.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.webp?width=1220&height=1090&name=Osano-guarantee-seal%20(1).webp)
Data Privacy Enforcement Tracker
What's new in the world of regulatory enforcement? Our Enforcement Tracker keeps you up to speed with relevant and noteworthy enforcement actions in the world of privacy. Stay informed, spot patterns early, and guide your program with confidence.
Note: While updated regularly this is not exhaustive and not intended as legal advice.
Filters applied (0)
Clear filters
Filter by Category
-
Privacy LawSelect all
-
Region of EnforcementSelect all
-
Industry TypeSelect all
-
Employee CountSelect all
-
Estimated Annual RevenueSelect all
-
Keyword(s)Select all
-
Level of GovernmentSelect all
-
Who EnforcedSelect all
Sort By
Showing 7 of 46 results
August 23, 2022
Sephora
Retail
USA
Sold consumers’ personal data using third-party trackers to get targeted ads and discounts on analytics, didn't disclose to consumers that it was selling their personal information, no GPC either. Did not cure these violations within the 30-day period
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP
UC
SRR
Fine / Penalty
$1,200,000
Keywords
Selling Data
Tracking Tech
May 30, 2022
Javier v. Assurance IQ, LLC
Healthcare
USA
Consent to a website session recording technology cannot apply retroactively
Unlawful wiretap over the session recording technology that helps companies protect against litigation abuse from the Telephone Consumer Protection Act (TCPA).
Privacy Law
TCPA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
U.S. States Court of Northern District of California
Related Products
UC
SRR
Fine / Penalty
5,000 per fine
Keywords
CIPA
January 18, 2023
Hungarian Airline Company
Transportation
Poland
Customer’s data was not timely erased when requested by airlines
Company failed to inform the Data Subject that account was deleted until 5 months later.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 13,244
Keywords
Data Deletion
Mishandling Data
January 31, 2023
GoodRx
Healthcare
USA
Google and Meta tracking pixels were installed on its website to share users’ medication information, location and other personal data.
Privacy Law
Health Breach Notification Rule
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$1,500,000
Keywords
Tracking Tech
February 2, 2023
Byars v. Goodyear Tire & Rubber Co
Retail
USA
Website’s chat features and use of session replay software violated (CIPA).
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
US District Court for the Central District of California
Related Products
UC
SRR
Fine / Penalty
$5,000 per fine
Keywords
CIPA
Tracking Tech
February 5, 2023
Sats ASA
Retail
Norway
Did not comply with Customers requests for information as well as deletion of their personal data.
Processed certain customer data without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 900,000
Keywords
Data Deletion
Mishandling Data
February 13, 2023
Byars v. Hot Topic, Inc.
Retail
USA
Case dismissed because third-party chat feature was a “tool” and no more than an “extension” of the website provider
No finding of an unlawful third-party interception.
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
U.S District Court for the Central District of California
Related Products
UC
SRR
Fine / Penalty
$5,000 per fine
Keywords
CIPA
February 16, 2023
Suomen Asiakastieto Oy
Professional Services
Finland
The company had unlawfully stored financial data of data subjects.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
SRR
Fine / Penalty
€ 440,000
Keywords
Unlawful processing
February 21, 2023
VODAFONE ESPAÑA, S.A.U..
Telecommunications
Spain
System error when an Amazon sales partner had concluded a contract without first obtaining the consent of the data subject.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
€ 56,000
Keywords
Mishandling Data
March 10, 2023
[Name Not Public]
Healthcare
Turkey
A Hospital did not have a patient’s explicit consent before sharing their photographs and videos with the contracted media organizations for advertising and promotion purposes about the patients’ treatments.
Privacy Law
Law on the Protection of Personal Data No. 6698
Level of Government
Federal
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
UC
Data mapping
Fine / Penalty
$8,373.75
Keywords
Unlawful processing
March 15, 2023
Argon Medical Devices
Healthcare
Norway
Reported data breach of compromised personal data after 67 days.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
Vendor
Fine / Penalty
€ 220,000
Keywords
Data Breach
April 3, 2023
TikTok
Technology
UK
More than one million British children under the age of 13 were using TikTok without the consent of their parents.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ICO
Related Products
UC
Data mapping
Fine / Penalty
€ 14,500,000
Keywords
Unlawful processing
May 11, 2023
Meta Platforms Ireland Limited
Technology
Ireland
Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Assessments
Data mapping
Fine / Penalty
€ 1,200,000,000
Keywords
Cross-Border Transfer
May 28, 2023
WIND (now NOVA)
Advertising
Poland
Sending of five promotional messages despite objections.
Non-satisfaction of access rights, failure to provide a reply.
Did not have in practice the necessary procedures to ensure the right to object and stop processing the data for the promotional purpose.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP
UC
SRR
Fine / Penalty
€ 150,000
Keywords
Unlawful Marketing
May 29, 2023
Shopee and Eslite
Retail
Taiwan
Did not provide information on safety checks or evidence that corrective measures have been implemented. Failed to conduct audits on outsourced suppliers – one of their supply chains had inadequate account management.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
MODA
Related Products
Vendor
Fine / Penalty
2,000 TWD
Keywords
Data Breach
May 30, 2023
Ring LLC
Technology
USA
Made false/misleading representations that it took reasonable steps to ensure that Ring home security cameras are a secure means to monitor private areas of consumers’ homes.
Gave thousands of employees and contractors unrestricted access to video recordings of customers’ intimate spaces (e.g., bathrooms, bedrooms and children’s nurseries) without customers’ knowledge or consent.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$5,800,000
Keywords
Mishandling Data
June 11, 2023
Piraeus Bank
Financial Services
Greece
Processed personal data without taking appropriate and effective technical and organizational measures to process only the data necessary for the specific purpose.
The bank had failed to properly comply with a data subject's request for access to their personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
$210,000
Keywords
Data Minimization
Mishandling Data
June 11, 2023
Spotify
Technology
Sweden
Not sufficiently complied with data subject rights.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 4,900,000
Keywords
Mishandling Data
June 14, 2023
CRITEO
Telecommunications
France
Used cookies to track user behavior for advertising
Users consent was not obtained
Failed to adequately respond to a data subject's requests for information regarding their personal data.
Did not delete the personal data of the data subjects.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 40,000,000
Keywords
Tracking Tech
Data Deletion
June 26, 2023
Creditinfo Lánstraust hf.
Professional Services
Iceland
Processed credit information re small loans, without a legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
CMP
Fine / Penalty
€ 257,000
Keywords
Unlawful processing
June 29, 2023
Tele2 Sverige Aktiebolag
Telecommunications
Sweden
NOYB filed a complaint relating to unlawful transferring of personal data to the US.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
€ 1,000,000
Keywords
Cross-Border Transfer
July 5, 2023
Telekall Infoservice
Telecommunications
Brazil
The company violated LGPD data processing requirements and failed to cooperate with its investigation.
The ANPD also issued the company a warning for failing to designate a data protection officer.
Privacy Law
LGPD
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
SRR
UC
Trust Hub
Fine / Penalty
€ 1,483
Keywords
Mishandling Data
Unlawful processing
July 13, 2023
Meta Platforms Ireland Limited and Facebook Norway AS
Technology
Norway
Processed personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior".
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
Unknown
Keywords
Tracking Tech
Unlawful Marketing
Unlawful processing
July 26, 2023
Greenley v. Kochava, Inc.
Technology
USA
Data broker coded its software development kits to track a user’s geolocation, search terms, click choices, purchase decisions, and/or payment methods
Data broker collected this tracked information and then sold it to third-party advertisers.
Privacy Law
CIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
U.S. District Court for the Southern District of California
Related Products
SRR
UC
Fine / Penalty
$5,000 per fine
Keywords
CIPA
August 13, 2023
Experian Consumer Services
Technology
USA
Failed to comply with CAN-SPAM Act.
Privacy Law
CAN-SPAM Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$650,000
Keywords
Unlawful Marketing
August 15, 2023
Ecommerce Enablers
Technology
Singapore
Access key to the company's storage servers on a private GitHub repository shared. Ex-filtration of data of 1.46 million email addresses, 10,000 national identity numbers, 300,000 bank account numbers and 380,000 pieces of partial credit card information.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
PDPC
Related Products
Data mapping
Fine / Penalty
€ 50,250
Keywords
Data Breach
August 15, 2023
DoorDash Technologies Australia Pty Ltd
Retail
Australia
Promotional emails were sent to customers who had already unsubscribed, and 515,000 text messages were sent to their potential drivers without an unsubscribe function.
Privacy Law
Spam Act 2003
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ACMA
Related Products
SRR
Fine / Penalty
AUS$ 2,011,320
Keywords
Unlawful Marketing
September 30, 2023
Backbaud
Telecommunications
USA
Ransomware attack (in 2020) exposed users’ personal data, donation history and financial information to unauthorized third parties.
Privacy Law
Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
SEC
Related Products
UC
SRR
Fine / Penalty
$49,500,000
Keywords
Data Breach
October 4, 2023
Debt Collection Company
Financial Services
Croatia
Unlawfully processed sensitive data (health related) of 181,641 of their debtors, as well as the data of individuals who are not in a debtor-creditor relationship, most often collecting telephone number, first and last name and residential address.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
UC
Fine / Penalty
€ 5,470,000
Keywords
Sensitive Data
Unlawful processing
October 16, 2023
Clearview AI, Inc.
Technology
UK
Personal data of UK individuals collected through the use of its facial recognition technology and held in its database.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC
Fine / Penalty
€ 7,500,000
Keywords
Unlawful processing
Sensitive Data
October 22, 2023
Axpo Italia Spa
Energy
Italy
Electricity and gas suppliers that activated accounts without data subject knowledge issued contracts in their name based on acquired, and unsolicited, contracts.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Vendor
Templates
Fine / Penalty
€ 10,000,000
Keywords
Unlawful processing
Other Actions
Corrective measures, including:
use of a blocking "check-call" system to verify the accuracy of acquired
introduction of alert systems suitable for detecting any incorrect and/or fraudulent behavior
introduction of alert systems suitable for detecting any incorrect and/or fraudulent behavior
strengthen audits
October 25, 2023
FT v DW (C-307/22)
Healthcare
Germany
A patient asked dentist for a copy of his dental records. Dentist said that patient is responsible for costs with such provision, per German law.
CJEU determined that EU supersedes and that data subject is entitled to a free copy.
Controller can charge for subsequent copies.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
CJEU
Related Products
SRR
Fine / Penalty
N/A
Keywords
Mishandling Data
October 31, 2023
First American Title Insurance Company
Financial Services
USA
Violations of the NYDFS Cybersecurity Regulation in connection with a 2019 data breach, which exposed consumers’ non-public information.
Privacy Law
NYDFS Cybersecurity Regulation
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$1,000,000
Keywords
Data Breach
November 1, 2023
Australian Clinical Labs Limited
Healthcare
Australia
Data breach of patient's personal information and data.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
OAIC
Related Products
SRR
Fine / Penalty
AUS$ 2,200,000
Keywords
Data Breach
November 27, 2023
Shanghai Commercial and Savings Bank
Financial Services
China
Audit leak of customer data.
Privacy Law
Banking Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Financial Supervisory Commission
Related Products
SRR
Fine / Penalty
NT 10,000,000
Keywords
Data Breach
November 30, 2023
Technology
USA
Secretly tracked the internet use of millions of people who were using its Chrome browser's incognito mode.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$5,000,000,000
Keywords
Tracking Tech
Unlawful processing
December 13, 2023
Kodas Design and Speed Auction
Technology
South Korea
Both companies violated safety measure obligations and personal information leakage notification and reporting obligations under the PIPA.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
PIPC
Related Products
Vendor
Data mapping
Fine / Penalty
$1,71,653
Keywords
Data Breach
December 13, 2023
Tipros
Telecommunications
Singapore
Tipros unreasonably disclosed the personal data of the complainant when responding to the complainant’s review on the Organization's Google reviews page.
Privacy Law
Personal Data Protection Act (PDPA)
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
PDPC
Related Products
SRR
Fine / Penalty
N/A
Keywords
Data Breach
December 18, 2023
Rite Aid
Retail
USA
Rite Aid deployed artificial intelligence-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behavior.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
Assessments
Data mapping
Fine / Penalty
N/A
Keywords
Tracking Tech
Unlawful processing
Sensitive Data
December 26, 2023
Amazon France Logistique
Retail
France
Warehouse employees used scanners to tracker activities and the scans carried out by employees resulted in recording of data, which is stored and used to calculate indicators providing information on the quality, productivity and periods of inactivity of each employee.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 32,000,000
Keywords
Unlawful processing
Tracking Tech
December 28, 2023
Yahoo
Telecommunications
France
Deposited cookies on website without user’s consent
Users of Yahoo Mail who withdrew consent were no longer be able to access the services and lost access to their messaging service.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 10,000,000
Keywords
Tracking Tech
December 28, 2023
NS Cards France
Telecommunications
France
Failure to comply with the obligation to retain data for a period limited to the purpose for which it was collected (article 5.1.e of the GDPR).
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
UC
CMP
Fine / Penalty
€ 105,000
Keywords
Tracking Tech
Data Deletion
January 2, 2024
Kochava
Telecommunications
USA
Collected, without notice or consent, vast amounts of consumer location and personal data.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
Unlawful processing
Sensitive Data
January 8, 2024
Amazon
Retail
Luxembourg
Processed users’ personal data for targeted advertising without their consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 818,000,000
Keywords
Unlawful Marketing
Unlawful processing
Tracking Tech
January 13, 2024
Poxell Ltd & Skean Homes Ltd
Telecommunications
UK
Made unsolicited marketing calls to people registered with the Telephone Preference Service (TPS) while withholding their identity.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC
Fine / Penalty
€ 150,000
Keywords
Unlawful Marketing
January 15, 2024
X-Mode Social, Inc./Outlogic)
Technology
USA
Raw data collection and sale of location information that could be used to track people’s visits to places of worship, reproductive health clinics, and domestic abuse shelters.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
Unknown settlement amount
Keywords
Tracking Tech
Selling Data
Sensitive Data
January 29, 2024
OpenAI (ChatGPT)
Technology
Italy
Lack of a suitable legal basis for the collection and processing of personal data for the purpose of training the algorithms underlying ChatGPT.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
CMP
UC
Fine / Penalty
TBD
Keywords
Unlawful processing
January 30, 2024
Uber Technologies, Inc.
Transportation
Netherlands
Failed to disclose its data retention period for European drivers' data
Failed to report to the non-EU countries it shares data with
Obstructed its drivers’ efforts to exercise their right to privacy.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
SRR
Assessments
Data mapping
Fine / Penalty
€ 10,000,000
Keywords
Data Deletion
Mishandling Data
Cross-Border Transfer
February 2, 2024
Tagadamedia
Technology
France
Failure to comply with the obligation to have a legal basis for the processing of data
Failure to comply with the obligation to implement a record of processing activities.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
UC
Fine / Penalty
€ 75,000
Keywords
Unlawful processing
February 6, 2024
Montefiore Medical Center
Healthcare
USA
Breach of its unsecured electronic protected health information (“ePHI”) from 2015
Employees inappropriately accessed patient account information of 12,517 patients from its electronic medical record system and then sold certain patient information to an identity theft ring.
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Department of Health and Human Services’ Office for Civil Rights
Related Products
CMP
UC
Data mapping
Fine / Penalty
$4,750,000
Keywords
Sensitive Data
Data Breach
February 13, 2024
College Board
Public Sector
USA
Unlawfully sold students' personal data to schools and other customers
licensed this data to colleges, scholarship programs, and other customers who used it to solicit students to participate in their programs.
Privacy Law
New York law
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
AG
Related Products
UC
Fine / Penalty
$750,000
Keywords
Selling Data
Unlawful processing
February 20, 2024
Doordash
Retail
USA
Sold its customers' personal information without notice and without providing an opportunity to opt-out of the sale of their data.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP
UC
Fine / Penalty
$375,000
Keywords
Selling Data
Unlawful processing
February 21, 2024
[Name Not Public]
Logistics
Italy
Used facial recognition technology to determine employee attendance.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
UC
Assessments
Fine / Penalty
€ 103,000
Keywords
Tracking Tech
Unlawful processing
February 21, 2024
Avast Limited
Technology
USA
Collected, retained and sold data without proper notice or consent to third parties.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
CMP
UC
Fine / Penalty
$16,500,000
Keywords
Selling Data
Unlawful processing
February 27, 2024
BNSF Railway
Transportation
USA
Unlawfully collected fingerprint scans without consent from thousands of drivers using automated gate systems at the company’s four facilities in Illinois.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
UC
Fine / Penalty
$75,000,000
Keywords
Selling Data
Unlawful processing
March 4, 2024
Intellexa Consortium
Technology
USA
Used spyware and surveillance technology to target U.S. government officials, journalists and policy experts.
Privacy Law
OFAC sanctions
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
OFAC
Related Products
UC
CMP
Fine / Penalty
TBD
Keywords
Tracking Tech
Unlawful processing
March 14, 2024
Flo Health
Healthcare
Canada
App shared personal health information to Facebook and other third-parties without users' consent.
Privacy Law
Canadian Civil Law
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Supreme Court of British Columbia
Related Products
UC
Vendor
Fine / Penalty
TBD
Keywords
Sensitive Data
Unlawful processing
Mishandling Data
March 17, 2024
Benefytt Technologies
Healthcare
USA
Health company and its third parties operated series of deceptive websites that targeted consumers who were searching for comprehensive health insurance plans qualified under the Affordable Care Act.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
SRR
UC
CMP
Fine / Penalty
$100,000,000
Keywords
Sensitive Data
Tracking Tech
Unlawful Marketing
May 19, 2024
Blackbaud
Financial Services
USA
Order finalized after announcement in February 2024.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
Data mapping
Fine / Penalty
$3,000,000
Keywords
Sensitive Data
Data Deletion
May 21, 2024
Kakao Corp
Telecommunications
South Korea
Failure to report a data breach.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
PIPC
Related Products
Assessments
Fine / Penalty
$11,100,000
Keywords
Data Breach
May 22, 2024
Police Service of Northern Ireland (PSNI)
Public Sector
UK
Exposed personal data belonging to all PSNI serving officers and staff.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
ICO
Related Products
Assessments
Fine / Penalty
£750,000
Keywords
Data Breach
June 4, 2024
Medibank Private Ltd (MPL.AX)
Financial Services
Australia
Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
Data mapping
Fine / Penalty
TBD
Keywords
Data Breach
June 17, 2024
Tilting Point Media LLC (Tilting Point)
Technology
USA
Tilting Point employed an age screen that did not ask for age in a “neutral manner” and therefore encouraged children to enter an older age. Further, Tilting Point inadvertently configured third-party software development kits (SDKs) to collect and sell children’s data without first obtaining consent.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
AG
Related Products
UC
Assessments
Fine / Penalty
$500,000
Keywords
Unlawful processing
Tracking Tech
Mishandling Data
Other Actions
prohibition on selling and sharing the personal information of children without affirmative consent, a requirement to use neutral age screens, restrictions on the use of SDKs, children’s data minimization requirements, and a requirement to submit annual reports regarding compliance efforts to the California Department of Justice and the Los Angeles City Attorney’s office.
June 17, 2024
[Name Not Public]
Technology
USA
The Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.
Privacy Law
Data Broker Law
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
AG
Related Products
Regulatory Guidance
Data mapping
Fine / Penalty
$10,000.00
Keywords
N/A
July 8, 2024
NGL
Technology
USA
The FTC and the Los Angeles District Attorney’s Office accused NGL of violating the Children’s Online Privacy Protection Rule (COPPA Rule) by knowingly collecting the personal data of children younger than 13 without parental consent.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
SRR
Data mapping
UC
Fine / Penalty
$5,000,000
Keywords
Unlawful processing
Data Minimization
Sensitive Data
June 30, 2024
Grindr
Technology
Norway
The Norwegian Data Protection Authority said that sharing such data without seeking explicit consent broke GDPR rules.
The fine was reduced from £8.6m after Grindr provided details about its financial situation, and made changes to its app.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP
UC
SRR
Data mapping
Vendor
Fine / Penalty
€6,500,000
Keywords
Unlawful processing
July 17, 2024
Oracle
Technology
USA
The proposed settlement was announced on 18 July in San Francisco federal court. In August 2022, plaintiffs had filed a lawsuit that alleged Oracle’s advertising tracking tools accessed, collected, stored, disclosed, sold and used internet users’ personal data without consent.
Privacy Law
US Civil Law
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Federal Courts
Related Products
CMP
UC
Fine / Penalty
$150,000,000
Keywords
Tracking Tech
Unlawful processing
July 17, 2024
What’s App (Meta)
Technology
Nigeria
Meta was ordered to “immediately reinstate the rights of Nigerian users to self-determine and control” data sharing, and stop sharing WhatsApp users’ information “with other Facebook companies and third parties” without users’ active consent.
Privacy Law
Nigeria Data Protection Act 2023
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Federal Competition and Protection Commission
Related Products
Data mapping
UC
CMP
Fine / Penalty
$2,200,000,000
Keywords
Unlawful processing
Mishandling Data
July 29, 2024
Meta
Technology
USA
Meta knowingly violated the state’s Capture or Use of Biometric Identifier Act and Deceptive Trade Practices and Consumer Protection Act by implementing a now-defunct facial-recognition-based photo and video tagging feature.
Texas law says it’s illegal for private entities to capture, disclose or profit from someone’s biometric identifiers without their informed consent.
Privacy Law
Capture or Use of Biometric Identifier Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
CMP
UC
Fine / Penalty
$1,400,000,000
Keywords
Sensitive Data
Tracking Tech
Selling Data
July 1, 2024
Vinted
Retail
Lithuania
Did not have proper rationale for denying the right to erasure (‘right to be forgotten’) and the right of access. They reasoned that the user did not identify in their request the ‘specific grounds’ under Article 17 of the GDPR.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Data mapping
Fine / Penalty
€ 2,385,276
Keywords
Mishandling Data
July 23, 2024
TikTok
Technology
UK
Failing to comply with a request for information and not cooperating with Ofcom’s investigation into the effectiveness of its child protection measures.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
ICO
Related Products
Data mapping
Fine / Penalty
£ 1,875,000
Keywords
Sensitive Data
Mishandling Data
July 17, 2024
TracFone
Telecommunications
USA
Verizon-owned mobile virtual network operator TracFone
Unauthorized third parties were able to exploit TracFone’s customer-facing application programming interfaces (APIs) to gain access to customer data between January 2021 and January 2023.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FCC
Related Products
CMP
UC
Data mapping
Vendor
Fine / Penalty
$16,000,000
Keywords
Data Breach
August 20, 2024
[Name Not Public]
Telecommunications
Thailand
Failure to Appoint a Data Protection Officer (DPO).
Inadequate Security Measures: The company lacked appropriate security measures as mandated by the PDPA, leading to data leaks to call center gangs and causing widespread damage.
Failure to Report Data Breaches: The company ignored complaints from data subjects and delayed reporting the breaches to the PDPC, preventing timely remediation.
Privacy Law
Personal Data Protection Act ("PDPA")
Level of Government
Federal
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
PDPA
Related Products
Data mapping
Fine / Penalty
฿205,520
Keywords
Data Breach
Mishandling Data
Other Actions
The second expert committee ordered the company to enhance its security measures to prevent future data leaks. The company must also train its staff, update security measures to keep pace with technological changes, and report these improvements to the PDPC within 7 days of receiving the order.
August 26, 2024
Uber Technologies, Inc.
Transportation
Netherlands
The European Union’s data protection laws were violated by transferring sensitive personal data of its drivers to the U.S. without adequate safeguards.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
$310,000,000
Keywords
Cross-Border Transfer
August 6, 2024
Advanced Computer Software Group
Technology
UK
UK GDPR: failed to implement sufficient security measures to protect personal information.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
ICO
Related Products
Data mapping
Assessments
Fine / Penalty
£ 6,000,000
Keywords
Data Breach
October 18, 2022
Medibank
Healthcare
Australia
Privacy Act: Did not apply appropriate controls to sensitive data. Medibank says the hacker claims to have stolen 200GB of data.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
Assessments
Data mapping
UC
Fine / Penalty
AUS$ 2,200,000
Keywords
Sensitive Data
Data Breach
September 1, 2024
Verkada
Technology
USA
FTC: Did not apply appropriate controls to sensitive data.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
FTC
Related Products
UC
Assessments
Data mapping
Fine / Penalty
$2,950,000
Keywords
Sensitive Data
Data Breach
April 30, 2022
Patreon
Technology
USA
VPPA: claims that the platform unlawfully disclosed its users' video viewing habits to third parties, specifically analytics and marketing companies, without obtaining proper consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
Federal Courts
Related Products
Assessments
Vendor
Data mapping
CMP
UC
Fine / Penalty
$7,250,000
Keywords
VPPA
Unlawful Marketing
Tracking Tech
August 22, 2024
Lawline
Technology
USA
VPPA: claims that the platform unlawfully disclosed its users' video viewing habits to third parties, specifically analytics and marketing companies, without obtaining proper consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
Federal Courts
Related Products
CMP
UC
Trust Hub
Data mapping
Assessments
Fine / Penalty
TBD
Keywords
VPPA
Tracking Tech
August 19, 2024
Equiniti Trust
Financial Services
USA
SEC rules: A lot going on here, with issues re handling client assets. Breach, data governance and poor retention.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Data mapping
Assessments
Fine / Penalty
$850,000
Keywords
Data Breach
August 28, 2024
Apohem AB
Retail
Sweden
Apohem AB had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period.
Incident spanned from April 15th, 2021 to April 26, 2022.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP
Assessments
Data mapping
Fine / Penalty
$730,000
Keywords
Tracking Tech
Unlawful processing
Unlawful Marketing
Sensitive Data
August 28, 2024
Apoteket AB
Retail
Sweden
Apoteket AB had implemented Meta's tracking pixel on their websites to enhance marketing efforts on Facebook and Instagram. However, the activation of an advanced matching feature within the pixel led to the unintended transfer of sensitive customer data to Meta over an extended period.
Incident spanned from Janurary 19, 2020 to April 25, 2022.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP
Assessments
Data mapping
Fine / Penalty
$3,400,000
Keywords
Unlawful Marketing
Unlawful processing
Tracking Tech
Sensitive Data
August 5, 2024
UNIQLO EUROPE, LTD
Retail
Spain
The complainant in the case, whose employment contract had been terminated, requested access to their payroll information for July 2022. In responding to the request, the controller sent an e-mail to the complainant that contained an attached PDF document that included his payroll and that of 446 other workers on the staff.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 270,00
Keywords
Data Breach
Mishandling Data
September 16, 2024
AT&T
Telecommunications
USA
AT&T had a data breach of a cloud vendor in January 2023 that impacted 8.9 million customers.
The exposed data included information like the number of lines on an account and in a few cases bill balance and rate plan information but did not contain credit card information, Social Security Numbers, account passwords and other sensitive personal information.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
Vendor
Data mapping
Fine / Penalty
$13,000,000
Keywords
Data Breach
September 26, 2024
Meta
Technology
Ireland
Meta informed the commission in 2019 it inadvertently stored certain passwords of its platforms’ users in “plaintext,” or without protection or encryption
The authority said that 36 million users across the EU and EEA were affected.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
$100,000,000
Keywords
Data Breach
September 24, 2024
Mozilla
Technology
EU-wide
Mozilla, the nonprofit that develops the Firefox web browser, has been hit with a complaint by European Union privacy rights group noyb, which accuses it of violating the bloc's General Data Protection Regulation (GDPR) by tracking Firefox users by default without their permission.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Noyb
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
Tracking Tech
October 8, 2024
Marriott International, Inc. (subsidiary Starwood Hotels & Resorts Worldwide LLC)
Transportation
USA
Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FTC
Related Products
SRR
Data mapping
Fine / Penalty
TBD
Keywords
Data Deletion
Data Breach
Mishandling Data
Data Minimization
Other Actions
Must implement robust security program, and fulfil all delete SRR.
October 8, 2024
Marriott International, Inc. (subsidiary Starwood Hotels & Resorts Worldwide LLC)
Transportation
USA
Attorney General Tong announced today that a coalition of 50 attorneys general, co-led by Connecticut, has reached a settlement with Marriott International, Inc. as the result of an investigation into a large multi-year data breach of one of its guest reservation databases.
Privacy Law
State consumer protection laws
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
50 US State AGs
Related Products
Data mapping
SRR
Fine / Penalty
$52,000,000
Keywords
Data Breach
Data Deletion
Mishandling Data
Data Minimization
October 10, 2024
WerepairUK Ltd
Professional Services
UK
WerepairUK Ltd, based in Tonbridge, has been fined for making 42,688 unsolicited calls. It has appealed the decision. These calls were made to people who had explicitly opted out of receiving marketing communications, violating their privacy and causing some distress.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
SRR
UC
Fine / Penalty
£80,000
Keywords
Unlawful Marketing
October 10, 2024
Service Box Group Limited
Professional Services
UK
Service Box Group Limited, based in Hove, East Sussex, has been fined for 5,361 calls.
These calls were made to people who had explicitly opted out of receiving marketing communications, violating their privacy and causing some distress.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
UC
SRR
Fine / Penalty
£40,000
Keywords
Unlawful Marketing
October 14, 2024
Quick Tax Claims
Professional Services
UK
Quick Tax Claims Limited had sent 7,863,547 unlawful text messages over the course of a month, resulting in 66,793 complaints – 93% of these stating there was no ‘opt out’ option.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
ICO
Related Products
CMP
UC
SRR
Fine / Penalty
£120,000
Keywords
Unlawful Marketing
October 10, 2024
RTL Belgium
Telecommunications
Belgium
Failed to display both an 'accept all' and a 'reject all' button on the first layer of its cookie banner.
Used misleading colors in its cookie banner, directing users towards the choice of consenting to cookies by highlighting the 'accept all' button.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 40,000 per day
Keywords
Dark Patterns
Other Actions
See H171
October 14, 2024
National Basketball Association
Entertainment
USA
Defendant’s allegedly disclosured the plaintiff’s video viewing information to Meta via the Facebook Pixel without consent, in violation of the VPPA.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Federal Courts
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
VPPA
Unlawful processing
October 2, 2024
TikTok
Technology
USA
The complaint alleges that TikTok did not provide verified parents with the ability to control or limit the privacy and account settings on a minor’s account, such as tools to limit TikTok’s sharing, disclosure and sale of a minor’s personal identifying information and control TikTok’s ability to display targeted advertising to a minor.
Privacy Law
Securing Children Online Through Parental Empowerment (“SCOPE”) Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
AG
Related Products
CMP
UC
Fine / Penalty
10,000 per violation
Keywords
Unlawful processing
October 23, 2024
Technology
Ireland
Ireland’s data protection watchdog has fined the professional social media site for GDPR breaches related to targeted advertising.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPC
Related Products
UC
CMP
Assessments
Fine / Penalty
€310,100,000
Keywords
Tracking Tech
Unlawful Marketing
Other Actions
In addition, the regulator handed LinkedIn a reprimand and ordered it to bring its processing into compliance.
October 22, 2024
NHL
Entertainment
USA
VPPA: Lawsuit claims that the NHL collected and shared personal viewing data with third parties, such as Facebook, without user consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
Class Actions Lawsuits
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
VPPA
Unlawful processing
October 22, 2024
MLB
Entertainment
USA
VPPA: MLB is facing a lawsuit for allegedly violating the Video Privacy Protection Act (VPPA) by sharing users’ personal video viewing information with Facebook without consent.
Privacy Law
VPPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Class Actions Lawsuits
Related Products
CMP
UC
Fine / Penalty
TBD
Keywords
VPPA
Unlawful processing
October 31, 2024
Meta
Technology
USA
CFPB staff informed Meta on Sept. 18 that it is weighing potential legal action related to advertising for financial products on the company’s platforms, which include photo-sharing platform Instagram and messaging service WhatsApp, the company revealed in a Thursday securities filing.
Privacy Law
Dodd-Frank Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
CFPB
Related Products
UC
CMP
Fine / Penalty
TBD
Keywords
Unlawful Marketing
October 29, 2024
Temu
Retail
EU-wide
The Commission has opened formal proceedings to assess whether Temu may have breached the Digital Services Act (DSA) in areas linked to the sale of illegal products, the potentially addictive design of the service, the systems used to recommend purchases to users, as well as data access for researchers.
Privacy Law
Digital Services Act (DSA)
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
EU Commission
Related Products
Assessments
Fine / Penalty
TBD
Keywords
Tracking Tech
Unlawful Marketing
October 21, 2024
Unisys
Professional Services
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$4,000,000
Keywords
Data Breach
October 21, 2024
Avaya
Professional Services
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$1,000,000
Keywords
Data Breach
October 21, 2024
Check Point
Technology
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$995,000
Keywords
Data Breach
October 21, 2024
Mimecast
Technology
USA
Negligently minimized its cybersecurity incident in its public disclosures. Downplayed the extent of the breach, and did not properly disclose the cyberthreat.
Privacy Law
SEC Rules
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
SEC
Related Products
Assessments
Trust Hub
Fine / Penalty
$990,000
Keywords
Data Breach
October 15, 2024
Your Consulting SRL
Professional Services
Romania
The operator did not implement adequate technical and organizational measures at the time of establishing the means of processing or at the time of the processing itself and did not carry out periodic testing, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Trust Hub
Assessments
Fine / Penalty
€ 3,000
Keywords
Data Breach
Other Actions
Must implement robust security program starting with assessments
October 20, 2024
Grue municipality
Public Sector
Norway
Sensitive Data breach in a public postal journal. 14 individuals were affected.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Data mapping
Fine / Penalty
€ 20,800
Keywords
Sensitive Data
Data Breach
Other Actions
The municipality also initiated extensive control work and measures to prevent similar incidents in the future
October 21, 2024
IBERCAJA BANCO, S.A.
Financial Services
Spain
Insufficient legal basis for data processing.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 180,000
Keywords
Unlawful processing
October 27, 2024
Vodafone Romania S.A.
Telecommunications
Romania
It was found that the operator Vodafone Romania S.A. did not adopt sufficient technical and organizational measures to ensure the confidentiality of the processed personal data. no measures were taken to hide the recipients' email addresses.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 5,000
Keywords
Data Breach
October 29, 2024
Untold SRL
Professional Services
Romania
The controller did not resolve the request for access to the personal data of the data subject, although he communicated for correspondence his e-mail address, telephone number, full name and surname and postal address.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 15,000
Keywords
Mishandling Data
Other Actions
Corrective measures were ordered against the operator.
November 3, 2024
Blackcab Systems SRL
Professional Services
Romania
DSAR not fulfilled, and during the investigation, it was found that the operator Blackcab Systems SRL did not prove that it responded to the petitioner's request.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 1,000
Keywords
Mishandling Data
Other Actions
Corrective measures were ordered against the operator:
November 5, 2024
Meta
Technology
South Korea
From July 2018 to March 2022, the company gathered data from nearly 980,000 users without asking for their explicit permission. This information included highly personal details such as users’ political beliefs, religious preferences, and whether they were in same-sex relationships. Once the company collected this sensitive data, it shared it with around 4,000 advertisers.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
PIPC
Related Products
CMP
UC
Assessments
Fine / Penalty
₩ 15,000,000
Keywords
Tracking Tech
Unlawful processing
Sensitive Data
November 7, 2024
T-Mobile
Telecommunications
USA
The telecom company promised to address “foundational security flaws,” work to improve “cyber hygiene,” and adopt “robust modern architectures,” such as zero trust and multi-factor authentication that is resistant to phishing.
Privacy Law
FCC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
Assessments
Data mapping
Fine / Penalty
$31,500,000
Keywords
Data Breach
October 1, 2024
California Privacy Protection Agency Announces Investigative Sweep of Data Brokers
Technology
USA
The California Privacy Protection Agency (“CPPA”) announced that it is conducting an investigative sweep focused on enforcing requirements for data brokers to register with the CPPA by January 31, 2024, under California’s Delete Act (the “Act”). Under the Act, the CPPA has the authority to impose an administrative fine of $200 per day for each day the data broker failed to register.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
CPPA
Related Products
UC
SRR
Fine / Penalty
$200 per day
Keywords
N/A
November 14, 2024
Growbots
Technology
USA
The company failed to register between February 1 and July 26, 2024, per the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
CPPA
Related Products
Regulatory Guidance
Fine / Penalty
$35,000
Keywords
N/A
November 14, 2024
UpLead
Technology
USA
The company failed to register between February 1 and July 21, 2024, per the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
CPPA
Related Products
Regulatory Guidance
Fine / Penalty
$34,400
Keywords
N/A
November 19, 2024
Technology
Germany
The German Federal Court of Justice made a judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR from a 2021 data breach of Facebook. This judgment is important insofar as the BGH has taken a position on a legal issue – non-material damages for loss of control over personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
German Federal Court of Justice
Related Products
Data mapping
Fine / Penalty
€ 250
Keywords
Data Breach
November 21, 2024
Eken
Technology
Hong Kong
Apparent violations of FCC rules that require the company to designate an agent located in the United States.
Privacy Law
FCC Rules
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
FCC
Related Products
Privacy Expert
Regulatory Guidance
Fine / Penalty
TBD
Keywords
Unlawful processing
November 15, 2024
Posti
Logistics
Finland
Posti had automatically created an electronic OmaPosti mailbox for customers without a separate request.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
UC
CMP
SRR
Fine / Penalty
€ 2,400,000
Keywords
Mishandling Data
November 19, 2024
Bunnings
Retail
Australia
Individuals’ facial images were compared against those of individuals Bunnings had enrolled in a database who had been identified as posing a risk, for example, due to past crime or violent behavior, according to the OAIC.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
OAIC
Related Products
UC
Assessments
Data mapping
Fine / Penalty
TBD
Keywords
Unlawful processing
Tracking Tech
Sensitive Data
November 28, 2024
Freedelity
Technology
Belgium
The DPA found issues with Freedelity’s:
consent mechanisms for data processing;
excessive data collection; and
overly long data retention periods for personal data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP
UC
Assessments
Data mapping
Fine / Penalty
TBD
Keywords
Tracking Tech
Unlawful processing
Other Actions
The company has a period of 4 months to comply with these injunctions, and will have to pay penalties of up to 5,000 euros per day of delay in the event of non-compliance or partial compliance.
November 27, 2024
Coupang
Retail
South Korea
he fine was in relation to two data breaches, the first caused by the mishandling of data transmitted and the second breach was caused by an authentication issue.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
PIPC
Related Products
Assessments
Data mapping
Fine / Penalty
$1,100,000
Keywords
Data Breach
November 27, 2024
Mediahuis
Entertainment
Belgium
Mediahuis had fully complied with the DPA’s order regarding illegal cookie banners, thereby avoiding a €25,000 (US$26,402) daily penalty.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
Market Court
Related Products
CMP
Fine / Penalty
Avoided $26,402 daily penalty
Keywords
Unlawful processing
Tracking Tech
November 1, 2024
Master Wealth Control and Property Lovers
Financial Services
Australia
The companies failed to collect data fairly; to notify individuals whose data was collected; and
ensure the accuracy of the information.
Privacy Law
Privacy Act 1988
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
OAIC
Related Products
CMP
UC
Assessments
Data mapping
Trust Hub
Fine / Penalty
n/a
Keywords
Unlawful processing
Mishandling Data
Other Actions
Ordered to cease collecting personal information unfairly, destroy their leads lists within 30 days, update their privacy policies, and provide evidence of compliance.
December 3, 2024
Gravy Analytics (and subsidiary Venntel)
Technology
USA
Unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
FTC
Related Products
CMP
UC
SRR
Assessments
Data mapping
Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data
Selling Data
Unlawful processing
Other Actions
Prohibited from selling, disclosing, or using sensitive location data in any product or service, and must establish a sensitive data location program.
December 18, 2024
Netflix
Entertainment
Netherlands
Netflix did not give customers sufficient information about what the company does with their personal data between 2018 and 2020.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP
Templates
Trust Hub
Fine / Penalty
4.75M euro
Keywords
Notice
December 20, 2024
OpenAI
Technology
Italy
OpenAI had wrongly relied on legitimate interest as a legal basis for processing personal data, processed inaccurate personal data, and had no age verification measures in place.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
UC
Privacy Expert
Assessments
Fine / Penalty
15,000,000
Keywords
Unlawful processing
Other Actions
They must carry out a six month campaign informing Italians of how it uses their personal data for their services.
December 12, 2024
Various Organizations
All
France
The French Data Protection Authority (CNIL) issued notices to several organizations regarding non-compliant cookie banners. The notices were a result of complaints about dark patterns that encouraged users to accept non-essential cookies. The CNIL found that the methods for rejecting cookies were not as easy to use as those for accepting them, and that the designs were misleading. https://www.huntonak.com/privacy-and-information-security-law/cnil-issues-notices-regarding-non-compliant-cookie-banners
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP
Fine / Penalty
N/A
Keywords
Dark Patterns
December 20, 2024
Grubhub
Logistics
USA
Grubhub engaged in deceptive practices, such as misleading diners about delivery fees, blocking access to gift card funds, and falsely advertising driver earning.
Privacy Law
FTC Act
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
FTC
Related Products
Trust Hub
Privacy Expert
Regulatory Guidance
Fine / Penalty
$25,000,000
Keywords
Notice
Other Actions
Grubhub to make changes to its business practices, including not adding surprise fees to delivery totals, providing a simple way to cancel Grubhub+ subscriptions, stopping listing unaffiliated restaurants and not making misleading driver-earning claims. Illinois Attorney General aided in case.
January 8, 2025
Bindl v EU commission
Public Sector
EU-wide
European General Court Decision: The court ordered the European Commission to pay damages (400 EUR) for unlawfully transferring data to the U.S. without adequate protections. This transfer to the US occurred when data was shared with Meta via a "Sign in with Facebook" button on an official EU website.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
Unknown
Who Enforced
European General Court
Related Products
Assessments
Data mapping
Trust Hub
Fine / Penalty
400 EUR
Keywords
Cross-Border Transfer
January 8, 2025
Allstate + Arity (Allstate's tech subsidiary)
Transportation
USA
Arity (Allstate's tech subsidiary) allegedly slipped their SDK into third-party apps to collect “trillions of miles” of driving behavior from mobile devices, other in car devices, and vehicles themselves.
Privacy Law
Texas Data Privacy and Security Act
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
AG
Related Products
Trust Hub
UC
Fine / Penalty
TBD
Keywords
Selling Data
Mishandling Data
Tracking Tech
Unlawful processing
Other Actions
N/A
January 9, 2025
Court Administration Office
Public Sector
South Korea
Data breach involving litigation-related documents containing the personal data of 17,998 individuals. The PIPC claims the breach occurred as a result of the CAO’s unencrypted storage systems and weak data security protocols. The CAO also delayed reporting the breach, according to the PIPC.
Privacy Law
PIPA
Level of Government
Federal
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
Unknown
Who Enforced
PIPC
Related Products
Assessments
Data mapping
Fine / Penalty
$183,982
Keywords
Data Breach
Mishandling Data
January 8, 2025
Bayview Asset Management (Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings)
Financial Services
USA
Failing to maintain sufficient cybersecurity practices and for not fully cooperating with state regulators following a data breach that impacted 5.8 million customers.
Privacy Law
State Agency Rules
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
52 state financial regulatory agencies
Related Products
Assessments
Data mapping
Fine / Penalty
$20,000,000
Keywords
Data Breach
Mishandling Data
Other Actions
Corrective actions, improve cybersecurity programs, undergo independent assessments, and provide three years of additional reporting to the states.
January 7, 2025
Elgon Information Systems
Healthcare
USA
Ransomware attack prompted HHS finding they had failed to conduct a thorough risk analysis to address vulnerabilities in its systems, exposing 31,248 individuals’ ePHI.
Privacy Law
HIPAA
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
HHS
Related Products
Assessments
Data mapping
Fine / Penalty
$80,000
Keywords
Sensitive Data
Data Breach
Mishandling Data
December 17, 2024
Meta Platforms Ireland Limited
Technology
Ireland
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
251,000,000
Keywords
Mishandling Data
Data Breach
January 8, 2025
ECJ v Austria
All
Austria
The ECJ ruled that data subject complaints cannot be deemed excessive solely based on their frequency.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
ECJ
Related Products
SRR
Fine / Penalty
None
Keywords
N/A
Other Actions
None
January 23, 2025
Softehnica S.R.L.
Logistics
Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€2,000
Keywords
Mishandling Data
January 20, 2025
Vodafone Romania S.A.
Telecommunications
Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 15,000
Keywords
Data Breach
January 17, 2025
DELIVERY SOLUTIONS S.A.
Logistics
Romania
Insufficient technical and organisational measures to ensure information security.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 2,000
Keywords
Data Breach
Other Actions
Corrective measures were ordered
February 11, 2025
Amazon
Technology
USA
Maxwell v. Amazon: The plaintiffs claim that Amazon collected health data from consumers through its SDK without giving the required notice or getting consent. The complaint doesn't discuss whether this data collection could be considered necessary under MHMDA's rules. However, it suggests that since the services consumers used were provided by apps using the SDK (and not directly by Amazon), this exception doesn't apply.
Privacy Law
MHMDA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
State Courts
Related Products
CMP
UC
Trust Hub
Fine / Penalty
TBD
Keywords
Sensitive Data
Unlawful processing
February 26, 2025
Cookie-Banner Class Actions (U.S)
All
USA
Since the beginning of 2025, several (at least three) class actions have been filed arising out of allegedly malfunctioning cookie banners. The plaintiffs claim to have opted out of non-essential cookies, but their opt-out was not effective.
Privacy Law
N/A
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
State Courts
Related Products
CMP
UC
Fine / Penalty
N/A
Keywords
N/A
February 4, 2025
[Name Not Public]
Retail
France
Disproportionate surveillance of its employees' activity, through software.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Privacy Expert
Assessments
Fine / Penalty
€ 40,000
Keywords
Data Minimization
Tracking Tech
Unlawful processing
February 5, 2025
ORANGE ESPAGNE, S.A.U.
Telecommunications
Spain
Unauthorized duplication of the complainant's SIM card, leading to financial losses.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 1,200,000
Keywords
Data Breach
Other Actions
ORANGE was ordered to implement measures to ensure that SIM card duplications are only carried out with proper verification of the requester's identity.
February 20, 2025
Medstar S.R.L.
Healthcare
Romania
The investigation was started following a complaint from a data subject, who claimed that the operator where he performed his medical tests, the Medstar clinic, disclosed his personal data and that of another data subject.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 2,000
Keywords
Data Breach
Mishandling Data
March 6, 2025
Publicaciones y Ediciones Baraca 208, S.L.
Retail
Spain
Unlawfully publishing personal data, including health information, without a legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
Trust Hub
Privacy Expert
Assessments
Fine / Penalty
€ 6,000
Keywords
Data Breach
Unlawful processing
March 6, 2025
Breogan Autolux, S.L.
Retail
Spain
Sending SMS advertisements without consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP
UC
Fine / Penalty
€ 6,000
Keywords
Unlawful Marketing
March 12, 2025
Honda
Transportation
USA
Honda required more information than needed to process opt-out and data limitation requests.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
CPPA
Related Products
SRR
UC
Fine / Penalty
$632,500
Keywords
Data Minimization
March 13, 2025
Investigative Sweep on Location Data Industry
Technology
USA
The agency is sending letters to advertising networks, mobile app providers and data brokers that appear to be violating the CCPA.
Privacy Law
CCPA/CPRA
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
AG
Related Products
Data mapping
Assessments
Regulatory Guidance
Privacy Expert
Vendor
SRR
UC
CMP
Fine / Penalty
N/A
Keywords
Unlawful processing
Data Minimization
Mishandling Data
Sensitive Data
March 12, 2025
Saturn Technologies
Technology
USA
They didn’t verify users’ school email addresses and age to ensure they were high school students, and didn't inform users that it would copy and use their “contact books”.
Privacy Law
New York Law
Level of Government
State
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
AG
Related Products
Data mapping
Trust Hub
Assessments
Privacy Expert
Fine / Penalty
$650,000
Keywords
Mishandling Data
Data Minimization
Unlawful processing
March 21, 2025
Amazon
Technology
Luxembourg
Amazon’s €746M GDPR fine upheld. Fine was from inaquadue transparency and consent management.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
Luxembourg Court
Related Products
CMP
UC
SRR
Trust Hub
Fine / Penalty
€ 756,000,000
Keywords
Mishandling Data
March 5, 2025
EDPB enforcement sweep on SRRs
All
Europe
EDPB has launched its 2025 enforcement sweep targeting organizations’ compliance with data subjects’ right of erasure (right to delete or be forgotten), focusing particularly on how exceptions are applied. Thirty-two EU member state data protection authorities (DPAs) will participate in this year-long sweep that began March 5, 2025.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
N/A
Who Enforced
EDPB
Related Products
SRR
Fine / Penalty
TBD
Keywords
N/A
April 3, 2025
Poczta Polska
Logistics
Poland
The postal service provider for unlawfully sharing personal data (including PESEL numbers, names, addresses, and travel details) of all registered Polish adults during the 2020 election preparations.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Vendor
Assessments
Data mapping
Fine / Penalty
€ 6,479,424
Keywords
Mishandling Data
April 3, 2025
Caixabank
Financial Services
Spain
A complaint from a customer who discovered that a co-owner could access not only their joint account but also a third account due to a system error in "CaixaBankNow."
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 3,500,000
Keywords
Sensitive Data
Data Breach
Mishandling Data
April 3, 2025
Liga Nacional de Fútbol Profesional
Entertainment
Spain
They were conducting biometric checks in stadiums without prior data protection impact assessments.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$1 billion – $10 billion
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€ 1,000,000
Keywords
Sensitive Data
Notice
April 3, 2025
Ibermutua Mutua Colaboradora Con La Seguridad Social Nº 274
Healthcare
Spain
Software error that led to the accidental disclosure of personal data to third parties.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Assessments
Data mapping
Fine / Penalty
€ 600,000
Keywords
Sensitive Data
Data Breach
Mishandling Data
April 3, 2025
[Name Not Public]
Telecommunications
Germany
They delayed responses to information requests.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
SRR
Fine / Penalty
€ 120,000
Keywords
Mishandling Data
April 11, 2025
Lusha
Advertising
Italy
The investigation follows complaints from individuals who received unsolicited calls, suggesting that their data may have been sourced from Lusha’s platform without proper consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Large (201-500 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP
UC
Trust Hub
Fine / Penalty
TBD
Keywords
Unlawful Marketing
April 18, 2025
Court Overrules FCC’s Fine Against AT&T
Telecommunications
USA
This could have broader implications on the legality of regulatory agencies levying fines through administrative proceedings, the 5th U.S. Circuit Court of Appeals has overturned a $57 million fine imposed by the Federal Communications Commission against AT&T for violating the privacy of its customers’ location data.
Privacy Law
Communications Act of 1934
Level of Government
Federal
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
FCC
Related Products
CMP
UC
SRR
Assessments
Data mapping
Fine / Penalty
$57,000,000
Keywords
Fine Overturned
April 14, 2025
DPP Law Ltd.
Professional Services
United Kingdom
DPP failed to adopt the principle of least privilege and failed to regularly audit administrative accounts on its network.
Privacy Law
UK GDPR
Level of Government
Federal
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
£ 70,300
Keywords
Data Breach
May 8, 2025
Jerico Pictures, Inc., d/b/a National Public Data
Technology
USA
Failed to register and pay an annual fee as required by the Delete Act.
Privacy Law
Delete Act
Level of Government
State
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
CPPA
Related Products
Privacy Expert
Regulatory Guidance
Fine / Penalty
$46,000
Keywords
N/A
April 10, 2025
Marina Salud
Healthcare
Spain
The Processor appointed sub-processors without authorisation from the controller.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
Vendor
Fine / Penalty
€500,000.00
Keywords
Unlawful processing
May 2, 2025
TikTok
Technology
Ireland
"TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.
As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”"
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Enterprise (501+)
Estimated Annual Revenue
Over $10 billion
Who Enforced
DPA
Related Products
CMP
UC
SRR
Trust Hub
Fine / Penalty
€530,000,000
Keywords
Cross-Border Transfer
Unlawful processing
Other Actions
Required TikTok to improve its EEA Privacy Policy. Also, TikTok must put an end to the transfers to China.
May 15, 2025
CALOGA
Advertising
France
Commercial prospecting without prospects’ consent and transferring their data to partners without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$100 million – $1 billion
Who Enforced
DPA
Related Products
CMP
UC
Vendor
Fine / Penalty
€80,000
Keywords
Unlawful Marketing
Unlawful processing
May 22, 2025
A.A.A
Professional Services
Spain
Insufficient legal basis for data processing. A legal representative processed a client’s sensitive information without consent.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP
UC
Trust Hub
Fine / Penalty
€2000.00
Keywords
Unlawful processing
May 15, 2025
SOLOCAL MARKETING SERVICES
Advertising
France
Insufficient legal basis for data processing. Failed to obtain proper consent from individuals before using their data for marketing purposes and for sharing the data with third parties without a valid legal basis.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$10 million – $100 million
Who Enforced
DPA
Related Products
CMP
UC
Vendor
Fine / Penalty
€900,000.00
Keywords
Unlawful processing
Unlawful Marketing
December 18, 2024
Toyota Bank Polska S.A.
Financial Services
Poland
The Data Personal Officer (DPO) was not fully independent in his work. Furthermore, Toyota Bank Polska S.A. failed to include profiling in the record of processing activities and data protection impact assessment.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
Assessments
Trust Hub
Privacy Expert
Regulatory Guidance
Fine / Penalty
€132,000.00
Keywords
Unlawful processing
March 6, 2025
Polskie Radio Szczecin (Polish Radio Szczecin)
Logistics
Poland
The radio station released a press article in which a conviction for sexual harassment was described. The journalist revealed that a parliament member’s son was the victim and did it in such a way that the child could be identified.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Fine / Penalty
€13,500.00
Keywords
Mishandling Data
Data Breach
April 23, 2025
Real Estate Agency
Professional Services
Belgium
A complaint was filed because the agency kept publishing property listings, including precise address information and cadastral references, even after the property was sold.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP
UC
Assessments
Trust Hub
Privacy Expert
Fine / Penalty
€6,000
Keywords
Sensitive Data
Mishandling Data
Unlawful processing
Other Actions
The agency was ordered to delete the data and cease its processing across all platforms.
April 23, 2025
Diskrimineringsombudsmannen
Public Sector
Sweden
The company operated a form that collected sensitive personal data that had a security misconfiguration in the analytics tool which failed to mask personal data on the form’s summary page before submission, and unintentionally transferred to an external data processor.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Medium (51-200 employees)
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
Data mapping
Vendor
Fine / Penalty
€9,200
Keywords
Sensitive Data
Data Breach
Mishandling Data
Other Actions
Removed form and required the processor to delete all information.
March 28, 2025
FUNDACIÓ PRIVADA DE SERVEIS PER ALS USUARIS DEL HABITATGE SOCIAL DE CATALUNYA
Professional Services
Spain
Failed to obtain the data subject’s consent or legal basis to process their personal bank account data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Small (1-50 employees)
Estimated Annual Revenue
Under $1 million
Who Enforced
DPA
Related Products
CMP
UC
SRR
Fine / Penalty
€2,000
Keywords
Sensitive Data
Unlawful processing
April 11, 2025
NOVATES ALIMENTACIÓN MADRID, S.L.
Retail
Spain
Improper handling of video surveillance data.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
$1 million – $10 million
Who Enforced
DPA
Related Products
Assessments
CMP
UC
SRR
Fine / Penalty
€20,000
Keywords
Sensitive Data
Other Actions
They were ordered to implement and notify the AEPD of technical and organizational security measures within one month to secure surveillance data appropriately.
April 9, 2025
Servicios de Integración de Andalucía
Telecommunications
Spain
(SIA) was sanctioned for including an employee’s personal phone number in a WhatsApp group used for internal communications, without valid consent or an alternative contact method.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP
UC
Assessments
Fine / Penalty
€2,000
Keywords
Unlawful processing
April 22, 2025
[Name Not Public]
Advertising
Belgium
Non-compliance with several general data processing principles.
Privacy Law
GDPR
Level of Government
Supernational
Employee Count
Unknown
Estimated Annual Revenue
Unknown
Who Enforced
DPA
Related Products
CMP
UC
SRR
Assessments
Privacy Expert
Trust Hub
Fine / Penalty
€20,000
Keywords
Mishandling Data
Unlawful processing
Back
Next