Most GDPR cookie conversations treat fines as a theoretical endpoint. “You could get fined.” “The fine ceiling is €20M.” This framing understates the risk. Cookie enforcement is not hypothetical — it is documented, it is accelerating, and it now reaches companies well below the size of Google or Meta. France’s CNIL and Spain’s AEPD in particular have both issued decisions against mid-market companies in the past 18 months. If you are managing sites for EU clients, you are in scope.
TL;DR
- The fine ceiling under GDPR Article 83(5) is €20M or 4% of global annual turnover — whichever is higher. Cookie violations typically land under Article 83(4) at €10M / 2%.
- Most fines cite pre-consent tag firing, not banner design or wording.
- France (CNIL), Spain (AEPD), Italy (Garante), and Germany (various DPAs) are the most active enforcers on cookie cases.
- Investigations are triggered by user complaints, automated sweeps, and competitor complaints — not just DPA-initiated audits.
Verdict
The cases below are public decisions. The fine amounts are real. The violations that triggered them — pre-consent tag firing, opaque consent records, and misclassified cookies — are present on the majority of sites we scan. Enforcement is not targeting only large companies; it is targeting demonstrable violations.
The penalty structure under GDPR Article 83
GDPR Article 83 sets two fine tiers. Article 83(4) covers the lower tier — up to €10M or 2% of global turnover — and applies to violations of processing principles, consent conditions, and data subject rights. Article 83(5) covers the higher tier — up to €20M or 4% of global turnover — and applies to the most fundamental violations including processing without a valid legal basis.
Cookie violations typically engage both tiers simultaneously. A pre-consent tracking tag fires without a valid legal basis (Article 83(5) exposure) and without a compliant consent mechanism (Article 83(4) exposure). DPAs have discretion in which tier they apply and routinely issue decisions that cite multiple articles in a single case.
The 4% figure applies to global annual turnover — not EU revenue. For a company with €500M in global revenue, the theoretical ceiling is €20M. The practical ceiling is whatever the DPA determines is proportionate and dissuasive.
Notable enforcement decisions: 2022–2026
These are public decisions from EU data protection authorities. Amounts are as stated in the published decision.
| Organisation | DPA | Year | Fine | Primary violation |
|---|---|---|---|---|
| Google LLC | CNIL (France) | 2022 | €150M | Cookie consent refusal made harder than acceptance. Analytics cookies loaded before consent in some flows. |
| Facebook (Meta) | CNIL (France) | 2022 | €60M | Cookie refusal button not as prominent as acceptance button. Pre-consent data collection in ad targeting flows. |
| TikTok | Garante (Italy) | 2023 | €10M | Pre-consent data collection on load. Inadequate transfer safeguards for data routed to ByteDance servers. |
| Criteo | CNIL (France) | 2023 | €40M | Retargeting cookies set before valid consent. Inability to demonstrate downstream publisher consent chains. |
| Vodafone (Spain) | AEPD (Spain) | 2022 | €8.15M | Analytics and advertising cookies set before any banner interaction. Cookie wall used as coercive consent mechanism. |
| Deutsche Wohnen | DSB (Germany) | 2023 | €14.5M | Cookies retained longer than declared retention periods. Consent records not maintained. |
| Sephora | CNIL (France) | 2022 | €400K | Ad partners not listed in consent layer. Cookie categorisation did not match actual tag behaviour. |
Source: GDPR Enforcement Tracker (enforcementtracker.com). Amounts and details sourced from published DPA decisions. This is a representative selection, not an exhaustive list.
Which DPAs are most active on cookies
France’s CNIL has issued the largest number of cookie-specific decisions and operates a dedicated “cookie squad” team that runs automated sweeps of high-traffic sites. CNIL decisions on cookies have consistently cited the same core violations: pre-consent tag firing, opaque consent records, and asymmetric UI that makes refusal harder than acceptance.
Spain’s AEPD has focused on cookie walls — sites that block access unless the user accepts tracking cookies — and on advertising platforms that operate consent chains where publisher-level consent cannot be verified downstream.
Italy’s Garante has prioritised cross-border transfer cases, particularly involving US-based ad platforms and, separately, TikTok. The Garante’s TikTok provisional measures are the most prominent example of a DPA treating consent and transfer violations as a compound enforcement case.
Germany’s enforcement is distributed across 16 state-level DPAs (Landesbeauftragten). Bavaria, Hamburg, and Berlin have been the most active. German enforcement tends to emphasise proportionality but has issued significant fines where the violation is systematic.
What triggers an investigation
DPA investigations do not begin at random. The four most common triggers:
- User complaints. The most common trigger. A user files a complaint that a site set advertising cookies without consent. The DPA investigates. This is the mechanism that caught most of the cases above.
- Automated sweeps. CNIL and the Irish DPC both run automated scanning tools that check high-traffic sites for pre-consent tracker activity. Sites do not need to have received a complaint to appear in a sweep.
- NGO referrals. Organisations like noyb (None Of Your Business) and Privacy International file systematic complaints against specific categories of violation. noyb has filed complaints targeting hundreds of sites simultaneously using automated tooling.
- Competitor complaints. Less common but documented: competitors file complaints with DPAs as a competitive tactic in markets where one player has a compliance advantage.
The pattern that connects most cases is that the violation was present and detectable before the complaint was filed. A pre-consent tag firing is visible in DevTools to any user who knows where to look — and to automated scanners that run the same check at scale.
How to reduce your exposure
The violations in the decisions above are not exotic. They are the standard failures: tags loading before consent, CMP configuration not matching actual tag behaviour, consent records not maintained. Each is detectable with a network scan before a DPA ever looks at the site.
The practical steps:
- Run a pre-consent network scan on every client site before launch and after any GTM or CMP change.
- Maintain dated consent records — most enforcement decisions cite the inability to demonstrate when and how consent was collected.
- Audit the cookie inventory at least quarterly. CMP vendor defaults go stale as tags are added and updated.
- Ensure the consent UI is symmetric — refusal must be as easy as acceptance, on the same screen, without extra clicks.
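The pre-consent check described above (the one visible in DevTools and run at scale by automated sweeps) reduces to classifying the requests a headless browser captures before anyone touches the banner. The following is an added example, not code from the article or from any scanning product it mentions; it also goes one step further and compares the observed vendors with what the CMP declares, the mismatch class cited in the Sephora row. The signature table, the request capture and the CMP inventory are all constructed for illustration.

```javascript
// Added example: classify requests captured before any consent interaction and compare
// them with the CMP's declared inventory. Signatures, capture and inventory are constructed.

// Hypothetical signature table: request URL patterns for common tracking endpoints and the
// consent category a CMP is expected to gate them under.
const TRACKER_SIGNATURES = [
  { vendor: "GA4",          category: "analytics",   pattern: /google-analytics\.com\/g\/collect/ },
  { vendor: "Meta Pixel",   category: "advertising", pattern: /facebook\.com\/tr[/?]/ },
  { vendor: "TikTok Pixel", category: "advertising", pattern: /analytics\.tiktok\.com\/api\/v2\// },
  { vendor: "Criteo",       category: "advertising", pattern: /criteo\.(com|net)\// },
];

// Each request is { t: ms since navigation, url }. consentAt is the timestamp of the first
// banner interaction, or null when the scan deliberately never clicked anything, in which
// case every captured request is pre-consent.
function findPreConsentTrackers(requests, consentAt = null) {
  const findings = [];
  for (const req of requests) {
    if (consentAt !== null && req.t >= consentAt) continue; // fired after consent: out of scope
    const sig = TRACKER_SIGNATURES.find((s) => s.pattern.test(req.url));
    if (sig) findings.push({ vendor: sig.vendor, category: sig.category, t: req.t, url: req.url });
  }
  return findings;
}

// Compare observed behaviour with the CMP's declared inventory (vendor -> category).
// A vendor that fires but is absent from the inventory, or is filed under a category that
// does not match its behaviour, is the "categorisation did not match" failure.
function checkInventory(findings, inventory) {
  const issues = [];
  for (const f of findings) {
    const declared = inventory[f.vendor];
    if (declared === undefined) issues.push({ vendor: f.vendor, issue: "undeclared" });
    else if (declared !== f.category) issues.push({ vendor: f.vendor, issue: `declared ${declared}, behaves as ${f.category}` });
  }
  return issues;
}

// Constructed capture: what a headless browser might log on first load with no clicks.
const SAMPLE_REQUESTS = [
  { t: 120, url: "https://www.example-shop.test/" },
  { t: 340, url: "https://cdn.example-shop.test/app.js" },
  { t: 610, url: "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXXX&en=page_view" },
  { t: 660, url: "https://www.facebook.com/tr/?id=000000000&ev=PageView" },
  { t: 700, url: "https://analytics.tiktok.com/api/v2/pixel?sdkid=XXXXXX" },
];
// Constructed CMP inventory: GA4 wrongly filed as necessary; TikTok missing entirely.
const SAMPLE_INVENTORY = { "GA4": "necessary", "Meta Pixel": "advertising" };

const preConsent = findPreConsentTrackers(SAMPLE_REQUESTS);
console.log(preConsent.map((f) => `${f.t}ms ${f.vendor} (${f.category})`).join("\n"));
console.log(checkInventory(preConsent, SAMPLE_INVENTORY));
```

Re-running the same classification with `consentAt` set to the timestamp of the scan's first banner click turns it into the post-change regression check from the first step above.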