GDPR Fines 2025–2026: Real Cases & What Small Businesses Must Know
GDPR enforcement isn't slowing down — it's accelerating. Here are the major fines from 2025–2026, the exact violations that triggered them, and the practical steps that would have prevented each one.
Why This Matters for Small Businesses
A common misconception is that GDPR fines are reserved for tech giants — the Meta, Google, Amazon variety of violations. The data tells a different story. In 2024 and 2025, data protection authorities across the EU issued over 1,800 fines, with a significant proportion targeting small and medium-sized businesses. Regulators have explicitly said that size is not a shield.
The enforcement model has also shifted. Where early GDPR enforcement was complaint-driven, regulators now conduct proactive audits — particularly targeting cookie consent practices, data subject rights handling, and privacy notice completeness. If your website is publicly accessible from the EU, you are in scope.
Notable GDPR Enforcement Cases (2025)
The following cases illustrate the breadth of enforcement — from large enterprises to small operators. The violations are often straightforward; the fines are not.
The Irish DPC found that LinkedIn used behavioral data from members' activity for targeted advertising without proper consent. The fundamental issue: relying on "legitimate interests" as a legal basis for advertising data processing — a basis regulators have consistently rejected for this purpose.
A German DPA fined an online retailer for using a "dark pattern" cookie banner — the accept button was prominently styled and brightly colored, while the reject option was buried in a secondary menu requiring multiple clicks. Consent obtained this way is not considered freely given under GDPR.
The company used AWS, Stripe, and a US-based analytics provider without signed Data Processing Agreements (DPAs). Under GDPR, if a third party processes personal data on your behalf, a DPA is legally required. A missing DPA for any single subprocessor is a violation in itself, even if the underlying data handling is fine.
A small online shop with fewer than 10 employees was fined €15,000 for having a privacy policy that did not disclose how long customer data was retained. The business processed EU customer data and was therefore fully in scope of GDPR, regardless of where the company was incorporated.
The California Privacy Protection Agency (CPPA) became fully operational in 2023 and has been actively auditing businesses. CCPA applies to any business that collects personal information from California residents and meets basic revenue/data thresholds. Fines reach $7,500 per intentional violation.
The Five Most Common GDPR Violations (and How to Fix Them)
1. Non-compliant cookie banners
This is the #1 cited violation in enforcement actions. A compliant cookie banner must: block every non-essential script until consent is actually given, make rejection as easy as acceptance (one click each), and provide granular consent options (at minimum: essential, analytics, marketing).
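The consent-gating rule above, as an added example that is not part of the original article: a small script registry where nothing outside the "essential" category is injected until the visitor's consent record allows it. The registry URLs, the category names beyond the three named in the text, and the `inject` callback are assumptions for illustration.

```javascript
// Consent-gated script loader (added example, not from the article).
// Each script is registered with a consent category; non-essential
// scripts are only injected once consent for that category is recorded.
const CATEGORIES = ["essential", "analytics", "marketing"];

// Assumption: "essential" is always permitted; everything else is refused
// until the visitor says otherwise (a missing or malformed record = refused).
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false };
}

// Normalise a consent record from the banner or a stored cookie.
// Only a literal boolean true counts; unknown keys are ignored.
function normalizeConsent(raw) {
  const consent = defaultConsent();
  for (const c of CATEGORIES) {
    if (c === "essential") continue;
    consent[c] = raw !== null && typeof raw === "object" && raw[c] === true;
  }
  return consent;
}

// Scripts registered under a category the banner does not offer
// (e.g. "social") can never be consented to, so they never load.
function permittedScripts(scripts, consent) {
  const allowed = normalizeConsent(consent);
  return scripts.filter((s) => allowed[s.category] === true);
}

// Inject permitted scripts through `inject` (in a browser this would
// create a <script> element). Returns the list of injected URLs.
function loadScripts(scripts, consent, inject) {
  const toLoad = permittedScripts(scripts, consent);
  for (const s of toLoad) inject(s.src);
  return toLoad.map((s) => s.src);
}

// "Reject all" and "Accept all" are each a single action that yields a
// complete record, so the banner can store the decision as evidence.
function rejectAll() { return normalizeConsent({}); }
function acceptAll() { return normalizeConsent({ analytics: true, marketing: true }); }

// Constructed sample registry: placeholder URLs, not real tag endpoints.
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
  { src: "https://share.example/widget.js", category: "social" },
];
```

Wire `loadScripts` to the banner's accept/reject handlers and call it again whenever the stored consent record changes; until then, the only script on the page is the essential one.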
2. Inadequate or missing privacy policies
GDPR Article 13 lists exactly what your privacy notice must contain: the identity of the data controller, the purposes and legal basis for processing, data retention periods, recipients of the data, and user rights. Most free, auto-generated policies miss at least two or three of these.
3. No mechanism to handle data subject requests
Users have the right to access, correct, delete, or export their data. You must have a clear process for receiving and responding to these requests within 30 days. A simple contact email specifically for privacy requests is the minimum.
4. Missing data processing agreements
As illustrated above: any third party that processes personal data on your behalf requires a signed DPA. This includes your hosting provider, email marketing tool, payment processor, analytics platform, and customer support software.
5. No breach notification process
If personal data is compromised, GDPR requires notifying your supervisory authority within 72 hours. Many small businesses have no plan in place. You don't need a complex incident response team — you just need a documented procedure and a contact at your local DPA.
The Minimum Viable Compliance Baseline
You don't need enterprise-grade compliance infrastructure. For most small businesses and solo operators, the following baseline covers the majority of enforcement risk:
- Privacy Policy — Covers what data you collect, why, legal basis, retention periods, subprocessors, and user rights. Must be publicly accessible.
- Compliant Cookie Banner — Blocks all non-essential scripts before consent, equal accept/reject prominence, granular categories.
- Data Processing Agreement — Signed with every third-party tool that processes user data. Most major providers (Stripe, AWS, Google, Mailchimp) publish standard DPAs you can countersign.
- Terms of Service — Defines the relationship with users, limits your liability, and sets expectations for use of your product or service.
- Data Subject Rights Process — A documented way for users to request access, correction, or deletion of their data. An email address + 30-day response commitment is the minimum.
Cost comparison: Having a lawyer draft all of the above typically costs $800–$2,000+ and takes weeks. The Compliance Starter Pack generates all of it in minutes for $6.99. The resulting documents are templates — not custom legal advice — but they cover the baseline requirements that trigger the majority of fines.
What Happens If You're Investigated
If a user files a complaint or a DPA initiates an audit, the sequence typically looks like this:
- Initial inquiry — The DPA contacts you requesting documentation of your data practices.
- Review period — You have a window (usually 30–90 days) to respond with evidence of compliance measures.
- Remediation — If deficiencies are found, you're given a chance to fix them before a formal decision.
- Fine or reprimand — If the violation was serious or you failed to remediate, a formal decision with a fine or public reprimand is issued.
Having proper documentation in place before step 1 is your best defense. Most DPAs are not looking to make examples of small businesses — they want to see good faith effort toward compliance. A proper privacy policy and consent mechanism demonstrates that.
Key Takeaways
- GDPR enforcement applies to any business serving EU users, regardless of company location.
- Cookie consent and privacy policy issues are the most commonly cited violations — and the easiest to fix.
- The €20M maximum fine is for serious violations; most SMB fines are in the €5,000–€100,000 range.
- Good faith compliance efforts significantly reduce risk — investigators look at whether you tried.
- The cost to get compliant is a tiny fraction of even the smallest fine.
Get your compliance baseline sorted today
Generate a complete privacy policy, cookie consent banner, terms of service, and accessibility widget — tailored to your jurisdiction. One payment, instant download.
Generate Compliance Pack — $6.99
This article is for informational purposes only and does not constitute legal advice. Regulations change frequently; consult a qualified attorney for guidance specific to your situation. All fine figures are based on publicly available DPA decisions as of March 2026.