The 2025 Privacy & Compliance "Fines & Follies" Awards: A Year of Record-Breaking Enforcement


When €3 billion in GDPR fines alone isn't enough to teach Big Tech a lesson


Introduction: The Year Regulators Stopped Playing Nice

If 2024 was the year of regulatory preparation, 2025 was the year enforcement went nuclear. European data protection authorities alone imposed over €3 billion in GDPR fines in the first half of 2025—more than any previous full year. The message from regulators worldwide was unmistakable: privacy compliance is no longer optional, and the era of lenient warnings has definitively ended.

But the numbers only tell part of the story. Behind every billion-euro fine lies a pattern of corporate negligence, a trail of exposed user data, and a regulatory authority that finally decided enough was enough. From TikTok's systematic deception about data flows to China, to X's "verification" system that verified nothing, to California's aggressive crackdown on data brokers, 2025 established precedents that will reshape privacy compliance for years to come.

As we've documented throughout the year on Compliance Hub Wiki, the regulatory landscape has fundamentally shifted. Over €800 million in fines across 72 major enforcement actions in Q2 alone marked Summer 2025 as a pivotal period—and that was just the beginning.

This is our annual "Fines & Follies" Awards: recognizing the most significant, egregious, and instructive privacy enforcement actions of 2025. Some companies earned their spots through spectacular failures. Others made it by pioneering new forms of data exploitation. All of them have lessons to teach.


🏆 The "Third Time's NOT the Charm" Award: TikTok's €530 Million Data Transfer Deception

Amount: €530 million ($601 million)
Authority: Irish Data Protection Commission
Violation: Unlawful data transfers to China, systematic deception of regulators

The Irish DPC's May 2025 decision against TikTok wasn't just the third-largest GDPR fine in history—it was a masterclass in how NOT to handle a regulatory investigation.

For years, TikTok assured European regulators that EU user data was absolutely, definitely, 100% NOT being stored on Chinese servers. Then, in April 2025, came the admission: oops, they'd discovered in February that "limited EEA user data had in fact been stored on servers in China."

As we detailed in our analysis of the €530 million question, this wasn't a technical oversight—it was systematic deception that transformed a potential compliance violation into a case of regulatory fraud. The fine breakdown reveals the severity:

  • €485 million for unlawful data transfers to China (Article 46(1) breach)
  • €45 million for transparency violations (Article 13(1)(f))

But the €530 million fine was just the beginning of TikTok's 2025 troubles. Texas AG Ken Paxton sued the platform twice—once under the SCOPE Act for sharing minors' data without parental consent, and again under the Texas Deceptive Trade Practices Act for allegedly marketing the app as safe for children despite regularly exposing them to harmful content.

The Lesson: When regulators ask where you store data, telling the truth is not optional. Subsequent discoveries of contrary facts will be treated as intentional deception.


🏆 The "First Blood" Award: X's €120 Million DSA Debut

Amount: €120 million
Authority: European Commission
Violation: DSA transparency breaches, deceptive verification system

The European Commission saved a special distinction for Elon Musk's X: the first-ever fine under the Digital Services Act. On December 5, 2025, the Commission found that X had breached its transparency obligations in three key ways:

The "Verified" Problem: X's blue checkmark, once a symbol of identity verification, became available to anyone willing to pay €7/month. As the Commission bluntly stated: "X's use of the 'blue checkmark' for 'verified accounts' deceives users." The result? A platform flooded with impersonators, scammers, and bots masquerading as verified accounts.

The Ads Archive Disaster: X's advertising repository was designed with barriers that undermine the entire purpose of transparency requirements.

The Research Lockout: X's terms of service actually prohibited eligible researchers from accessing public data—the exact opposite of what the DSA requires.

As we covered in our Meta and TikTok DSA enforcement analysis, this is just the opening salvo. Meta and TikTok face preliminary DSA findings with potential fines reaching 6% of global revenue—approximately $9.87 billion for Meta.

Musk's response? Posting "Bullshit" on the platform and calling for the abolition of the EU. The Commission was unimpressed, giving X 60 days to fix the checkmark problem or face additional penalties.

The Lesson: "Move fast and break things" doesn't work when what you're breaking is regulatory compliance. The DSA has teeth, and it's not afraid to use them.


🏆 The "Lone Star Sheriff" Award: Texas AG Ken Paxton's $2.775 Billion Privacy Crusade

Total Settlements: $1.4 billion (Meta) + $1.375 billion (Google) = $2.775 billion
Authority: Texas Attorney General
Pattern: Biometric data violations, deceptive tracking practices

No single state enforcement authority dominated 2025 like Texas AG Ken Paxton's Privacy and Tech Team. The office secured historic settlements that dwarfed anything previously obtained by a single state:

Meta Settlement ($1.4 Billion): For unlawfully collecting and using facial recognition data from millions of Texans—the largest privacy settlement ever obtained by a single state.

Google Settlement ($1.375 Billion): Resolving multiple lawsuits over deceptive tracking practices, including location tracking without consent and the misleading "Incognito Mode" that wasn't as incognito as advertised.

But Paxton wasn't done. His office launched investigations into over 200 companies, including Character.AI, Reddit, Instagram, and Discord over children's privacy practices. He sued TikTok twice, sued Allstate and Arity for secretly collecting and selling driving data, and investigated DeepSeek for potential violations tied to Chinese government access.

As we've analyzed in our 2025 privacy developments overview, Texas has positioned itself as America's privacy enforcement leader—even before comprehensive federal legislation.

The Lesson: Don't assume that because the U.S. lacks a federal privacy law, enforcement is weak. Individual states—especially Texas—are filling the void with aggressive, well-funded enforcement programs.


Amount: €200 million (Google LLC) + €125 million (Google Ireland) = €325 million
Authority: CNIL (France)
Violation: Deceptive cookie consent, direct marketing violations

France's CNIL continued its crusade against Big Tech's cookie practices with a one-two punch against Google in September 2025:

Google LLC (€200 million): For designing a fundamentally flawed cookie consent mechanism on Gmail that violated users' right to free and informed choice. Users weren't properly informed that advertising cookies were part of the "free" service—effectively making consent invalid.

Google Ireland (€125 million): For identical violations, demonstrating that corporate structure doesn't insulate related entities from separate penalties.

The CNIL found that ads disguised as emails in Gmail's "Promotions" and "Social" tabs violated direct marketing rules because users never properly consented. Both entities face €100,000 daily penalties if they don't fix the problems within six months.

This pattern of cookie enforcement aligns with what we've documented in our GDPR enforcement surge analysis: regulators are no longer satisfied with cookie banners that technically exist but practically deceive.

The Lesson: Making it easy to accept cookies but hard to reject them isn't compliance—it's a dark pattern, and regulators have zero patience left for it.


Amount: €150 million
Authority: CNIL (France)
Violation: Cookie placement without consent, misleading consent interfaces

Fast fashion giant SHEIN joined the hall of shame with a €150 million CNIL fine for its approach to cookies on shein.com:

  • Placing advertising cookies on users' devices BEFORE they could consent
  • Providing incomplete or misleading information in cookie banners
  • Failing to clearly identify third-party cookies
  • Making it difficult for users to refuse or withdraw consent

For a company already facing scrutiny over labor practices and supply chain transparency, adding "systematic privacy violations" to the list wasn't a great look.

The Lesson: Cookie consent isn't a formality—it's a legal requirement that must happen BEFORE tracking begins.
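Added example, not code from the original post or from either company: a small JavaScript consent gate written against the CNIL's objections in both the Google and SHEIN decisions above (nothing non-essential before a decision, clear disclosure of third parties, and refusing or withdrawing as easy as accepting). The cookie jar is a plain object standing in for document.cookie so the logic runs outside a browser, and the cookie names and vendor domains are constructed.

```javascript
// Constructed registry: every cookie is labelled with its purpose and, where
// applicable, the third party that reads it, so the banner can name them.
const COOKIE_REGISTRY = [
  { name: "session_id",     category: "essential",   thirdParty: null },
  { name: "_ad_id",         category: "advertising", thirdParty: "ads.example-vendor.invalid" },
  { name: "_analytics_uid", category: "analytics",   thirdParty: "metrics.example-vendor.invalid" },
];

// Consent state: no decision has been recorded until the user makes one.
// `jar` stands in for document.cookie so the logic runs outside a browser.
function createConsentState() {
  return { decision: null, jar: {} }; // decision: null | "accept" | "reject"
}

// The gate: only strictly necessary cookies may be written before a decision,
// and non-essential ones only after an explicit "accept".
function setCookie(state, name, value) {
  const entry = COOKIE_REGISTRY.find((c) => c.name === name);
  if (!entry) throw new Error(`unregistered cookie: ${name}`);
  const allowed = entry.category === "essential" || state.decision === "accept";
  if (allowed) state.jar[name] = value;
  return allowed; // false means the write was blocked, not silently dropped
}

function purgeNonEssential(state) {
  for (const c of COOKIE_REGISTRY) {
    if (c.category !== "essential") delete state.jar[c.name];
  }
}

// Accept and reject are symmetric: one action each, no extra steps to refuse.
function acceptAll(state) {
  state.decision = "accept";
}
function rejectAll(state) {
  state.decision = "reject";
  purgeNonEssential(state); // also removes anything a buggy pre-consent path set
}
// Withdrawal is as easy as acceptance and clears cookies already placed.
function withdrawConsent(state) {
  rejectAll(state);
}

// What the banner must disclose before asking: purpose and third party per cookie.
function bannerDisclosure() {
  return COOKIE_REGISTRY.filter((c) => c.category !== "essential")
    .map((c) => `${c.name}: ${c.category}, set by ${c.thirdParty}`);
}
```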


🏆 The "Genetic Gamble Gone Wrong" Award: 23andMe's £2.31 Million ICO Fine

Amount: £2.31 million
Authority: UK Information Commissioner's Office
Violation: Inadequate security measures for genetic data

Of all the data types to leave poorly protected, genetic information ranks among the worst. The ICO's June 2025 fine against 23andMe highlighted a credential stuffing attack that exposed some of the most intimate personal information possible:

  • Names, birth years, location data
  • Profile images, race, ethnicity
  • Family trees and health reports

In all, 155,592 UK residents were affected.

As Information Commissioner John Edwards noted: "Once this information is out there, it cannot be changed or reissued like a password or credit card number."

The breach exploited reused login credentials—a reminder that in 2025, companies handling sensitive data still weren't implementing basic protections like mandatory multi-factor authentication.

The Lesson: Genetic data is uniquely sensitive because it's uniquely permanent. Adequate security isn't just a compliance checkbox—it's an ethical imperative.


🏆 The "Data Broker Dragnet" Award: California's CalPrivacy Crackdown

Amount: $331,600+ in fines, 8 enforcement actions
Authority: California Privacy Protection Agency (CalPrivacy)
Target: Unregistered data brokers and CCPA violators


By Compliance Hub