Fines and enforcement
Both GDPR and CPRA impose strict financial penalties for non-compliance, making enforcement a serious risk for companies that mishandle personal data. Understanding the fine structures helps organizations prioritize compliance and avoid costly mistakes.
GDPR Penalties
Tier 1: Up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for violations of controller and processor obligations (e.g., failing to keep processing records, inadequate security measures, not notifying breaches).
Tier 2: Up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for violations of the core principles (e.g., processing without a lawful basis, ignoring data subject rights, unlawful international transfers).
Factors considered: Nature, gravity and duration of the violation, whether it was intentional or negligent, mitigation efforts, cooperation with the regulator, and past infractions.
CPRA Penalties
Standard penalties: Up to $2,500 per violation.
Intentional violations: Up to $7,500 per violation.
Children’s data: Up to $7,500 per violation involving consumers under 16, whether or not the violation was intentional.
Enforcement bodies: The California Privacy Protection Agency (CPPA), which can impose administrative fines, and the Attorney General, who can seek civil penalties in court.
Example: Email Marketing Without Consent
A company sends promotional emails to EU residents without a lawful basis (in practice, without valid consent). Under GDPR this is processing without a lawful basis, which falls in the higher tier.
CPRA does not itself regulate sending marketing email; the exposure arises if the company sells or shares California residents' contact data for that marketing without honoring their opt-out rights. Penalties are assessed per violation, and regulators may count each affected consumer as a separate violation, so the total scales with the size of the list.
Quick Enforcement Checklist
Determine which laws apply to you: GDPR reaches any organization processing EU residents' data, wherever it is based; CPRA covers businesses that meet its revenue or data-volume thresholds and handle California residents' data
Ensure consent and opt-out mechanisms are documented
Maintain audit logs of compliance decisions
Regularly review enforcement updates from regulators
Train staff on handling user rights requests properly
Conclusion
Fines under GDPR and CPRA are designed to make non-compliance far more costly than building compliance into products and processes. By proactively aligning with these laws, companies not only avoid penalties but also strengthen trust with customers and regulators.