Top GDPR Cookie Fines: Lessons from Meta, Amazon, Google & More
Since GDPR enforcement began in May 2018, data protection authorities across Europe have issued billions of euros in fines. A significant portion of these relate directly to cookies, tracking, and consent violations. These aren't obscure edge cases — they involve the world's biggest companies and the most common website practices.
Here are the most notable GDPR fines related to cookies and tracking, what went wrong, and what every website owner can learn from them.
1. Amazon — €746 Million (2021)
Luxembourg's CNPD issued the largest GDPR fine in history against Amazon in July 2021. While the full details remain partially confidential, the fine related to Amazon's advertising targeting system and how it processed personal data for behavioral advertising without proper consent.
Key lesson: Behavioral advertising and tracking cookies require explicit, informed consent. Relying on "legitimate interest" for advertising purposes is an extremely risky legal strategy that regulators are increasingly rejecting.
2. Meta (Facebook & Instagram) — €390 Million (2023)
Ireland's DPC fined Meta €390 million in January 2023 for forcing users to accept personalized advertising as a condition of using Facebook (€210M) and Instagram (€180M). Meta had argued that its terms of service created a "contract" that allowed personalized ads without separate consent.
The European Data Protection Board overruled Meta's position, stating that consent for advertising cookies and tracking must be freely given and cannot be bundled into terms of service.
Key lesson: You cannot bury cookie consent in your terms of service. Consent must be separate, specific, and genuinely optional.
3. Google — €150 Million (2022)
France's CNIL fined Google €150 million for making it significantly harder to reject cookies than to accept them on google.fr and youtube.com. Users could accept all cookies with a single click, but rejecting them required navigating through multiple screens and clicks.
Key lesson: The "Reject All" option must be as prominent and accessible as "Accept All." Same visual hierarchy, same number of clicks. Asymmetric consent mechanisms are a direct violation.
4. Meta (Facebook) — €60 Million (2022)
Also from CNIL, Facebook received a €60 million fine for the same issue as Google — the cookie rejection mechanism required multiple clicks while acceptance was a single click. CNIL noted that facebook.com set advertising cookies immediately upon visit, before any consent interaction.
Key lesson: Cookies must not be set before consent is obtained. Pre-consent blocking is not optional.
5. Criteo — €40 Million (2023)
CNIL fined Criteo, one of the world's largest advertising technology companies, €40 million for dropping tracking cookies on users' devices without obtaining valid consent. Criteo was collecting browsing data from millions of users through partner websites that did not properly implement consent mechanisms.
Key lesson: If you use third-party advertising scripts, you are responsible for ensuring those scripts respect consent. The responsibility doesn't shift to the ad tech provider.
6. TikTok — €345 Million (2023)
Ireland's DPC fined TikTok €345 million for violations related to children's data processing. While not exclusively a cookie fine, the case involved TikTok's use of tracking technologies on minors and the default public visibility settings that exposed children's data.
Key lesson: Special care must be taken with tracking technologies when minors may be among your users. Age verification and enhanced consent mechanisms are increasingly expected.
7. Smaller but Significant Fines
It's not just Big Tech. DPAs across Europe have been actively fining smaller companies:
- Vueling Airlines — €30,000 (Spain): No option to reject cookies on their website.
- Spartoo — €250,000 (France): Excessive cookie retention and lack of proper consent.
- Austrian Post — €18 Million (Austria): Creating detailed profiles of citizens using tracking data without consent.
- Multiple German companies — €5,000–€100,000: Various cookie banner violations including pre-checked boxes and missing reject options.
The trend is clear: enforcement is accelerating, fines are increasing, and no company is too small to be targeted.
What This Means for You
The pattern across all these fines is consistent:
- Cookies must not load before consent.
- Rejecting cookies must be as easy as accepting them.
- Consent must be granular, specific, and freely given.
- You are responsible for third-party scripts on your site.
- Consent cannot be buried in terms of service.
Most website owners don't violate these rules intentionally — they simply don't know what cookies their site sets or whether their consent banner actually works. That's exactly the problem CookieGuard was built to solve.
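A minimal way to check the first rule above (and the retention problem cited in the Spartoo case) is to capture the Set-Cookie headers from a first page load, before any banner interaction, and flag anything that is not strictly necessary. This is an added example, not CookieGuard's code; the cookie names, the essential-cookie allowlist and the 390-day retention limit are assumptions chosen for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: cookies this hypothetical site treats as strictly necessary.
ESSENTIAL = {"session_id", "csrf_token", "consent_state"}
MAX_DAYS = 390  # assumed retention policy limit, not a figure from the article

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def lifetime_days(attrs, now):
    """Lifetime in days; Max-Age takes precedence over Expires; None = session cookie."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) / 86400
        if "expires" in attrs:
            return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    except (TypeError, ValueError):
        pass  # unparseable lifetime: treat as a session cookie
    return None

def audit_preconsent(headers, now, essential=ESSENTIAL, max_days=MAX_DAYS):
    """Return (cookie, issue) findings for a response captured before any consent click."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in essential:
            findings.append((name, "set before consent"))
        days = lifetime_days(attrs, now)
        if days is not None and days > max_days:
            findings.append((name, f"retention {days:.0f} days exceeds {max_days}"))
    return findings

# Constructed sample: Set-Cookie headers from a first page load, no banner interaction.
SAMPLE = [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "ad_uid=u-789; Max-Age=63072000; Domain=.ads.example; SameSite=None; Secure",
    "consent_state=pending; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
```

Header inspection only covers cookies set by the server response; cookies written by third-party scripts through JavaScript need a browser-based capture of the cookie jar before consent.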
Don't Be the Next Fine
Scan your website in 30 seconds with CookieGuard. Find every cookie, every tracker, and every violation — before a regulator does.