions
They must carry out a six month campaign informing Italians of how it uses their personal data for their services.
December 12, 2024

Various Organizations

All
France France
The French Data Protection Authority (CNIL) issued notices to several organizations regarding non-compliant cookie banners. The notices were a result of complaints about dark patterns that encouraged users to accept non-essential cookies. The CNIL found that the methods for rejecting cookies were not as easy to use as those for accepting them, and that the designs were misleading. https://www.huntonak.com/privacy-and-information-security-law/cnil-issues-notices-regarding-non-compliant-cookie-banners
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
N/A
Keywords
Dark Patterns
December 20, 2024

Grubhub

Logistics
USA USA
Grubhub engaged in deceptive practices, such as misleading diners about delivery fees, blocking access to gift card funds, and falsely advertising driver earning.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
Trust Hub Privacy Expert Regulatory Guidance
Fine / Penalty
$25,000,000
Keywords
Notice
Other Actions
Grubhub to make changes to its business practices, including not adding surprise fees to delivery totals, providing a simple way to cancel Grubhub+ subscriptions, stopping listing unaffiliated restaurants and not making misleading driver-earning claims. Illinois Attorney General aided in case.
January 8, 2025

Bindl v EU commission

Public Sector
EU-wide EU-wide
European General Court Decision: The court ordered the European Commission to pay damages (400 EUR) for unlawfully transferring data to the U.S. without adequate protections. This transfer to the US occurred when data was shared with Meta via a "Sign in with Facebook" button on an official EU website.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
Unknown
Who Enforced
European General Court
Related Products
Assessments Data mapping Trust Hub
Fine / Penalty
400 EUR
Keywords
Cross-Border Transfer
January 8, 2025

Allstate + Arity (Allstate's tech subsidiary)

Transportation
USA USA
Arity (Allstate's tech subsidiary) allegedly slipped their SDK into third-party apps to collect “trillions of miles” of driving behavior from mobile devices, other in car devices, and vehicles themselves.
Privacy Law
Texas Data Privacy and Security Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
Trust Hub UC
Fine / Penalty
TBD
Keywords
Selling Data Mishandling Data Tracking Tech Unlawful processing
Other Actions
N/A
January 9, 2025

Court Administration Office

Public Sector
South Korea South Korea
Data breach involving litigation-related documents containing the personal data of 17,998 individuals. The PIPC claims the breach occurred as a result of the CAO’s unencrypted storage systems and weak data security protocols. The CAO also delayed reporting the breach, according to the PIPC.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
Unknown
Who Enforced
PIPC
Related Products
Assessments Data mapping
Fine / Penalty
$183,982
Keywords
Data Breach Mishandling Data
January 8, 2025

Bayview Asset Management (Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings)

Financial Services
USA USA
Failing to maintain sufficient cybersecurity practices and for not fully cooperating with state regulators following a data breach that impacted 5.8 million customers.
Privacy Law
State Agency Rules
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
52 state financial regulatory agencies
Related Products
Assessments Data mapping
Fine / Penalty
$20,000,000
Keywords
Data Breach Mishandling Data
Other Actions
Corrective actions, improve cybersecurity programs, undergo independent assessments, and provide three years of additional reporting to the states.
January 7, 2025

Elgon Information Systems

Healthcare
USA USA
Ransomware attack prompted HHS finding they had failed to conduct a thorough risk analysis to address vulnerabilities in its systems, exposing 31,248 individuals’ ePHI.
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
HHS
Related Products
Assessments Data mapping
Fine / Penalty
$80,000
Keywords
Sensitive Data Data Breach Mishandling Data
December 17, 2024

Meta Platforms Ireland Limited

Technology
Ireland Ireland
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
251,000,000
Keywords
Mishandling Data Data Breach
January 8, 2025

ECJ v Austria

All
Austria Austria
The ECJ ruled that data subject complaints cannot be deemed excessive solely based on their frequency.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
ECJ
Related Products
SRR
Fine / Penalty
None
Keywords
N/A
Other Actions
None
January 23, 2025

Softehnica S.R.L.

Logistics
Romania Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€2,000
Keywords
Mishandling Data
January 20, 2025

Vodafone Romania S.A.

Telecommunications
Romania Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€ 15,000
Keywords
Data Breach
January 17, 2025

DELIVERY SOLUTIONS S.A.

Logistics
Romania Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€ 2,000
Keywords
Data Breach
Other Actions
Corrective measures were ordered
February 11, 2025

Amazon

Technology
USA USA
Maxwell v. Amazon: The plaintiffs claim that Amazon collected health data from consumers through its SDK without giving the required notice or getting consent. The complaint doesn't discuss whether this data collection could be considered necessary under MHMDA's rules. However, it suggests that since the services consumers used were provided by apps using the SDK (and not directly by Amazon), this exception doesn't apply.
Privacy Law
MHMDA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
State Courts
Related Products
CMP UC Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data Unlawful processing
February 26, 2025

Cookie-Banner Class Actions (U.S)

All
USA USA
Since the beginning of 2025, several (at least three) class actions have been filed arising out of allegedly malfunctioning cookie banners. The plaintiffs claim to have opted out of non-essential cookies, but their opt-out was not effective.
Privacy Law
N/A
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
State Courts
Related Products
CMP UC
Fine / Penalty
N/A
Keywords
N/A
February 4, 2025

[Name Not Public]

Retail
France France
Disproportionate surveillance of its employees' activity, through software.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Privacy Expert Assessments
Fine / Penalty
€ 40,000
Keywords
Data Minimization Tracking Tech Unlawful processing
February 5, 2025

ORANGE ESPAGNE, S.A.U.

Telecommunications
Spain Spain
Unauthorized duplication of the complainant's SIM card, leading to financial losses.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 1,200,000
Keywords
Data Breach
Other Actions
ORANGE was ordered to implement measures to ensure that SIM card duplications are only carried out with proper verification of the requester's identity.
February 20, 2025

Medstar S.R.L.

Healthcare
Romania Romania
The investigation was started following a complaint from a data subject, who claimed that the operator where he performed his medical tests, the Medstar clinic, disclosed his personal data and that of another data subject.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 2,000
Keywords
Data Breach Mishandling Data
March 6, 2025

Publicaciones y Ediciones Baraca 208, S.L.

Retail
Spain Spain
Unlawfully publishing personal data, including health information, without a legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Trust Hub Privacy Expert Assessments
Fine / Penalty
€ 6,000
Keywords
Data Breach Unlawful processing
March 6, 2025

Breogan Autolux, S.L.

Retail
Spain Spain
Sending SMS advertisements without consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP UC
Fine / Penalty
€ 6,000
Keywords
Unlawful Marketing
March 12, 2025

Honda

Transportation
USA USA
Honda required more information than needed to process opt-out and data limitation requests.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
CPPA
Related Products
SRR UC
Fine / Penalty
$632,500
Keywords
Data Minimization
March 13, 2025

Investigative Sweep on Location Data Industry

Technology
USA USA
The agency is sending letters to advertising networks, mobile app providers and data brokers that appear to be violating the CCPA.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
AG
Related Products
Data mapping Assessments Regulatory Guidance Privacy Expert Vendor SRR UC CMP
Fine / Penalty
N/A
Keywords
Unlawful processing Data Minimization Mishandling Data Sensitive Data
March 12, 2025

Saturn Technologies

Technology
USA USA
They didn’t verify users’ school email addresses and age to ensure they were high school students, and didn't inform users that it would copy and use their “contact books”.
Privacy Law
New York Law
Level of Government
State
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
AG
Related Products
Data mapping Trust Hub Assessments Privacy Expert
Fine / Penalty
$650,000
Keywords
Mishandling Data Data Minimization Unlawful processing
March 21, 2025

Amazon

Technology
Luxembourg  Luxembourg
Amazon’s €746M GDPR fine upheld. Fine was from inaquadue transparency and consent management.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Luxembourg Court
Related Products
CMP UC SRR Trust Hub
Fine / Penalty
€ 756,000,000
Keywords
Mishandling Data
March 5, 2025

EDPB enforcement sweep on SRRs

All
Europe Europe
EDPB has launched its 2025 enforcement sweep targeting organizations’ compliance with data subjects’ right of erasure (right to delete or be forgotten), focusing particularly on how exceptions are applied. Thirty-two EU member state data protection authorities (DPAs) will participate in this year-long sweep that began March 5, 2025.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
EDPB
Related Products
SRR
Fine / Penalty
TBD
Keywords
N/A
April 3, 2025

Poczta Polska

Logistics
Poland Poland
The postal service provider for unlawfully sharing personal data (including PESEL numbers, names, addresses, and travel details) of all registered Polish adults during the 2020 election preparations.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Vendor Assessments Data mapping
Fine / Penalty
€ 6,479,424
Keywords
Mishandling Data
April 3, 2025

Caixabank

Financial Services
Spain Spain
A complaint from a customer who discovered that a co-owner could access not only their joint account but also a third account due to a system error in "CaixaBankNow."
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€ 3,500,000
Keywords
Sensitive Data Data Breach Mishandling Data
April 3, 2025

Liga Nacional de Fútbol Profesional

Entertainment
Spain Spain
They were conducting biometric checks in stadiums without prior data protection impact assessments.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 1,000,000
Keywords
Sensitive Data Notice
April 3, 2025

Ibermutua Mutua Colaboradora Con La Seguridad Social Nº 274

Healthcare
Spain Spain
Software error that led to the accidental disclosure of personal data to third parties.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€ 600,000
Keywords
Sensitive Data Data Breach Mishandling Data
April 3, 2025

[Name Not Public]

Telecommunications
Germany Germany
They delayed responses to information requests.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 120,000
Keywords
Mishandling Data
April 11, 2025

Lusha

Advertising
Italy Italy
The investigation follows complaints from individuals who received unsolicited calls, suggesting that their data may have been sourced from Lusha’s platform without proper consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP UC Trust Hub
Fine / Penalty
TBD
Keywords
Unlawful Marketing
April 18, 2025

Court Overrules FCC’s Fine Against AT&T

Telecommunications
USA USA
This could have broader implications on the legality of regulatory agencies levying fines through administrative proceedings, the 5th U.S. Circuit Court of Appeals has overturned a $57 million fine imposed by the Federal Communications Commission against AT&T for violating the privacy of its customers’ location data.
Privacy Law
Communications Act of 1934
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
CMP UC SRR Assessments Data mapping
Fine / Penalty
$57,000,000
Keywords
Fine Overturned
April 14, 2025

DPP Law Ltd.

Professional Services
United Kingdom United Kingdom
DPP failed to adopt the principle of least privilege and failed to regularly audit administrative accounts on its network.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
£ 70,300
Keywords
Data Breach
May 8, 2025

Jerico Pictures, Inc., d/b/a National Public Data

Technology
USA USA
Failed to register and pay an annual fee as required by the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
CPPA
Related Products
Privacy Expert Regulatory Guidance
Fine / Penalty
$46,000
Keywords
N/A
Other Actions
N/A
April 10, 2025

Marina Salud

Healthcare
Spain Spain
The Processor appointed sub-processors without authorisation from the controller.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Vendor
Fine / Penalty
€500,000.00
Keywords
Unlawful processing
May 2, 2025

TikTok

Technology
Ireland Ireland
"TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU. As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”"
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP UC SRR Trust Hub
Fine / Penalty
€530,000,000
Keywords
Cross-Border Transfer Unlawful processing
Other Actions
Required TikTok to improve its EEA Privacy Policy. Also, TikTok must put an end to the transfers to China.
May 15, 2025

CALOGA

Advertising
France France
Commercial prospecting without prospects’ consent and transferring their data to partners without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP UC Vendor
Fine / Penalty
€80,000
Keywords
Unlawful Marketing Unlawful processing
May 22, 2025

A.A.A

Professional Services
Spain Spain
Insufficient legal basis for data processing. A legal representative processed a client’s sensitive information without consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP UC Trust Hub
Fine / Penalty
€2000.00
Keywords
Unlawful processing
May 15, 2025

SOLOCAL MARKETING SERVICES

Advertising
France France
Insufficient legal basis for data processing. Failed to obtain proper consent from individuals before using their data for marketing purposes and for sharing the data with third parties without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP UC Vendor
Fine / Penalty
€900,000.00
Keywords
Unlawful processing Unlawful Marketing
December 18, 2024

Toyota Bank Polska S.A.

Financial Services
Poland Poland
The Data Personal Officer (DPO) was not fully independent in his work. Furthermore, Toyota Bank Polska S.A. failed to include profiling in the record of processing activities and data protection impact assessment.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Assessments Trust Hub Privacy Expert Regulatory Guidance
Fine / Penalty
€132,000.00
Keywords
Unlawful processing
March 6, 2025

Polskie Radio Szczecin (Polish Radio Szczecin)

Logistics
Poland Poland
The radio station released a press article in which a conviction for sexual harassment was described. The journalist revealed that a parliament member’s son was the victim and did it in such a way that the child could be identified.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€13,500.00
Keywords
Mishandling Data Data Breach
April 23, 2025

Real Estate Agency

Professional Services
Belgium Belgium
A complaint was filed because the agency kept publishing property listings, including precise address information and cadastral references, even after the property was sold.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP UC Assessments Trust Hub Privacy Expert
Fine / Penalty
€6,000
Keywords
Sensitive Data Mishandling Data Unlawful processing
Other Actions
The agency was ordered to delete the data and cease its processing across all platforms.
April 23, 2025

Diskrimineringsombudsmannen

Public Sector
Sweden Sweden
The company operated a form that collected sensitive personal data that had a security misconfiguration in the analytics tool which failed to mask personal data on the form’s summary page before submission, and unintentionally transferred to an external data processor.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments Data mapping Vendor
Fine / Penalty
€9,200
Keywords
Sensitive Data Data Breach Mishandling Data
Other Actions
Removed form and required the processor to delete all information.
March 28, 2025

FUNDACIÓ PRIVADA DE SERVEIS PER ALS USUARIS DEL HABITATGE SOCIAL DE CATALUNYA

Professional Services
Spain Spain
Failed to obtain the data subject’s consent or legal basis to process their personal bank account data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP UC SRR
Fine / Penalty
€2,000
Keywords
Sensitive Data Unlawful processing
April 11, 2025

NOVATES ALIMENTACIÓN MADRID, S.L.

Retail
Spain Spain
Improper handling of video surveillance data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments CMP UC SRR
Fine / Penalty
€20,000
Keywords
Sensitive Data
Other Actions
They were ordered to implement and notify the AEPD of technical and organizational security measures within one month to secure surveillance data appropriately.
April 9, 2025

Servicios de Integración de Andalucía

Telecommunications
Spain Spain
(SIA) was sanctioned for including an employee’s personal phone number in a WhatsApp group used for internal communications, without valid consent or an alternative contact method.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP UC Assessments
Fine / Penalty
€2,000
Keywords
Unlawful processing
April 22, 2025

[Name Not Public]

Advertising
Belgium Belgium
Non-compliance with several general data processing principles.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP UC SRR Assessments Privacy Expert Trust Hub
Fine / Penalty
€20,000
Keywords
Mishandling Data Unlawful processing
Back
Next

Simplify Data Privacy Compliance

With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.