Summer of Scrutiny: A 2025 Breakdown of Major Compliance Fines and Privacy Penalties


The summer of 2025 will be remembered as a period of relentless regulatory enforcement, where the grace periods of the past were replaced with multi-million dollar penalties. Across the globe, data protection authorities and regulatory bodies sent a clear and unequivocal message: compliance with data privacy and security laws is not optional.

From landmark GDPR fines targeting big tech to a surge in HIPAA settlements and the first major penalties under new state laws, this summer has provided a crucial look into the future of enforcement. For compliance officers and legal teams, these events are not just headlines; they are case studies in what not to do. Here is a comprehensive breakdown of the most significant compliance and privacy fines of Summer 2025.



GDPR Enforcement: A Focus on Data Transfers and Transparency

European Data Protection Authorities (DPAs) continued their robust enforcement of the General Data Protection Regulation (GDPR), with a particular focus on unlawful data transfers and a lack of transparency in data processing.


Historic €530 Million Fine for TikTok

The most significant penalty of the summer was levied against TikTok by the Irish Data Protection Commission (DPC), acting as the lead EU regulator. The €530 million fine was the culmination of a long-running investigation into two primary issues:

  1. Unlawful Data Transfers: The DPC found that TikTok unlawfully transferred the personal data of European users to China, where it could be accessed by its parent company, ByteDance, and potentially the Chinese government.[1] This was deemed a violation of GDPR's strict rules on data transfers to third countries that do not have an adequate level of data protection.
  2. Lack of Transparency: The investigation also found that TikTok's privacy notices were not sufficiently clear or transparent about how users' data was being collected, used, and transferred, particularly for younger users.

Key Takeaway: This massive fine reinforces that international data flows remain a top enforcement priority for EU regulators. Organizations must have a clear legal basis and implement appropriate safeguards (like Standard Contractual Clauses) for any transfer of EU citizens' data outside the European Economic Area.



U.S. Privacy Enforcement: The States Get Tough

While the U.S. still lacks a federal privacy law, the states have stepped up to fill the void, and this summer saw the first major penalties under newer state-level regulations.


California's Landmark $1.55 Million CCPA Settlement with Healthline

The California Office of the Attorney General (OAG) secured a $1.55 million judgment against Healthline Media, a health information publisher.[2] This was the largest settlement to date under the California Consumer Privacy Act (CCPA) and the first of its kind for a publisher. The OAG found that Healthline:

  • Failed to Provide an Effective Opt-Out: The company did not have a functional "Do Not Sell or Share My Personal Information" link for users who wanted to opt out of their data being shared with third-party advertisers.
  • Improperly Shared Sensitive Health Data: The use of online tracking technologies on their website resulted in the sharing of sensitive health information with advertisers without proper consumer consent.

Key Takeaway: This settlement demonstrates that "sharing" data for cross-context behavioral advertising is considered a "sale" under the CCPA and that regulators are actively enforcing the right to opt out. It also signals a heightened focus on the handling of sensitive health data, even outside the context of HIPAA.


HIPAA Enforcement: No Mercy for Negligence

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been particularly active this summer, imposing significant fines on healthcare organizations for violations of the Health Insurance Portability and Accountability Act (HIPAA).[3]

$2 Million Fine for Healthplex Over Phishing Attack

In a notable case, the New York State Department of Financial Services (NYDFS), in coordination with the OCR, imposed a $2 million civil penalty on Healthplex, Inc., a licensed insurance agent.[4] The fine was the result of a 2021 phishing attack that compromised the company's systems. The investigation found two key failures:

  1. Lack of Multi-Factor Authentication (MFA): The company had failed to implement MFA on its email system, which could have prevented the phishing attack from succeeding.
  2. Delayed Breach Notification: Healthplex waited over four months to report the breach, a clear violation of the 60-day notification requirement under HIPAA.

In a separate action, the OCR fined Syracuse ASC, a New York surgery practice, $250,000 for HIPAA violations related to a 2021 ransomware attack.[5] The fine was not for the attack itself, but for the underlying compliance failures that allowed it to be so damaging, specifically:

  • Failure to Conduct a Risk Analysis: The practice had not conducted a thorough and accurate risk analysis as required by the HIPAA Security Rule.
  • Failure to Implement Risk Management Measures: They had not implemented procedures to regularly review information system activity.

Key Takeaway: Regulators are making it clear that a cyberattack is not an excuse for non-compliance. Organizations, particularly in the healthcare sector, will be held accountable for failing to implement basic and reasonable security measures and for not adhering to strict breach notification timelines.


The enforcement actions of this summer paint a clear picture of regulatory priorities:

  1. Foundational Security is a Must: Regulators are losing patience with organizations that fail to implement fundamental security controls like MFA and regular risk assessments.
  2. Transparency is Not Negotiable: Whether it's through clear privacy policies or timely breach notifications, regulators are demanding that organizations be transparent with both consumers and authorities.[6]
  3. Third-Party and International Data Flows are Under the Microscope: Organizations are responsible for where their data goes and who has access to it, even if it's a third-party vendor or an international subsidiary.[7]
  4. State-Level Enforcement is a Growing Force: The "American privacy patchwork" is becoming a serious compliance challenge, and state attorneys general are proving they are not afraid to levy significant fines.

As we move into the fall, the message from regulators is loud and clear: the era of warnings is over, and the age of significant financial consequences for compliance failures is here to stay.
