9 Cookie Banner Fines & Violations (GDPR & CCPA)
Cookie consent fines happen when businesses fail to comply with national, regional, or state data privacy laws. A legally compliant cookie banner is a business requirement in Europe, North America, and other jurisdictions. If your business isn't compliant, it runs the risk of cookie fines under GDPR, the ePrivacy Directive, the CCPA, and similar laws.
In this post, we dive into 9 cookie banner fines and talk about when companies were fined for not following the law. Later we also discuss major cookie laws and how you should stay compliant.
9 Cookie Banner Fines & Violations
The biggest and most frequent cookie fines tend to be handed down by the EU and its member states' data protection authorities. However, other nations do take legal action against egregious offenders.
Facebook — €60 Million
When it comes to privacy, Facebook, or Meta these days, is no stranger to controversy. The company has been in hot water regularly since it opened to the general public in 2006. In January 2022, Facebook was fined by the French data protection regulator, CNIL.
This CNIL cookie fine compelled Facebook to pay €60 million for making it far harder for French users to refuse cookies than to accept them. Note that the EU ePrivacy Directive is transposed into each member state's national law, so a national regulator such as CNIL can enforce it directly against a site serving users in its territory, without going through GDPR's one-stop-shop mechanism. France tends to lead the charge there.
Incidentally, Google found itself on the hot seat for the same infraction. In the same month, CNIL fined Google €150 million, and France's highest administrative court upheld an earlier €100 million CNIL fine against the company.
Google Cookie Fines — €150 Million, €100 Million, & $50 Million
Google has received three different fines for violations of cookie consent rules. In January 2022, France's Supreme Administrative Court (the Council of State, or "Conseil d'Etat") upheld a €100 million fine that CNIL had originally imposed in December 2020 for placing advertising cookies on google.fr without the user's consent.
Earlier that same month, CNIL fined Google a further €150 million because users of google.fr could not refuse cookies as easily as they could accept them.
Lastly, Google had to pay roughly $50 million to South Korea's Personal Information Protection Commission (PIPC) for violating the Personal Information Protection Act (PIPA). The PIPC found that neither Google nor Meta, which was fined in the same action, had obtained proper consent before collecting users' behavioral data for targeted advertising.
Apple — €8 Million
In late 2022, Apple, Inc also had a run-in with France's CNIL. This time the regulator cited the company's failure to obtain consent from French iPhone users before reading advertising identifiers on their devices, which were used to serve personalized ads in the Apple App Store. The €8 million fine is small change against Apple's revenue and profit, but it is a black eye for a company that markets itself on protecting its customers' privacy.
TikTok Cookie Fine — €5 Million
TikTok is another social titan that has repeatedly raised red flags over data collection and privacy. Once again, France's CNIL dropped the hammer, citing problems with the video-sharing site's cookie consent flow: rejecting cookies took several clicks while accepting them took one, and users were not properly informed about the cookies' purposes. In early 2023, the agency announced a €5 million fine. TikTok had already changed the flow during the investigation, which partly explains the much smaller penalty compared with the other social platforms.
Sephora — $1.2 Million
Not long after California's CCPA went into effect, the state Attorney General began catching businesses that failed to meet its privacy requirements. Most businesses that received a notice of violation remedied their errors within the 30-day cure window that followed. Beauty retailer Sephora did not. In 2022 the multinational settled with the state of California for $1.2 million for failing to disclose that it was selling consumer data to third parties and for not offering a working opt-out to California residents.
This was the first publicly announced CCPA enforcement settlement, and it centered on tracking cookies.
Amazon — $38 million
On December 7, 2020, the French data protection authority, CNIL, fined Amazon Europe €35 million ($38 million) for placing advertising cookies on users’ computers without obtaining consent or providing sufficient information on the data collection practices.
CNIL judged Amazon to have:
- Automatically placed numerous advertising cookies on users’ computers without consent, which was not essential for the service. This failure to obtain consent violated the obligation to seek user consent before depositing cookies.
- Displayed no clear banner on the amazon.fr site informing users about the cookies and how to refuse them.
Carrefour — $3.23 million
In November 2020, the French regulator CNIL fined Carrefour, one of the largest retailers in Europe, a combined total of just over €3 million ($3.23 million) following inspections of its websites Carrefour France and Carrefour Banque.
The regulator determined that both the carrefour.fr and carrefour-banque.fr websites placed cookies on users' devices without obtaining their consent. Some of these cookies were used for advertising purposes, meaning they required consent before being stored under the French rules that transpose the ePrivacy Directive, with consent measured against the GDPR standard.
Carrefour was also fined for separate GDPR violations, including excessive data retention, unjustified identity verification, and failure to respond to data subject access requests (DSARs).
In total, Carrefour France was fined €2.25 million ($2.42 million), and Carrefour Banque received a penalty of €800,000 ($861,868).
Avoid Cookie Fines with Enzuzo
There's no excuse for knowingly running afoul of privacy and cookie laws. However, since you cannot dictate where your website traffic originates, it can be difficult to ensure that your business complies with the privacy and data usage regulations that 137 countries have enacted.
Enzuzo is a software-as-a-service platform that helps you maintain compliance not only in how you use data, but also in properly notifying visitors of what information is collected and how they can access, limit, or refuse your cookies. Business owners can manage everything from clearly stated cookie policies to easily visible consent controls.
Meanwhile, the service integrates easily with major e-commerce platforms like Shopify, SquareSpace, WooCommerce, and more.
Book a Free Demo to Learn how Enzuzo Can Assist All Cookie Consent and Compliance Needs Across Europe, North America, and more
Key Cookie Laws You Should Know
A cookie is a small piece of data that a website stores in a visitor's browser and reads back on later requests. Cookies can hold anything from a device or session identifier and browsing history to more sensitive details such as names, addresses, or even banking information. Websites often use them to customize the visitor's experience, for example by showing content related to what was previously viewed, or by coordinating with an advertising network to serve targeted ads.
Cookie laws are designed to give consumers more control over what data is collected and who it is shared with. Typically these laws require websites to obtain consent before storing non-essential cookies, to let visitors refuse as easily as they accept, and to give them the ability to request deletion of their data or control how much information is collected or shared from a web session.
While many such laws exist around the world, the following are some of the better-known ones. Remember that even if your business is not located in the jurisdiction where a cookie law was drafted, you are still liable if you violate its rules for collecting data from visitors who are located in that country or state.
European Union E-Privacy Directive
The ePrivacy Directive dates to 2002; its 2009 amendment, which member states had to transpose into national law by 2011, added the requirement to obtain consent before storing or reading cookies and earned it the nickname "Cookie Directive." It works in tandem with the later General Data Protection Regulation (GDPR), in force since 2018: the ePrivacy rules govern when a cookie may be placed or read, while GDPR sets the standard of consent, the rights of EU data subjects over their information, and the associated fines. GDPR's definition of personal data is very broad and covers any information that can be associated with an identifiable person.
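The two rules behind the fines above, that no non-essential cookie is written before the visitor decides (the Amazon and Carrefour findings) and that refusing takes exactly one action, the same as accepting (the Facebook, Google and TikTok findings), are simple to enforce in code. The following is an added example written for this article, not Enzuzo's product code: a minimal consent gate in JavaScript, with an audit helper that lists cookies a site should not have set on a first visit. The cookie jar is a plain object standing in for `document.cookie` so the logic runs offline in Node, and the cookie names (`session_id`, `_ga`, `_fbp`, `ad_id`) are assumed for illustration.

```javascript
// Added example (not Enzuzo's code). A consent gate that sits between tag
// scripts and the browser's cookie jar. The jar is a plain object standing in
// for document.cookie so this runs in Node; cookie names are assumed.

// Cookies the site needs to function; these never require consent.
const ESSENTIAL = new Set(["session_id", "csrf_token", "cookie_consent"]);

class ConsentGate {
  constructor(jar = {}) {
    this.jar = jar;          // stand-in for document.cookie
    this.decision = null;    // null = banner still open, otherwise "granted" / "denied"
    this.deferred = [];      // non-essential writes requested before a decision
  }

  // Every cookie write goes through here instead of document.cookie.
  // Returns true only if the cookie was actually stored.
  setCookie(name, value) {
    if (ESSENTIAL.has(name) || this.decision === "granted") {
      this.jar[name] = value;
      return true;
    }
    if (this.decision === null) this.deferred.push([name, value]);
    return false; // queued (no decision yet) or dropped (consent denied)
  }

  // "Accept all": one click, then flush whatever the trackers asked for.
  acceptAll() {
    this.decision = "granted";
    this.jar.cookie_consent = "granted";
    for (const [name, value] of this.deferred) this.jar[name] = value;
    this.deferred = [];
  }

  // "Reject all": also exactly one click, symmetric with acceptAll.
  // Queued writes are discarded rather than stored.
  rejectAll() {
    this.decision = "denied";
    this.jar.cookie_consent = "denied";
    this.deferred = [];
  }
}

// Audit helper: given the cookies present on a first visit before any click,
// return the names that should not be there. Run this against a fresh browser
// profile to catch the Amazon/Carrefour pattern before a regulator does.
function preConsentViolations(jar) {
  return Object.keys(jar).filter((name) => !ESSENTIAL.has(name)).sort();
}

// Simulate a first visit: an analytics tag and an ads tag both try to write
// cookies while the banner is still open, then the visitor clicks one button.
function simulateVisit(choice) {
  const gate = new ConsentGate();
  gate.setCookie("session_id", "s-1234");   // essential, always written
  gate.setCookie("_ga", "GA1.2.1");         // analytics, non-essential
  gate.setCookie("_fbp", "fb.1.2");         // advertising, non-essential
  const beforeClick = preConsentViolations(gate.jar); // [] when the gate works
  if (choice === "accept") gate.acceptAll(); else gate.rejectAll();
  return { beforeClick, after: Object.keys(gate.jar).sort() };
}

// Constructed jar from a site that fires its tags unconditionally on page load.
const BAD_SITE_JAR = { session_id: "x", _ga: "GA1.2.9", _fbp: "fb.1.9", ad_id: "abc" };

console.log(simulateVisit("reject"));      // no tracker cookies at any point
console.log(simulateVisit("accept"));      // tracker cookies only after the click
console.log(preConsentViolations(BAD_SITE_JAR)); // what an auditor would flag
```

In a real deployment the gate wraps the loading of the tag scripts themselves (the analytics and ads snippets are only injected from `acceptAll`), since a third-party script that has already loaded can write to `document.cookie` directly and bypass any wrapper. The audit helper is the check to automate: open the site in a clean profile, dump the cookies before touching the banner, and fail the build if anything outside the essential list appears.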
The California Privacy Rights Act (CPRA)
Cookie practices in the U.S. are generally policed at the federal level under Section 5 of the FTC Act, which prohibits unfair or deceptive practices. However, individual state laws can leave businesses facing non-compliance allegations if they are not aware of the nuanced requirements across the 50 states. Within the U.S., California leads the way in regulating cookie use.
The CPRA, passed in 2020 and in force since January 2023, amends and extends the California Consumer Privacy Act (CCPA) of 2018. Simply put, you must let California residents opt out of the sale or sharing of their personal information, including sharing with your "trusted third parties" for cross-context behavioral advertising. This especially affects businesses that rely on activity-tracking cookies. Similar laws exist in Virginia (the Virginia Consumer Data Protection Act) and Connecticut (the Connecticut Data Privacy Act).
Lei Geral de Proteção de Dados Pessoais (LGPD)
Known simply as LGPD, this is Brazil's counterpart to the EU's GDPR. Along with outlining the rights Brazilian citizens have over the collection of their data, it also lists the fines for flouting the law. Similarly, South Korea's Personal Information Protection Act (PIPA) dates back to 2011 and, although it does not mention cookies explicitly, its consent requirements were the basis of the Google fine described above. Many other nations, including China and Japan, have privacy laws that do not name cookies but apply to the data collected through them.
Looking for inspiration on how to create a cookie banner of your own? Visit our list of the best cookie banner examples and replicate the theme for your own site.
Osman Husain
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.