
Data Privacy Enforcement Tracker

What's new in the world of regulatory enforcement? Our Enforcement Tracker keeps you up to speed with relevant and noteworthy enforcement actions in the world of privacy. Stay informed, spot patterns early, and guide your program with confidence.
Note: While updated regularly, this is not exhaustive and is not intended as legal advice.

July 8, 2025

Selgros Cash & Carry SRL

Retail
Romania
During the DPA's investigation, it was found that, due to an error in the programming or implementation of an application, personal data belonging to several targeted individuals were revealed.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 3,000
Keywords
Data Breach
July 8, 2025

Old Lemmer Foundation

Non-Profit
Netherlands
Unlawfully live-streaming public-space video without a GDPR legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 500
Keywords
Unlawful processing
Other Actions
Halt posting live-stream of Lemmer online.
July 7, 2025

Alliance for the Union of Romanians Party (AUR)

Public Sector
Romania
A configuration mistake in the aur.mobi app accidentally exposed a wide range of users’ personal information—everything from names, contact details, IDs and addresses to demographics (like age, gender, nationality, religion), education and work history—so anyone using the app at that time could view it.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 15,000
Keywords
Data Breach Sensitive Data
Other Actions
Operator deactivated the semnezsivotez.ro and semnezsivotez.org platforms during the investigation.
July 8, 2025

General Motors

Transportation
USA
AG Hilgers filed a lawsuit against General Motors for deceptive collection and sale of Nebraskans’ driving data. It is alleged that General Motors LLC and OnStar LLC unlawfully collected, processed, and sold sensitive driving data from Nebraskans without their knowledge or consent.
Privacy Law
Nebraska Consumer Protection Act and Uniform Deceptive Trade Practices Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
TrustHub CMP UC SRR
Fine / Penalty
TBD
Keywords
Selling Data Sensitive Data Tracking Tech
July 7, 2025

Deer Oaks

Healthcare
USA
Deer Oaks exposed ePHI in two incidents: a coding error in a pilot portal made 35 patients’ data publicly accessible online, and a ransomware attack in August 2023 compromised data for 171,871 individuals. OCR found Deer Oaks failed to conduct a proper risk analysis.
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
OCR
Related Products
Assessments Vendor Data Mapping
Fine / Penalty
€ 225,000
Keywords
Data Breach Sensitive Data
Other Actions
Implement a corrective action plan that OCR will monitor for two years
July 3, 2025

Apoteket AB

Healthcare
Sweden
Apoteket AB improperly transferred customers’ sensitive health-related data to Meta via the Meta Pixel on their websites.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments Vendor Data Mapping
Fine / Penalty
SEK 37 million
Keywords
Data Breach Sensitive Data Tracking Tech
Other Actions
Ordered to improve their internal procedures to ensure the proper and secure processing of personal data.
July 3, 2025

Apohem AB

Healthcare
Sweden
Apohem AB improperly transferred customers’ sensitive health-related data to Meta via the Meta Pixel on their websites.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments Vendor Data Mapping
Fine / Penalty
SEK 8 million
Keywords
Data Breach Sensitive Data Tracking Tech
Other Actions
Ordered to improve their internal procedures to ensure the proper and secure processing of personal data.
July 8, 2025

TicketNetwork

Technology
USA
TicketNetwork's privacy notice was found to be unreadable, missing essential data rights, and containing malfunctioning rights mechanisms.
Privacy Law
Connecticut Data Privacy Act
Level of Government
State
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
AG
Related Products
Trusthub SRR
Fine / Penalty
$85,000
Keywords
Privacy Notice
July 1, 2025

U.S. Department of Health and Human Services (HHS)

Public Sector
USA
Attorney General Dan Rayfield and several states have sued HHS for sharing private Medicaid health records with DHS (including ICE).
Privacy Law
Medicaid Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
Assessments
Fine / Penalty
TBD
Keywords
Sensitive Data Sharing Data
July 1, 2025

Healthline

Healthcare
USA
Healthline failed to allow consumers to opt out of targeted advertising and shared data with third parties without CCPA-mandated privacy protections.
Privacy Law
CCPA
Level of Government
State
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
AG
Related Products
UC CMP Vendor Assessments Trust Hub
Fine / Penalty
$1,550,000.00
Keywords
Sensitive Data Tracking Tech Dark Patterns
Other Actions
Healthline must ensure opt-out tools are functional, stop sharing sensitive data, audit privacy terms in contracts, and keep its privacy disclosures accurate.
June 23, 2025

Vodafone Romania S.A.

Telecommunications
Romania
The controller did not implement adequate technical and organisational measures.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 4,000.00
Keywords
Data Breach
Other Actions
Ordered to take the corrective measure of technical and procedural implementation of a mechanism applied at regular intervals, regarding the testing, evaluation and periodic assessment of the effectiveness of the measures adopted.
June 23, 2025

Dublin Education and Training Board (CDETB)

Public Sector
Ireland
13,000 data subjects had their data compromised in a security breach in November 2018. This included special categories of PII.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€125,00
Keywords
Data Breach
Other Actions
Implement adequate security.
June 20, 2025

Walmart

Retail
USA
Walmart (including in its capacity as an agent of MoneyGram, Western Union, and Ria) allowed its money transfer services to be used by scammers who defrauded consumers out of hundreds of millions of dollars. 
Privacy Law
FTC Act
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
Vendor Assessments
Fine / Penalty
$10,000,000.00
Keywords
Data Breach
June 19, 2025

SC Diamir SRL

Retail
Romania
The investigation was started following a complaint that the operator displayed a person's identity card at the workplace, thus revealing the name, surname, address, series and number of the identity document and the photo of the person.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
SRR Assessments
Fine / Penalty
€ 1,000.00
Keywords
Data Breach Sensitive Data
June 18, 2025

Dincă Viorel George

Transportation
Romania
The investigation was started following a notification that a natural person had a video surveillance system inadequately mounted on a building. The controller then did not respond to the DPA investigation.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Regulatory Guidance Privacy Expert
Fine / Penalty
€ 200.00
Keywords
N/A
Other Actions
Required to send a complete response to the National Supervisory Authority.
June 18, 2025

AB Storstockholms Lokaltrafik

Transportation
Sweden
Following a complaint from a consumer related to daily sobriety tests, the investigation found that the company processed PII and Sensitive PII without proper legal basis. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR Assessments
Fine / Penalty
€ 6,800.00
Keywords
Unlawful processing Sensitive Data
June 18, 2025

Waxholms Ångfartygs AB

Logistics
Sweden
Following a complaint from a consumer related to daily sobriety tests, the investigation found that the company processed PII and Sensitive PII without proper legal basis. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR Assessments
Fine / Penalty
€ 6,800.00
Keywords
Unlawful processing Sensitive Data
June 17, 2025

23andMe

Healthcare
United Kingdom
Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches. This resulted in the unauthorized access to personal information belonging to 155,592 UK residents.
Privacy Law
UK GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
£2,310,000.00
Keywords
Sensitive Data Data Breach
June 16, 2025

Paddle.com Market Limited

Technology
USA
Paddle provided foreign-based tech-support schemes with access to the U.S. payment system, allowing these companies to harm consumers.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
Assessments Trust Hub Vendor
Fine / Penalty
$5,000,000.00
Keywords
Data Breach
Other Actions
Permanently banned from processing payments for tech-support telemarketers.
June 16, 2025

SC Kashto Concept

Retail
Romania
An investigation launched following a notification from a data subject found that the website owned by the operator stored cookies that were not technically necessary for the operation of the website.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP SRR
Fine / Penalty
€ 990.00
Keywords
Tracking Tech
June 12, 2025

Department of Social Protection (DSP)

Public Sector
Ireland
DSP failed to identify a valid lawful basis for the collection of biometric data, improperly retained this information, improperly completed a DPIA, and failed to provide information to data subjects.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR Assessments Trust Hub
Fine / Penalty
€ 550,000.00
Keywords
Unlawful processing Mishandling Data Sensitive Data
Other Actions
DPA issued an order to the DSP requiring it to cease processing of biometric data in connection with SAFE 2 registration within 9 months of this decision if the DSP cannot identify a valid lawful basis.
June 12, 2025

Temu

Retail
USA
AG Hilgers, Nebraska, alleges Temu unlawfully harvests data, including from kids, utilizes multiple deceptive practices to encourage purchases, allows infringement and counterfeits to thrive, and engages in deceptive marketing to greenwash its image.
Privacy Law
Nebraska Consumer Protection Laws
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
CMP UC SRR Trust Hub
Fine / Penalty
TBD
Keywords
Unlawful processing Dark Patterns
June 12, 2025

23andMe

Healthcare
USA
AG Jason Miyares, Virginia, has filed a lawsuit and separate objection to 23andMe’s plan to sell the personal genetic data of roughly 15 million consumers without their knowledge or consent in violation of Virginia law and the company’s own privacy commitments to consumers.
Privacy Law
VCDPA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
AG
Related Products
UC CMP SRR Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data Selling Data
June 12, 2025

Six Norwegian websites

All
Norway
The Norwegian DPA investigated six websites, and found that all of them shared visitors' personal data with third parties illegally, and in several of the cases they shared sensitive data. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
UC CMP Vendor Data mapping Assessments
Fine / Penalty
NOK 250,000.00
Keywords
Sensitive Data Mishandling Data Tracking Tech Unlawful processing
June 10, 2025

Accounting Audit SRL

Professional Services
Romania
Accounting Audit SRL, as a processor, has not implemented adequate technical and organizational measures in order to ensure a level of security appropriate to the risk of processing, including the ability to ensure the confidentiality and integrity of the processing systems and services.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 10,000.00
Keywords
Data Breach
June 3, 2025

Vodafone

Telecommunications
Germany
Vodafone GmbH had not adequately reviewed and monitored partner agencies working on its behalf. Further, the BfDI found security deficiencies in the authentication process for the combined use of the online portal 'MeinVodafone'.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Vendor Assessments
Fine / Penalty
€ 45,000,000.00
Keywords
Data Breach
May 30, 2025

AG-BROKER ASIGURARE S.R.L.

Professional Services
Romania
The controller did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by the processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000.00
Keywords
Data Breach
May 27, 2025

Yliopiston Apteekin

Healthcare
Finland
Deficiencies in its cookie practices and the use of other tracking technologies on its online pharmacy website.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP UC
Fine / Penalty
€ 1,100,000.00
Keywords
Mishandling Data Unlawful processing Tracking Tech
May 22, 2025

A.A.A

Professional Services
Spain
Insufficient legal basis for data processing. A legal representative processed a client’s sensitive information without consent. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP UC Trust Hub
Fine / Penalty
€ 2,000.00
Keywords
Unlawful processing
May 22, 2025

Dumitru Viorel Focșa

Public Sector
Romania
It was found that the operator processed on its Facebook page (Meta), by disclosing in a public post, the personal data (name, surname, phone number) of the Authority's petitioner, without his consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Regulatory Guidance Assessments
Fine / Penalty
€ 1,000.00
Keywords
Data Breach Mishandling Data Unlawful processing
May 21, 2025

Data Diggers Market Research SRL

Professional Services
Romania
It was found that the controller did not provide the complainants with complete information as a result of exercising the right of access to personal data. It also did not communicate with the petitioners and did not prove a legal basis for processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
SRR Assessments
Fine / Penalty
€ 12,000.00
Keywords
Mishandling Data Unlawful processing
May 19, 2025

Replika

Technology
Italy
Lack of Legal Basis, Inadequate Privacy Policy, No Effective Age Verification, and Transparency and Accountability Failures.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Trust Hub Assessments
Fine / Penalty
€ 5,000,000.00
Keywords
Unlawful processing
Other Actions
The Italian authority also ordered Luka Inc. to bring its data processing practices into compliance with GDPR.
May 16, 2025

ACCOUNTING & AUDIT CONSULTING SRL

Financial Services
Romania
It was found that unauthorized persons illegally accessed the personal data of the operator's customers' employees, namely: name, surname, personal identification number, domicile, position, salary, bonuses and other salary rights.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000.00
Keywords
Data Breach
May 15, 2025

CALOGA

Advertising
France
Commercial prospecting without prospects’ consent and transferring their data to partners without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP UC Vendor
Fine / Penalty
€ 80,000.00
Keywords
Unlawful Marketing Unlawful processing
May 15, 2025

SOLOCAL MARKETING SERVICES

Advertising
France
Insufficient legal basis for data processing. Failed to obtain proper consent from individuals before using their data for marketing purposes and shared the data with third parties without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP UC Vendor
Fine / Penalty
€ 900,000.00
Keywords
Unlawful processing Unlawful Marketing
May 14, 2025

CVA TAX & FINANCE S.R.L.

Financial Services
Romania
A data breach led to the unauthorized disclosure and access to the personal data of a significant number of employees of the customers in the operator's portfolio, namely: name, surname, personal identification number, address, position, salary, bonuses and other salary r
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 2,000.00
Keywords
Data Breach
May 13, 2025

Romoffice Construct Holding Ag SRL

Logistics
Romania
The investigation was started following a complaint from a natural person, who complained that the operator Romoffice Construct Holding Ag SRL processed his personal data without his consent. It was found that the operator Romoffice Construct Holding Ag SRL processed without legal basis personal data belonging to the petitioner.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
CMP UC SRR Assessments
Fine / Penalty
€ 2,000.00
Keywords
Unlawful processing
May 12, 2025

CV PRO CONSULT S.R.L.

Financial Services
Romania
It was found that, following a cyber attack, the operator's IT infrastructure was accessed and the operator's own access to it was restricted. This situation led to the unauthorized disclosure and access to the personal data of a significant number of employees of the customers in the operator's portfolio, namely: name, surname, personal identification number, address, position, salary, bonuses and other salary rights.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€ 2,000.00
Keywords
Data Breach
May 9, 2025

ROUMASPORT SR

Retail
Romania
The investigation found that the operator unlawfully accessed the video surveillance system at a workplace, processing employees' images—including for disciplinary purposes—violating processing principles and legal conditions.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000.00
Keywords
Sensitive Data
Other Actions
Improve cybersecurity operations. 
May 8, 2025

Jerico Pictures, Inc., d/b/a National Public Data

Technology
USA
Failed to register and pay an annual fee as required by the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
CPPA
Related Products
Privacy Expert Regulatory Guidance
Fine / Penalty
$46,000.00
Keywords
N/A
May 7, 2025

Acea Energia

Advertising
Italy
They engaged in aggressive telemarketing, using detailed personal data lists acquired without specific consent and misleading consumers with false technical-issue warnings to pressure them into switching energy suppliers.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP UC SRR
Fine / Penalty
€ 850,000.00
Keywords
Mishandling Data Unlawful processing Unlawful Marketing
Other Actions
Stringent corrective measures.
May 2, 2025

TikTok

Technology
Ireland
TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP UC SRR Trust Hub
Fine / Penalty
€ 530,000,000.00
Keywords
Cross-Border Transfer Unlawful processing
Other Actions
Required TikTok to improve its EEA Privacy Policy. Also, TikTok must put an end to the transfers to China.
April 23, 2025

Real Estate Agency

Professional Services
Belgium
A complaint was filed because the agency kept publishing property listings, including precise address information and cadastral references, even after the property was sold.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP UC Assessments Trust Hub Privacy Expert
Fine / Penalty
€ 6,000.00
Keywords
Sensitive Data Mishandling Data Unlawful processing
Other Actions
The agency was ordered to delete the data and cease its processing across all platforms.
April 23, 2025

Diskrimineringsombudsmannen

Public Sector
Sweden
The company operated a form that collected sensitive personal data. A security misconfiguration in the analytics tool failed to mask personal data on the form’s summary page before submission, and the data was unintentionally transferred to an external data processor.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments Data mapping Vendor
Fine / Penalty
€ 9,200.00
Keywords
Sensitive Data Data Breach Mishandling Data
Other Actions
Removed form and required the processor to delete all information. 
April 22, 2025

[Name Not Public]

Advertising
Belgium
Non-compliance with several general data processing principles.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP UC SRR Assessments Privacy Expert Trust Hub
Fine / Penalty
€ 20,000.00
Keywords
Mishandling Data Unlawful processing
April 18, 2025

Court Overrules FCC’s Fine Against AT&T

Telecommunications
USA
In a decision that could have broader implications for the legality of regulatory agencies levying fines through administrative proceedings, the 5th U.S. Circuit Court of Appeals has overturned a $57 million fine imposed by the Federal Communications Commission against AT&T for violating the privacy of its customers’ location data.
Privacy Law
Communications Act of 1934
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
CMP UC SRR Assessments Data mapping
Fine / Penalty
$57,000,000.00
Keywords
Fine Overturned
April 14, 2025

DPP Law Ltd.

Professional Services
United Kingdom
DPP failed to adopt the principle of least privilege and failed to regularly audit administrative accounts on its network.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
£70,300.00
Keywords
Data Breach
April 11, 2025

Lusha

Advertising
Italy
The investigation follows complaints from individuals who received unsolicited calls, suggesting that their data may have been sourced from Lusha’s platform without proper consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP UC Trust Hub
Fine / Penalty
TBD
Keywords
Unlawful Marketing
April 11, 2025

NOVATES ALIMENTACIÓN MADRID, S.L.

Retail
Spain
Improper handling of video surveillance data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments CMP UC SRR
Fine / Penalty
€ 20,000.00
Keywords
Sensitive Data
Other Actions
They were ordered to implement and notify the AEPD of technical and organizational security measures within one month to secure surveillance data appropriately.
April 10, 2025

Marina Salud

Healthcare
Spain
The Processor appointed sub-processors without authorisation from the controller.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Vendor
Fine / Penalty
€ 500,000.00
Keywords
Unlawful processing
April 9, 2025

Servicios de Integración de Andalucía

Telecommunications
Spain
Servicios de Integración de Andalucía (SIA) was sanctioned for including an employee’s personal phone number in a WhatsApp group used for internal communications, without valid consent or an alternative contact method.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP UC Assessments
Fine / Penalty
€ 2,000.00
Keywords
Unlawful processing
April 3, 2025

Poczta Polska

Logistics
Poland
The postal service provider was fined for unlawfully sharing personal data (including PESEL numbers, names, addresses, and travel details) of all registered Polish adults during the 2020 election preparations.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Vendor Assessments Data mapping
Fine / Penalty
€ 6,479,424.00
Keywords
Mishandling Data
April 3, 2025

Caixabank

Financial Services
Spain
A complaint from a customer who discovered that a co-owner could access not only their joint account but also a third account due to a system error in "CaixaBankNow."
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€ 3,500,000.00
Keywords
Sensitive Data Data Breach Mishandling Data
April 3, 2025

Liga Nacional de Fútbol Profesional

Entertainment
Spain
They were conducting biometric checks in stadiums without prior data protection impact assessments.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 1,000,000.00
Keywords
Sensitive Data Notice
April 3, 2025

Ibermutua Mutua Colaboradora Con La Seguridad Social Nº 274

Healthcare
Spain
Software error that led to the accidental disclosure of personal data to third parties.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€ 600,000.00
Keywords
Sensitive Data Data Breach Mishandling Data
April 3, 2025

[Name Not Public]

Telecommunications
Germany
They delayed responses to information requests.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 120,000.00
Keywords
Mishandling Data
March 28, 2025

FUNDACIÓ PRIVADA DE SERVEIS PER ALS USUARIS DEL HABITATGE SOCIAL DE CATALUNYA

Professional Services
Spain
Failed to obtain the data subject’s consent or legal basis to process their personal bank account data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP UC SRR
Fine / Penalty
€ 2,000.00
Keywords
Sensitive Data Unlawful processing
March 21, 2025

Amazon

Technology
Luxembourg
Amazon’s €746M GDPR fine upheld. The fine was for inadequate transparency and consent management.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Luxembourg Court
Related Products
CMP UC SRR Trust Hub
Fine / Penalty
€ 756,000,000.00
Keywords
Mishandling Data
March 13, 2025

Investigative Sweep on Location Data Industry 

Technology
USA
The agency is sending letters to advertising networks, mobile app providers and data brokers that appear to be violating the CCPA.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
AG
Related Products
Data mapping Assessments Regulatory Guidance Privacy Expert Vendor SRR UC CMP
Fine / Penalty
N/A
Keywords
Unlawful processing Data Minimization Mishandling Data Sensitive Data
March 12, 2025

Honda

Transportation
USA
Honda required more information than needed to process opt-out and data limitation requests. 
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
CPPA
Related Products
SRR UC
Fine / Penalty
$632,500.00
Keywords
Data Minimization
March 12, 2025

Saturn Technologies

Technology
USA
They didn’t verify users’ school email addresses and age to ensure they were high school students, and didn't inform users that they would copy and use their “contact books”.
Privacy Law
New York Law
Level of Government
State
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
AG
Related Products
Data mapping Trust Hub Assessments Privacy Expert
Fine / Penalty
$650,000.00
Keywords
Mishandling Data Data Minimization Unlawful processing
March 6, 2025

Publicaciones y Ediciones Baraca 208, S.L.

Retail
Spain
Unlawfully publishing personal data, including health information, without a legal basis. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Trust Hub Privacy Expert Assessments
Fine / Penalty
€ 6,000.00
Keywords
Data Breach Unlawful processing
March 6, 2025

Breogan Autolux, S.L.

Retail
Spain
Sending SMS advertisements without consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP UC
Fine / Penalty
€ 6,000.00
Keywords
Unlawful Marketing
March 6, 2025

Polskie Radio Szczecin (Polish Radio Szczecin)

Logistics
Poland
The radio station released a press article in which a conviction for sexual harassment was described. The journalist revealed that a parliament member’s son was the victim and did it in such a way that the child could be identified. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 13,500.00
Keywords
Mishandling Data Data Breach
March 5, 2025

EDPB enforcement sweep on SRRs

All
Europe
EDPB has launched its 2025 enforcement sweep targeting organizations’ compliance with data subjects’ right of erasure (right to delete or be forgotten), focusing particularly on how exceptions are applied. Thirty-two EU member state data protection authorities (DPAs) will participate in this year-long sweep that began March 5, 2025.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
EDPB
Related Products
SRR
Fine / Penalty
TBD
Keywords
N/A
February 26, 2025

Cookie-Banner Class Actions (U.S.)

All
USA
Since the beginning of 2025, several (at least three) class actions have been filed arising out of allegedly malfunctioning cookie banners. The plaintiffs claim to have opted out of non-essential cookies, but their opt-out was not effective.
Privacy Law
N/A
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
State Courts
Related Products
CMP UC
Fine / Penalty
N/A
Keywords
N/A
February 20, 2025

Medstar S.R.L.

Healthcare
Romania
The investigation was started following a complaint from a data subject, who claimed that the operator where he performed his medical tests, the Medstar clinic, disclosed his personal data and that of another data subject.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 2,000.00
Keywords
Data Breach Mishandling Data
February 11, 2025

Amazon

Technology
USA
Maxwell v. Amazon: The plaintiffs claim that Amazon collected health data from consumers through its SDK without giving the required notice or getting consent. The complaint doesn't discuss whether this data collection could be considered necessary under MHMDA's rules. However, it suggests that since the services consumers used were provided by apps using the SDK (and not directly by Amazon), this exception doesn't apply.
Privacy Law
MHMDA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
State Courts
Related Products
CMP UC Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data Unlawful processing
February 5, 2025

ORANGE ESPAGNE, S.A.U.

Telecommunications
Spain
Unauthorized duplication of the complainant's SIM card, leading to financial losses.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 1,200,000.00
Keywords
Data Breach
Other Actions
ORANGE was ordered to implement measures to ensure that SIM card duplications are only carried out with proper verification of the requester's identity.
February 4, 2025

[Name Not Public]

Retail
France
Disproportionate surveillance of its employees' activity, through software.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Privacy Expert Assessments
Fine / Penalty
€ 40,000.00
Keywords
Data Minimization Tracking Tech Unlawful processing
January 23, 2025

Softehnica S.R.L.

Logistics
Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€ 2,000.00
Keywords
Mishandling Data
January 20, 2025

Vodafone Romania S.A.

Telecommunications
Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€ 15,000.00
Keywords
Data Breach
January 17, 2025

DELIVERY SOLUTIONS S.A.

Logistics
Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
€ 2,000.00
Keywords
Data Breach
Other Actions
Corrective measures were ordered
January 9, 2025

Court Administration Office 

Public Sector
South Korea
Data breach involving litigation-related documents containing the personal data of 17,998 individuals. The PIPC claims the breach occurred as a result of the CAO’s unencrypted storage systems and weak data security protocols. The CAO also delayed reporting the breach, according to the PIPC.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
Unknown
Who Enforced
PIPC
Related Products
Assessments Data mapping
Fine / Penalty
$183,982.00
Keywords
Data Breach Mishandling Data
January 8, 2025

Bindl v EU commission

Public Sector
EU-wide
European General Court Decision: The court ordered the European Commission to pay damages (400 EUR) for unlawfully transferring data to the U.S. without adequate protections. This transfer to the US occurred when data was shared with Meta via a "Sign in with Facebook" button on an official EU website.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
Unknown
Who Enforced
European General Court
Related Products
Assessments Data mapping Trust Hub
Fine / Penalty
400 EUR
Keywords
Cross-Border Transfer
January 8, 2025

Allstate + Arity (Allstate's tech subsidiary)

Transportation
USA
Arity (Allstate's tech subsidiary) allegedly slipped its SDK into third-party apps to collect “trillions of miles” of driving behavior from mobile devices, other in-car devices, and vehicles themselves.
Privacy Law
Texas Data Privacy and Security Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
Trust Hub UC
Fine / Penalty
TBD
Keywords
Selling Data Mishandling Data Tracking Tech Unlawful processing
January 8, 2025

Bayview Asset Management (Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings)

Financial Services
USA
Failing to maintain sufficient cybersecurity practices and not fully cooperating with state regulators following a data breach that impacted 5.8 million customers.
Privacy Law
State Agency Rules
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
52 state financial regulatory agencies
Related Products
Assessments Data mapping
Fine / Penalty
$20,000,000.00
Keywords
Data Breach Mishandling Data
Other Actions
Corrective actions, improve cybersecurity programs, undergo independent assessments, and provide three years of additional reporting to the states.
January 8, 2025

ECJ v Austria

All
Austria
The ECJ ruled that data subject complaints cannot be deemed excessive solely based on their frequency. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
ECJ
Related Products
SRR
Fine / Penalty
None
Keywords
N/A
Other Actions
None
January 7, 2025

Elgon Information Systems 

Healthcare
USA
A ransomware attack prompted an HHS finding that the company had failed to conduct a thorough risk analysis to address vulnerabilities in its systems, exposing 31,248 individuals’ ePHI.
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
HHS
Related Products
Assessments Data mapping
Fine / Penalty
$80,000.00
Keywords
Sensitive Data Data Breach Mishandling Data
December 20, 2024

OpenAI

Technology
Italy
OpenAI had wrongly relied on legitimate interest as a legal basis for processing personal data, processed inaccurate personal data, and had no age verification measures in place.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
UC Privacy Expert Assessments
Fine / Penalty
15,000,000
Keywords
Unlawful processing
Other Actions
OpenAI must carry out a six-month campaign informing Italians of how it uses their personal data for its services.
December 20, 2024

Grubhub

Logistics
USA
Grubhub engaged in deceptive practices, such as misleading diners about delivery fees, blocking access to gift card funds, and falsely advertising driver earnings.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
Trust Hub Privacy Expert Regulatory Guidance
Fine / Penalty
$25,000,000.00
Keywords
Notice
Other Actions
Grubhub must make changes to its business practices, including not adding surprise fees to delivery totals, providing a simple way to cancel Grubhub+ subscriptions, no longer listing unaffiliated restaurants, and not making misleading driver-earning claims. The Illinois Attorney General aided in the case.
December 18, 2024

Netflix

Entertainment
Netherlands
Netflix did not give customers sufficient information about what the company does with their personal data between 2018 and 2020.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP Templates Trust Hub
Fine / Penalty
4.75M euro
Keywords
Notice
December 18, 2024

Toyota Bank Polska S.A.

Financial Services
Poland
The Data Protection Officer (DPO) was not fully independent in his work. Furthermore, Toyota Bank Polska S.A. failed to include profiling in the record of processing activities and data protection impact assessment.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Assessments Trust Hub Privacy Expert Regulatory Guidance
Fine / Penalty
€ 132,000.00
Keywords
Unlawful processing
December 17, 2024

Meta Platforms Ireland Limited

Technology
Ireland
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
251,000,000
Keywords
Mishandling Data Data Breach
December 12, 2024

Various Organizations

All
France
The French Data Protection Authority (CNIL) issued notices to several organizations regarding non-compliant cookie banners. The notices were a result of complaints about dark patterns that encouraged users to accept non-essential cookies. The CNIL found that the methods for rejecting cookies were not as easy to use as those for accepting them, and that the designs were misleading. https://www.huntonak.com/privacy-and-information-security-law/cnil-issues-notices-regarding-non-compliant-cookie-banners
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
N/A
Keywords
Dark Patterns
December 3, 2024

Gravy Analytics (and subsidiary Venntel)

Technology
USA
Unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP UC SRR Assessments Data mapping Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data Selling Data Unlawful processing
Other Actions
Prohibited from selling, disclosing, or using sensitive location data in any product or service, and must establish a sensitive data location program.
November 28, 2024

Freedelity

Technology
Belgium
The DPA found issues with Freedelity’s:
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP UC Assessments Data mapping
Fine / Penalty
TBD
Keywords
Tracking Tech Unlawful processing
Other Actions
The company has a period of 4 months to comply with these injunctions, and will have to pay penalties of up to 5,000 euros per day of delay in the event of non-compliance or partial compliance.
November 27, 2024

Coupang

Retail
South Korea
The fine was in relation to two data breaches: the first was caused by the mishandling of data transmitted, and the second by an authentication issue.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
PIPC
Related Products
Assessments Data mapping
Fine / Penalty
$1,100,000.00
Keywords
Data Breach
November 27, 2024

Mediahuis

Entertainment 
Belgium
Mediahuis had fully complied with the DPA’s order regarding illegal cookie banners, thereby avoiding a €25,000 (US$26,402) daily penalty.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Market Court 
Related Products
CMP
Fine / Penalty
Avoided $26,402 daily penalty
Keywords
Unlawful processing Tracking Tech
November 21, 2024

Eken

Technology
Hong Kong
Apparent violations of FCC rules that require the company to designate an agent located in the United States.
Privacy Law
FCC Rules
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
FCC
Related Products
Privacy Expert Regulatory Guidance
Fine / Penalty
TBD
Keywords
Unlawful processing
November 19, 2024

Facebook

Technology
Germany
The German Federal Court of Justice made a judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR from a 2021 data breach of Facebook. This judgment is important insofar as the BGH has taken a position on a legal issue – non-material damages for loss of control over personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
German Federal Court of Justice
Related Products
Data mapping
Fine / Penalty
€ 250.00
Keywords
Data Breach
November 19, 2024

Bunnings

Retail
Australia
Individuals’ facial images were compared against those of individuals Bunnings had enrolled in a database who had been identified as posing a risk, for example, due to past crime or violent behavior, according to the OAIC.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
UC Assessments Data mapping
Fine / Penalty
TBD
Keywords
Unlawful processing Tracking Tech Sensitive Data
November 15, 2024

Posti

Logistics
Finland
Posti had automatically created an electronic OmaPosti mailbox for customers without a separate request. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
UC CMP SRR
Fine / Penalty
€ 2,400,000.00
Keywords
Mishandling Data
November 14, 2024

Growbots

Technology
USA
The company failed to register between February 1 and July 26, 2024, per the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
CPPA
Related Products
Regulatory Guidance
Fine / Penalty
$35,000.00
Keywords
N/A
November 14, 2024

UpLead

Technology
USA
The company failed to register between February 1 and July 21, 2024, per the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
CPPA
Related Products
Regulatory Guidance
Fine / Penalty
$34,400.00
Keywords
N/A
November 7, 2024

T-Mobile 

Telecommunications
USA
The telecom company promised to address “foundational security flaws,” work to improve “cyber hygiene,” and adopt “robust modern architectures,” such as zero trust and multi-factor authentication that is resistant to phishing. 
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
Assessments Data mapping
Fine / Penalty
$31,500,000.00
Keywords
Data Breach
November 5, 2024

Meta

Technology
South Korea
From July 2018 to March 2022, the company gathered data from nearly 980,000 users without asking for their explicit permission. This information included highly personal details such as users’ political beliefs, religious preferences, and whether they were in same-sex relationships. Once the company collected this sensitive data, it shared it with around 4,000 advertisers.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
PIPC
Related Products
CMP UC Assessments
Fine / Penalty
?15,000,000
Keywords
Tracking Tech Unlawful processing Sensitive Data
November 3, 2024

Blackcab Systems SRL

Professional Services
Romania
DSAR not fulfilled, and during the investigation, it was found that the operator Blackcab Systems SRL did not prove that it responded to the petitioner's request. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 1,000.00
Keywords
Mishandling Data
Other Actions
Corrective measures were ordered against the operator:
November 1, 2024

Master Wealth Control and Property Lovers

Financial Services
Australia
The companies failed to collect data fairly; to notify individuals whose data was collected; and 
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
OAIC
Related Products
CMP UC Assessments Data mapping Trust Hub
Fine / Penalty
n/a
Keywords
Unlawful processing Mishandling Data
Other Actions
Ordered to cease collecting personal information unfairly, destroy their leads lists within 30 days, update their privacy policies, and provide evidence of compliance.
October 31, 2024

Meta

Technology
USA
CFPB staff informed Meta on Sept. 18 that it is weighing potential legal action related to advertising for financial products on the company’s platforms, which include photo-sharing platform Instagram and messaging service WhatsApp, the company revealed in a Thursday securities filing.
Privacy Law
Dodd-Frank Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
CFPB
Related Products
UC CMP
Fine / Penalty
TBD
Keywords
Unlawful Marketing
October 29, 2024

Temu

Retail
EU-wide
The Commission has opened formal proceedings to assess whether Temu may have breached the Digital Services Act (DSA) in areas linked to the sale of illegal products, the potentially addictive design of the service, the systems used to recommend purchases to users, as well as data access for researchers.
Privacy Law
Digital Services Act (DSA)
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
EU Commission
Related Products
Assessments
Fine / Penalty
TBD
Keywords
Tracking Tech Unlawful Marketing
October 29, 2024

Untold SRL

Professional Services
Romania
The controller did not resolve the data subject's request for access to his personal data, although he had provided his e-mail address, telephone number, full name and surname, and postal address for correspondence.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 15,000.00
Keywords
Mishandling Data
Other Actions
Corrective measures were ordered against the operator.
October 27, 2024

Vodafone Romania S.A.

Telecommunications
Romania
It was found that the operator Vodafone Romania S.A. did not adopt sufficient technical and organizational measures to ensure the confidentiality of the processed personal data. No measures were taken to hide the recipients' email addresses.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000.00
Keywords
Data Breach
October 23, 2024

LinkedIn

Technology
Ireland
Ireland’s data protection watchdog has fined the professional social media site for GDPR breaches related to targeted advertising.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPC
Related Products
UC CMP Assessments
Fine / Penalty
€ 310,100,000.00
Keywords
Tracking Tech Unlawful Marketing
Other Actions
In addition, the regulator handed LinkedIn a reprimand and ordered it to bring its processing into compliance. 
October 22, 2024

NHL 

Entertainment 
USA
VPPA: Lawsuit claims that the NHL collected and shared personal viewing data with third parties, such as Facebook, without user consent. 
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Class Action Lawsuits
Related Products
CMP UC
Fine / Penalty
TBD
Keywords
VPPA Unlawful processing
October 22, 2024

MLB 

Entertainment 
USA
VPPA: MLB is facing a lawsuit for allegedly violating the Video Privacy Protection Act (VPPA) by sharing users’ personal video viewing information with Facebook without consent.  
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Class Action Lawsuits
Related Products
CMP UC
Fine / Penalty
TBD
Keywords
VPPA Unlawful processing
October 21, 2024

Unisys

Professional Services
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat. 
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments Trust Hub
Fine / Penalty
$4,000,000.00
Keywords
Data Breach
October 21, 2024

Avaya

Professional Services
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat. 
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments Trust Hub
Fine / Penalty
$1,000,000.00
Keywords
Data Breach
October 21, 2024

Check Point 

Technology
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat. 
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments Trust Hub
Fine / Penalty
$995,000.00
Keywords
Data Breach
October 21, 2024

Mimecast

Technology
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat. 
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
SEC
Related Products
Assessments Trust Hub
Fine / Penalty
$990,000.00
Keywords
Data Breach
October 21, 2024

IBERCAJA BANCO, S.A.

Financial Services
Spain
Insufficient legal basis for data processing. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 180,000.00
Keywords
Unlawful processing
October 20, 2024

Grue municipality

Public Sector
Norway
Sensitive data breach in a public postal journal. 14 individuals were affected.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
Fine / Penalty
€ 20,800.00
Keywords
Sensitive Data Data Breach
Other Actions
The municipality also initiated extensive control work and measures to prevent similar incidents in the future.
October 15, 2024

Your Consulting SRL

Professional Services
Romania
The operator did not implement adequate technical and organizational measures at the time of establishing the means of processing or at the time of the processing itself and did not carry out periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Trust Hub Assessments
Fine / Penalty
€ 3,000.00
Keywords
Data Breach
Other Actions
Must implement robust security program starting with assessments
October 14, 2024

Quick Tax Claims 

Professional Services
UK
Quick Tax Claims Limited had sent 7,863,547 unlawful text messages over the course of a month, resulting in 66,793 complaints – 93% of these stating there was no ‘opt out’ option.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
CMP UC SRR
Fine / Penalty
£120,000.00
Keywords
Unlawful Marketing
October 14, 2024

National Basketball Association

Entertainment 
USA
Defendant allegedly disclosed the plaintiff’s video viewing information to Meta via the Facebook Pixel without consent, in violation of the VPPA.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Federal Courts
Related Products
CMP UC
Fine / Penalty
TBD
Keywords
VPPA Unlawful processing
October 10, 2024

WerepairUK Ltd

Professional Services
UK
WerepairUK Ltd, based in Tonbridge, has been fined for making 42,688 unsolicited calls. It has appealed the decision. These calls were made to people who had explicitly opted out of receiving marketing communications, violating their privacy and causing some distress.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
SRR UC
Fine / Penalty
£80,000.00
Keywords
Unlawful Marketing
October 10, 2024

Service Box Group Limited

Professional Services
UK
Service Box Group Limited, based in Hove, East Sussex, has been fined for 5,361 calls.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC SRR
Fine / Penalty
£40,000.00
Keywords
Unlawful Marketing
October 10, 2024

RTL Belgium

Telecommunications
Belgium
Failed to display both an 'accept all' and a 'reject all' button on the first layer of its cookie banner. 
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP UC
Fine / Penalty
€ 40,000 per day
Keywords
Dark Patterns
Other Actions
See H171
October 8, 2024

Marriott International, Inc. (subsidiary Starwood Hotels & Resorts Worldwide LLC)

Transportation
USA
Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. 
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
SRR Data mapping
Fine / Penalty
TBD
Keywords
Data Deletion Data Breach Mishandling Data Data Minimization
Other Actions
Must implement a robust security program and fulfil all deletion SRRs.
October 8, 2024

Marriott International, Inc. (subsidiary Starwood Hotels & Resorts Worldwide LLC)

Transportation
USA
Attorney General Tong announced today that a coalition of 50 attorneys general, co-led by Connecticut, has reached a settlement with Marriott International, Inc. as the result of an investigation into a large multi-year data breach of one of its guest reservation databases.
Privacy Law
State consumer protection laws
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
50 US State AGs
Related Products
Data mapping SRR
Fine / Penalty
$52,000,000.00
Keywords
Data Breach Data Deletion Mishandling Data Data Minimization
October 2, 2024

TikTok

Technology
USA
The complaint alleges that TikTok did not provide verified parents with the ability to control or limit the privacy and account settings on a minor’s account, such as tools to limit TikTok’s sharing, disclosure and sale of a minor’s personal identifying information and control TikTok’s ability to display targeted advertising to a minor. 
Privacy Law
Securing Children Online Through Parental Empowerment (“SCOPE”) Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP UC
Fine / Penalty
10,000 per violation
Keywords
Unlawful processing
October 1, 2024

California Privacy Protection Agency Announces Investigative Sweep of Data Brokers

Technology
USA
The California Privacy Protection Agency (“CPPA”) announced that it is conducting an investigative sweep focused on enforcing requirements for data brokers to register with the CPPA by January 31, 2024, under California’s Delete Act (the “Act”). Under the Act, the CPPA has the authority to impose an administrative fine of $200 per day for each day the data broker failed to register.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
CPPA
Related Products
UC SRR
Fine / Penalty
$200 per day
Keywords
N/A
September 26, 2024

Meta

Technology
Ireland
Meta informed the commission in 2019 that it had inadvertently stored certain passwords of its platforms’ users in “plaintext,” or without protection or encryption.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments Data mapping
Fine / Penalty
$100,000,000.00
Keywords
Data Breach
September 24, 2024

Mozilla

Technology
EU-wide
Mozilla, the nonprofit that develops the Firefox web browser, has been hit with a complaint by European Union privacy rights group noyb, which accuses it of violating the bloc's General Data Protection Regulation (GDPR) by tracking Firefox users by default without their permission.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Noyb
Related Products
CMP UC
Fine / Penalty
TBD
Keywords
Tracking Tech
September 16, 2024

AT&T

Telecommunications
USA
AT&T had a data breach of a cloud vendor in January 2023 that impacted 8.9 million customers.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
Vendor Data mapping
Fine / Penalty
$13,000,000.00
Keywords
Data Breach
Other Actions
AT&T has also agreed to boost its data governance practices to increase supply chain integrity in the handling of sensitive data to protect consumers from similar vendor data breaches in the future.
September 1, 2024

Verkada

Technology
USA
FTC: Did not apply appropriate controls to sensitive data.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
UC Assessments Data mapping
Fine / Penalty
$2,950,000.00
Keywords
Sensitive Data Data Breach
Other Actions
FTC is requiring Verkada to create a comprehensive information security program 
August 28, 2024

Apohem AB

Retail
Sweden
Apohem AB had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP Assessments Data mapping
Fine / Penalty
$730,000.00
Keywords
Tracking Tech Unlawful processing Unlawful Marketing Sensitive Data
August 28, 2024

Apoteket AB

Retail
Sweden
Apoteket AB had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP Assessments Data mapping
Fine / Penalty
$3,400,000.00
Keywords
Unlawful Marketing Unlawful processing Tracking Tech Sensitive Data
August 26, 2024

Uber Technologies, Inc.

Transportation
Netherlands
Violated the European Union’s data protection laws by transferring sensitive personal data of its drivers to the U.S. without adequate safeguards.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
$310,000,000.00
Keywords
Cross-Border Transfer
August 22, 2024

Lawline

Technology
USA
VPPA: claims that the platform unlawfully disclosed its users' video viewing habits to third parties, specifically analytics and marketing companies, without obtaining proper consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
Federal Courts
Related Products
CMP UC Trust Hub Data mapping Assessments
Fine / Penalty
TBD
Keywords
VPPA Tracking Tech
August 20, 2024

[Name Not Public]

Telecommunications
Thailand
Failure to Appoint a Data Protection Officer (DPO).
Privacy Law
Personal Data Protection Act ("PDPA")
Level of Government
Federal
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
PDPA
Related Products
Data mapping
Fine / Penalty
?205,520
Keywords
Data Breach Mishandling Data
Other Actions
The second expert committee ordered the company to enhance its security measures to prevent future data leaks. The company must also train its staff, update security measures to keep pace with technological changes, and report these improvements to the PDPC within 7 days of receiving the order.
August 19, 2024

Equiniti Trust

Financial Services
USA
SEC rules: multiple issues regarding the handling of client assets, covering a breach, data governance and poor retention.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Data mapping Assessments
Fine / Penalty
$850,000.00
Keywords
Data Breach
August 6, 2024

Advanced Computer Software Group

Technology
UK
UK GDPR: failed to implement sufficient security measures to protect personal information.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
ICO
Related Products
Data mapping Assessments
Fine / Penalty
£6,000,000.00
Keywords
Data Breach
August 5, 2024

UNIQLO EUROPE, LTD

Retail
Spain
The complainant in the case, whose employment contract had been terminated, requested access to their payroll information for July 2022. In responding to the request, the controller sent an e-mail to the complainant that contained an attached PDF document that included his payroll and that of 446 other workers on the staff.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 270,00
Keywords
Data Breach Mishandling Data
July 29, 2024

Meta

Technology
USA
Meta knowingly violated the state’s Capture or Use of Biometric Identifier Act and Deceptive Trade Practices and Consumer Protection Act by implementing a now-defunct facial-recognition-based photo and video tagging feature. 
Privacy Law
Capture or Use of Biometric Identifier Act 
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
CMP UC
Fine / Penalty
$1,400,000,000.00
Keywords
Sensitive Data Tracking Tech Selling Data
July 23, 2024

TikTok

Technology
UK
Failing to comply with a request for information and not cooperating with Ofcom’s investigation into the effectiveness of its child protection measures. 
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ICO
Related Products
Data mapping
Fine / Penalty
£1,875,000.00
Keywords
Sensitive Data Mishandling Data
July 17, 2024

Oracle 

Technology
USA
The proposed settlement was announced on 18 July in San Francisco federal court. In August 2022, plaintiffs had filed a lawsuit that alleged Oracle’s advertising tracking tools accessed, collected, stored, disclosed, sold and used internet users’ personal data without consent.
Privacy Law
US Civil Law
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Federal Courts 
Related Products
CMP UC
Fine / Penalty
$150,000,000.00
Keywords
Tracking Tech Unlawful processing
July 17, 2024

WhatsApp (Meta)

Technology
Nigeria
Meta was ordered to “immediately reinstate the rights of Nigerian users to self-determine and control” data sharing, and stop sharing WhatsApp users’ information “with other Facebook companies and third parties” without users’ active consent.
Privacy Law
Nigeria Data Protection Act 2023
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Federal Competition and Protection Commission
Related Products
Data mapping UC CMP
Fine / Penalty
$2,200,000,000.00
Keywords
Unlawful processing Mishandling Data
Other Actions
35,000 for investigation costs.
July 17, 2024

TracFone

Telecommunications
USA
Verizon-owned mobile virtual network operator TracFone
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FCC
Related Products
CMP UC Data mapping Vendor
Fine / Penalty
$16,000,000.00
Keywords
Data Breach
July 8, 2024

NGL 

Technology
USA
The FTC and the Los Angeles District Attorney’s Office accused NGL of violating the Children’s Online Privacy Protection Rule (COPPA Rule) by knowingly collecting the personal data of children younger than 13 without parental consent.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
SRR Data mapping UC
Fine / Penalty
$5,000,000.00
Keywords
Unlawful processing Data Minimization Sensitive Data
July 1, 2024

Vinted

Retail
Lithuania
Did not have proper rationale for denying the right to erasure (‘right to be forgotten’) and the right of access. They reasoned that the user did not identify in their request the ‘specific grounds’ under Article 17 of the GDPR.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR Data mapping
Fine / Penalty
€ 2,385,276.00
Keywords
Mishandling Data
June 30, 2024

Grindr 

Technology
Norway
The Norwegian Data Protection Authority said that sharing such data without seeking explicit consent broke GDPR rules.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP UC SRR Data mapping Vendor
Fine / Penalty
€ 6,500,000.00
Keywords
Unlawful processing
June 17, 2024

Tilting Point Media LLC (Tilting Point)

Technology
USA
Tilting Point employed an age screen that did not ask for age in a “neutral manner” and therefore encouraged children to enter an older age. Further, Tilting Point inadvertently configured third-party software development kits (SDKs) to collect and sell children’s data without first obtaining consent.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
AG
Related Products
UC Assessments
Fine / Penalty
$500,000.00
Keywords
Unlawful processing Tracking Tech Mishandling Data
Other Actions
Prohibition on selling and sharing the personal information of children without affirmative consent, a requirement to use neutral age screens, restrictions on the use of SDKs, children’s data minimization requirements, and a requirement to submit annual reports regarding compliance efforts to the California Department of Justice and the Los Angeles City Attorney’s office.
June 17, 2024

[Name Not Public]

Technology
USA
The Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.
Privacy Law
Data Broker Law 
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
AG
Related Products
Regulatory Guidance Data mapping
Fine / Penalty
$10,000.00
Keywords
N/A
Other Actions
The Data Broker Law, the Biometric Identifier Act, the Deceptive Trade Practices Act as well as federal laws including the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).
June 4, 2024

Medibank Private Ltd (MPL.AX)

Financial Services
Australia
Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
Data mapping
Fine / Penalty
TBD
Keywords
Data Breach
May 22, 2024

Police Service of Northern Ireland (PSNI)

Public Sector 
UK
Exposed personal data belonging to all PSNI serving officers and staff.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
ICO
Related Products
Assessments
Fine / Penalty
£750,000.00
Keywords
Data Breach
May 21, 2024

Kakao Corp

Telecommunications
South Korea
Failure to report a data breach.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
PIPC
Related Products
Assessments
Fine / Penalty
$11,100,000.00
Keywords
Data Breach
May 19, 2024

Blackbaud

Financial Services
USA
Order finalized after announcement in February 2024.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
Data mapping
Fine / Penalty
$3,000,000.00
Keywords
Sensitive Data Data Deletion
Other Actions
Delete data that is no longer needed 
March 17, 2024

Benefytt Technologies

Healthcare
USA
Health company and its third parties operated a series of deceptive websites that targeted consumers who were searching for comprehensive health insurance plans qualified under the Affordable Care Act.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
SRR UC CMP
Fine / Penalty
$100,000,000.00
Keywords
Sensitive Data Tracking Tech Unlawful Marketing
March 14, 2024

Flo Health

Healthcare
Canada
App shared personal health information with Facebook and other third parties without users' consent.
Privacy Law
Canadian Civil Law
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Supreme Court of British Columbia
Related Products
UC Vendor
Fine / Penalty
TBD
Keywords
Sensitive Data Unlawful processing Mishandling Data
March 4, 2024

Intellexa Consortium

Technology
USA
Used spyware and surveillance technology to target U.S. government officials, journalists and policy experts.
Privacy Law
OFAC sanctions
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
OFAC
Related Products
UC CMP
Fine / Penalty
TBD
Keywords
Tracking Tech Unlawful processing
February 27, 2024

BNSF Railway

Transportation
USA
Unlawfully collected fingerprint scans without consent from thousands of drivers using automated gate systems at the company’s four facilities in Illinois.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
UC
Fine / Penalty
$75,000,000.00
Keywords
Selling Data Unlawful processing
February 21, 2024

[Name Not Public]

Logistics
Italy
Used facial recognition technology to determine employee attendance.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
UC Assessments
Fine / Penalty
€ 103,000.00
Keywords
Tracking Tech Unlawful processing
February 21, 2024

Avast Limited

Technology
USA
Collected, retained and sold data without proper notice or consent to third parties.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$16,500,000.00
Keywords
Selling Data Unlawful processing
February 20, 2024

Doordash

Retail
USA
Sold its customers' personal information without notice and without providing an opportunity to opt-out of the sale of their data.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP UC
Fine / Penalty
$375,000.00
Keywords
Selling Data Unlawful processing
February 13, 2024

College Board

Public Sector 
USA
Unlawfully sold students' personal data to schools and other customers.
Privacy Law
New York law
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
AG
Related Products
UC
Fine / Penalty
$750,000.00
Keywords
Selling Data Unlawful processing
February 6, 2024

Montefiore Medical Center

Healthcare
USA
Breach of its unsecured electronic protected health information (“ePHI”) from 2015.
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Department of Health and Human Services’ Office for Civil Rights
Related Products
CMP UC Data mapping
Fine / Penalty
$4,750,000.00
Keywords
Sensitive Data Data Breach
Other Actions
MMC has entered and agrees to comply with the Corrective Action Plan (“CAP”)
February 2, 2024

Tagadamedia

Technology
France
Failure to comply with the obligation to have a legal basis for the processing of data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
UC
Fine / Penalty
€ 75,000.00
Keywords
Unlawful processing
January 30, 2024

Uber Technologies, Inc.

Transportation
Netherlands
Failed to disclose its data retention period for European drivers' data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR Assessments Data mapping
Fine / Penalty
€ 10,000,000.00
Keywords
Data Deletion Mishandling Data Cross-Border Transfer
January 29, 2024

OpenAI (ChatGPT)

Technology
Italy
Lack of a suitable legal basis for the collection and processing of personal data for the purpose of training the algorithms underlying ChatGPT.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments CMP UC
Fine / Penalty
TBD
Keywords
Unlawful processing
January 15, 2024

X-Mode Social, Inc./Outlogic

Technology
USA
Raw data collection and sale of location information that could be used to track people’s visits to places of worship, reproductive health clinics, and domestic abuse shelters.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
Unknown settlement amount
Keywords
Tracking Tech Selling Data Sensitive Data
January 13, 2024

Poxell Ltd & Skean Homes Ltd

Telecommunications
UK
Made unsolicited marketing calls to people registered with the Telephone Preference Service (TPS) while withholding their identity.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC
Fine / Penalty
€ 150,000.00
Keywords
Unlawful Marketing
January 8, 2024

Amazon

Retail
Luxembourg
Processed users’ personal data for targeted advertising without their consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP UC
Fine / Penalty
€ 818,000,000.00
Keywords
Unlawful Marketing Unlawful processing Tracking Tech
January 2, 2024

Kochava

Telecommunications
USA
Collected, without notice or consent, vast amounts of consumer location and personal data. 
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
TBD
Keywords
Unlawful processing Sensitive Data
December 28, 2023

Yahoo

Telecommunications
France
Deposited cookies on website without user’s consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP UC
Fine / Penalty
€ 10,000,000.00
Keywords
Tracking Tech
December 28, 2023

NS Cards France

Telecommunications
France
Failure to comply with the obligation to retain data for a period limited to the purpose for which it was collected (article 5.1.e of the GDPR).
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
UC CMP
Fine / Penalty
€ 105,000.00
Keywords
Tracking Tech Data Deletion
December 26, 2023

Amazon France Logistique

Retail
France
Warehouse employees used scanners to track activities, and the scans carried out by employees resulted in the recording of data, which is stored and used to calculate indicators providing information on the quality, productivity and periods of inactivity of each employee.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 32,000,000.00
Keywords
Unlawful processing Tracking Tech
December 18, 2023

Rite Aid

Retail
USA
Rite Aid deployed artificial intelligence-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behavior.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
Assessments Data mapping
Fine / Penalty
N/A
Keywords
Tracking Tech Unlawful processing Sensitive Data
Other Actions
Prohibited from using facial recognition technologies for five years.
December 13, 2023

Kodas Design and Speed Auction

Technology
South Korea
Both companies violated safety measure obligations and personal information leakage notification and reporting obligations under the PIPA.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
PIPC
Related Products
Vendor Data mapping
Fine / Penalty
$1,71,653
Keywords
Data Breach
December 13, 2023

Tipros

Telecommunications
Singapore
Tipros unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organization's Google reviews page.
Privacy Law
Personal Data Protection Act (PDPA)
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
PDPC
Related Products
SRR
Fine / Penalty
N/A
Keywords
Data Breach
Other Actions
Review 13 other Google reviews and remove personal data from Google review page.
November 30, 2023

Google

Technology
USA
Secretly tracked the internet use of millions of people who were using its Chrome browser's incognito mode.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$5,000,000,000.00
Keywords
Tracking Tech Unlawful processing
November 27, 2023

Shanghai Commercial and Savings Bank

Financial Services
China
Audit leak of customer data.
Privacy Law
Banking Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Financial Supervisory Commission 
Related Products
SRR
Fine / Penalty
NT 10,000,000
Keywords
Data Breach
November 1, 2023

Australian Clinical Labs Limited

Healthcare
Australia
Data breach of patients' personal information and data.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
OAIC
Related Products
SRR
Fine / Penalty
AUS$ 2,200,000
Keywords
Data Breach
October 31, 2023

First American Title Insurance Company

Financial Services
USA
Violations of the NYDFS Cybersecurity Regulation in connection with a 2019 data breach, which exposed consumers’ non-public information.
Privacy Law
NYDFS Cybersecurity Regulation
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$1,000,000.00
Keywords
Data Breach
October 25, 2023

FT v DW (C-307/22)

Healthcare
Germany
A patient asked a dentist for a copy of his dental records. The dentist said that the patient is responsible for the costs of such provision, per German law.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
CJEU
Related Products
SRR
Fine / Penalty
N/A
Keywords
Mishandling Data
October 22, 2023

Axpo Italia Spa

Energy
Italy
Electricity and gas suppliers that activated accounts without data subject knowledge issued contracts in their name based on acquired, and unsolicited, contracts.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Vendor Templates
Fine / Penalty
€ 10,000,000.00
Keywords
Unlawful processing
Other Actions
Corrective measures, including:
October 16, 2023

Clearview AI, Inc.

Technology
UK
Personal data of UK individuals collected through the use of its facial recognition technology and held in its database.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC
Fine / Penalty
€ 7,500,000.00
Keywords
Unlawful processing Sensitive Data
October 4, 2023

Debt Collection Company

Financial Services
Croatia
Unlawfully processed sensitive data (health related) of 181,641 of their debtors, as well as the data of individuals who are not in a debtor-creditor relationship, most often collecting telephone number, first and last name and residential address.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping UC
Fine / Penalty
€ 5,470,000.00
Keywords
Sensitive Data Unlawful processing
September 30, 2023

Blackbaud

Telecommunications
USA
Ransomware attack (in 2020) exposed users’ personal data, donation history and financial information to unauthorized third parties.
Privacy Law
Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
SEC
Related Products
UC SRR
Fine / Penalty
$49,500,000.00
Keywords
Data Breach
August 15, 2023

Ecommerce Enablers

Technology
Singapore
An access key to the company's storage servers was shared on a private GitHub repository. Exfiltrated data comprised 1.46 million email addresses, 10,000 national identity numbers, 300,000 bank account numbers and 380,000 pieces of partial credit card information.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
PDPC
Related Products
Data mapping
Fine / Penalty
€ 50,250.00
Keywords
Data Breach
August 15, 2023

DoorDash Technologies Australia Pty Ltd

Retail
Australia
Promotional emails were sent to customers who had already unsubscribed, and 515,000 text messages were sent to their potential drivers without an unsubscribe function.
Privacy Law
Spam Act 2003
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ACMA
Related Products
SRR
Fine / Penalty
AUS$ 2,011,320
Keywords
Unlawful Marketing
August 13, 2023

Experian Consumer Services

Technology
USA
Failed to comply with the CAN-SPAM Act.
Privacy Law
CAN-SPAM Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$650,000.00
Keywords
Unlawful Marketing
July 26, 2023

Greenley v. Kochava, Inc.

Technology
USA
Data broker coded its software development kits to track a user’s geolocation, search terms, click choices, purchase decisions, and/or payment methods.
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
U.S. District Court for the Southern District of California 
Related Products
SRR UC
Fine / Penalty
$5,000 per fine
Keywords
CIPA
July 13, 2023

Meta Platforms Ireland Limited and Facebook Norway AS

Technology
Norway
Processed personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior”.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
Unknown
Keywords
Tracking Tech Unlawful Marketing Unlawful processing
July 5, 2023

Telekall Infoservice

Telecommunications
Brazil
The company violated LGPD data processing requirements and failed to cooperate with the investigation.
Privacy Law
LGPD
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR UC Trust Hub
Fine / Penalty
€ 1,483.00
Keywords
Mishandling Data Unlawful processing
June 29, 2023

Tele2 Sverige Aktiebolag

Telecommunications
Sweden
NOYB filed a complaint relating to the unlawful transfer of personal data to the US.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
€ 1,000,000.00
Keywords
Cross-Border Transfer
Other Actions
DPA determined that the use of the standard contractual clauses was not sufficient to guarantee a level of protection equivalent to that of the EU.
June 26, 2023

Creditinfo Lánstraust hf.

Professional Services
Iceland
Processed credit information regarding small loans without a legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping CMP
Fine / Penalty
€ 257,000.00
Keywords
Unlawful processing
June 14, 2023

CRITEO

Telecommunications
France
Used cookies to track user behavior for advertising.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 40,000,000.00
Keywords
Tracking Tech Data Deletion
June 11, 2023

Piraeus Bank

Financial Services
Greece
Processed personal data without taking appropriate and effective technical and organizational measures to process only the data necessary for the specific purpose.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
$210,000.00
Keywords
Data Minimization Mishandling Data
June 11, 2023

Spotify

Technology
Sweden
Did not sufficiently comply with data subject rights.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 4,900,000.00
Keywords
Mishandling Data
May 30, 2023

Ring LLC

Technology
USA
Made false/misleading representations that it took reasonable steps to ensure that Ring home security cameras are a secure means to monitor private areas of consumers’ homes.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$5,800,000.00
Keywords
Mishandling Data
May 29, 2023

Shopee and Eslite

Retail
Taiwan
Did not provide information on safety checks or evidence that corrective measures have been implemented. Failed to conduct audits on outsourced suppliers – one of their supply chains had inadequate account management.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
MODA
Related Products
Vendor
Fine / Penalty
2,000 TWD
Keywords
Data Breach
May 28, 2023

WIND (now NOVA)

Advertising
Poland
Sending of five promotional messages despite objections.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP UC SRR
Fine / Penalty
€ 150,000.00
Keywords
Unlawful Marketing
May 11, 2023

Meta Platforms Ireland Limited

Technology
Ireland
Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR Assessments Data mapping
Fine / Penalty
€ 1,200,000,000.00
Keywords
Cross-Border Transfer
Other Actions
The DPC ordered Meta to cease any future transfer of personal data to the U.S. and, within six months, to cease storage of data already transferred to the U.S.
April 3, 2023

TikTok

Technology
UK
More than one million British children under the age of 13 were using TikTok without the consent of their parents.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ICO
Related Products
UC Data mapping
Fine / Penalty
€ 14,500,000.00
Keywords
Unlawful processing
March 15, 2023

Argon Medical Devices

Healthcare
Norway
Reported a data breach involving compromised personal data after 67 days.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping Vendor
Fine / Penalty
€ 220,000.00
Keywords
Data Breach
March 10, 2023

[Name Not Public]

Healthcare
Turkey
A hospital did not obtain a patient’s explicit consent before sharing their photographs and videos with contracted media organizations for advertising and promotion purposes concerning the patient’s treatments.
Privacy Law
Law on the Protection of Personal Data No. 6698
Level of Government
Federal
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
UC Data mapping
Fine / Penalty
$8,373.75
Keywords
Unlawful processing
February 21, 2023

VODAFONE ESPAÑA, S.A.U.

Telecommunications
Spain
System error when an Amazon sales partner had concluded a contract without first obtaining the consent of the data subject.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
€ 56,000.00
Keywords
Mishandling Data
February 16, 2023

Suomen Asiakastieto Oy

Professional Services
Finland
The company had unlawfully stored financial data of data subjects.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping SRR
Fine / Penalty
€ 440,000.00
Keywords
Unlawful processing
February 13, 2023

Byars v. Hot Topic, Inc.

Retail
USA
Case dismissed because third-party chat feature was a “tool” and no more than an “extension” of the website provider.
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
U.S. District Court for the Central District of California
Related Products
UC SRR
Fine / Penalty
$5,000 per fine
Keywords
CIPA
February 5, 2023

Sats ASA

Retail
Norway
Did not comply with customers' requests for information or for deletion of their personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 900,000.00
Keywords
Data Deletion Mishandling Data
February 2, 2023

Byars v. Goodyear Tire & Rubber Co

Retail
USA
Website’s chat features and use of session replay software violated CIPA.
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
US District Court for the Central District of California
Related Products
UC SRR
Fine / Penalty
$5,000 per fine
Keywords
CIPA Tracking Tech
January 31, 2023

GoodRx

Healthcare
USA
Google and Meta tracking pixels were installed on its website to share users’ medication information, location and other personal data.
Privacy Law
Health Breach Notification Rule
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP UC
Fine / Penalty
$1,500,000.00
Keywords
Tracking Tech
January 18, 2023

Hungarian Airline Company

Transportation
Poland
Customer’s data was not erased by the airline in a timely manner when requested.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 13,244.00
Keywords
Data Deletion Mishandling Data
October 18, 2022

Medibank 

Healthcare
Australia
Privacy Act: Did not apply appropriate controls to sensitive data. Medibank says the hacker claims to have stolen 200GB of data.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
Assessments Data mapping UC
Fine / Penalty
AUS$ 2,200,000
Keywords
Sensitive Data Data Breach
August 23, 2022

Sephora

Retail
USA
Sold consumers’ personal data via third-party trackers in exchange for targeted ads and discounts on analytics, did not disclose to consumers that it was selling their personal information, and did not support GPC. Did not cure these violations within the 30-day period.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP UC SRR
Fine / Penalty
$1,200,000.00
Keywords
Selling Data Tracking Tech
May 30, 2022

Javier v. Assurance IQ, LLC

Healthcare
USA
Privacy Law
TCPA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
U.S. District Court for the Northern District of California
Related Products
UC SRR
Fine / Penalty
5,000 per fine
Keywords
CIPA
April 30, 2022

Patreon

Technology
USA
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
Federal Courts
Related Products
Assessments Vendor Data mapping CMP UC
Fine / Penalty
$7,250,000.00
Keywords
VPPA Unlawful Marketing Tracking Tech