Living index
Privacy enforcement tracker.
Every named fingerprinting-relevant enforcement action cited across our 17-jurisdiction reference: regulator, target, amount, year, source. Updated as regulators publish. Not legal advice.
Most privacy-law marketing copy quotes the headline maximum fine. The reality is rarer and more specific. This tracker pulls every enforcement action cited on a Benny the Doorman jurisdiction page into one sortable list, so product teams can see what regulators actually act on, in what amounts, and for which violations.
2023 | €1.2 billion | Cross-border transfer | Data Protection Commission (DPC, Ireland) v. Meta Platforms Ireland
DPC issued a record €1.2 billion fine against Meta for unlawful cross-border transfer of EU user data to the United States without adequate safeguards.
Cited in EU GDPR
2023 | €3.94 million | Other | AEPD (Spain) v. Vodafone España
AEPD fined Vodafone España €3.94 million for multiple GDPR violations including unlawful processing of personal data and deficient information-security practices.
Cited in EU GDPR
2023 | €3 million | Consent UX | Garante (Italy) v. Glovo
Garante fined Glovo €3 million for tracking app users without valid consent, including the use of device identifiers for profiling without proper disclosure.
Cited in EU ePrivacy Directive
2022 | €60 million | Consent UX | CNIL (France) v. Microsoft Corporation
CNIL fined Microsoft €60 million for Bing's cookie consent mechanism, which made rejecting advertising cookies more difficult than accepting them.
Cited in EU ePrivacy Directive
2022 | £7.5 million | Fingerprinting | ICO (United Kingdom) v. Clearview AI Inc.
ICO fined Clearview AI £7.5 million for unlawfully collecting images of UK residents from the internet to build a facial recognition database used by law enforcement.
Cited in UK GDPR + PECR
2022 | €5 million | Consent UX | CNIL (France) v. TikTok
CNIL fined TikTok €5 million for making it easy to accept cookies but difficult to refuse them, violating the requirement for equivalent ease of consent and refusal.
Cited in EU ePrivacy Directive
2022 | €20 million | Fingerprinting | Garante (Italy) v. Clearview AI Inc.
Garante fined Clearview AI the maximum €20 million GDPR penalty for unlawfully scraping facial images of Italian residents to build a biometric identification database.
Cited in EU GDPR
2022 | €250,000 | Consent UX | Belgian Data Protection Authority v. IAB Europe
Belgian DPA fined IAB Europe €250,000 and ordered remediation of the Transparency and Consent Framework, finding that TC Strings constituted personal data and that IAB Europe acted as a data controller.
Cited in EU GDPR
2022 | $1.2 million | Targeted advertising | California Attorney General v. Sephora Inc.
California AG settled with Sephora for $1.2 million after finding the company failed to disclose the sale of consumers' personal information and did not honour opt-out signals including Global Privacy Control.
Cited in California CCPA/CPRA
2022 | RMB 8.026 billion (~$1.2 billion) | Other | Cyberspace Administration of China (CAC) v. Didi Global Inc.
CAC fined Didi Global RMB 8.026 billion for serious violations of China's network security law and data security law, including unlawful collection and use of personal data from millions of users.
Cited in China PIPL
2022 | R5 million | Data breach | Information Regulator (South Africa) v. Department of Justice and Constitutional Development (South Africa)
Information Regulator issued a R5 million administrative fine and enforcement notice against the Department of Justice following a 2021 ransomware attack, finding failures in security safeguards and breach notification obligations under POPIA.
Cited in South Africa POPIA
2021 | €150 million | Consent UX | CNIL (France) v. Google LLC and Google Ireland Limited
CNIL fined Google €150 million for cookie consent mechanisms on google.fr and youtube.com that made refusing cookies more complicated than accepting them.
Cited in EU ePrivacy Directive
2021 | €60 million | Consent UX | CNIL (France) v. Facebook Ireland Limited
CNIL fined Facebook Ireland €60 million for cookie consent mechanisms on facebook.com that made refusing cookies more difficult than accepting them, violating the equivalence requirement.
Cited in EU ePrivacy Directive
2024 | $375,000 | Targeted advertising | California Privacy Protection Agency (CPPA) v. DoorDash Inc.
CPPA settled with DoorDash for $375,000 after finding the company participated in a marketing cooperative that shared customer personal information without valid opt-out mechanisms or adequate disclosure.
Cited in California CCPA/CPRA
2024 | BRL 14,400 | Other | ANPD (Brazil) v. Telekall Infoservice
ANPD issued Brazil's first LGPD administrative fine of BRL 14,400 against Telekall Infoservice for processing personal data without a lawful basis and failing to respond to data subject access requests.
Cited in Brazil LGPD
2019 | S$750,000 | Data breach | PDPC (Singapore) v. Integrated Health Information Systems (IHiS)
PDPC fined IHiS (the IT operator for SingHealth) S$750,000 for failing to implement adequate cybersecurity measures that resulted in the SingHealth data breach exposing 1.5 million patients' personal data.
Cited in Singapore PDPA
2019 | S$250,000 | Data breach | PDPC (Singapore) v. SingHealth
PDPC fined SingHealth S$250,000 for failing to take adequate steps to protect patients' personal data, contributing to the 2018 breach that exposed 1.5 million records including Prime Minister Lee Hsien Loong's data.
Cited in Singapore PDPA
Tooling
Build fingerprinting that does not show up here.
Benny the Doorman is fingerprinting designed for the post-consent, post-GPC, post-DPA world. Defer to your CMP, honour Universal Opt-Out signals, document the data flow, ship a per-jurisdiction DPA addendum.

