Between 2021 and 2023, European data protection authorities issued over €1.4 billion in fines tied to consent and tracking violations. Regulators treat cookie and consent failures not as technicalities but as fundamental breaches of user autonomy — and the penalties reflect it.
This guide covers the ten largest fines related to cookie consent, tracking without permission, and dark-pattern design. For each case: the amount, the authority, what went wrong, and what it means for website owners in 2026. For the regulatory backdrop, see our guides on GDPR, the ePrivacy Directive, and CNIL cookie guidelines.
1. Amazon — €746 Million (Luxembourg, July 2021)
Authority: CNPD, Luxembourg | Date: July 16, 2021
Violation: Processing personal data for targeted advertising without valid consent
The largest GDPR fine issued up to that point stemmed from a broader consent failure at the heart of how tracking works. The Luxembourg CNPD concluded that Amazon had processed personal data for behavioral advertising without valid consent, following a 2018 complaint by La Quadrature du Net. The €746 million penalty demonstrated that regulators were willing to use the GDPR's upper-bound mechanism, up to 4% of global annual turnover, against major platforms.
Important update: fine overturned on appeal
Luxembourg's Administrative Court subsequently annulled the €746 million penalty, ruling that the CNPD had not adequately determined whether Amazon's violation was intentional and had not sufficiently considered whether the fine was proportionate. The case underscores how enforcement and appeals can diverge — but the original decision's reasoning on consent requirements remains influential in how other authorities approach ad-targeting violations.
2. Meta (Facebook & Instagram) — €390 Million (Ireland, January 2023)
Authority: DPC, Ireland | Date: January 4, 2023
Violation: Using 'contractual necessity' as legal basis for personalized advertising instead of consent
Split across two decisions (€210M for Facebook, €180M for Instagram), this fine tackled a deeper question than banner design: can you bury consent for ad tracking inside your Terms of Service? The DPC, pushed by other European authorities to increase the penalty, ruled that Meta could not rely on Article 6(1)(b) GDPR for personalized ads — they aren't necessary to provide a social media service.
Not a cookie-banner case in the narrow sense, but it directly affects how tracking technologies can be justified. If your legal basis for non-essential tracking isn't consent, the banner is window dressing.
3. Google — €150 Million (CNIL France, January 2022)
Authority: CNIL, France | Date: December 31, 2021 (announced January 2022)
Violation: Making it harder to reject cookies than to accept them on google.fr and youtube.com
The textbook cookie-banner fine. The CNIL found a single 'Accept all' button on Google's sites — but refusing cookies required five separate actions. The fine (€90M against Google LLC, €60M against Google Ireland) established the 'reject as easy as accept' principle as the single most enforced rule in European cookie compliance. Google eventually added an 'Only allow essential cookies' button, and the CNIL closed the injunction in July 2023. See our CNIL guidelines and one-click reject rule guides.
4. Meta (Facebook) — €60 Million (CNIL France, January 2022)
Authority: CNIL, France | Date: December 31, 2021 (announced January 2022)
Violation: No equivalent 'reject all' button on facebook.com
Announced the same day as the Google fine for the same violation: one-click accept, multi-step reject. Together, the two decisions totaled €210 million and established the template other authorities would follow. Banner asymmetry is not a UX preference — it's a compliance violation.
5. Microsoft — €60 Million (CNIL France, December 2022)
Authority: CNIL, France | Date: December 22, 2022
Violation: Depositing advertising cookies on Bing without consent; no easy reject mechanism
A year after Google and Facebook, the CNIL fined Microsoft €60 million for the same pattern on Bing: advertising cookies placed before consent, single-click accept, two clicks to refuse. Microsoft was given three months to comply (€60,000/day penalty for delay) and introduced a 'Refuse all' button in March 2023. The CNIL was unmoved by Microsoft's claim that it had already started making changes — compliance at the time of audit is what counts.
6. Criteo — €40 Million (CNIL France, June 2023)
Authority: CNIL, France | Date: June 15, 2023
Violation: Failing to verify consent for tracking cookies; retaining identifiers after opt-out
Criteo was fined €40 million (~2% of turnover) for five GDPR infringements. The core issue: Criteo relied on publisher partners to collect consent for its tracking cookie but never verified they actually did. When users opted out, Criteo stopped showing personalized ads but retained identifiers for algorithmic optimization. France's highest court upheld the fine in March 2026.
The lesson: If third-party scripts set cookies on your behalf, you're responsible for verifying consent — not just the vendor.
7. Apple — €8 Million (CNIL France, January 2023)
Authority: CNIL, France | Date: December 29, 2022 (announced January 4, 2023)
Violation: Reading ad identifiers on iPhones for personalized App Store ads without prior consent
Apple was fined €8 million for automatically reading advertising identifiers under iOS 14.6 to serve personalized App Store ads. The consent mechanism used a pre-checked setting — which the CNIL ruled invalid. Users had to navigate multiple steps to deactivate it. The fine was modest given Apple's size, but the principle was clear: pre-checked settings are not consent, per the CJEU's Planet49 ruling (2019), regardless of how a company positions itself on privacy.
8. CaixaBank — €6 Million (AEPD Spain, January 2021)
Authority: AEPD, Spain | Date: January 13, 2021
Violation: Processing personal data without valid consent; inadequate information to data subjects
Spain's largest GDPR fine at the time: €4 million for unlawful processing (Article 6) and €2 million for insufficient user information (Articles 13/14). CaixaBank had no adequate consent mechanism meeting GDPR standards. While focused on broader data processing rather than cookie banners, the consent infrastructure failures are directly relevant — a consent mechanism that doesn't meet GDPR requirements can trigger enforcement regardless of context.
9. TikTok — €5 Million (CNIL France, January 2023)
Authority: CNIL, France | Date: December 29, 2022 (announced January 12, 2023)
Violation: No 'reject all' button; insufficient cookie information on tiktok.com
Same reject-button asymmetry as Google, Facebook, and Microsoft. The CNIL investigated tiktok.com between May 2020 and June 2022, finding single-click accept but multi-step reject, plus insufficient detail about cookie purposes. TikTok added a 'Refuse all' button in February 2022 during the investigation, which likely mitigated the fine amount. The decision concerned only the website, not the mobile app.
10. Sephora — $1.2 Million (California AG, August 2022)
Authority: California Attorney General | Date: August 24, 2022
Violation: Selling personal information via tracking cookies without disclosure; failing to honor GPC signals
The first monetary penalty under the CCPA. The California AG alleged that Sephora's third-party tracking cookies constituted a 'sale' of personal information, and the company had failed to disclose this, provide a 'Do Not Sell' link, or honor Global Privacy Control opt-out signals. Cookie compliance isn't just a European problem — US state privacy laws (now active in over 20 states) define 'sale' broadly enough to cover standard advertising cookies.
The Five Violation Patterns That Trigger Enforcement
Across these ten cases, the same violations recur. Understanding the pattern tells you what regulators are looking for on your site right now.
1. Reject must be as easy as accept
Google, Facebook (CNIL), Microsoft, and TikTok were all fined for the same asymmetry: one-click accept, multi-step reject. Over €275 million in fines stem from this single pattern. If your banner hides the reject option behind a settings panel or extra clicks, you're replicating the exact violation. See our guides on the one-click reject rule and dark patterns in cookie banners.
2. Tracking fires before consent
Microsoft and Apple were fined because tracking started before users made any choice. Under Article 5(3) of the ePrivacy Directive, and under the GDPR's consent rules wherever personal data is involved, consent must be obtained before any non-essential cookie or identifier is written or read; only strictly necessary cookies are exempt. A tracking tag that fires on page load is a violation regardless of what the banner says, and that includes tags fired by a tag manager before the consent state is known.
3. Invalid legal basis for tracking
Meta's €390M fine: you can't bury consent for ad tracking inside Terms of Service by calling it 'contractual necessity.' If your legal basis for non-essential tracking isn't consent, it needs to genuinely hold.
4. Outsourcing consent without verification
Criteo's €40M fine: relying on partners to collect consent without checking that they did. Installing a third-party ad script and assuming the vendor handles consent is not a defense.
5. Ignoring opt-out signals
Sephora's CCPA settlement: websites must honor Global Privacy Control signals. Increasingly relevant beyond California as more US states and the GDPR's right to object create similar obligations.
How to Calculate Your Risk Exposure
The GDPR's maximum penalty for the most serious violations is €20 million or 4% of global annual turnover, whichever is higher (Article 83(5)). For less serious infringements, the cap is €10 million or 2% of turnover (Article 83(4)). The cookie rules themselves come from the ePrivacy Directive, whose penalties are set by each member state's transposition; in France that is Article 82 of the Loi Informatique et Libertés, which the CNIL enforces under its own sanction powers. This matters procedurally: because ePrivacy enforcement sits outside the GDPR's one-stop-shop mechanism, the CNIL could fine Google, Meta, Microsoft and TikTok directly for their French-facing sites instead of routing the cases through the Irish DPC.
In practice, fines are calibrated based on several factors:
- Nature and severity: A missing reject button on a site serving millions of users draws more attention than a misconfigured analytics cookie on a small site.
- Duration: How long the violation persisted. The CNIL's investigations often span years of non-compliance.
- Number of data subjects affected: Google and Facebook's fines reflected the massive user bases of google.fr, youtube.com, and facebook.com.
- Intentional vs. negligent: The Amazon appeal succeeded partly because the court found the CNPD had not adequately assessed whether the violation was intentional.
- Corrective steps taken: TikTok's fine was lower in part because the company had added a reject button during the investigation period.
- Previous violations: Repeat offenders face escalating penalties.
For a small or mid-sized website, the risk isn't a nine-figure fine. But even a €50,000–€500,000 penalty — well within the range that authorities issue to smaller organizations — can be devastating. And the real cost of enforcement often isn't the fine itself: it's the injunction to halt processing, the mandatory remediation timeline, and the public disclosure that follows.
For a practical compliance audit, use our cookie consent audit checklist.
Prevention: Eight Steps That Would Have Stopped Every Fine
- Block all non-essential tracking until consent is given. No analytics, advertising, or social cookie should fire before the user actively consents, and that includes tags loaded through a tag manager. Your CMP must actually block scripts, not just display a banner while cookies load. This is the pattern behind the Microsoft and Apple findings, and it is the first thing an auditor checks.
- Offer 'Reject all' with equal prominence. Same size, same visual weight, same number of clicks as 'Accept all.' The CNIL's most-enforced rule.
- Default all toggles to off. Pre-checked boxes are invalid consent per Planet49. Apple's fine targeted exactly this.
- Use consent as your legal basis for advertising. Don't bundle tracking into Terms of Service (Meta's €390M lesson).
- Verify consent across your tracking chain. Audit third-party scripts, verify they respect consent signals, document the chain. 'My partner handles consent' is not a defense (Criteo's €40M lesson).
- Honor opt-out signals. GPC is legally binding in California and expanding. Configure your solution to detect and respect it (Sephora's lesson).
- Log consent with timestamps. Record what each user agreed to, when, and what information was presented. See our guide on consent expiry and re-consent.
- Run regular cookie audits. Unknown cookies are unmanaged cookies. Use automated scanning to detect every cookie, script, and connection — including those from third parties. The GDPR compliance checklist gives you the step-by-step process.
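The consent-gate logic behind steps 1, 3, 6 and 7 above, as an added example that is not CookieBeam's code, any CMP's real API, or code from the original page. It is written as pure functions so it can be run and tested in Node: the `navigator` object is passed in rather than read from the browser, the category names, the `MANIFEST` of sample tags and the expiry cutoff are illustrative assumptions, and the mapping of a GPC signal onto the advertising category is one reasonable policy, not a legal rule.

```javascript
// Added example (not CookieBeam's code or any CMP's real API): the consent gate behind the
// prevention steps above, as pure functions that run outside a browser.
// Category names, the sample manifest and the expiry cutoff are illustrative assumptions.

const NON_ESSENTIAL = ["analytics", "advertising", "social"];

// Step 3: every non-essential category starts off. Nothing is pre-checked.
function defaultCategories() {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
}

// Step 6: Global Privacy Control. Browsers expose navigator.globalPrivacyControl === true
// when the signal is on; `nav` is a parameter so this also runs in Node.
function gpcOptOut(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Step 7: build the record that gets logged. Only an explicit `true` turns a category on;
// an unknown category is an error rather than something silently accepted.
function recordConsent(choices, { bannerVersion, nav = null, now = () => new Date() } = {}) {
  const categories = defaultCategories();
  for (const [cat, on] of Object.entries(choices)) {
    if (!(cat in categories)) throw new Error(`unknown category: ${cat}`);
    categories[cat] = on === true;
  }
  // Policy assumption: a GPC signal is an opt-out from sale/sharing, so it forces
  // advertising off even when the user clicked "Accept all".
  const gpc = gpcOptOut(nav);
  if (gpc) categories.advertising = false;
  return {
    bannerVersion,
    timestamp: now().toISOString(),
    categories,
    source: gpc ? "user+gpc" : "user",
  };
}

// Consent older than maxAgeMs has to be asked for again; the cutoff is a policy knob.
function isExpired(record, maxAgeMs, now = () => new Date()) {
  return now().getTime() - Date.parse(record.timestamp) > maxAgeMs;
}

// Step 1: the gate. Essential scripts always load; a non-essential one needs a current record
// that says yes. No record (no choice made yet) means block, never "load until they object".
function mayLoad(category, record, { maxAgeMs = Infinity, now } = {}) {
  if (category === "essential") return true;
  if (!record || isExpired(record, maxAgeMs, now)) return false;
  return record.categories[category] === true;
}

// Apply the gate to a manifest of tags. In a page these would be <script type="text/plain"
// data-category="..."> elements that the CMP switches to type="text/javascript" once allowed.
function allowedScripts(manifest, record, opts) {
  return manifest.filter((s) => mayLoad(s.category, record, opts)).map((s) => s.src);
}

// Constructed sample manifest (hypothetical hosts).
const MANIFEST = [
  { src: "/static/app.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];

function demo() {
  const fixedNow = () => new Date("2026-01-15T10:00:00Z");
  const rejected = recordConsent({}, { bannerVersion: "v3", now: fixedNow });
  const acceptedUnderGpc = recordConsent(
    { analytics: true, advertising: true, social: true },
    { bannerVersion: "v3", nav: { globalPrivacyControl: true }, now: fixedNow }
  );
  return {
    beforeChoice: allowedScripts(MANIFEST, null),
    afterReject: allowedScripts(MANIFEST, rejected),
    acceptAllWithGpc: allowedScripts(MANIFEST, acceptedUnderGpc),
    gpcRecord: acceptedUnderGpc,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The browser wiring this leaves out is small: read the stored record, call `allowedScripts` against the tags on the page, and only then flip their `type` so they execute. The point of keeping the decision in `mayLoad` is that "no record" and "expired record" both resolve to block, so a broken storage read fails closed rather than loading trackers by default.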
How CookieBeam Prevents These Violations
CookieBeam was built with these enforcement actions in mind. Each of the violation patterns above maps to a specific capability:
- Script blocking until consent: CookieBeam blocks all non-essential scripts (analytics, advertising, social) before the user interacts with the banner. No tracking fires on page load. This directly addresses the 'tracking before consent' pattern in the Microsoft and Apple cases.
- Equal-prominence reject button: Every CookieBeam banner includes 'Accept all' and 'Reject all' buttons on the first layer by default, with matching visual weight. The CNIL's most-enforced rule is built in, not opt-in.
- Defaults-off toggles: All non-essential cookie categories default to off. Users must actively opt in, per the Planet49 standard. No pre-checked boxes, no default-on settings.
- GPC and opt-out signal handling: CookieBeam detects Global Privacy Control signals and respects them automatically, addressing the Sephora-pattern violation under CCPA and emerging US state laws.
- Consent logging with proof: Every consent decision is logged with a timestamp, the exact banner version shown, the categories selected, and the legal basis applied. When a regulator asks for proof, you have it.
- Automated cookie scanning: CookieBeam's deep scanner detects cookies, scripts, and outbound connections across your site — including third-party trackers you may not know about. Unknown cookies get flagged before they become unknown violations. See how automated scanning works.
- Regional consent: Different jurisdictions trigger different banner behaviors — GDPR opt-in for European visitors, CCPA opt-out for Californians, proportionate treatment for other regions. One installation, compliant everywhere.
Enforcement is accelerating, not slowing down
Between 2021 and 2023, the CNIL alone issued more than €320 million in cookie-related fines across the six French cases above. France's highest court upheld Criteo's €40 million penalty in March 2026, confirming that these decisions survive judicial challenge. Regulators across Europe are cooperating more closely through the EDPB's consistency mechanism, and the pattern is clear: cookie consent enforcement is expanding in scope, not contracting. The question for website owners isn't whether enforcement will reach you; it's whether your consent implementation will hold up when it does.
Key Takeaways
The ten cases in this guide span five countries, three legal frameworks (GDPR, ePrivacy Directive, CCPA), and five years of enforcement. The common thread is simple: if you track users without valid consent, regulators will eventually notice, and the penalties will hurt.
The violations that triggered these fines are not exotic or unusual. They are the design choices many websites still make today: a prominent 'Accept' button with a buried 'Reject' option, cookies that fire before the banner loads, pre-checked toggles, third-party scripts running without verified consent, opt-out signals being ignored. Each of these has now been explicitly penalized, in public, with published reasoning.
The enforcement record is not ambiguous. The prevention steps are not complicated. The cost of getting it wrong has been demonstrated at every scale, from $1.2 million to €746 million. The only remaining question is whether your site is compliant now — not whether regulators will eventually look.
Start with a compliance checklist, run a cookie scan, and make sure your banner actually does what it claims to do.