Cookie consent penalties used to be a European problem. By mid-2026, more than 40 countries enforce some form of consent or tracking regulation, and the penalties range from token fees to fines that can end a mid-size business. The real differences aren't just the maximum number — they're enforcement posture, per-violation compounding, and whether fines scale with revenue or hit a fixed cap.
This guide covers the penalty structures that matter most for websites with global traffic: the law, the maximum fine, the enforcing authority, and what enforcement actually looks like. For case studies, see our biggest GDPR cookie fines guide. For US-specific coverage, see our US state privacy laws guide.
EU/EEA: GDPR and the ePrivacy Directive
The European Union treats cookie consent violations under two overlapping instruments: the GDPR (Regulation 2016/679) for personal data processing, and the ePrivacy Directive (Directive 2002/58/EC, as amended) for device access — including cookies, fingerprinting, and tracking pixels.
GDPR maximum penalties
The GDPR's upper tier allows fines of up to €20 million or 4% of global annual turnover, whichever is higher. The lower tier (up to €10 million or 2% of turnover) applies to controller obligations like record-keeping and impact assessments. Cookie consent violations — particularly dropping tracking cookies without valid consent or using dark patterns to manipulate consent — are routinely treated as upper-tier violations by supervisory authorities.
ePrivacy: implemented nationally, enforced unevenly
The ePrivacy Directive is not a regulation — it's a directive, transposed into each member state's national law. This means each country sets its own penalty ceiling and enforcement apparatus. In practice, the dominant authorities have adopted GDPR-scale penalties for cookie violations, but the approach varies:
- France (CNIL) — The most prolific enforcer. Fines under both the GDPR and France's ePrivacy transposition, at GDPR-scale amounts. Hit Google for €150M, Meta for €60M, and Microsoft for €60M — all for cookie banner dark patterns. See our CNIL cookie guidelines guide.
- Italy (Garante) — Active on both GDPR and the Italian Codice Privacy. Penalties reach GDPR maximums. Has fined companies for pre-checked consent and cookie walls.
- Spain (AEPD) — Enforces under GDPR and the LSSI (Spain's ePrivacy transposition). The LSSI historically carried a lower cap (up to €150,000), but AEPD increasingly fines under GDPR for personal data processing violations, unlocking the full €20M/4% ceiling. One of the highest-volume enforcers by decision count.
- Germany (Länder DPAs) — Cookie enforcement is handled by state-level authorities, not the federal BfDI (which covers federal bodies and telecoms). Enforcement varies across 16 states; Hamburg and Baden-Württemberg have been the most active. Penalties follow GDPR maximums.
- Netherlands (AP) — Enforces under the Dutch Telecommunications Act for cookies and GDPR for data processing. Has fined organizations for cookie walls where consent was not freely given.
- Belgium (GBA/APD) — Enforces under the Belgian Electronic Communications Act and GDPR. The GBA's landmark IAB Europe decision found the TCF consent string itself constitutes personal data.
The long-awaited ePrivacy Regulation would replace the Directive with a single, directly-applicable regulation, but it remains stalled. Until it's adopted, the patchwork of national transpositions is what compliance teams must navigate.
United Kingdom: PECR and the Data (Use and Access) Act 2025
The UK's cookie consent regime has undergone a significant penalty upgrade. Cookie and electronic communications violations fall under the Privacy and Electronic Communications Regulations 2003 (PECR), enforced by the ICO.
Old regime: £500,000 maximum
Until February 2026, the maximum PECR fine was £500,000 — a relic of pre-GDPR regulation that made UK cookie enforcement toothless compared to EU equivalents. The ICO could (and did) issue enforcement notices, but the monetary ceiling limited deterrence.
New regime: £17.5M or 4% of turnover
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, with key PECR penalty provisions taking effect on 5 February 2026. The maximum PECR fine is now £17.5 million or 4% of global annual turnover, whichever is higher — aligning it with the UK GDPR's most serious tier. This is a 35-fold increase over the old ceiling.
UK cookie consent compliance now carries the same financial stakes as EU GDPR. Cookie banner dark patterns, pre-ticked boxes, and missing reject options all face meaningful fines under the new ceiling. For the full breakdown, see our PECR and UK cookie law guide.
United States: CCPA/CPRA, State AGs, and the FTC
The US has no federal privacy law equivalent to GDPR. Enforcement is fragmented across state laws, attorney general actions, and federal trade regulation — with per-violation penalties rather than percentage-of-revenue fines.
California: CCPA/CPRA
California's CCPA (as amended by the CPRA) is enforced jointly by the California Attorney General and the California Privacy Protection Agency (CPPA). Penalties:
- $2,500 per unintentional violation (inflation-adjusted to ~$2,663 in 2026)
- $7,500 per intentional violation or violation involving a minor's data (inflation-adjusted to ~$7,988)
Each affected consumer can constitute a separate violation, so fines compound rapidly. The CPRA eliminated the 30-day cure period. In May 2026, the CPPA announced a $12.75 million settlement with General Motors for selling driving data without consent — the largest CCPA fine to date.
Other US states
More than 20 US states now have comprehensive privacy laws in force, most enforced by the state attorney general. Per-violation penalties typically range from $2,500 to $7,500, following the California model. Colorado, Connecticut, Virginia, and Texas have been the most active enforcers. See our US state privacy laws guide for the full breakdown.
FTC Section 5
The Federal Trade Commission enforces unfair or deceptive practices under Section 5 of the FTC Act. Cookie consent violations can trigger FTC action when a company's stated privacy practices differ from actual behavior. For violations of FTC consent orders or trade regulation rules, penalties reach $53,088 per violation (2025/2026 inflation-adjusted amount, per the Federal Register). The FTC has pursued enforcement actions against companies using tracking technologies without adequate disclosure, particularly in health and children's data.
Brazil: LGPD
Brazil's Lei Geral de Proteção de Dados (LGPD), enforced by the ANPD (Autoridade Nacional de Proteção de Dados), applies a revenue-based penalty model:
- Up to 2% of the company's revenue in Brazil in the preceding fiscal year, net of taxes
- Capped at R$50 million (~US$10 million) per infraction
The ANPD has transitioned from cautious early enforcement to a significantly more active posture. Between 2023 and 2025, fines totaled approximately BRL 98 million (~US$20 million). The 2025-2026 enforcement roadmap prioritizes children's data, AI/biometrics, and data scraping.
For websites serving Brazilian visitors: the LGPD requires explicit consent before placing non-essential cookies that process personal data. The ANPD follows a graduated sanctioning model — starting with warnings and progressing to fines — but the R$50 million cap is now a realistic threat for repeat offenders. See our guides on LGPD compliance and LGPD enforcement in 2026.
Canada: PIPEDA and Quebec Law 25
Canada's privacy enforcement operates at two levels, and the gap between them is large.
Federal: PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA), enforced by the Office of the Privacy Commissioner (OPC), carries a maximum fine of C$100,000 per offence — limited to specific violations like failing to report a breach or obstructing an investigation. For cookie consent, PIPEDA is primarily enforced through complaints and compliance agreements rather than monetary penalties. The proposed replacement (Bill C-27/CPPA) would have dramatically increased federal penalties, but the bill lapsed when Parliament prorogued in early 2025. PIPEDA remains the federal law in force.
Quebec: Law 25
Quebec Law 25 (formerly Bill 64) has been fully in force since September 2024 and carries dramatically higher penalties:
- Up to C$25 million or 4% of worldwide turnover, whichever is higher
- Applies to any business collecting personal information about Quebec residents, regardless of where the business is located
This makes Quebec's penalty regime comparable to GDPR. For multi-jurisdictional compliance, Quebec — not federal PIPEDA — is the Canadian jurisdiction to prioritize. See our PIPEDA and cookie consent guide.
India: DPDP Act 2023
India's Digital Personal Data Protection Act (DPDP Act 2023) introduces a tiered penalty structure with some of the highest nominal caps in the world:
- ₹250 crore (~US$30 million) for failure to take reasonable security safeguards leading to a data breach
- ₹200 crore (~US$24 million) for breach notification failures and children's data violations
- ₹50 crore (~US$6 million) for general violations, including consent requirements
The Data Protection Board of India became operational on 13 November 2025 when the DPDP Rules 2025 were notified. However — and this is critical for compliance planning — the substantive compliance obligations (consent requirements, breach reporting, data principal rights) don't take effect until 13 May 2027. Until that date, the penalties described above aren't actively enforced.
For websites with significant Indian traffic: start building consent infrastructure now, but understand that enforcement is still in the implementation phase. See our India DPDP Act guide for the full regulatory timeline.
Australia: Privacy Act 1988 (2024 Amendments)
Australia's privacy regime received a major penalty upgrade via the Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024. The new maximum penalty for serious or repeated breaches:
- AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover — whichever is greatest
The Australian Information Commissioner (OAIC) enforces the Privacy Act. Australia doesn't have a cookie-specific consent law equivalent to the ePrivacy Directive, but the Privacy Act requires consent for collecting sensitive information through cookies or tracking technologies. The OAIC published guidance in late 2024 clarifying that tracking pixels trigger Privacy Act obligations.
While Australia doesn't mandate cookie banners for all sites, organizations collecting sensitive data through tracking technologies face penalties on par with GDPR. The 30% turnover calculation can actually exceed GDPR's 4% cap for high-margin companies.
China: PIPL
China's Personal Information Protection Law (PIPL), in force since November 2021, is enforced primarily by the Cyberspace Administration of China (CAC). Maximum penalties:
- Up to ¥50 million (~US$7 million) or 5% of the previous year's annual revenue for serious violations
- Business license revocation for the most severe cases
- Personal liability for responsible officers (banned from holding senior positions)
PIPL requires explicit consent before placing non-essential cookies or tracking technologies, and consent is valid for a maximum of 12 months before it must be refreshed. Enforcement to date has focused on mobile apps and large platforms, but the regulatory scope is expanding. Organizations with Chinese users should treat PIPL consent requirements as actively enforced.
South Korea: PIPA
South Korea's Personal Information Protection Act (PIPA) was amended in February 2026 with a major penalty increase:
- Up to 10% of total revenue for high-severity breaches involving intentional or grossly negligent conduct (up from the previous 3% ceiling)
- Applies when violations affect 10 million+ individuals, or when a corrective order is ignored
- CEO personal liability — the amendment ties supervisory accountability to the chief executive
The Personal Information Protection Commission (PIPC) enforces PIPA. In a landmark action, the PIPC fined Coupang (South Korea's largest e-commerce platform) over US$409 million for a data breach affecting 30 million customers — the largest data protection fine in Korean history.
South Korea's 10% revenue ceiling is now the highest percentage-based cap in any major privacy law. Websites serving Korean users should prioritize consent compliance.
Japan: APPI
Japan's Act on the Protection of Personal Information (APPI), enforced by the Personal Information Protection Commission (PPC), has historically carried low monetary penalties:
- Up to ¥100 million (~US$650,000) for corporations
- Up to ¥1 million (~US$6,500) for individuals
However, proposed amendments under review in 2025-2026 would introduce administrative monetary penalties for the first time — calculated based on the economic benefit derived from the violation. The bill also proposes increasing criminal penalties for certain offences.
Japan's current fines are comparatively mild, but the enforcement trend is toward higher penalties. The APPI requires opt-out mechanisms for third-party data sharing, and recent PPC guidance addresses cookie-based tracking more explicitly.
Comparison Table: Maximum Penalties by Country
This table summarizes the maximum penalty structures across the jurisdictions covered in this guide. "Revenue %" penalties are generally more severe for large organizations, while fixed caps matter more for smaller ones.
| Country / Region | Law | Maximum Fine | Penalty Basis | Enforcing Authority |
|---|---|---|---|---|
| EU/EEA | GDPR + ePrivacy Directive | €20M or 4% of global turnover | Revenue % | National DPAs (CNIL, AEPD, Garante, etc.) |
| United Kingdom | UK GDPR + PECR (post-DUAA) | £17.5M or 4% of global turnover | Revenue % | ICO |
| California (US) | CCPA/CPRA | $7,500 per violation (intentional) | Per violation | AG + CPPA |
| US (Federal) | FTC Act Section 5 | $53,088 per violation (order/rule breach) | Per violation | FTC |
| Brazil | LGPD | 2% of Brazil revenue, capped at R$50M per infraction | Revenue % (capped) | ANPD |
| Canada (Federal) | PIPEDA | C$100,000 per offence | Fixed cap | OPC |
| Canada (Quebec) | Law 25 | C$25M or 4% of worldwide turnover | Revenue % | CAI (Commission d'accès) |
| India | DPDP Act 2023 | ₹250 crore (~US$30M) | Fixed cap | Data Protection Board (effective May 2027) |
| Australia | Privacy Act 1988 (2024 amendments) | AUD 50M, 3× benefit obtained, or 30% of adjusted turnover (greatest) | Revenue % | OAIC |
| China | PIPL | ¥50M or 5% of annual revenue | Revenue % | CAC |
| South Korea | PIPA (2026 amendment) | 10% of total revenue | Revenue % | PIPC |
| Japan | APPI | ¥100M (~US$650K) | Fixed cap | PPC |
How to Prioritize Compliance Based on Your Audience
No organization has infinite compliance resources. Here's how to triage based on where your actual exposure sits:
1. Identify where your users are
Start with analytics. Use your geographic breakdown to identify your top 5-10 countries by active users — that's where enforcement will actually hit you.
2. Rank by enforcement risk, not just fine size
- Enforcement frequency: France (CNIL) and Spain (AEPD) issue far more cookie-specific fines than Germany or the Netherlands. California's CPPA has been the most active US enforcer.
- Per-violation compounding: US fines are per-violation — 100,000 affected users at $7,500 each is a theoretical $750 million exposure. EU fines are per-incident.
- Extraterritorial reach: GDPR, LGPD, PIPL, and Quebec Law 25 apply based on where the user is, not the business.
3. Build a regional compliance matrix
- Opt-in required (EU, UK, Brazil, Quebec, China, South Korea): Banner must block non-essential cookies by default.
- Opt-out sufficient (California, most US states): Non-essential cookies can load by default, but users need a clear opt-out mechanism.
- Notice-only (Canada federally, Australia for non-sensitive data): Inform users about cookies; prior consent isn't strictly required for all tracking.
- Conservative opt-in recommended (Japan): APPI doesn't mandate prior opt-in for all cookies, but enforcement is trending stricter. CookieBeam applies an opt-in default as a conservative baseline.
4. Start with the strictest applicable regime
If you're subject to GDPR and CCPA and LGPD, building for GDPR's opt-in model covers all three. US-specific requirements like "Do Not Sell" links and GPC signal recognition get layered on top.
Multi-Jurisdiction Compliance with Regional Consent Rules
Serving a global audience doesn't mean you need a different compliance system for every country. It means you need a system that adapts consent behavior based on the visitor's location.
CookieBeam's regional consent system does this with a single script installation. The CDN detects the visitor's location and applies the appropriate legal framework — adjusting banner behavior, button layout, default consent states, and legal text automatically. Built-in legal framework presets cover:
- GDPR (all 30 EU/EEA countries) — Opt-in mode, all non-essential consent denied by default
- UK GDPR — Opt-in mode, aligned with post-DUAA PECR requirements
- CCPA/CPRA (California) — Opt-out mode with Do Not Sell support
- US Opt-Out States (Colorado, Connecticut, Virginia, Texas, and 14 others) — Opt-out mode with state-appropriate language
- LGPD (Brazil) — Opt-in mode
- Quebec Law 25 — Opt-in mode with Quebec-specific consent language
- PIPEDA (Canada, excluding Quebec) — Notice mode
- PIPL (China) — Opt-in mode with localized consent text
- APPI (Japan) — Opt-in mode
- PIPA (South Korea) — Opt-in mode
- Australia Privacy Act — Notice mode
Each preset configures Google Consent Mode v2 defaults, so analytics and advertising tags respect the regional consent state automatically. Rules are matched once at page load — no redundant geolocation calls or per-page rule evaluation. For jurisdictions not covered by a built-in preset, custom regional rules can target any country and region code combination with full control over banner mode, consent defaults, and layout.
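The regional compliance matrix from step 3, the "start with the strictest applicable regime" rule from step 4, and the preset-per-region behaviour described above can be expressed as a small rule resolver. The following is an added JavaScript example written for this guide, not CookieBeam's script or its preset definitions: the rule ids, the rule shape, the strict opt-in fallback for unmatched or missing locations, and the treatment of a Global Privacy Control signal as an opt-out of sale/sharing are all assumptions. It takes the visitor's country and subdivision code (which a CDN geo lookup would supply) and returns the Google Consent Mode v2 defaults the banner should push before any tag fires.

```javascript
// Added example (not CookieBeam's implementation): a regional consent-rule
// resolver that maps a visitor location to a banner mode and to Google
// Consent Mode v2 default signals. Rule ids and shapes are assumptions.

// The 27 EU member states plus Iceland, Liechtenstein and Norway (30 EEA countries).
const EEA = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE', 'IS', 'LI', 'NO',
]);

// Consent Mode v2 signal sets. 'opt-in' denies everything non-essential until
// the visitor accepts; 'opt-out' and 'notice' grant by default.
const DENIED_ALL = Object.freeze({
  ad_storage: 'denied', ad_user_data: 'denied',
  ad_personalization: 'denied', analytics_storage: 'denied',
});
const GRANTED_ALL = Object.freeze({
  ad_storage: 'granted', ad_user_data: 'granted',
  ad_personalization: 'granted', analytics_storage: 'granted',
});

// Regional rules, most specific first. `match` is a predicate over a
// { country, region } pair (ISO 3166-1 alpha-2 country, subdivision code).
const RULES = [
  { id: 'ccpa', mode: 'opt-out', doNotSell: true, honorGpc: true,
    match: l => l.country === 'US' && l.region === 'CA' },
  // The guide names four of the US opt-out states; the rest are omitted here.
  { id: 'us-opt-out', mode: 'opt-out', doNotSell: true, honorGpc: true,
    match: l => l.country === 'US' && ['CO', 'CT', 'VA', 'TX'].includes(l.region) },
  { id: 'quebec-law25', mode: 'opt-in', match: l => l.country === 'CA' && l.region === 'QC' },
  { id: 'pipeda', mode: 'notice', match: l => l.country === 'CA' },
  { id: 'gdpr', mode: 'opt-in', match: l => EEA.has(l.country) },
  { id: 'uk-gdpr', mode: 'opt-in', match: l => l.country === 'GB' },
  { id: 'lgpd', mode: 'opt-in', match: l => l.country === 'BR' },
  { id: 'pipl', mode: 'opt-in', match: l => l.country === 'CN' },
  { id: 'appi', mode: 'opt-in', match: l => l.country === 'JP' },
  { id: 'pipa', mode: 'opt-in', match: l => l.country === 'KR' },
  { id: 'au-privacy-act', mode: 'notice', match: l => l.country === 'AU' },
];

// Fallback for locations no rule matches and for a failed or missing geo
// lookup: the strictest model, so a lookup failure never loads trackers by default.
const FALLBACK = { id: 'default-strict', mode: 'opt-in' };

function resolveRule(location) {
  const loc = {
    country: String((location && location.country) || '').toUpperCase(),
    region: String((location && location.region) || '').toUpperCase(),
  };
  return RULES.find(r => r.match(loc)) || FALLBACK;
}

// Compute the Consent Mode v2 *default* state for a location. `gpc` is the
// Global Privacy Control signal (navigator.globalPrivacyControl in browsers).
// Where a rule honours it, it is treated as an opt-out of sale/sharing: the
// advertising signals are denied while analytics stays as the mode allows.
function consentDefaults(location, gpc = false) {
  const rule = resolveRule(location);
  let signals = rule.mode === 'opt-in' ? { ...DENIED_ALL } : { ...GRANTED_ALL };
  if (rule.honorGpc && gpc) {
    signals = { ...signals, ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied' };
  }
  return { ruleId: rule.id, mode: rule.mode, doNotSell: Boolean(rule.doNotSell), signals };
}

// Push the defaults once per page load. `gtag` is injected so this runs without
// a browser; in a page it is the global gtag() from the Google tag snippet.
let applied = null;
function applyRegionalConsent(location, gtag, gpc = false) {
  if (applied) return applied;            // rules are matched once, not per call
  applied = consentDefaults(location, gpc);
  gtag('consent', 'default', { ...applied.signals, wait_for_update: 500 });
  return applied;
}

if (typeof window === 'undefined') {
  // Constructed sample run: a Bavarian visitor and a Californian with GPC enabled.
  console.log(consentDefaults({ country: 'de', region: 'BY' }));
  console.log(consentDefaults({ country: 'US', region: 'CA' }, true));
}
```

In a page, `applyRegionalConsent(geo, window.gtag, navigator.globalPrivacyControl === true)` must run before the Google tag loads any marketing or analytics tags, since Consent Mode only respects a `default` that is set first. The strict fallback is the design choice worth noting: when geolocation fails, an opt-in default costs some measurement in non-regulated regions, whereas an opt-out default would load trackers for an EU visitor and create exactly the exposure this guide describes.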
Enforcement Trends to Watch in 2026-2027
Several developments are reshaping the penalty landscape:
- UK PECR enforcement ramp-up: With the DUAA's 35x penalty increase now in effect, the ICO is expected to begin using the new ceiling. The first post-DUAA enforcement actions will set the tone for UK cookie compliance.
- US state enforcement acceleration: California's CPPA is now fully operational and pursuing enforcement independently of the AG. Other states (Texas, Connecticut, Colorado) are building their own enforcement pipelines.
- India DPDP activation: The May 2027 compliance deadline means organizations should already be implementing consent systems for Indian users. The ₹250 crore maximum is significant enough that preparation can't wait for the enforcement date.
- South Korea's 10% ceiling: The February 2026 PIPA amendment created the world's highest percentage-based privacy penalty. Combined with the Coupang precedent ($409M), Korean data protection is now a top-tier compliance priority.
- ePrivacy Regulation (still pending): If adopted, the ePrivacy Regulation would replace the current patchwork of national ePrivacy laws with a single, directly-applicable regulation — including harmonized penalties. Until then, the current Directive's uneven national implementations persist.
The overall trend: penalties are rising everywhere, enforcement capacity is expanding, and per-violation compounding (especially in the US) makes even "small" fines existentially dangerous at scale. Building regionalized consent management now is cheaper than any single enforcement action later.