Three charts covering 32 privacy laws: who needs your consent, the biggest fines so far, and when each law started. Click anything to filter.
Every privacy law in our reference, in three charts. Filter by region to narrow all three at once.
Filter
01 · Consent
Who needs consent?
Click a slice or label to filter the charts below.
All 32 laws here regulate fingerprinting in some way. None let you do it with no consent rule at all.
02 · Fines
Biggest fines
Filter by reason. Switch the scale. Hover a bar for the full story.
17 fines, $2.8B total
Meta Platforms Ireland
Data Protection Commission (DPC, Ireland)€1.2 billion (2023)DPC issued a record €1.2 billion fine against Meta for unlawful cross-border transfer of EU user data to the United States without adequate safeguards.
€1.2 billion2023
Didi Global Inc.
Cyberspace Administration of China (CAC)RMB 8.026 billion (~$1.2 billion) (2022)CAC fined Didi Global RMB 8.026 billion for serious violations of China's network security law and data security law, including unlawful collection and use of personal data from millions of users.
RMB 8.026 billion (~$1.2 billion)2022
Google LLC and Google Ireland Limited
CNIL (France)€150 million (2021)CNIL fined Google €150 million for cookie consent mechanisms on google.fr and youtube.com that made refusing cookies more complicated than accepting them.
€150 million2021
Facebook Ireland Limited
CNIL (France)€60 million (2021)CNIL fined Facebook Ireland €60 million for cookie consent mechanisms on facebook.com that made refusing cookies more difficult than accepting them, violating the equivalence requirement.
€60 million2021
Microsoft Corporation
CNIL (France)€60 million (2022)CNIL fined Microsoft €60 million for Bing's cookie consent mechanism, which made rejecting advertising cookies more difficult than accepting them.
€60 million2022
Clearview AI Inc.
Garante (Italy)€20 million (2022)Garante fined Clearview AI the maximum €20 million GDPR penalty for unlawfully scraping facial images of Italian residents to build a biometric identification database.
€20 million2022
Clearview AI Inc.
ICO (United Kingdom)£7.5 million (2022)ICO fined Clearview AI £7.5 million for unlawfully collecting images of UK residents from the internet to build a facial recognition database used by law enforcement.
£7.5 million2022
TikTok
CNIL (France)€5 million (2022)CNIL fined TikTok €5 million for making it easy to accept cookies but difficult to refuse them, violating the requirement for equivalent ease of consent and refusal.
€5 million2022
Vodafone España
AEPD (Spain)€3.94 million (2023)AEPD fined Vodafone España €3.94 million for multiple GDPR violations including unlawful processing of personal data and deficient information-security practices.
€3.94 million2023
Glovo
Garante (Italy)€3 million (2023)Garante fined Glovo €3 million for tracking app users without valid consent, including the use of device identifiers for profiling without proper disclosure.
€3 million2023
Sephora Inc.
California Attorney General$1.2 million (2022)California AG settled with Sephora for $1.2 million after finding the company failed to disclose the sale of consumers' personal information and did not honour opt-out signals including Global Privacy Control.
$1.2 million2022
Integrated Health Information Systems (IHiS)
PDPC (Singapore)S$750,000 (2019)PDPC fined IHiS (the IT operator for SingHealth) S$750,000 for failing to implement adequate cybersecurity measures that resulted in the SingHealth data breach exposing 1.5 million patients' personal data.
S$750,0002019
DoorDash Inc.
California Privacy Protection Agency (CPPA)$375,000 (2024)CPPA settled with DoorDash for $375,000 after finding the company participated in a marketing cooperative that shared customer personal information without valid opt-out mechanisms or adequate disclosure.
$375,0002024
Department of Justice and Constitutional Development (South Africa)
Information Regulator (South Africa)R5 million (2022)Information Regulator issued a R5 million administrative fine and enforcement notice against the Department of Justice following a 2021 ransomware attack, finding failures in security safeguards and breach notification obligations under POPIA.
R5 million2022
IAB Europe
Belgian Data Protection Authority€250,000 (2022)Belgian DPA fined IAB Europe €250,000 and ordered remediation of the Transparency and Consent Framework, finding that TC Strings constituted personal data and that IAB Europe acted as a data controller.
€250,0002022
SingHealth
PDPC (Singapore)S$250,000 (2019)PDPC fined SingHealth S$250,000 for failing to take adequate steps to protect patients' personal data, contributing to the 2018 breach that exposed 1.5 million records including Prime Minister Lee Hsien Loong's data.
S$250,0002019
Telekall Infoservice
ANPD (Brazil)BRL 14,400 (2024)ANPD issued Brazil's first LGPD administrative fine of BRL 14,400 against Telekall Infoservice for processing personal data without a lawful basis and failing to respond to data subject access requests.
BRL 14,4002024
03 · Timeline
When each law started
Click a year to see its laws. Bar colours show the consent rule.
From just 1 law in 1989 to 32 today, most arriving after the EU's GDPR in 2018.
11989
12001
22003
12014
12016
12018
32020
32021
22022
82023
32024
62025
The product
Fingerprinting that respects consent.
Benny works with your cookie banner, respects opt-out signals, and is consent-ready from day one - built for all 32 laws shown here.
